Documentation Library for System Center 2012 Configuration Manager

Microsoft Corporation Published: February 1, 2014

Copyright
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2014 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint, Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Intune, Windows Mobile, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents
System Center 2012 Configuration Manager ................................................................................ 23 Getting Started with System Center 2012 Configuration Manager ............................................ 25 Introduction to Configuration Manager ................................................................................... 26 Whats New in System Center 2012 R2 Configuration Manager ........................................... 40 Whats New in System Center 2012 Configuration Manager SP1 ......................................... 50 Whats New in System Center 2012 Configuration Manager ................................................. 65 Whats New in the Documentation for Configuration Manager .............................................. 99 Fundamentals of Configuration Manager ............................................................................. 136 Supported Configurations for Configuration Manager .......................................................... 148 Frequently Asked Questions for Configuration Manager...................................................... 253 Accessibility Features of Configuration Manager ................................................................. 286 Information and Support for Configuration Manager ............................................................ 289 Site Administration for System Center 2012 Configuration Manager ...................................... 292 Introduction to Site Administration in Configuration Manager .............................................. 292 Planning for Configuration Manager Sites and Hierarchy .................................................... 296 Supported Configurations for Configuration Manager .......................................................... 297 Interoperability between Different Versions of Configuration Manager ....................................... 402 Planning for Hardware Configurations for Configuration Manager ............................................. 410 PKI Certificate Requirements for Configuration Manager ........................................................... 415 Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy .................................................................................................................................................. 437 Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager ............................................................................................................. 460 Determine Whether to Extend the Active Directory Schema for Configuration Manager ........... 461 Planning for Sites and Hierarchies in Configuration Manager .................................................... 466 Planning to Upgrade System Center 2012 Configuration Manager ............................................ 490 Planning for Publishing of Site Data to Active Directory Domain Services ................................. 513 Planning for Discovery in Configuration Manager ....................................................................... 514 Planning for Client Settings in Configuration Manager................................................................ 540 Planning for Site Systems in Configuration Manager .................................................................. 542 Planning for Cloud Services in Configuration Manager .............................................................. 568

Planning for Content Management in Configuration Manager .................................................... 569 Planning for Boundaries and Boundary Groups in Configuration Manager ................................ 594 Planning to Use Extensions in Configuration Manager ............................................................... 598 Planning for Security in Configuration Manager .......................................................................... 602 Planning for Communications in Configuration Manager ............................................................ 616 Planning for Site Operations in Configuration Manager .............................................................. 655 Planning for High Availability with Configuration Manager .......................................................... 678 Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager ................ 688 Configuring Sites and Hierarchies in Configuration Manager ..................................................... 698 Prepare the Windows Environment for Configuration Manager .................................................. 698 Install Sites and Create a Hierarchy for Configuration Manager ................................................. 707 Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site ........... 787 Upgrade Configuration Manager to a New Service Pack ............................................................ 788 Configure Sites and the Hierarchy in Configuration Manager ..................................................... 793 Configuring Security for Configuration Manager ......................................................................... 795 Configuring Discovery in Configuration Manager ........................................................................ 806 Configuring Sites to Publish to Active Directory Domain Services .............................................. 818 Configuring Settings for Client Management in Configuration Manager ..................................... 819 Configuring Distribution Point Groups in Configuration Manager ............................................... 829 Configuring Boundaries and Boundary Groups in Configuration Manager ................................. 831 Configuring Alerts in Configuration Manager .............................................................................. 837 Configuring Site Components in Configuration Manager ............................................................ 840 Install and Configure Site System Roles for Configuration Manager .......................................... 850 Configure Database Replicas for Management Points ............................................................... 867 Migrate Data from Configuration Manager 2007 to Configuration Manager ............................... 881 Operations and Maintenance for Site Administration in Configuration Manager ........................ 881

Manage Site and Hierarchy Configurations ................................................................................. 882 Configure the Status System for Configuration Manager ............................................................ 895 Configure Maintenance Tasks for Configuration Manager Sites ................................................. 899 Monitor Configuration Manager Sites and Hierarchy .................................................................. 900 Manage Cloud Services for Configuration Manager ................................................................... 912 Backup and Recovery in Configuration Manager ........................................................................ 917 Update System Center 2012 Configuration Manager ................................................................. 951 Reporting in Configuration Manager............................................................................................ 962 Introduction to Reporting in Configuration Manager.................................................................... 963 Planning for Reporting in Configuration Manager ....................................................................... 969 Prerequisites for Reporting in Configuration Manager ................................................................ 971 Best Practices for Reporting ........................................................................................................ 973 Configuring Reporting in Configuration Manager ........................................................................ 974 Operations and Maintenance for Reporting in Configuration Manager ....................................... 984 Creating Custom Report Models in SQL Server Reporting Services .......................................... 995 Security and Privacy for Reporting in Configuration Manager .................................................. 1006 Technical Reference for Reporting in Configuration Manager .................................................. 1007 Security and Privacy for Site Administration in Configuration Manager .................................... 1007 Technical Reference for Site Administration in Configuration Manager.................................... 1028 Technical Reference for Site Communications in Configuration Manager................................ 1029 Technical Reference for Ports Used in Configuration Manager ................................................ 1032 Technical Reference for Log Files in Configuration Manager ................................................... 1053 Technical Reference for Accounts Used in Configuration Manager ......................................... 1102 Technical Reference for Cryptographic Controls Used in Configuration Manager ................... 1120 Technical Reference for Language Packs in Configuration Manager ....................................... 1132 Technical Reference for Unicode and ASCII Support in Configuration Manager ..................... 1140

Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager ................................................................................................................................................ 1143 Technical Reference for the Prerequisite Checker in Configuration Manager .......................... 1147 Technical Reference for International Support in Configuration Manager ................................ 1180 Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority ........................................................................................ 1181 Migrating Hierarchies in System Center 2012 Configuration Manager ..................................... 1204 Introduction to Migration in System Center 2012 Configuration Manager ................................ 1205 Planning for Migration to System Center 2012 Configuration Manager .................................... 1212 Prerequisites for Migration in System Center 2012 Configuration Manager ............................. 1213 Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager ................................................................................................................................................ 1218 Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager ................................................................................................................................. 1225 Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager ........... 1226 Planning a Migration Job Strategy in System Center 2012 Configuration Manager ................. 1230 Planning a Client Migration Strategy in System Center 2012 Configuration Manager ............. 1239 Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager ................................................................................................................................. 1242 Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager ........................................................................................................... 1252 Planning to Monitor Migration Activity in System Center 2012 Configuration Manager ............ 1260 Planning to Complete Migration in System Center 2012 Configuration Manager ..................... 1261 Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager ........................................................................................................... 1263 Operations for Migrating to System Center 2012 Configuration Manager ................................ 1266 Security and Privacy for Migration to System Center 2012 Configuration Manager ................. 1272 Deploying Clients for System Center 2012 Configuration Manager .......................................... 1273 Introduction to Client Deployment in Configuration Manager .................................................... 1274

Planning for Client Deployment in Configuration Manager ....................................................... 1295 Prerequisites for Windows Client Deployment in Configuration Manager................................. 1296 Best Practices for Client Deployment in Configuration Manager .............................................. 1306 Determine How to Manage Mobile Devices in Configuration Manager ..................................... 1310 Planning for Client Deployment for Linux and UNIX Servers .................................................... 1315 Determine the Site System Roles for Client Deployment in Configuration Manager ................ 1328 Determine the Client Installation Method to Use for Windows Computers in Configuration Manager ................................................................................................................................. 1331 Determine Whether to Block Clients in Configuration Manager ................................................ 1335 Configuring Client Deployment in Configuration Manager ........................................................ 1338 How to Configure Client Communication Port Numbers in Configuration Manager ................. 1338 How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager ........................................................................................................... 1340 How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager ................................................................................................................................. 1342 How to Configure Client Settings in Configuration Manager ..................................................... 1344 How to Install Clients on Windows-Based Computers in Configuration Manager .................... 1346 How to Assign Clients to a Site in Configuration Manager ........................................................ 1365 How to Install Clients on Mac Computers in Configuration Manager ........................................ 1372 How to Install Clients on Linux and UNIX Computers in Configuration Manager ..................... 1394 How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager .. 1405 How to Configure Client Status in Configuration Manager ........................................................ 1414 Operations and Maintenance for Client Deployment in Configuration Manager ....................... 1417 How to Manage Mobile Devices by Using Configuration Manager and Exchange ................... 1417 How to Manage Mobile Devices by Using Configuration Manager and Windows Intune ......... 1421 How to Manage Clients in Configuration Manager .................................................................... 1433 How to Monitor Clients in Configuration Manager ..................................................................... 1448

How to Manage Linux and UNIX Clients in Configuration Manager ......................................... 1450 How to Monitor Linux and UNIX Clients in Configuration Manager .......................................... 1453 Security and Privacy for Clients in Configuration Manager ....................................................... 1454 Technical Reference for Client Deployment in Configuration Manager .................................... 1469 About Client Settings in Configuration Manager ....................................................................... 1469 About Client Installation Properties in Configuration Manager .................................................. 1501 About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager ........................................................................................................... 1520 Administrator Checklist: Deploying Clients in Configuration Manager ...................................... 1524 Windows Firewall and Port Settings for Client Computers in Configuration Manager .............. 1526 Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices ................................................................................................................ 1534 Technical Reference for the Configuration Manager Client for Linux and UNIX ....................... 1542 Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune ...................................................................................................................... 1545 Deploying Software and Operating Systems in System Center 2012 Configuration Manager . 1548 Content Management in Configuration Manager ...................................................................... 1548 Introduction to Content Management in Configuration Manager .............................................. 1549 Planning for Content Management in Configuration Manager .................................................. 1557 Prerequisites for Content Management in Configuration Manager ........................................... 1582 Best Practices for Content Management in Configuration Manager ......................................... 1584 Configuring Content Management in Configuration Manager ................................................... 1585 Operations and Maintenance for Content Management in Configuration Manager .................. 1601 How to Prestage Content to Distribution Points Located on a Site Server ............................... 1619 Security and Privacy for Content Management in Configuration Manager ............................... 1620 Technical Reference for Content Management in Configuration Manager ............................... 1624 Application Management in Configuration Manager ................................................................. 1625

Introduction to Application Management in Configuration Manager ......................................... 1625 Planning for Application Management in Configuration Manager ............................................. 1643 Prerequisites for Application Management in Configuration Manager ...................................... 1643 Best Practices for Application Management in Configuration Manager .................................... 1648 Planning to Deploy Windows 8 Apps in Configuration Manager ............................................... 1650 Planning for App-V Integration with Configuration Manager ..................................................... 1655 Configuring the Application Catalog and Software Center in Configuration Manager .............. 1665 Operations and Maintenance for Application Management in Configuration Manager ............. 1672 How to Create Applications in Configuration Manager.............................................................. 1673 How to Create and Deploy Applications for Mac Computers in Configuration Manager .......... 1693 How to Deploy Applications in Configuration Manager ............................................................. 1700 How to Simulate an Application Deployment in Configuration Manager ................................... 1704 How to Manage Applications and Deployment Types in Configuration Manager ..................... 1705 How to Manage Application Revisions in Configuration Manager ............................................ 1709 How to Use Application Supersedence in Configuration Manager ........................................... 1711 How to Uninstall Applications in Configuration Manager .......................................................... 1712 How to Monitor Applications in Configuration Manager ............................................................ 1713 How to Manage User Device Affinity in Configuration Manager ............................................... 1716 How to Create Global Conditions in Configuration Manager .................................................... 1720 How to Create App-V Virtual Environments in Configuration Manager..................................... 1729 How to Create and Deploy Applications for Mobile Devices in Configuration Manager ........... 1730 Packages and Programs in Configuration Manager.................................................................. 1740 How to Create Packages and Programs in Configuration Manager ......................................... 1742 How to Deploy Packages and Programs in Configuration Manager ......................................... 1751 How to Monitor Packages and Programs in Configuration Manager ........................................ 1754 How to Manage Packages and Programs in Configuration Manager ....................................... 1754

Deploying Software to Linux and UNIX Servers in Configuration Manager .............................. 1756 Security and Privacy for Application Management in Configuration Manager .......................... 1764 Technical Reference for Application Management in Configuration Manager .......................... 1772 Example Scenario for Managing Applications by Using Configuration Manager ...................... 1772 Software Updates in Configuration Manager ............................................................................ 1781 Introduction to Software Updates in Configuration Manager .................................................... 1782 Planning for Software Updates in Configuration Manager ........................................................ 1800 Prerequisites for Software Updates in Configuration Manager ................................................. 1819 Best Practices for Software Updates in Configuration Manager ............................................... 1824 Configuring Software Updates in Configuration Manager ......................................................... 1826 How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster .... 1848 How to Determine the Port Settings Used by WSUS ................................................................ 1854 How to Enable CRL Checking for Software Updates ................................................................ 1855 Operations and Maintenance for Software Updates in Configuration Manager ........................ 1856 Security and Privacy for Software Updates in Configuration Manager ..................................... 1887 Technical Reference for Software Updates in Configuration Manager ..................................... 1892 Technical Reference for the Icons Used for Software Updates ................................................ 1892 Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft ............................................................................... 1895 Operating System Deployment in Configuration Manager ........................................................ 1901 Introduction to Operating System Deployment in Configuration Manager ................................ 1902 Planning to Deploy Operating Systems in Configuration Manager ........................................... 1914 Prerequisites For Deploying Operating Systems in Configuration Manager ............................. 1915 Supported Operating Systems and Hard Disk Configurations for Operating System Deployment ................................................................................................................................................ 1923 Determine the Operating System Deployment Method to Use in Configuration Manager ........ 1925 Planning Site System Roles for Operating System Deployments in Configuration Manager ... 1928

Planning for Deploying Operating System Images in Configuration Manager .......................... 1931 Planning for Capturing Operating System Images in Configuration Manager .......................... 1934 Planning for Boot Image Deployments in Configuration Manager ............................................ 1940 Planning a Device Driver Strategy in Configuration Manager ................................................... 1942 Planning for PXE-Initiated Operating System Deployments in Configuration Manager ............ 1945 Planning a Multicast Strategy in Configuration Manager .......................................................... 1948 Planning for Media Operating System Deployments in Configuration Manager ....................... 1950 Planning a Task Sequences Strategy in Configuration Manager .............................................. 1953 Planning for Operating System Deployments in a NAP-Enabled Environment ........................ 1968 Planning for Operating System Deployment Interoperability .................................................... 1970 Configuring Configuration Manager for Operating System Deployments ................................. 1972 How to Manage Operating System Images and Installers in Configuration Manager .............. 1973 How to Manage Boot Images in Configuration Manager .......................................................... 1977 How to Manage the Driver Catalog in Configuration Manager .................................................. 1985 How to Manage Task Sequences in Configuration Manager .................................................... 1992 How to Manage the User State in Configuration Manager ........................................................ 2012 How to Manage Unknown Computer Deployments in Configuration Manager ......................... 2019 How to Associate Users with a Destination Computer .............................................................. 2022 How to Manage Multicast in Configuration Manager ................................................................. 2024 Operations and Maintenance for Deploying Operating Systems in Configuration Manager .... 2027 How to Deploy Operating Systems in Configuration Manager .................................................. 2027 How to Deploy Operating Systems by Using Media in Configuration Manager ........................ 2033 How to Deploy Operating Systems by Using PXE in Configuration Manager .......................... 2045 How to Deploy Operating Systems to Offline Computers in Configuration Manager ................ 2048 Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 2049 Technical Reference for Deploying Operating Systems in Configuration Manager .................. 2057

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager ................................................................................................................................. 2058 Task Sequence Variables in Configuration Manager ................................................................ 2061 Task Sequence Action Variables in Configuration Manager ..................................................... 2061 Task Sequence Built-in Variables in Configuration Manager .................................................... 2088 Task Sequence Steps in Configuration Manager ...................................................................... 2099 Task Sequence Scenarios in Configuration Manager ............................................................... 2149 How to Provision Windows To Go in Configuration Manager ................................................... 2159 Prestart Commands for Task Sequence Media in Configuration Manager ............................... 2173 How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager .................................................................................... 2175 Assets and Compliance in System Center 2012 Configuration Manager ................................. 2193 Collections in Configuration Manager ....................................................................................... 2194 Introduction to Collections in Configuration Manager................................................................ 2194 Planning for Collections in Configuration Manager ................................................................... 2202 Prerequisites for Collections in Configuration Manager ............................................................ 2202 Best Practices for Collections in Configuration Manager .......................................................... 2203 Operations and Maintenance for Collections in Configuration Manager ................................... 2204 How to Create Collections in Configuration Manager ............................................................... 2204 How to Manage Collections in Configuration Manager ............................................................. 2213 How to Use Maintenance Windows in Configuration Manager ................................................. 2221 Security and Privacy for Collections in Configuration Manager ................................................ 2223 Technical Reference for Collections in Configuration Manager ................................................ 2224 Queries in Configuration Manager............................................................................................. 2225 Introduction to Queries in Configuration Manager ..................................................................... 2225 Operations and Maintenance for Queries in Configuration Manager ........................................ 2226 How to Create Queries in Configuration Manager .................................................................... 2226

How to Manage Queries in Configuration Manager .................................................................. 2231 Security and Privacy for Queries in Configuration Manager ..................................................... 2233 Technical Reference for Queries in Configuration Manager ..................................................... 2233 Inventory in Configuration Manager .......................................................................................... 2234 Hardware Inventory in Configuration Manager .......................................................................... 2234 Introduction to Hardware Inventory in Configuration Manager .................................................. 2235 Planning for Hardware Inventory in Configuration Manager ..................................................... 2237 Prerequisites for Hardware Inventory in Configuration Manager .............................................. 2237 Best Practices for Hardware Inventory in Configuration Manager ............................................ 2238 Configuring Hardware Inventory in Configuration Manager ...................................................... 2238 How to Configure Hardware Inventory in Configuration Manager ............................................. 2239 How to Extend Hardware Inventory in Configuration Manager ................................................. 2240 How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager ........................................................................................................... 2245 Operations and Maintenance for Hardware Inventory in Configuration Manager ..................... 2249 How to Use Resource Explorer to View Hardware Inventory in Configuration Manager .......... 2249 Hardware Inventory for Linux and UNIX in Configuration Manager .......................................... 2251 Security and Privacy for Hardware Inventory in Configuration Manager .................................. 2254 Technical Reference for Hardware Inventory in Configuration Manager .................................. 2256 Software Inventory in Configuration Manager ........................................................................... 2256 Introduction to Software Inventory in Configuration Manager ................................................... 2257 Planning for Software Inventory in Configuration Manager ....................................................... 2259 Prerequisites for Software Inventory ......................................................................................... 2259 Configuring Software Inventory in Configuration Manager........................................................ 2260 How to Configure Software Inventory in Configuration Manager .............................................. 2260 How to Exclude Folders from Software Inventory in Configuration Manager............................ 2261 Operations and Maintenance for Software Inventory in Configuration Manager ...................... 2261

How to Use Resource Explorer to View Software Inventory in Configuration Manager ........... 2262 Security and Privacy for Software Inventory in Configuration Manager .................................... 2263 Technical Reference for Software Inventory in Configuration Manager.................................... 2265 Asset Intelligence in Configuration Manager ............................................................................. 2265 Introduction to Asset Intelligence in Configuration Manager ..................................................... 2266 Prerequisites for Asset Intelligence in Configuration Manager ................................................. 2277 Configuring Asset Intelligence in Configuration Manager ......................................................... 2281 Operations for Asset Intelligence in Configuration Manager ..................................................... 2292 Security and Privacy for Asset Intelligence in Configuration Manager ...................................... 2302 Technical Reference for Asset Intelligence in Configuration Manager ..................................... 2304 Example Validation State Transitions for Asset Intelligence ..................................................... 2304 Example Asset Intelligence General License Import File .......................................................... 2308 Power Management in Configuration Manager ......................................................................... 2310 Introduction to Power Management in Configuration Manager ................................................. 2311 Planning for Power Management in Configuration Manager .................................................... 2313 Prerequisites for Power Management in Configuration Manager ............................................. 2313 Best Practices for Power Management in Configuration Manager ........................................... 2314 Administrator Checklist for Power Management in Configuration Manager ............................. 2317 Configuring Power Management in Configuration Manager ..................................................... 2322 Operations and Maintenance for Power Management in Configuration Manager .................... 2323 How to Monitor and Plan for Power Management in Configuration Manager ........................... 2324 How to Create and Apply Power Plans in Configuration Manager ............................................ 2351 Security and Privacy for Power Management in Configuration Manager.................................. 2359 Technical Reference for Power Management in Configuration Manager ................................. 2360 Remote Control in Configuration Manager ................................................................................ 2360 Introduction to Remote Control in Configuration Manager ........................................................ 2360

Planning for Remote Control in Configuration Manager ........................................................... 2362 Prerequisites for Remote Control in Configuration Manager .................................................... 2362 Configuring Remote Control in Configuration Manager ............................................................ 2365 Operations and Maintenance for Remote Control in Configuration Manager ........................... 2366 How to Remotely Administer a Client Computer by Using Configuration Manager .................. 2367 How to Audit Remote Control Usage in Configuration Manager ............................................... 2369 Security and Privacy for Remote Control in Configuration Manager ......................................... 2370 Technical Reference for Remote Control in Configuration Manager ........................................ 2373 Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager ........................ 2373 Software Metering in Configuration Manager ............................................................................ 2374 Introduction to Software Metering in Configuration Manager .................................................... 2375 Planning for Software Metering in Configuration Manager........................................................ 2376 Prerequisites for Software Metering in Configuration Manager ................................................ 2376 Configuring Software Metering in Configuration Manager ........................................................ 2377 How to Configure Software Metering in Configuration Manager ............................................... 2377 Operations and Maintenance for Software Metering in Configuration Manager ....................... 2378 How to Create Software Metering Rules in Configuration Manager ......................................... 2378 How to Configure Automatic Software Metering Rule Generation in Configuration Manager .. 2380 How to Manage Software Metering Rules in Configuration Manager ....................................... 2381 How to Monitor Software Metering in Configuration Manager .................................................. 2382 Security and Privacy for Software Metering in Configuration Manager..................................... 2382 Technical Reference for Software Metering in Configuration Manager .................................... 2383 Example Scenario for Software Metering in Configuration Manager ........................................ 2384 Maintenance Tasks for Software Metering in Configuration Manager ...................................... 2386 Out of Band Management in Configuration Manager ................................................................ 2388 Introduction to Out of Band Management in Configuration Manager ........................................ 2388

Planning for Out of Band Management in Configuration Manager ........................................... 2394 Prerequisites for Out of Band Management in Configuration Manager .................................... 2395 Best Practices for Out of Band Management in Configuration Manager .................................. 2401 Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer ................................................................................................................................................ 2403 Configuring Out of Band Management in Configuration Manager ............................................ 2404 Administrator Checklist: Out of Band Management in Configuration Manager ......................... 2404 How to Provision and Configure AMT-Based Computers in Configuration Manager ............... 2405 How to Manage AMT Provisioning Information in Configuration Manager ............................... 2417 Operations and Maintenance for Out of Band Management in Configuration Manager ........... 2420 How to Manage AMT-based Computers Out of Band in Configuration Manager ..................... 2421 How to Manage the Audit Log for AMT-Based Computers in Configuration Manager ............. 2428 How to Monitor Out of Band Management in Configuration Manager ...................................... 2430 Security and Privacy for Out of Band Management in Configuration Manager ........................ 2432 Technical Reference for Out of Band Management in Configuration Manager ........................ 2439 About the AMT Status and Out of Band Management in Configuration Manager .................... 2439 Example Scenario for Implementing Out of Band Management in Configuration Manager ..... 2442 Example Scenarios for Using Out of Band Management in Configuration Manager ................ 2449 AMT Provisioning Process for Out of Band Management in Configuration Manager ............... 2456 Compliance Settings in Configuration Manager ........................................................................ 2459 Introduction to Compliance Settings in Configuration Manager ................................................ 2459 Planning for Compliance Settings in Configuration Manager .................................................... 2463 Prerequisites for Compliance Settings in Configuration Manager ............................................. 2464 Configuring Compliance Settings in Configuration Manager .................................................... 2465 Operations and Maintenance for Compliance Settings in Configuration Manager ................... 2467 How to Create Windows Configuration Items for Compliance Settings in Configuration Manager ................................................................................................................................................ 2467

How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager ................................................................................................................................. 2485 How to Create Mac Computer Configuration Items in Configuration Manager ......................... 2487 How to Create Configuration Baselines for Compliance Settings in Configuration Manager ... 2494 How to Create Child Configuration Items in Configuration Manager ........................................ 2496 How to Deploy Configuration Baselines in Configuration Manager .......................................... 2497 How to Manage Configuration Baselines for Compliance Settings in Configuration Manager . 2498 How to Manage Configuration Items for Compliance Settings in Configuration Manager ........ 2500 How to Monitor for Compliance Settings in Configuration Manager ......................................... 2502 How to Import Configuration Data in Configuration Manager ................................................... 2506 How to Create User Data and Profiles Configuration Items in Configuration Manager ............ 2507 Compliance Settings for Mobile Devices in Configuration Manager ......................................... 2511 Security and Privacy for Compliance Settings in Configuration Manager ................................. 2521 Technical Reference for Compliance Settings in Configuration Manager................................. 2523 Example Scenario for Compliance Settings in Configuration Manager .................................... 2523 Example Scenario for User Data and Profiles Management in Configuration Manager ........... 2528 Remote Connection Profiles in Configuration Manager ............................................................ 2533 Introduction to Remote Connection Profiles in Configuration Manager .................................... 2534 Planning for Remote Connection Profiles in Configuration Manager ........................................ 2536 Prerequisites for Remote Connection Profiles in Configuration Manager ................................. 2536 Operations and Maintenance for Remote Connection Profiles in Configuration Manager ....... 2539 How to Create Remote Connection Profiles in Configuration Manager .................................... 2540 How to Deploy Remote Connection Profiles in Configuration Manager ................................... 2542 How to Monitor Remote Connection Profiles in Configuration Manager ................................... 2544 Security and Privacy for Remote Connection Profiles in Configuration Manager ..................... 2546 Technical Reference for Remote Connection Profiles in Configuration Manager ..................... 2548 Company Resource Access in Configuration Manager ............................................................ 2548

Certificate Profiles in Configuration Manager ............................................................................ 2549 Introduction to Certificate Profiles in Configuration Manager .................................................... 2549 Planning for Certificate Profiles in Configuration Manager ....................................................... 2553 Prerequisites for Certificate Profiles in Configuration Manager ................................................ 2554 Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager ................................................................................................................................................ 2558 Configuring Certificate Profiles in Configuration Manager ........................................................ 2560 Operations and Maintenance for Certificate Profiles in Configuration Manager ....................... 2566 How to Create Certificate Profiles in Configuration Manager .................................................... 2567 How to Deploy Certificate Profiles in Configuration Manager ................................................... 2575 How to Monitor Certificate Profiles in Configuration Manager .................................................. 2576 Security and Privacy for Certificate Profiles in Configuration Manager..................................... 2579 Technical Reference for Certificate Profiles in Configuration Manager .................................... 2581 How to Configure the Policy Module to Use a New Client Certificate in Configuration Manager ................................................................................................................................................ 2581 How to Install Certificates on Android Devices in Configuration Manager ................................ 2583 VPN Profiles in Configuration Manager ..................................................................................... 2583 Introduction to VPN Profiles in Configuration Manager ............................................................. 2584 Planning for VPN Profiles in Configuration Manager ................................................................ 2585 Prerequisites for VPN Profiles in Configuration Manager ......................................................... 2586 Operations and Maintenance for VPN Profiles in Configuration Manager ................................ 2587 How to Create VPN Profiles in Configuration Manager ............................................................ 2588 How to Deploy VPN Profiles in Configuration Manager ............................................................ 2595 How to Monitor VPN Profiles in Configuration Manager ........................................................... 2596 Security and Privacy for VPN Profiles in Configuration Manager ............................................. 2598 Technical Reference for VPN Profiles in Configuration Manager ............................................. 2599 Wi-Fi Profiles in Configuration Manager .................................................................................... 2600

Introduction to Wi-Fi Profiles in Configuration Manager ............................................................ 2600 Planning for Wi-Fi Profiles in Configuration Manager ............................................................... 2601 Prerequisites for Wi-Fi Profiles in Configuration Manager ........................................................ 2602 Operations and Maintenance for Wi-Fi Profiles in Configuration Manager ............................... 2603 How to Create Wi-Fi Profiles in Configuration Manager ........................................................... 2604 How to Deploy Wi-Fi Profiles in Configuration Manager ........................................................... 2609 How to Monitor Wi-Fi Profiles in Configuration Manager .......................................................... 2611 Security and Privacy for Wi-Fi Profiles in Configuration Manager ............................................ 2612 Technical Reference for Wi-Fi Profiles in Configuration Manager ............................................ 2614 Email Profiles in Configuration Manager ................................................................................... 2614 Introduction to Email Profiles in Configuration Manager ........................................................... 2615 Planning for Email Profiles in Configuration Manager ............................................................... 2615 Prerequisites for Email Profiles in Configuration Manager ........................................................ 2616 Configuring Email Profiles in Configuration Manager ................................................................ 2618 Operations and Maintenance for Email Profiles in Configuration Manager .............................. 2618 How to Create Exchange ActiveSync Email Profiles in Configuration Manager ....................... 2619 How to Deploy Email Profiles in Configuration Manager .......................................................... 2624 How to Monitor Email Profiles in Configuration Manager .......................................................... 2626 Security and Privacy for Email Profiles in Configuration Manager ............................................ 2627 Technical Reference for Email Profiles in Configuration Manager ............................................ 2628 Endpoint Protection in Configuration Manager .......................................................................... 2629 Introduction to Endpoint Protection in Configuration Manager .................................................. 2629 Planning for Endpoint Protection in Configuration Manager ..................................................... 2635 Prerequisites for Endpoint Protection in Configuration Manager .............................................. 2635 Best Practices for Endpoint Protection in Configuration Manager ............................................ 2639 Administrator Workflow for Endpoint Protection in Configuration Manager .............................. 2640

Configuring Endpoint Protection in Configuration Manager ...................................................... 2640 How to Configure Endpoint Protection in Configuration Manager ............................................. 2641 How to Configure Alerts for Endpoint Protection in Configuration Manager ............................. 2645 How to Configure Definition Updates for Endpoint Protection in Configuration Manager ......... 2649 Operations and Maintenance for Endpoint Protection in Configuration Manager ..................... 2656 How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager ................................................................................................................................................ 2657 How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager ................................................................................................................................. 2663 How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager ........................................................................................................... 2665 How to Monitor Endpoint Protection in Configuration Manager ................................................ 2669 Security and Privacy for Endpoint Protection in Configuration Manager .................................. 2672 Technical Reference for Endpoint Protection in Configuration Manager .................................. 2674 Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager ........................................................................................................... 2675 Security and Privacy for System Center 2012 Configuration Manager ..................................... 2681 Planning for Security in Configuration Manager ........................................................................ 2682 Configuring Security for Configuration Manager ....................................................................... 2696 Microsoft System Center 2012 Configuration Manager Privacy Statement .............................. 2707 Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum .............................................................................................................................. 2722 Security Best Practices and Privacy Information for Configuration Manager ........................... 2723 Security and Privacy for Site Administration in Configuration Manager .................................... 2724 Security and Privacy for Reporting in Configuration Manager .................................................. 2744 Security and Privacy for Migration to System Center 2012 Configuration Manager ................. 2745 Security and Privacy for Clients in Configuration Manager ....................................................... 2747 Security and Privacy for Content Management in Configuration Manager ............................... 2761

Security and Privacy for Application Management in Configuration Manager .......................... 2766 Security and Privacy for Software Updates in Configuration Manager ..................................... 2774 Security and Privacy for Deploying Operating Systems in Configuration Manager .................. 2778 Security and Privacy for Collections in Configuration Manager ................................................ 2786 Security and Privacy for Queries in Configuration Manager ..................................................... 2787 Security and Privacy for Hardware Inventory in Configuration Manager .................................. 2788 Security and Privacy for Software Inventory in Configuration Manager .................................... 2790 Security and Privacy for Asset Intelligence in Configuration Manager ...................................... 2792 Security and Privacy for Power Management in Configuration Manager.................................. 2794 Security and Privacy for Remote Control in Configuration Manager ......................................... 2795 Security and Privacy for Software Metering in Configuration Manager..................................... 2798 Security and Privacy for Out of Band Management in Configuration Manager ........................ 2799 Security and Privacy for Compliance Settings in Configuration Manager ................................. 2806 Security and Privacy for Remote Connection Profiles in Configuration Manager ..................... 2808 Security and Privacy for Certificate Profiles in Configuration Manager..................................... 2810 Security and Privacy for VPN Profiles in Configuration Manager ............................................. 2812 Security and Privacy for Wi-Fi Profiles in Configuration Manager ............................................ 2813 Security and Privacy for Email Profiles in Configuration Manager ............................................ 2815 Security and Privacy for Endpoint Protection in Configuration Manager .................................. 2816 Technical Reference for Cryptographic Controls Used in Configuration Manager ................... 2818 Technical Reference for Ports Used in Configuration Manager ................................................ 2829 Technical Reference for Accounts Used in Configuration Manager ......................................... 2851 Scenarios and Solutions Using System Center 2012 Configuration Manager .......................... 2869 Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager .............. 2870 Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices ................................................................................................................ 2880 How to Manage Mobile Devices by Using Configuration Manager and Windows Intune ......... 2888

Example Scenario for Managing Applications by Using Configuration Manager ...................... 2900 Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft ............................................................................... 2910 Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager ................................................................................................................................. 2916 How to Provision Windows To Go in Configuration Manager ................................................... 2919 How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager .................................................................................... 2933 Example Scenario for Software Metering in Configuration Manager ........................................ 2951 Example Scenario for Implementing Out of Band Management in Configuration Manager ..... 2953 Example Scenarios for Using Out of Band Management in Configuration Manager ................ 2960 Example Scenario for Compliance Settings in Configuration Manager .................................... 2967 Example Scenario for User Data and Profiles Management in Configuration Manager ........... 2972 Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager ........................................................................................................... 2977 Glossary for Microsoft System Center 2012 Configuration Manager ........................................ 2982

System Center 2012 Configuration Manager

Updated: February 1, 2013 Welcome to Microsoft System Center 2012 Configuration Manager. Use Configuration Manager to provide more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, and mobile devices. For in-depth information about how System Center 2012 Configuration Manager can help you manage your IT infrastructure, see the following guides: Getting Started with System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager Migrating Hierarchies in System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager Security and Privacy for System Center 2012 Configuration Manager Scenarios and Solutions Using System Center 2012 Configuration Manager

Release Notes
The release notes are published online. See the Release Notes for System Center 2012 Configuration Manager on TechNet.

Search the Configuration Manager Documentation Library

Find information online from the Documentation Library for System Center 2012 Configuration Manager. This customized Bing search query scopes your search so that you see results from the Documentation Library for System Center 2012 Configuration Manager only. It uses the search
23

text Configuration Manager, which you can replace in the search bar with your own search string or strings, and choice of search operators, to help you narrow the search results.

Example Searches
Use the Find information online link and customize the search by using the following examples. Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection: ("Endpoint Protection") site:technet.microsoft.com/enus/library meta:search.MSCategory(gg682056) Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator: ("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator: ("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator: ("Endpoint Protection)" NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056)

Search Tips
Use the following search tips to help you find the information that you need: When you search on a page in TechNet or in the help file (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. To search for text in collapsed sections, expand the sections before you search on the page. Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information and the information that you are searching for might not be in the downloaded documentation or there might be corrections or additional information online. If you find it easier and faster to search documentation when it is stored locally, you can select multiple topics on TechNet and save them locally. For more information, see the following instructions on the TechNet wiki: How to Build Your Own Custom TechNet Documentation.

24

Copyright Information
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, ActiveSync, ActiveX, Authenticode, Bing, BitLocker, Excel, Forefront, Hyper-V, Internet Explorer, JScript, Microsoft Press, MSDN, Outlook, SharePoint, Silverlight, SoftGrid, SQL Server, Visio, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Intune, Windows Mobile, Windows PowerShell, Windows Server, Windows Server System, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Getting Started with System Center 2012 Configuration Manager

Getting Started Topics
Use the following topics to help you get started with Microsoft System Center 2012 Configuration Manager: Introduction to Configuration Manager Whats New in System Center 2012 R2 Configuration Manager Whats New in System Center 2012 Configuration Manager SP1 Whats New in System Center 2012 Configuration Manager Whats New in the Documentation for Configuration Manager Fundamentals of Configuration Manager Frequently Asked Questions for Configuration Manager Supported Configurations for Configuration Manager Accessibility Features of Configuration Manager Information and Support for Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

25

Introduction to Configuration Manager

A member of the Microsoft System Center suite of management solutions, System Center 2012 Configuration Manager increases IT productivity and efficiency by reducing manual tasks and letting you focus on high-value projects, maximize hardware and software investments, and empower end-user productivity by providing the right software at the right time. Configuration Manager helps you deliver more effective IT services by enabling secure and scalable software deployment, compliance settings management, and comprehensive asset management of servers, desktops, laptops, and mobile devices. Configuration Manager extends and works alongside your existing Microsoft technologies and solutions. For example: Configuration Manager uses Active Directory Domain Services for security, service location, configuration, and to discover the users and devices that you want to manage. Configuration Manager uses Microsoft SQL Server as a distributed change management database and integrates with SQL Server Reporting Services (SSRS) to produce reports to monitor and track the management activities. Many of the Configuration Manager site system roles that provide management functionality use the web services of Internet Information Services (IIS). Background Intelligent Transfer Service (BITS) and BranchCache can be used to help manage the available network bandwidth.

In addition, Configuration Manager can integrate with Windows Server Update Services (WSUS), Network Access Protection (NAP), Certificate Services, Exchange Server and Exchange Online, Group Policy, the DNS Server role, Windows Automated Installation Kit (Windows AIK) and the User State Migration Tool (USMT), Windows Deployment Services (WDS), and Remote Desktop and Remote Assistance. To be successful with Configuration Manager, you must first thoroughly plan and test the management features before you use Configuration Manager in a production environment. As a powerful management application, Configuration Manager can potentially affect every computer in your organization. When you deploy and manage Configuration Manager with careful planning and consideration of your business requirements, Configuration Manager can reduce your administrative overhead and total cost of ownership. Use the following sections to learn more about Configuration Manager: Configuration Manager Management Capabilities The Configuration Manager Console The Application Catalog, Software Center, and the Company Portal Configuration Manager Properties (Client) Example Scenario: Empower Users by Ensuring Access to Applications from Any Device Example Scenario: Unify Compliance Management for Devices Example Scenario: Simplify Client Management for Devices Example Scenarios for Configuration Manager

Next Steps
26

Configuration Manager Management Capabilities

The following table provides details about the primary management capabilities of Configuration Manager. Each capability has its own prerequisites, and the capabilities that you want to use might influence the design and implementation of your Configuration Manager hierarchy. For example, if you want to deploy software to devices in your hierarchy, you must install the distribution point site system role.
Management capability Description More information

Application management

Provides a set of tools and resources that can help you create, manage, deploy, and monitor applications in the enterprise. For System Center 2012 R2 Configuration Manager only: Provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations. These tools include the following: Wi-Fi profiles VPN profiles Certificate profiles

Introduction to Application Management in Configuration Manager

Company resource access

Company Resource Access in Configuration Manager

Compliance settings

Provides a set of tools and resources that can help you to assess, track, and remediate the configuration compliance of client devices in the enterprise. Provides security, antimalware, and Windows Firewall management for computers in your enterprise. Provides a set of tools to help identify and monitor assets: Hardware inventory: Collects detailed information about the

Introduction to Compliance Settings in Configuration Manager

Endpoint Protection

Introduction to Endpoint Protection in Configuration Manager See the following documentation: Introduction to Hardware Inventory in Configuration
27

Inventory

Management capability

Description

More information

hardware of devices in your enterprise. Software inventory: Collects and reports information about the files that are stored on client computers in your organization. Asset Intelligence: Provides tools to collect inventory data and to monitor software license usage in your enterprise.

Manager Introduction to Software Inventory in Configuration Manager Introduction to Asset Intelligence in Configuration Manager

Operating system deployment

Provides a tool to create operating system images. You can then use these images to deploy them to computers that are managed by Configuration Manager and to unmanaged computers, by using PXE boot or bootable media such as a CD set, DVD, or USB flash drives. Integrates with Intel Active Management Technology (Intel AMT), which lets you manage desktop and laptop computers independently from the Configuration Manager client or the computer operating system. Provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise. Provides a tool to retrieve information about resources in your hierarchy and information about inventory data and

Introduction to Operating System Deployment in Configuration Manager

Out of band management

Introduction to Out of Band Management in Configuration Manager

Power management

Introduction to Power Management in Configuration Manager

Queries

Introduction to Queries in Configuration Manager

28

Management capability

Description

More information

status messages. You can then use this information for reporting or for defining collections of devices or users for software deployment and configuration settings. Remote connection profiles For System Center 2012 R2 Configuration Manager only: Provides a set of tools and resources to help you to create, deploy and monitor remote connection settings to devices in your organization. By deploying these settings, you minimize the end-user effort required to connect to their computer on the corporate network. Remote control Provides tools to remotely administer client computers from the Configuration Manager console. Provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services from the Configuration Manager console. Provides tools to monitor and collect software usage data from Configuration Manager clients. Provides a set of tools and resources that can help you manage, deploy, and monitor software updates in the enterprise. Introduction to Remote Connection Profiles in Configuration Manager

Introduction to Remote Control in Configuration Manager

Reporting

Introduction to Reporting in Configuration Manager

Software metering

Introduction to Software Metering in Configuration Manager Introduction to Software Updates in Configuration Manager

Software updates

29

For more information about how to plan and install Configuration Manager to support these management capabilities in your environment, see Introduction to Site Administration in Configuration Manager.

The Configuration Manager Console

After you install Configuration Manager, use the Configuration Manager console to configure sites and clients, and to run and monitor management tasks. This console is the main point of administration and lets you manage multiple sites. You can use the console to run secondary consoles to support specific client management tasks, such as the following: Resource Explorer, to view hardware and software inventory information. Remote control, to remotely connect to a client computer to perform troubleshooting tasks. Out of band management, to connect to the AMT management controller on Intel AMT-based computers and perform power management operations or troubleshooting tasks.

You can install the Configuration Manager console on additional server computers and workstations, and restrict access and limit what administrative users can see in the console by using Configuration Manager role-based administration. For more information, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

The Application Catalog, Software Center, and the Company Portal

The Configuration Manager Application Catalog is a website where users can browse for and request software for their Windows-based PCs. To use the Application Catalog, you must install the Application Catalog web service point and the Application Catalog website point for the site. Software Center is an application that is installed when the Configuration Manager client is installed on Windows-based computers. Users run this application to request software and manage the software that is deployed to them by using Configuration Manager. Software Center lets users do the following: Browse for and install software from the Application Catalog. View their software request history. Configure when Configuration Manager can install software on their devices. Configure access settings for remote control, if an administrative user enabled remote control.

The company portal is an app or website that provides similar functions to the Application Catalog, but for mobile devices that are enrolled by Windows Intune. For more information, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. Configuration Manager Properties (Client) When the Configuration Manager client is installed on Windows computers, Configuration Manager is installed in Control Panel. Typically, you do not have to configure this application
30

because the client configuration is performed in the Configuration Manager console. This application helps administrative users and the help desk troubleshoot problems with individual clients. For more information about client deployment, see Introduction to Client Deployment in Configuration Manager

Example Scenarios for Configuration Manager

The following example scenarios demonstrate how a company named Trey Research uses System Center 2012 Configuration Manager to empower users to be more productive, unify their compliance management for devices for a more streamlined administration experience, and simplify device management to reduce IT operating costs. In all scenarios, Adam is the main administrator for Configuration Manager. Example Scenario: Empower Users by Ensuring Access to Applications from Any Device Trey Research wants to ensure that employees have access to the applications that they require and as efficiently as possible. Adam maps these company requirements to the following scenarios:
Requirement Current client management state Future client management state

New employees can work efficiently from day one.

When employees join the company, they have to wait for applications to be installed after they first log on. When employees require additional applications, they file a ticket with the help desk, and then typically wait two days for the ticket to be processed and the applications are installed.

When employees join the company, they log on and their applications are installed and are ready to be used. When employees require additional applications, they can request them from a website and they are installed immediately if there are no licensing restrictions. If there are licensing restrictions, users must first ask for approval before they can install the application. The website shows users only the applications that they are allowed to install.

Employees can quickly and easily request additional software that they need.

Employees can use their mobile devices at work if the devices comply with security policies that are monitored and

Employees connect their mobile devices to Exchange Server for email service but there is limited reporting to

The IT organization can report mobile device security compliance with the required settings. This confirmation lets
31

Requirement

Current client management state

Future client management state

enforced. These policies include the following: Strong password Lock after period of inactivity Lost or stolen mobile devices are remotely wiped

confirm that they are in compliance with the security policies in the default Exchange ActiveSync mailbox policies. The personal use of mobile devices is at risk of being prohibited unless IT can confirm adherence to policy.

users continue to use their mobile device at work. Users can remotely wipe their mobile device if it is lost or stolen, and the help desk can wipe any users mobile device that is reported as lost or stolen. Provide mobile device enrollment in a PKI environment for additional security and control. Employees can use kiosk computers to access their applications and data.

Employees can be productive even if they are not at their desk.

When employees are not at their desk and do not have portable computers, they cannot access their applications by using the kiosk computers that are available throughout the company. Applications and software updates that are required install during the day and frequently disrupt users from working because their computers slow down or restart during the installation.

Usually, business continuity takes precedence over installing required applications and software updates.

Users can configure their working hours to prevent required software from installing while they are using their computer.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Application management Mobile device management

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam makes sure that the new users have user accounts in Active Directory and creates a new query-based collection in Configuration Manager for these users. He then defines user device affinity for these users by creating a file

Because of the user device affinity information, the applications are installed to each users primary computer or computers before the user log on. The applications are ready to use as soon as
32

Configuration steps

Outcome

that maps the user accounts to the primary computers that they will use and imports this file into Configuration Manager. The applications that the new users must have are already created in Configuration Manager. He then deploys these applications that have the purpose of Required to the collection that contains the new users. Adam installs and configures the Application Catalog site system roles so that users can browse for applications to install. He creates application deployments that have the purpose of Available, and then deploys these applications to the collection that contains the new users. For the applications that have a restricted number of licenses, Adam configures these applications to require approval. Adam creates an Exchange Server connector in Configuration Manager to manage the mobile devices that connect to the companys onpremises Exchange Server. He configures this connector with security settings that include the requirement for a strong password and lock the mobile device after a period of inactivity. Adam has Configuration Manager SP1, so for additional management for devices that run Windows Phone 8, Windows RT, and iOS, he obtains a Windows Intune subscription and then installs the Windows Intune connector site system role. This mobile device management solution gives the company greater management support for these devices. This includes making applications available for users to install on these devices, and extensive settings management. In addition, mobile device connections are secured by using PKI certificates that are automatically created and deployed by Windows Intune. After configuring the Windows Intune connector, Adam sends an

the user successfully logs on.

By configuring applications as available to these users and by using the Application Catalog, users can now browse the applications that they are allowed to install. Users can then either install the applications immediately or request approval and return to the Application Catalog to install them after the help desk has approved their request.

With these two mobile device management solutions, the IT organization can now provide reporting information about the mobile devices that are being used on the company network and their compliance with the configured security settings. Users are shown how to remotely wipe their mobile device by using the Application Catalog or the company portal if their mobile device is lost or stolen. The help desk is also instructed how to remotely wipe a mobile device for users by using the Configuration Manager console. In addition, for the mobile devices that are enrolled by Windows Intune, Adam can now deploy mobile applications for users to install, collect more inventory data from these devices, and have better management control over these devices by being able to access more settings.

33

Configuration steps

Outcome

email message to the users who own these mobile devices for them to click a link to start the enrollment process. For the mobile devices to be enrolled by Windows Intune, Adam uses compliance settings to configure security settings for these mobile devices. These settings include the requirement to configure a strong password and lock the mobile device after a period of inactivity. Trey Research has several kiosk computers that are used by employees who visit the office. The employees want their applications to be available to them wherever they log on. However, Adam does not want to locally install all the applications on each computer. To achieve this, Adam creates the required applications that have two deployment types: A full, local installation of the application that has a requirement that it can only be installed on a users primary device. A virtual version of the application that has the requirement that it must not be installed on the users primary device. Because users can control when Configuration Manager deploys software to their computers, users remain more productive during their work day. When visiting employees log on to a kiosk computer, they see the applications that they require displayed as icons on the kiosk computers desktop. When they run the application, it is streamed as a virtual application. This way, they can be as productive as if they are sitting at their desktop.

Adam lets users know that they can configure their business hours in Software Center and select options to prevent software deployment activities during this time period and when the computer is in presentation mode.

These configuration steps and outcomes let Trey Research successfully empower their employees by ensuring access to applications from any device. Example Scenario: Unify Compliance Management for Devices Trey Research wants a unified client management solution that ensures that their computers run antivirus software that is automatically kept up-to-date. That is, Windows Firewall is enabled, critical software updates are installed, specific registry keys are set, and managed mobile devices cannot install or run unsigned applications. The company also wants to extend this protection to the Internet for laptops that move from the intranet to the Internet. Adam maps these company requirements to the following scenarios:
34

Requirement

Current client management state

Future client management state

All computers run antimalware software that has up-to-date definition files and enables Windows Firewall.

Different computers run different antimalware solutions that are not always kept up-todate and although Windows Firewall is enabled by default, users sometimes disable it. Users are asked to contact the help desk if malware is detected on their computer.

All computers run the same antimalware solution that automatically downloads the latest definition update files and automatically re-enables Windows Firewall if users disable it. The help desk is automatically notified by email if malware is detected. Improve the current compliance rate within the specified month to over 95% without sending email messages or asking the help desk to manually install them.

All computers install critical software updates within the first month of release.

Although software updates are installed on computers, many computers do not automatically install critical software updates until two or three months after they are released. This leaves them vulnerable to attack during this time period. For the computers that do not install the critical software updates, the help desk first sends out email messages asking users to install the updates. For computers that remain noncompliant, engineers remotely connect to these computers and manually install the missing software updates.

Security settings for specific applications are regularly checked and remediated if it is necessary.

Computers run complex startup scripts that rely on computer group membership to reset registry values for specific applications. Because these scripts only run at startup and some computers are left on for days, the help

Registry values are checked and automatically remediated without relying on computer group membership or restarting the computer.

35

Requirement

Current client management state

Future client management state

desk cannot check for configuration drift on a timely basis. Mobile devices cannot install or run unsafe applications. Users are asked not to download and run potentially unsafe applications from the Internet but there are no controls in place to monitor or enforce this. For users who travel, they frequently cannot connect over the VPN daily and these laptops become out of compliance with security requirements. Mobile devices that are managed by the Windows Intune connector or Configuration Manager automatically prevent unsigned applications from installing or running. An Internet connection is all that is required for laptops to be kept in compliance with security requirements. Users do not have to log on or use the VPN.

Laptops that move from the intranet to the Internet must be kept secure.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Endpoint Protection Software updates Compliance settings Mobile device management Internet-based client management

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam configures Endpoint Protection and enables the client setting to uninstall other antimalware solutions and enables Windows Firewall. He configures automatic deployment rules so that computers check for and install the latest definition updates regularly. To help increase compliance rates, Adam uses automatic deployment rules, defines maintenance windows for servers, and

The single antimalware solution helps protect all computers by using minimal administrative overhead. Because the help desk is automatically notified by email message if antimalware is detected, problems can be resolved quickly. This helps prevent attacks on other computers. Compliance for critical software updates increases and reduces the requirement for users or the help desk to install software
36

Configuration steps

Outcome

investigates the advantages and disadvantages updates manually. of using Wake on LAN for computers that hibernate. Adam uses compliance settings to check for the presence of the specified applications. When the applications are detected, configuration items then check the registry values and automatically remediate them if they are out of compliance. Adam uses compliance settings for enrolled mobile devices and configures the Exchange Server connector so that unsigned applications are prohibited from installing and running on mobile devices. Adam makes sure that site system servers and computers have the PKI certificates that Configuration Manager requires for HTTPS connections, and then he installs additional site system roles in the perimeter network that accept client connections from the Internet. By using configuration items and configuration baselines that are deployed to all computers and that check for compliance every day, separate scripts that rely on computer membership and computer restarts are no longer required. By prohibiting unsigned applications, mobile devices are automatically protected from potentially harmful applications.

Computers that move from the intranet to the Internet automatically continue to be managed by Configuration Manager when they have an Internet connection. Those computers do not rely on users logging on to their computer or connecting to the VPN. These computers continue to be managed for antimalware and Windows Firewall, software updates, and configuration items. As a result, compliance levels automatically increase.

These configuration steps and outcomes result in Trey Research successfully unifying their compliance management for devices. Example Scenario: Simplify Client Management for Devices Trey Research wants all new computers to automatically install their companys base computer image that runs Windows 7. After the operating image is installed on these computers, they must be managed and monitored for additional software that users install. Computers that store highly confidential information require more restrictive management policies than the other computers. For example, help desk engineers must not connect to them remotely, BitLocker PIN entry must be used for restarts, and only local administrators can install software. Adam maps these company requirements to the following scenarios:

37

Requirement

Current client management state

Future client management state

New computers are installed with Windows 7.

The help desk installs and configures Windows 7 for users and then sends the computer to the respective location. The Configuration Manager client is deployed by using automatic client push and the help desk investigates installation failures and clients that do not send inventory data when expected. Failures are frequent because of installation dependencies that are not met and WMI corruption on the client.

New computers go straight to the final destination, are plugged into the network, and they automatically install and configure Windows 7. Client installation and inventory data that is collected from computers is more reliable and requires less intervention from the help desk. Reports show software usage for license information.

Computers must be managed and monitored. This includes hardware and software inventory to help determine licensing requirements.

Some computers must have more rigorous management policies.

Because of the more rigorous management policies, these computers are currently not managed by Configuration Manager.

Manage these computers by using Configuration Manager without additional administrative overhead to accommodate the exceptions.

To meet the requirements, Adam uses these Configuration Manager management capabilities and configuration options: Operating system deployment Client deployment and client status Compliance settings Client settings Inventory and Asset Intelligence Role-based administration

He implements these by using the configuration steps in the following table.

Configuration steps Outcome

Adam captures an operating system image from a computer that has Windows 7 installed and that is configured to the company

New computers are up and running more quickly without intervention from the help desk.

38

Configuration steps

Outcome

specifications. He then deploys the operating system to the new computers by using unknown computer support and PXE. He also installs the Configuration Manager client as part of the operating system deployment. Adam configures automatic site-wide client push installation to install the Configuration Manager client on any computers that are discovered. This ensures that any computers that were not imaged with the client still install the client so that the computer is managed by Configuration Manager. Installing the client together with the operating system is quicker and more reliable than waiting for Configuration Manager to discover the computer and then try to install the client source files on the computer. However, leaving the automatic client push option enabled provides a backup means for a computer that already has the operating system installed to Adam configures client status to automatically remediate any client issues that are discovered. install the client when the computer connects to the network. Adam also configures client settings that enable the collection of inventory data that is Client settings ensure that clients send their required, and configures Asset Intelligence. inventory information to the site regularly. This, in addition to the client status tests, help to keep the client running with minimal intervention from the help desk. For example, WMI corruptions are detected and automatically remediated. The Asset Intelligence reports help monitor software usage and licenses. Adam creates a collection for the computers that must have more rigorous policy settings and then creates a custom client device setting for this collection that includes disabling remote control, enables BitLocker PIN entry, and lets only local administrators to install software. Adam configures role-based administration so that help desk engineers do not see this collection of computers to help ensure that they are not accidentally managed as a standard computer. These computers are now managed by Configuration Manager but with specific settings that do not require a new site. The collection for these computers is not visible to the help desk engineers to help reduce the possibility that they are accidentally sent deployments and scripts for standard computers.

These configuration steps and outcomes result in Trey Research successfully simplifying client management for devices.

39

Next Steps
Before you install Configuration Manager, you can become familiar with some basic concepts and terms that are specific to Configuration Manager. If you are familiar with Configuration Manager 2007, see Whats New in System Center 2012 Configuration Manager, because there are some important changes in basic concepts and functionality from earlier versions of the software. If you are upgrading from System Center 2012 Configuration Manager with no service pack to Configuration Manager SP1, or from Configuration Manager SP1 to System Center 2012 R2 Configuration Manager, see Whats New in System Center 2012 Configuration Manager SP1 and Whats New in System Center 2012 R2 Configuration Manager for changes and updates to the later release. For a high-level technical overview of System Center 2012 Configuration Manager, see Fundamentals of Configuration Manager.

When you are familiar with the basic concepts, use the System Center 2012 Configuration Manager documentation to help you successfully deploy and use Configuration Manager. For more information about the available documentation, see Whats New in the Documentation for Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the following sections to review information about significant changes in System Center 2012 R2 Configuration Manager since System Center 2012 Configuration Manager SP1: Site Installation and the Configuration Manager Console Sites and Hierarchies Migration Client Deployment and Operations Software Deployment and Content Management Monitoring and Reporting

One of the most significant changes is support for Windows 8.1 and Windows Server 2012 R2. For more information about the supported operating system versions and editions that System Center 2012 R2 Configuration Manager supports, see Supported Configurations for Configuration Manager.

40

Site Installation and the Configuration Manager Console

The following sections contain information about Setup and site installation changes in System Center 2012 R2 Configuration Manager. Site Installation The following options in Setup for site installation are new or have changed for System Center 2012 R2 Configuration Manager: When you run Setup to install a new primary site or central administration site, you can select non-default locations for the site database files. The option to specify non-default file locations is not available when you specify a SQL Server cluster.

For more information, see the Install Sites and Create a Hierarchy for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

Sites and Hierarchies

The following sections contain information about site and hierarchy changes in System Center 2012 R2 Configuration Manager. Note The Active Directory schema extensions for System Center 2012 R2 Configuration Manager are unchanged from those used by System Center 2012 Configuration Manager SP1. If you extended the schema for Configuration Manager 2007 or the release version or service pack version of System Center 2012 Configuration Manager, you do not need to extend the schema again for System Center 2012 R2 Configuration Manager. Site System Roles The following are new for site system roles in System Center 2012 R2 Configuration Manager: There is a new site system role, the certificate registration point. This new site system role requires IIS and works in conjunction with a policy module add-on for the Network Device Enrollment Service server role for Active Directory Domain Services that runs on Windows Server 2012 R2. This solution provides certificate enrollment for devices that Configuration Manager manages. For more information, see Introduction to Certificate Profiles in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Migration
The following items are new or have changed for migration in System Center 2012 R2 Configuration Manager: Some UI labels and descriptions are updated to reflect the functionality of migrating, not upgrading, distribution points between hierarchies that run the same version of System Center 2012 R2 Configuration Manager.

41

When you use the Reassign Shared Distribution Points Wizard, you have the same options as when you deploy a new distribution point, including options make the distribution point a pull-distribution point and to add it to boundary groups in the destination hierarchy.

For more information about migration, see the Introduction to Migration in System Center 2012 Configuration Manager topic in the Migrating Hierarchies in System Center 2012 Configuration Manager guide.

Client Deployment and Operations

The following sections contain information about client deployment and client operations changes in System Center 2012 R2 Configuration Manager. Client Deployment The following items are new or have changed for client deployment in System Center 2012 R2 Configuration Manager: You can now install the client certificate and enroll Mac computers by using the new enrollment wizard for the Mac client as an alternative to using the CMEnroll tool commandline tool. You can now use the renew certificate wizard to renew the Mac client certificate. You can now select Resultant Client Settings from the Configuration Manager console to view the effective client settings that will be applied to the selected device. The resultant client setting accounts for the prioritization or combination of attributes where multiple client settings have been deployed to the same device. Configuration Manager now supports the Unified Write Filter available in certain Windows Embedded operating systems. If you use wake-up proxy, you no longer have to manually configure Windows Firewall on clients to allow TCP/IP ping commands when you specify the Power Management client setting, Firewall exception for wake-up proxy. A new property has been added for Ccmsetup.exe, /ExcludeFeatures:<feature>. This property prevents the specified feature from installing the client installation. For this release, the only supported feature is ClientUI, which prevents the Software Center from installing on the client. For more information, see CCMSetup.exe Command-Line Properties.

For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Client Assignment The following items are new or have changed for client assignment in System Center 2012 R2 Configuration Manager: You can now reassign Configuration Manager clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multiselected and reassigned in bulk to a new site.

For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
42

Mobile Devices The following items are new for mobile device management in System Center 2012 R2 Configuration Manager: Users can enroll Android devices by using the company portal app which will be available on Google Play. The company portal app is supported on Android devices as of Android 4.0. When users download the company portal app the installation includes the management agent. The management agent gives you the following management capabilities. You can manage compliance settings which include password, camera, and encryption settings. When you deploy apps to Android devices, you now have the option to install the apps directly to the device. Users are prompted to take required actions, such as app installations or updating device passcodes by using Android notifications.

Users can enroll iOS devices by using the iOS company portal app which will be available in the App store. The company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions: Change or reset passwords. Download and install company apps. Enroll, unenroll, or wipe company content from their devices.

Devices that run Windows RT, iOS and Android now support a deployment purpose of Required. This allows you to deploy apps to devices according to a configured schedule. Wipe and retire functions now include the option to only remove company content from devices, see the table in Device Life-cycle Management for information about what company content is removed. You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on on all mobile devices. You can configure devices as personal-owned or company-owned by using the Change ownership action. Change ownership is only available for devices that are not domain-joined and do not have the Configuration Manager client installed.All mobile devices will report software inventory on company content when they are personal-owned or company-owned. iOS and Android will report a full software inventory on the device if they are set as Company-owned. You can use Windows Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed. Extensions for Windows Intune allow you to integrate new mobile device management capabilities into the Configuration Manager console. For example, email profiles allow you to provision devices with settings to connect to corporate email. For more information about extensions for Windows Intune, see Planning to Use Extensions in Configuration Manager.

For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide.

43

Collections The following items are new or have changed for collections in System Center 2012 R2 Configuration Manager: A new management option allows you to configure maintenance windows to apply to task sequences only, software updates only, or to all deployments.

For more information, see How to Create Collections in Configuration Manager. Compliance Settings The following items are new or have changed for compliance settings in System Center 2012 R2 Configuration Manager: New mobile device settings and mobile device setting groups have been added. These can be found on the Mobile Device Settings page of the Create Configuration Item Wizard. New iOS 7 settings have been added as part of an extension. For more information, see Compliance Settings for Mobile Devices in Configuration Manager.

For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Remote Connection Profiles Remote connection profiles are new in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of remote connection profiles that allow users to remotely connect to work computers from the company portal, when they are not connected to the domain or if they are connected over the Internet.

For more information, see the Introduction to Remote Connection Profiles in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Certificate Profiles Certificate profiles are new in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of user and device certificates for managed devices by using the Simple Certificate Enrollment Protocol (SCEP). These certificates can be used to support Wi-Fi and VPN connections. Supported devices include those that run iOS, Windows 8.1 and Windows RT 8.1, and Android. Deployment of root certification authority (CA) certificates and intermediate CA certificates, so that devices can create a chain of trust when they use server authentication for network connections. A certificate registration point must be deployed in the central administration site or a primary site and the Configuration Manager Policy Module must be installed on a server that is running Windows Server 2012 R2 with Active Directory Certificate Services and the Network Device Enrollment Service role. This server must be accessible from the Internet and communicate with an enterprise CA to issue the certificates. For more information about the
44

changes in the Network Device Enrollment Service to support this scenario, see What's New in Certificate Services in Windows Server 2012 R2. For more information, see the Introduction to Certificate Profiles in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. VPN Profiles VPN profiles are new in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of VPN profiles that provision devices with the settings and certificates that they need to access corporate networks. Supported devices include those that run iOS, Windows 8.1, Windows RT and Windows RT 8.1.

For more information, see the Introduction to VPN Profiles in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Wi-Fi Profiles Wi-Fi profiles are new in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of Wi-Fi profiles that provision devices with the settings and certificates that they need to access corporate Wi-Fi hotspots. Supported devices include those that run iOS, Windows 8.1, and Windows RT 8.1, and Android.

For more information, see the Introduction to Wi-Fi Profiles in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Email Profiles Email profiles are a new extension for Windows Intune in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations Deployment of email profiles that provision devices with email profiles and restrictions by using Exchange ActiveSync. Supported devices include those that run iOS, and Windows Phone 8.

For more information, see the Introduction to Email Profiles in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes for software updates, software distribution, operating system deployment and task sequences in System Center 2012 R2 Configuration Manager. Software Updates The following items are new or have changed for software updates in System Center 2012 R2 Configuration Manager:
45

New maintenance window dedicated for software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates. When a general maintenance window and software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. You can now change the deployment package for an existing automatic deployment rule. New software updates are added to the specified deployment package every time an automatic deployment rule is run. Deployment packages can become very large over time and might impact replication scenarios, particularly when a new distribution point is added to your hierarchy or when a distribution point is added to a distribution point group. You can now change the deployment package periodically to keep the size of the deployment package from getting too large. For more information about automatic deployment rules, see the Automatic Deployment of Software Updates section in this topic. You can now preview software updates that meet the property filters and search criteria that you define in an automatic deployment rule. Software updates preview lets you review the software updates before you create the deployment. The Preview button is located on the Software Updates page in the Automatic Deployment Wizard and on the Software Updates tab in the properties for the automatic deployment rule.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Application Management The following items are new or have changed for application management in System Center 2012 R2 Configuration Manager: Web applications in System Center 2012 R2 Configuration Manager are a new deployment type that allows you to deploy a shortcut to a web-based app on users devices. Windows 8.1 introduces the app bundle (or .appxbundle package) to help optimize the packaging and distribution of Windows Store apps and resource packages. Configuration Manager extends the existing Windows app package deployment type to recognize .appxbundle package files. The create application wizard includes a new option that allows you to configure featured applications. These applications are displayed prominently in the company portal. You can specify a privacy link for each application that users can review before they install the application. You can configure an application to automatically open a VPN connection if a VPN profile has been configured. For more information, see VPN Profiles in Configuration Manager.

For more information, see How to Create Applications in Configuration Manager and How to Create Deployment Types in Configuration Manager. Operating System Deployment The following items are new or have changed for operation system deployment in System Center 2012 R2 Configuration Manager:
46

Support for Windows Server 2012 R2 and Windows 8.1. For more information about supported operating system versions, see Prerequisites For Deploying Operating Systems in Configuration Manager. Support for boot images created by using the Windows Automated Installation Kit (Windows AIK) for Windows 7 SP1 and based on Windows PE 3.1. For more information about customizing and adding boot images to Configuration Manager, see How to Customize WinPE Boot Images to Use in Configuration Manager. Added support for PXE boot of IA32 UEFI computers. For more information about operating system requirement for a PXE-enabled distribution point, see the Operating System Requirements for Typical Site System Roles section of the Supported Configurations for Configuration Manager topic. Ability to create prestaged content files for task sequence content. The Create Prestaged Content action creates a compressed, prestaged content file that contains the files and associated metadata for the content in the task sequence. By default, Configuration Manager detects and adds the dependencies associated with the task sequence to the prestaged content file. You can then manually import the content at a site server, secondary site, or distribution point. For more information about prestaged content, see the Determine Whether To Prestage Content section in the Planning for Content Management in Configuration Manager topic. Added virtual hard disk management from the Configuration Manager console. You can create and modify virtual hard disks, and upload them to Virtual Machine Manager. New task sequence steps: Run PowerShell Script: This task sequence step runs the specified Windows PowerShell script on the target computer. Check Readiness: This task sequence step verifies that the target computer meets the specified deployment prerequisite conditions. Set Dynamic Variables: This task sequence step gathers information and sets specific task sequence variables with the information. Then, it evaluates defined rules and sets task sequence variables based on the variables and values configured for rules that evaluate to true. Note For more information about task sequence steps, see Task Sequence Steps in Configuration Manager.

New task sequence built-in variables: SMSTSDownloadRetryCount: Use this variable to specify the number of times that Configuration Manager attempts to download content from a distribution point. SMSTSDownloadRetryDelay: Use this variable to specify the number of seconds that Configuration Manager waits before it retries to download content from a distribution point. TSErrorOnWarning: Use this variable to specify whether the task sequence engine treats the requirements not met warning from an application as a fatal error. You can set this variable to True or False. False is the default behavior.
47

SMSTSMPListRequestTimeout: Use this variable to specify how much time a task sequence waits before it retries to install an application after it fails to retrieve the management point list from location services. By default, the task sequence waits one minute before it retries the step. This variable is applicable only to the Install Application task sequence step. _TSAppInstallStatus: The task sequence sets the _TSAppInstallStatus variable with the installation status for the application during the Install Application task sequence step. The task sequence sets the variable with one of the following values: Undefined: Set when the Install Application task sequence step has not been run. Error: Set when at least one application failed because of an error during the Install Application task sequence step. Warning: Set when no errors occur during the Install Application task sequence step, but one or more applications, or a required dependency, did not install because a requirement was not met. Success: Set when there are no errors or warning detected during the Install Application task sequence step. Note For more information about built-in task sequence variables, see Task Sequence Built-in Variables in Configuration Manager.

For more information, see the Introduction to Operating System Deployment in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Content Management The following items are new or have changed for content management in System Center 2012 R2 Configuration Manager: The following changes are introduced for pull-distribution points: Pull-distribution points support the prioritization of their source distribution points. A priority can be assigned to one or more source distribution points, and the pull-distribution point attempts to locate content from a distribution point assigned to the lowest numbered priority before attempting to contact a distribution point associated with the next higher numbered priority. Pull-distribution points push status for completed actions to the site server. This replaces the requirement to have Distribution Manager (distmgr) on the site server poll each pulldistribution point periodically to obtain this status, and helps to reduce the overall processing load for distmgr on the site server.

For more information see the Planning for Pull-Distribution Points section in the Planning for Content Management in Configuration Manager topic. From the Distribution Status node in the Monitoring workspace of the Configuration Manager console, you can cancel distributions that are in progress to a distribution point, and redistribute distributions that have failed.

48

For more information see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic. You can use the new built-in report named Distribution point usage summary to view details about how individual distribution points are utilized, including how many unique clients access the distribution point, and how much data transfers from the distribution point. You can configure multiple Network Access Accounts at each site. For more information, see Configuring Site Components in Configuration Manager. Clients that use Windows BranchCache to download content and that have a download interrupted now resume the download where it left off, without having to restart the download from the beginning. The following additional optimizations are introduced to improve performance during deployment of content: Each time Configuration Manager transfers content to a distribution point, it calculates the speed of the transfer. During subsequent content deployment, this information is used to prioritize which distribution points receive content first. This is done to maximize the number of distribution points that receive content in the shortest period of time. For more information see the Plan for Distribution Point Priority section in the Planning for Content Management in Configuration Manager topic. To improve concurrent distributions, when Configuration Manager validates content on distribution points, it validates up to 50 files during each WMI call to a distribution point. Prior to this version, Configuration Manager used a single WMI call to a distribution point to validate each individual file.

For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Monitoring and Reporting

The following sections contain information about changes for monitoring and reporting in System Center 2012 R2 Configuration Manager. Reporting The following items are new or have changed for reporting in System Center 2012 R2 Configuration Manager: Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. For more information, see the Planning for Role-Based Administration for Reports section in the Planning for Reporting in Configuration Manager topic.

For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

49

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in System Center 2012 Configuration Manager SP1

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1. Use the following sections to review information about significant changes in System Center 2012 Configuration Manager SP1 since System Center 2012 Configuration Manager: Setup and Site Installation Sites and Hierarchies Migration Client Deployment and Operations Software Deployment and Content Management Monitoring and Reporting

One of the most significant changes is support for Windows 8 for Configuration Manager clients. Configuration Manager SP1 supports Windows 8 in the following ways: You can install the Configuration Manager client on Windows 8 computers and deploy Windows 8 to new computers or to upgrade previous client operating versions. Configuration Manager also supports Windows To Go. You can configure user data and profiles configuration items for folder redirection, offline files, and roaming profiles. You can configure new deployment types for Windows 8 applications, which support standalone applications (.appx files) and links to the Windows Store. Configuration Manager supports Windows 8 features, such as metered Internet connections and Always On Always Connected. Support for Windows Server 2012 on site systems and clients, and support for SQL Server 2012 for the Configuration Manager database. Support for clients on Mac computers, and on Linux and UNIX servers. Support for user-owned mobile devices that run Windows Phone 8, Windows RT, iOS, and Android when you have a Windows Intune organizational account. Windows PowerShell cmdlets are available to automate Configuration Manager operations by using Windows PowerShell scripts. Support for cloud services, such as a new distribution point for Windows Azure. More flexible hierarchy management, along with support to expand a stand-alone primary site into a hierarchy that includes a new central administration site, and the migration of a Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy. Support for multiple software update points for a site to provide automatic redundancy for clients without requiring you to configure a network load balancing cluster.
50

Other significant changes include the following:

Client notification to start some client operations from the Configuration Manager console. These include downloading computer policy and initiating a malware scan to be performed as soon as possible, instead of during the normal client policy polling interval. Support for virtual environments that allow multiple virtual applications to share file system and registry information instead of running in an isolated space. Email alert subscriptions are now supported for all features, not just Endpoint Protection.

For more information about the supported operating system versions and editions that Configuration Manager SP1 supports, see Supported Configurations for Configuration Manager. You can read more detailed information about these changes in the following sections.

Setup and Site Installation

The following sections contain information about setup and site installation changes in Configuration Manager SP1. Site Installation The following options in Setup for site installation are new or have changed for Configuration Manager SP1: With System Center 2012 Configuration Manager SP1 there is a new option when you install a central administration site. You have the option to install the central administration site as the first site of a new hierarchy, or install the central administration site to expand a standalone primary site into a hierarchy with the new central administration site.

For more information, see the Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site topic in the Site Administration for System Center 2012 Configuration Manager guide. Upgrade Support You can upgrade from System Center 2012 Configuration Manager to System Center 2012 Configuration Manager SP1. For more information, see Planning to Upgrade System Center 2012 Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. Windows PowerShell After you have installed Configuration Manager SP1, you can automate console operations by using Windows PowerShell cmdlets. For example, you can create user and device collections, configure client settings, and create email subscriptions for alerts. Configuration Manager SP1 requires Windows PowerShell 3.0. To open a Windows PowerShell session, click the Application menu, and then select Connect via Windows PowerShell. To discover which cmdlets are available, type the following command at the Windows PowerShell prompt. get-command -module ConfigurationManager Tip
51

All Configuration Manager cmdlets include the CM prefix in their name. For more information about Configuration Manager cmdlets, see Cmdlets in Configuration Manager SP1.

Sites and Hierarchies

The following sections contain information about site and hierarchy changes in Configuration Manager SP1. Note The Active Directory schema extensions for System Center 2012 Configuration Manager SP1 are unchanged from those used by System Center 2012 Configuration Manager. If you extended the schema for Configuration Manager 2007 or for System Center 2012 Configuration Manager, you do not have to extend the schema again for System Center 2012 Configuration Manager SP1. Site to Site Communication The following items are new or have changed for site communication for Configuration Manager SP1: File replication routes replace addresses for file-based replication between sites. This is only a change in the name for file-based replication and brings consistency with database replication. There is no change in functionality. Configure database replication links between site databases to control and monitor the network traffic for database replication: Use distributed views to prevent the replication of selected site data from a primary site to the central administration site. The central administration site then accesses this data directly from the primary site database. Schedule the transfer of selected site data across database replication links. Control the frequency that replication traffic is summarized for reports. Define custom thresholds that raise alerts for replication problems. Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before a replication failure triggers a site to reinitialize its local copy of global data. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

Configure replication controls for the SQL Server database at a site:

For more information about file replication, see the File-Based Replication section in the Planning for Communications in Configuration Manager topic. For more information about database replication links, see the Database Replication Links section in the Planning for Communications in Configuration Manager topic.

52

For more information about replication controls for the SQL Server database, see the Site Database Replication Controls section in the Planning for Communications in Configuration Manager topic. Backup and Recovery The following item is new in backup and recovery in Configuration Manager SP1: You can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. During the recovery, the secondary site files are installed on the destination computer and then the secondary site data is reinitialized with data from the primary site. The secondary site that you recover must have the same FQDN, meet all secondary site prerequisites, and you must configure appropriate security rights for the secondary site. For more information about secondary site security requirements, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about how to recover secondary sites, see the Recover a Secondary Site section in the Backup and Recovery in Configuration Manager topic. Site System Roles The following are new for site system roles in Configuration Manager SP1: Configuration Manager primary sites now support distribution points that run as a cloud service in Windows Azure. Clients can use the cloud-based distribution point as standard content location or as a fallback location, after the client receives client settings that enable the use of cloud-based distribution points. For more information, see the Planning for Cloud Services in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. You can configure a proxy server on each site system server for use by all site system roles installed on that computer. This is not a new site system role, but a configuration for site system server computers. For more information, see the Planning for Proxy Servers Configurations for Site System Roles section in the Planning for Site Systems in Configuration Manager topic.

Migration
The following items are new for migration in Configuration Manager SP1: Beginning with System Center 2012 Configuration Manager SP1, you can merge data from other hierarchies that run the same version of Configuration Manager as your hierarchy. This includes migrating data from a test environment into your production environment. Some UI labels and descriptions are updated to reflect the change in functionality that lets you migrate data between two System Center 2012 Configuration Manager hierarchies.

For more information about migration, see the Introduction to Migration in System Center 2012 Configuration Manager topic in the Migrating Hierarchies in System Center 2012 Configuration Manager guide.
53

Client Deployment and Operations

The following sections contain information about client deployment and client operations changes in Configuration Manager SP1. Client Deployment The following items are new or have changed for client deployment in Configuration Manager SP1: Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the version of their assigned System Center 2012 Configuration Manager site. For more information see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. You can now specify the following CCMSetup.exe properties as installation options when you use client push: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Configuration Manager SP1 clients now use Microsoft Silverlight 5 for the Application Catalog. Configuration Manager automatically installs this version of Silverlight on clients if it is not already installed, and by default, configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. For more information, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic. There is a new value that is now the default for the Computer Agent client setting, PowerShell execution policy: All Signed. This new value restricts the Configuration Manager client to running Windows PowerShell scripts only if they are signed by a trusted publisher, regardless of the current Windows PowerShell configuration on the client computer. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. Client notification in Configuration Manager enables some client operations to be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can initiate some actions for Endpoint Protection, such as a malware scan of a client.

54

By default, client notification communication uses TCP port 10123, which is configurable as a site property for a primary site. You might have to configure Windows Firewall on the management point, clients, and any intervening firewalls for this new port communication. However, client notification can fall back to using the established client-to-management point communication of HTTP or HTTPS. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. Note Client notification does not support role-based administration. All users of the Configuration Manager console can see notifications in the Client Operations node in the Monitoring workspace. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager and How to Manage Clients in Configuration Manager. You can install the Configuration Manager client on computers that run Mac OS X. You can then manage this client by using compliance settings, deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Mac Computers in Configuration Manager. You can install the Configuration Manager client on servers that run a supported version of Linux or UNIX. You can then manage this client by using deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Mobile Devices The following items are new or have changed for mobile devices in Configuration Manager SP1: The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices but Enrollment. This change and associated changes, such as the change from the client setting of Mobile device enrollment profile to Enrollment profile, reflects that the enrollment functionality is now extended to Mac computers. Important The client certificates for mobile devices and Mac computers have different requirements. Therefore, if you configure client settings enrollment for mobile devices and Mac computers, do not configure the certificate templates to use the same user accounts. Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group. This change lets you configure different client policy intervals for mobile devices that are enrolled by Configuration Manager, by using custom device client settings. You cannot create custom device client settings for Enrollment.

55

You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Windows Intune connector. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. Users who have mobile devices that are enrolled by Windows Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices. The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Windows Intune.

Client Management The following items are new or have changed for client management in Configuration Manager SP1: The Configuration Manager SP1 client supports Windows 8 Always On Always Connected. The Configuration Manager client can now detect power states for devices that support Always On Always Connected and therefore, these clients might delay client actions. This automatic adjustment helps to maximize performance and preserve battery life for the device. The Configuration Manager client can detect the following states on an Always On Always Connected device. Whether networking is turned on or off Whether the device is running on battery power or plugged in The battery power remaining Whether the device is in idle mode Whether the device is in its Windows Automatic Maintenance window Whether the device is using a metered Internet connection Note These changes can also improve performance of the Configuration Manager client on computers that do not support Always On Always Connected. Configuration Manager supports Always On Always Connected devices that run Windows 8 versions on x86 and x64 platforms. Configuration Manager does not support Always On Always Connected for Windows 8 RT devices. Client notification in Configuration Manager lets some client operations be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can start some actions for Endpoint Protection, such as a malware scan of a client. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. For more information, see How to Manage Clients in Configuration Manager. You can manage how Windows 8 client computers transfer data over metered Internet connections by using the Metered Internet Connections client setting Specify how clients communicate on metered network connections and the software deployment setting Allow clients to use a metered Internet connection to download content after the
56

installation deadline in a required software deployment. For more information, see the Metered Internet Connections section in the About Client Settings in Configuration Manager topic. When Configuration Manager SP1 clients run Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012, you can supplement the Wake on LAN site setting for unicast packets by using the wake-up proxy client settings. This combination helps to wake up computers on subnets without the requirement to reconfigure network switches. For more information about wake-up proxy, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic.

For more information, see the Introduction to Client Deployment in Configuration Manager and How to Manage Clients in Configuration Manager topics in the Deploying Clients for System Center 2012 Configuration Manager guide. Collections The following items are new or have changed for collections in Configuration Manager SP1: The built-in collections are now read-only and cannot be modified. For more information, see the Introduction to Collections in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Compliance Settings The following items are new or have changed for compliance settings in Configuration Manager SP1: You can now configure user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy these settings to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. For more information, see How to Create User Data and Profiles Configuration Items in Configuration Manager. The new Mac OS X configuration item enables you to evaluate and remediate property list (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings. For more information, see How to Create Mac Computer Configuration Items in Configuration Manager. For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Endpoint Protection The following items are new or have changed for Endpoint Protection in Configuration Manager SP1: You can now enable an Endpoint Protection client setting that commits the installation of the Endpoint Protection client on Windows Embedded devices that are write filter enabled. For

57

more information about this client setting, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. Additionally, definition updates that are deployed by software updates can be configured to write to the overlay on Windows Embedded devices, so that these updates are installed immediately and without a restart. For more information, see the Support for Windows Embedded Devices That Use Write Filters section in the Introduction to Software Updates in Configuration Manager topic. You can now configure the Endpoint Protection client to install only during configured maintenance windows. The maintenance window must be at least 30 minutes long to allow installation to occur. Endpoint Protection in Configuration Manager now uses client notification to start the following actions as soon as possible, instead of during the normal client policy polling interval: Force antimalware definition updates Run quick scans Run full scans Allow threats Exclude folders and files Restore quarantined files

Improvements to software updates to allow more frequent distribution of Endpoint Protection definition updates. Multiple antimalware policies that are deployed to the same client computer are merged on the client. When two settings are in conflict, the highest priority option is used. Some settings are also merged, such as exclusion lists from separate antimalware policies. Client-side merge also honors the priority that you configured for each antimalware policy. A software update deployment template named Definition Updates is included in the Deploy Software Updates Wizard and Automatic Deployment Rule Wizard. This template includes typical settings to use when you deploy definition software updates for Endpoint Protection.

For more information, see the Introduction to Endpoint Protection in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Asset Intelligence The following items are new for Asset Intelligence in Configuration Manager SP1: Asset Intelligence supports the 7 mandatory software identification tags that are defined in ISO/IEC 19770-2. The ISO/IEC 19770-2 standard specifies the structure and basic usage of software identification. Software identification tags provide authoritative information that is used to identify installed software. If software contains software identification tag information that is compliant with ISO/IEC 19770-2, then Asset Intelligence collects the software identification tags from the software. Note

58

You must enable the SMS_SoftwareTag Asset Intelligence hardware inventory reporting class before Configuration Manager will collect the software identification tags. Asset Intelligence provides the three new reports that provide information about software with the software identification tags. The report titles start with Software 14A, Software 14B, and Software 14C. Asset Intelligence collects information about Application Virtualization 5 applications and continues to collect information about Application Virtualization 4.

For more information about Asset Intelligence, see the Introduction to Asset Intelligence in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes for software updates, software distribution, operating system deployment and task sequences in Configuration Manager SP1. Software Updates The following items are new or have changed for software updates in Configuration Manager SP1: Software update points are redesigned in Configuration Manager SP1. You can install multiple software update point site systems at a site. You can configure a software update point to be in the same forest as the site server or in a different forest, and whether to accept communication from clients on the Internet, intranet, or both. This behavior provides a level of fault tolerance without requiring a network load balancing (NLB) cluster. You cannot install more than one software update point in a secondary site. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic. Note The active software update point concept is deprecated in Configuration Manager SP1. You no longer have the option to configure a software update point as an NLB in the Configuration Manager console. Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet. For more information about a software update point configured to use an NLB, see Software Update Point Configured to Use an NLB section in the Planning for Software Updates in Configuration Manager topic. For more information about the Set-CMSoftwareUpdatePoint PowerShell cmdlet, see the Set-CMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide. At the top-level Configuration Manager site, you can now specify an existing WSUS server as the upstream synchronization source location. During synchronization, the site connects to this location to synchronize software updates. For example, if you have an existing WSUS
59

server that is not part of the Configuration Manager hierarchy, you can specify the existing WSUS server to synchronize software updates. You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. In the software update point properties, you can provide credentials for the site server to use to connect to the WSUS server. You can specify this account to connect to a software update point in a different forest, for example. You can run an automatic deployment rule up to 3 times per day to align with the Microsoft System Center Endpoint Protection definition updates publishing frequency. You can select multiple software updates to install as a group from Software Center. You can control the behavior of the write filter on Windows Embedded devices when you deploy software updates by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts). For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Application Management The following items are new or have changed for application management in Configuration Manager SP1: App-V virtual environments in Configuration Manager enable virtual applications to share the same file system and registry on client computers. This allows applications that are in the same virtual environment to share data with one other. For more information, see How to Create App-V Virtual Environments in Configuration Manager. You can configure new deployment types for Windows 8 applications that support standalone applications (.appx files) and links to the Windows Store. Configuration Manager includes a new deployment type that you can use to deploy virtual applications that you have created by using Microsoft Application Virtualization 5.0. Configuration Manager includes a new deployment type that you can use to deploy applications to Mac computers that run the Configuration Manager client. Configuration Manager includes new deployment types for the following mobile devices when you use the Windows Intune connector: Windows Phone 8, Windows RT, iOS, and Android. Users download these apps from the new self-service portal for mobile devices, the company

60

portal. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. You can control the behavior of the write filter on Windows Embedded devices when you deploy applications, and packages and programs, by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts) . For Windows Embedded devices that have the write filter enabled: Software deployments that have a purpose of Available are not supported. If you target a software deployment to these devices, users can see the deployment in Software Center but if they try to install it from there, they see an error message that they do not have permissions. Users on these devices cannot configure their business hours in Software Center. Users on these devices do not see user notifications to let them postpone a software deployment to nonbusiness hours.

Users can no longer install applications from the Application Catalog if the Client Policy client setting Enable user policy on clients is set to No. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and for required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

For more information, see the Introduction to Application Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Operating System Deployment The following items are new or have changed for operating system deployment in Configuration Manager SP1: Changes to Configuration Manager Setup: Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK) to deploy an operating system. Before you run Setup, you must download and install Windows ADK on the site server and the provider computer. The User State Migration Tool (USMT) for Windows 8 is installed as part of the Windows ADK. At the top-level site, Setup automatically creates the package for this new version of USMT at the site. Setup automatically updates default boot images at the site. You must manually update any custom boot images. The default task sequences were changed to optimize the deployment of operating systems starting with Windows 7. Support for computers that are in Unified Extensible Firmware Interface (UEFI) mode. The task sequence sets the SMSTSBootUEFI built-in task sequence variable when it detects a computer that is in UEFI mode.
61

Changes to task sequence:

The default task sequence automatically partitions the computer based on whether it was booted in UEFI mode or BIOS mode (conditioned based on the value of the _SMSTSBootUEFI variable). The build and capture task sequence was updated to apply an operating system image instead of running Setup.exe for installation. You can still run Setup.exe for Windows 8 deployments by editing the task sequence in the task sequence editor. Support for operating system deployments to devices with limited available disk space, such as embedded devices. You can configure the Apply Operating System Image step to install the image directly from a distribution point even if the task sequence deployment is configured to download content to the task sequence cache first. You can control the behavior of write filters on Windows Embedded devices when you deploy task sequences. Note For information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Changes to how you create pre-staged media: You can specify applications, packages, and driver packages to deploy with the operating system. When you deploy the task sequence by using pre-staged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or was revised, the content is downloaded from the distribution point. Note For information about how to create pre-staged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Changes to BitLocker support: Use the Pre-provision BitLocker task sequence step to encrypt the disk drive from Windows PE and only encrypt the space that is used by data. The result is much faster encryption times. For more information, see the Pre-provision BitLocker section in the Task Sequence Steps in Configuration Manager topic. TPM and PIN is now available as one of the key management options for the current operating system drive in the Enable BitLocker task sequence step. For more information, see the Enable BitLocker section in the Task Sequence Steps in Configuration Manager topic.

You can configure the Windows PE scratch space in the boot image properties. For more information, see the How to Modify a Boot Image section in the How to Manage Boot Images in Configuration Manager topic. Added language neutral boot images: You can use the SMSTSLanguageFolder built-in variable to change the language for information displayed by Windows PE. Languages are auto-detected and used when boot images are started from Software Center.
62

Note For information about boot image deployments, see Planning for Boot Image Deployments in Configuration Manager. Added the following task sequence built-in variables: SMSTSPersistContent: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction: Use this variable to run a command after the task sequence is completed. SMSTSLanguageFolder: Use this variable to change the display language of a language neutral boot image. OSDPreserveDriveLetter: This variable determines whether or not the task sequence uses the drive letter on the operating system image WIM file. In Configuration Manager with no service pack, the drive letter on the WIM file was used when it applied the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the location that you specify for the Destination setting in the Apply Operating System task sequence step. For more information about the Apply Operating System task sequence step, see the Apply Operating System Image section in the Task Sequence Steps in Configuration Manager topic. SMSTSDownloadProgram: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download. SMSTSAssignmentsDownloadInterval: Use this variable to specify the number of seconds to wait before the client tries to download the task sequence policy since the last attempt that returned no policies. You can set this variable by using a prestart command from media or PXE. SMSTSAssignmentsDownloadRetry: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE. _SMSTSBootUEFI: The task sequence sets the _SMSTSBootUEFI variable when it detects a computer that boots in UEFI mode. _SMSTSWTG: Specifies if the computer is running as a Windows To Go device. Note For more information about built-in task sequence variables, see the Task Sequence Built-in Variables in Configuration Manager topic. Changes to software update installation for offline operating system images: Ability to continue to update an image even when one or more software updates cannot be installed. Software updates are copied from the content library on the site server instead of the package source.
63

Ability to provision Windows To Go in Configuration Manager. Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive the same as you pre-stage media in Configuration Manager. For more information about how to provision Windows To Go, see How to Provision Windows To Go in Configuration Manager. New site maintenance task (Delete Aged Unknown Computers) to delete information about unknown computers from the site database when it has not been updated for a specified time. For more information about site maintenance tasks, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic. Better monitoring and status for task sequence content and task sequence deployments. New deployment setting lets you deploy task sequences that are available only in Windows PE. You can manage Windows PE optional components from the Optional Components tab in the properties for boot images. You can export and import driver packages from the Driver Packages node in the Software Library workspace.

Content Management The following items are new or have changed for content management in Configuration Manager SP1: You can configure the drive location for the content library in the Create Site System Server Wizard and Add Site System Roles Wizard when you create the distribution point site role. You can configure some distribution points as pull-distribution points. When you distribute content to a pull-distribution point, the Configuration Manager site server does not transfer the content that you distribute to the distribution point computer. Instead, Configuration Manager notifies the pull-distribution point which then transfers the content from a source distribution point that you specify.

For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Monitoring and Reporting

The following sections contain information about monitoring and reporting changes in Configuration Manager SP1. Reporting The following items are new or have changed for reporting in Configuration Manager SP1: Configuration Manager SP1 supports Microsoft SQL Server 2012 Reporting Services. When Microsoft SQL Server 2012 or SQL Server 2008 R2 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 3.0 when you create or modify reports. When Microsoft SQL Server 2008 runs on the Reporting Services point,

64

Configuration Manager opens Reporting Services Report Builder 2.0 when you create or modify reports. The Monitoring workspace now displays links to SQL Server Reporting Services Report Manage from the Reporting node.

For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Alerts The following items are new or have changed for alerts in Configuration Manager SP1: You can create email subscriptions to all alerts that are generated by Configuration Manager. For more information, see the Configuring Alerts in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in System Center 2012 Configuration Manager

Use the following sections to review information about significant changes in System Center 2012 Configuration Manager since Configuration Manager 2007: Site Installation and the Configuration Manager Console Sites and Hierarchies Client Deployment and Operations Software Deployment and Content Management Monitoring and Reporting Wake on LAN Windows Embedded devices

In addition, the following features either have not changed or have minor changes:

Site Installation and the Configuration Manager Console

The following sections contain information about changes in Configuration Manager since Configuration Manager 2007 that relate to how you install System Center 2012 Configuration Manager and changes to the Configuration Manager console. Site Installation The following options in Setup for site installation are new or have changed since Configuration Manager 2007. Central Administration Site The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager the central site is replaced by the central administration site. The central administration site is not a primary site at the top
65

of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data. Installation of Site System Roles The following site roles can be installed and configured during Setup: Management point Distribution point

The site system roles are installed locally on the site server. After installation, you can add a distribution point on another server. The management point for the secondary site is a supported role only on the site server. No Secondary Site Installation Option Secondary sites can only be installed from the System Center 2012 Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in the topic. Optional Configuration Manager Console Installation You can choose to install the Configuration Manager console during Setup or install the console after Setup by using the Configuration Manager console Windows Installer package (consolesetup.exe). Server and client language selections You are no longer required to install your site servers by using source files for a specific language or install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported in your Configuration Manager hierarchy. Configuration Manager uses the display language of the server or client computer when you have configured support for the language. English is the default language used when Configuration Manager does not support the display language of the server or client computer. Warning You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only. Unattended installation script is automatically created Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you choose in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. Database Replication When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes made to a sites database with the information stored in the database at other s ites in the hierarchy. This enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is
66

enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site. Setup Downloader Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files required by Setup. You can run Setup Downloader or Setup can run it during site installation. You can see the progress of files being downloaded and verified, and only the required files are downloaded (missing files and files that have been updated). For more information about Setup Downloader, see the Setup Downloader section in this topic. Prerequisite Checker The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, the Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually or Setup runs it automatically as part of site installation. For more information about the Prerequisite Checker, see the Prerequisite Checker section in this topic. The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace. For more information, see the Install Sites and Create a Hierarchy for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. The Configuration Manager Console There is a new console for System Center 2012 Configuration Manager, which provides the following benefits: Logical grouping of operations into the following workspaces: Assets and Compliance, Software Library, Monitoring, and Administration. To change the default order of the workspaces and which ones are displayed, click the down arrow on the navigation pane above the status bar, and then select one of the options: Show More Buttons, Show Fewer Buttons, or Navigation Pane Options. A ribbon to help you more efficiently use the console. An administrative user sees only the objects that she is allowed to see, as defined by rolebased administration. Search capabilities throughout the console, to help you find your data more quickly. Browse and verify capability for many accounts that you configure in the console, which helps to eliminate misconfiguration and can be useful for troubleshooting scenarios. For example, this design applies to the Client Push Installation Account and the Network Access Account. Use of temporary nodes in the navigation pane that are automatically created and selected as a result of actions that you take and that do not display after you close the console. Examples of temporary nodes include the following: In the Assets and Compliance workspace, click the Device Collections node, and then select the All Systems collection. In the Collection group, click Show Members and the temporary node named All Systems is created and automatically selected in the navigation pane.

67

In the Monitoring workspace, click Client Status, and in the Statistics section, browse to the All Systems collection, and then click Active clients that passed client check or no results. The temporary node named Active clients that passed client check or no results from All Systems is created and automatically selected in the Assets and Compliance workspace.

Sites and Hierarchies

The following sections contain information about changes from Configuration Manager 2007 that relate to sites and hierarchies in System Center 2012 Configuration Manager. Note The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager. Site Types System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following tables summaries these sites and how they compare to sites in Configuration Manager 2007.
Site Purpose Change from Configuration Manager 2007

Central administration site

The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.

Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007: Does not process data submitted by clients, except for the Heartbeat Discovery discovery data record. Does not accept client assignments. Does not support all site system roles. Participates in database replication

Primary site

Manages clients in wellconnected networks.

Primary sites in System Center 2012

68

Site

Purpose

Change from Configuration Manager 2007

Configuration Manager have the following differences from primary sites in Configuration Manager 2007: Additional primary sites allow the hierarchy to support more clients. Cannot be tiered below other primary sites. No longer used as a boundary for client agent settings or security. Participates in database replication.

Secondary site Controls content distribution for clients in remote locations across links that have limited network bandwidth.

Secondary sites in System Center 2012 Configuration Manager have the following differences from secondary sites in Configuration Manager 2007: SQL Server is required and SQL Server Express will be installed during site installation if required. A management point and distribution point are automatically deployed during the site installation. Secondary sites can send content distribution to other secondary sites. Participates in database replication.

For more information, see the Planning for Sites and Hierarchies in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Site Communication The following items are new or have changed for site communication since Configuration Manager 2007:
69

Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings. The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate to site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications. To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests. The server locator point is no longer used, and the functionality of this site system role is moved to the management point. Note Although the Active Directory schema extensions still include the server locator point, this object is not used by Microsoft System Center 2012 Configuration Manager.

Internet-based client management now supports the following: User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM). Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported. Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

For more information, see the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Site Modes Sites are no longer configured for mixed mode or native mode. Instead, you secure client communication endpoints by configuring individual site system roles to support client connections over HTTPS or HTTP. Site system roles in the same site can have different settings, for example, some management points are configured for HTTPS and some are configured for HTTP. Most client connections over HTTPS use mutual authentication so you must make sure that clients have a PKI certificate that has client authentication capability to support this configuration. Mobile devices and client connections over the Internet must use HTTPS. Active Directory Domain Services and DNS remains the preferred method for clients to find management points. However, you can still use WINS as an alternative service location method and Configuration Manager now supports an entry for HTTPS management points (record type of [19]) in addition to the entry for HTTP (record type of [1A]. For sites that use HTTPS client connections, you do not have to specify a PKI certificate for document signing (the site server signing certificate in Configuration Manager 2007) because System Center 2012 Configuration Manager automatically creates this certificate (self-signed). However, most of the PKI certificate requirements from Configuration Manager 2007 remain the same when you configure site system roles to use HTTPS client communication, except that

70

many certificates now support SHA-2 in addition to SHA-1. For more information about the certificates, see Security: Certificates and Cryptographic Controls in this topic. Language Pack Support The following items are new or have changed for language support since Configuration Manager 2007: You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support. Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available by download with the prerequisite files. You can add client and server language packs to a site when you install the site, and can modify the language packs in use after the site installs. Each site supports multiple languages for use with Configuration Manager consoles. At each site you can install individual client language packs, adding support for only the client languages you want to support.

You can install multiple languages at each site, and only need to install those you use:

When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language. When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information including the Application Catalog or SQL Server Reporting Services reports display in that language.

Site System Roles The following site systems roles are removed: The reporting point. All reports are generated by the reporting services point. The PXE service point. This functionality is moved to the distribution point. The server locator point. This functionality is moved to the management point. The branch distribution point. Distribution points can be installed on servers or workstations that are in an Active Directory domain. The functionality of the branch distribution point is now a BranchCache setting for an application deployment type and the package deployment.

In addition, network load balanced (NLB) management points are no longer supported and this configuration is removed from the management point component properties. Instead, this functionality is automatically provided when you install more than one management point in the site. The following site system roles are new: The Application Catalog website point and the Application Catalog web services point. These site system roles require IIS and support the new client application, Software Center.

71

The enrollment proxy point, which manages enrollment requests from mobile devices, and the enrollment point, which completes mobile device enrollment and provisions AMT-based computers. These site system roles require IIS.

There is no longer a default management point at primary sites. Instead you can install multiple management points and the client will automatically select one, based on network location and capability (HTTPS or HTTP). This behavior supports a higher number of clients in a single site and provides redundancy, which was previously obtained by using a network load balancing (NLB) cluster. When the site contains some management points that support HTTPS client connections and some management points that support HTTP client connections, the client will connect to a management point that is configured for HTTPS when the client has a valid PKI certificate. You can also have more than one Internet-based management point in a primary site, although you can specify only one when you configure clients for Internet-based client management. When Internet-based clients communicate with the specified Internet-based management point, they will be given a list of all the Internet-based management points in the site and then select one. At a secondary site, the management point is no longer referred to as proxy management point, and must be co-located on the secondary site server. Boundaries and Boundary Groups The following items are new or have changed for boundaries since Configuration Manager 2007: Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point. You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.

For more information, see the Planning for Boundaries and Boundary Groups in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Fallback Site for Client Assignment In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the client is not in a boundary group, automatic site assignment succeeds and the client is assigned to the specified fallback site. For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Discovery The following items are new or have changed for Discovery since Configuration Manager 2007: Each data discovery record is processed and entered into the database one time only, at a primary site or central administration site, and then the data discovery record is deleted without additional processing.
72

Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication. Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy. Active Directory System Group Discovery has been removed. Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources. Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery. Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

For more information, see the Planning for Discovery in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Client Agent Settings is Now Client Settings In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these, modify the default client settings. If you need additional flexibility for groups of users or computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified computers. For more information, see the Planning for Client Settings in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Security: Role-Based Administration In Configuration Manager 2007, administrative access to site resources is controlled by using class and instance security settings that are verified by the SMS Provider computer to allow access to site information and configuration settings. System Center 2012 Configuration Manager introduces role-based administration to centrally define and manage hierarchy-wide security access settings for all sites and site settings. Instead of using individual class rights, role-based administration uses security roles to group typical administrative tasks that are assigned to multiple administrative users. Security scopes replace individual instance rights per object to group the permissions that are applied to site objects. The combination of security roles, security scopes, and collections allow you to segregate the administrative assignments that meet your organization requirements and this combination defines what an administrative user can view and manage in the Configuration Manager hierarchy. Role-based administration provides the following benefits: Sites are no longer administrative boundaries.
73

You create administrative users for the hierarchy and assign security to them one time only. You create content for the hierarchy and assign security to that content one time only. All security assignments are replicated and available throughout the hierarchy. There are built-in security roles to assign the typical administration tasks and you can create your own custom security roles. Administrative users see only the objects that they have permissions to manage. You can audit administrative security actions.

The following table illustrates the differences between implementing security permissions in Configuration Manager 2007 and System Center 2012 Configuration Manager:
Scenario Configuration Manager 2007 System Center 2012 Configuration Manager

Add new administrative user

Perform the following actions from each site in the hierarchy: 1. Add the Configuration Manager user. 2. Select the security classes. 3. For each class selected, select instance permissions.

Perform the following actions one time only from any site in the hierarchy: 1. Add the Configuration Manager administrative user. 2. Select the security roles. 3. Select the security scopes. 4. Select the collections.

Create and deploy software.

Perform the following actions from each site in the hierarchy:

Perform the following actions one time only from any site in the hierarchy:

1. Edit the package 1. Assign a security scope to the properties and select the software deployment. security classes 2. Deploy the software. 2. Add each user or group to the instance and then select the instance rights. 3. Deploy the software. To configure role-based administration, in the Administration workspace, click Security, and then view or edit the Administrative Users, Security Roles, and Security Scopes. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

74

Security: Certificates and Cryptographic Controls The following items are new or have changed for certificates and cryptographic controls since Configuration Manager 2007: For most Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates. The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256 and you can require that all clients use SHA-256. Configuration Manager uses two new types of certificates for site systems: a site system server certificate for authentication to other site systems in the same Configuration Manager site, and a site system role certificate. Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. The site server signing certificate is now self-signed; you cannot use a PKI certificate to sign client policies. You can use a client PKI certificate for authentication to a site system that accepts HTTP client connections. The new certificate issuers list for a site acts like a certificate trust list (CTL) in IIS. It is used by site systems and clients to help ensure that the correct client PKI certificate is used for PKI communication in Configuration Manager. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide.

For more information about the certificates and the cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. In addition, when you deploy operating systems and use PKI certificates, Configuration Manager now supports the following: The client authentication certificate supports the Subject Alternative Name (SAN) certificate field and a blank Subject. If you use Active Directory Certificate Services with an enterprise CA to deploy this certificate, you can use the Workstation certificate template to generate a certificate with a blank Subject and SAN value. Task sequences support the option to disable CRL checking on clients.

When you implement Internet-based client management, user policies are now supported for devices that are on the Internet when the management point can authenticate the user in Active Directory Domain Services. For example, the management point is in the intranet and accepts connections from Internet clients and intranet clients; or the management point is in a perimeter network that trusts the intranet forest where the user account resides. For more information about
75

Internet-based client management, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Backup and Recovery The following items are new or have changed for backup and recovery since Configuration Manager 2007.
Feature Description

Recovery integrated with System Center 2012 Configuration Manager Setup

Configuration Manager 2007 used the Site Repair Wizard to recover sites. In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard. You have the following options when running recovery in System Center 2012 Configuration Manager: Site Server Recover the site server from a backup. Reinstall the site server Recover the site database from a backup Create a new site database Use a site database that been manually recovered Skip database recovery

Support for multiple recovery options

Site Database

Recovery uses data replication to minimize data loss

System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to a sites database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager leverages database replication to retrieve global data that was created by the failed site before it failed. This process minimizes data loss even when no backup is available.

76

Feature

Description

Recovery using a Setup script

You can initiate an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.

For more information, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Manage Site Accounts Tool (MSAC) The Manage Site Accounts (MSAC) command-line tool that was provided with Configuration Manager 2007 is not provided with System Center 2012 Configuration Manager. Do not use MSAC from Configuration Manager 2007 with System Center 2012 Configuration Manager. Instead, configure and manage the accounts by using the Configuration Manager console.

Client Deployment and Operations

The following sections contain information about changes from Configuration Manager 2007 that relate to client deployment and client operations in System Center 2012 Configuration Manager. Client Deployment The following items are new or have changed for client deployment since Configuration Manager 2007: Clients are no longer configured for mixed mode or native mode, but instead use HTTPS with public key infrastructure (PKI) certificates or HTTP with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that includes client authentication capability. On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on which management point the client communicates with. Because Microsoft System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property, /native: [<native mode option>] , is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command

77

/NoCRLCheck if you do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication. The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another Microsoft System Center 2012 Configuration Manager hierarchy, the client will be able to automatically replace the trusted root key if the new site is published to Active Directory Domain Services and the client can access that information from a Global Catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client. The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi property SMSSLP remains supported, but only to specify the computer name of management points. You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the users language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic. Decommissioned clients are no longer displayed in the Configuration Manager console and they are automatically removed from the database by the Delete Aged Discovery Data task. The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use WINS to find a management point without verifying the management point's self-signed certificate. To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder for your own script files, update these references for the new folder location for Microsoft System Center 2012 Configuration Manager clients. Microsoft System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems. Automatic, site-wide client push now installs the Configuration Manager on existing computer resources if the client is not installed, and not just newly discovered computer resources. Client push installation initiates and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database and client installation begins. Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012
78

Configuration Manager version when they are below a version that you specify. For more information see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. For more information, see the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Client Assignment The following items are new or have changed for client assignment since Configuration Manager 2007: For automatic site assignment to succeed with boundary information, the boundary must be configured in a boundary group that is configured for site assignment. In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the clients network location is not in a boundary group, automatic site assignment succeeds, and the client is assigned to the specified fallback site. Clients can now download site settings from the management point after they have assigned to the site if they cannot locate these settings from Active Directory Domain Services. Although clients continue to download policy and upload client data to management points in their assigned site or in a secondary site that is a child site of their assigned site, all clients that are configured for intranet client management can now use any management point in the hierarchy for content location requests. There is no longer a requirement to extend the Active Directory schema to support this capability, and there is no longer a concept of regional and global roaming. DNS publishing no longer requires you to configure a DNS suffix on the client if there is a management point published to DNS in the same domain as the client. In this scenario, automatic site assignment works by default when you publish to DNS at least one management point, even if this management point is in a different Configuration Manager site to the clients final assigned site.

For more information, see the How to Assign Clients to a Site in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Collections The following items are new or have changed for collections since Configuration Manager 2007:
Feature Description

User Collections and Device Collections nodes

You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections. Sub collections are no longer used in
79

Sub collections

Feature

Description

System Center 2012 Configuration Manager. In Configuration Manager 2007, sub collections had two main uses: Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections. Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection.

For more information, see How to Manage Collections in Configuration Manager. Include collection rules and exclude collection rules Incremental collection member evaluation In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection. Incremental collection member evaluation periodically scans for new or changed resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation. Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in
80

Migration support

Role-based administration security scopes

Feature

Description

Configuration Manager. Collection resources In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy. In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

Collection limiting

For more information, see the Introduction to Collections in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Queries The following items are new or have changed for queries since Configuration Manager 2007: The option to export the results of a query is not available in this release. As a workaround, you can copy the query results to the Windows clipboard.

For more information about queries, see the Introduction to Queries in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Client Status Reporting is Now Client Status The following items are new or have changed for client status reporting (now client status) since Configuration Manager 2007: Client status and client activity information is integrated into the Configuration Manager console. Typical client problems that are detected are automatically remediated. The Ping tool from Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

For more information, see the Monitoring the Status of Client Computers in Configuration Manager section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Desired Configuration Management is Now Compliance Settings The following items are new or have changed for desired configuration management (now compliance settings) since Configuration Manager 2007:

81

Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager. Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results. An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer. It is now easier to create configuration baselines. You can reuse settings for multiple configuration items. You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator. You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can deploy configuration baselines to users and devices. Configuration baseline deployments and evaluation support Configuration Manager maintenance windows. You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager. Configuration item versioning lets you view and use previous versions of configuration items. You can restore or delete previous versions of configuration items and see the user names of administrative users who made changes. Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in HKEY CURRENT USER and user-based script settings that an administrative user configured. Improved reports contain rule details, remediation information, and troubleshooting information. You can now detect and report conflicting compliance rules. Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Consequently you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007. You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format.
82

Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager. Regular expressions for settings are not supported in System Center 2012 Configuration Manager. Using wildcards for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcards from registry settings before you migrate otherwise the data will be invalid in the System Center 2012 Configuration Manager configuration item. The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager. You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

For more information, see the Introduction to Compliance Settings in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Out of Band Management The following have changed for out of band management since Configuration Manager 2007: System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site. To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site. There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site. Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires. AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used. Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT. The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point. The WS-MAN translator is no longer supported.
83

The maintenance task Reset AMT Computer Passwords has been removed. You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features. You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process. The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, it grants Read Members and Writer Members (this object only) permissions. The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008, the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides. The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to the following certificate templates: For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties. For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in Out Of Band Management Point Component Properties.

The AMT provisioning certificate no longer requires that the private key can be exported. By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs, and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties. You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the settings, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer. When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded.

84

AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT. The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role, and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.

For more information, see the Introduction to Out of Band Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Remote Control The following items are new or have changed for remote control since Configuration Manager 2007: Remote control now supports sending the CTRL+ALT+DEL command to computers. You can apply different remote control settings to collections of computers by using client settings. You can lock the keyboard and mouse of the computer that is being administered during a remote control session. The copy and paste functionality between the host computer and the computer that is being administered has been improved. If the remote control network connection is disconnected, the desktop of the computer that is being administered will be locked. You can start the remote control viewer from the Windows Start menu. Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate. Remote control supports connecting to computers with multiple monitors. A high visibility notification bar is visible on client computers to inform the user that a remote control session is active. By default, members of the local Administrators group are granted the Remote Control permission as a client setting. The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer. If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM.
85

Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used. Responsiveness for low-bandwidth connections supports the following improvements: Elimination of mouse trails by using single mouse cursor design. Full support for Windows Aero. Elimination of mirror driver.

For more information, see the Introduction to Remote Control in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Hardware Inventory The following items are new or have changed for hardware inventory since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable custom hardware inventory, and add and import new inventory classes from the Configuration Manager console. The sms_def.mof file is no longer used to customize hardware inventory. You can extend the inventory schema by adding or importing new classes. Different hardware inventory settings can be applied to collections of devices by using client settings.

For more information, see the Introduction to Hardware Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Software Inventory There are no significant changes for software inventory in Configuration Manager since Configuration Manager 2007. For more information about software inventory, see the Introduction to Software Inventory in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Asset Intelligence The following items are new or have changed for Asset Intelligence since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware inventory classes without editing the sms_def.mof file. You can now download the Microsoft Volume Licensing Service (MVLS) license statement from the Microsoft Volume Licensing Service Center and import the license statement from the Configuration Manager console. There is a new maintenance task (Check Application Title with Inventory Information) that checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. There is a new maintenance task (Summarize Installed Software Data) that provides the information displayed in the Inventoried Software node under the Asset Intelligence node in the Assets and Compliance workspace.
86

The Client Access License reports have been deprecated.

For more information, see the Introduction to Asset Intelligence in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Software Metering There are no significant changes for software metering in Configuration Manager since Configuration Manager 2007. For more information about software metering, see the Introduction to Software Metering in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Power Management The following items are new or have changed for power management since Configuration Manager 2007: If an administrative user enables this option, users can exclude computers from power management. Virtual machines are excluded from power management. Administrative users can copy power management settings from another collection. A new Computers Excluded report is now available. It displays the computers that are excluded from power management.

For more information, see the Introduction to Power Management in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. Mobile Devices Enrollment for mobile devices in System Center 2012 Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure enrollment for mobile devices by using System Center 2012 Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. After the mobile devices are enrolled, you can manage their settings by creating mobile device configuration items and then deploy them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Exchange Server Connector New in System Center 2012 Configuration Manager, the Exchange Server connector allows you to find and manage devices that connect to Exchange Server (on-premise or hosted) by using the

87

Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. For more information about the different management capabilities when you manage mobile devices by using the Exchange Server connector and when you install a Configuration Manager client on mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. For more information about how to install and configure the Exchange Server connector, see the How to Manage Mobile Devices by Using Configuration Manager and Exchange topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Mobile Device Legacy Client If you have mobile devices that you managed with Configuration Manager 2007 and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client remains the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and the management points and distribution points. Unlike other clients, mobile device legacy clients cannot automatically use multiple management points in a site. File collection is no longer supported for these mobile device clients in System Center 2012 Configuration Manager and unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool (DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector. For more information about the different mobile device management capabilities, see Determine How to Manage Mobile Devices in Configuration Manager. For more information, see the Deploying the Configuration Manager Client to Mobile Devices section in the Introduction to Client Deployment in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. Endpoint Protection System Center 2012 Endpoint Protection is now integrated with System Center 2012 Configuration Manager. The following items are new or have changed for Endpoint Protection since Forefront Endpoint Protection 2010: Because Endpoint Protection is now fully integrated with Configuration Manager, you do not run a separate Setup program to install an Endpoint Protection server. Instead, select the Endpoint Protection point as one of the available Configuration Manager site system roles. You can install the Endpoint Protection client by using Configuration Manager client settings, or you can manage existing Endpoint Protection clients. You do not use a package and program to install the Endpoint Protection client.

88

The Endpoint Protection Manager role-based administration security role provides an administrative user with the minimum permissions required to manage Endpoint Protection in the hierarchy. Endpoint Protection in Configuration Manager provides new reports that integrate with Configuration Manager reporting. For example, you can now identify the users who have computers that most frequently report security threats. You can use Configuration Manager software updates to automatically update definitions and the definition engine by using automatic deployment rules. You can configure multiple malware alert types to notify you when Endpoint Protection detects malware on computers. You can also configure subscriptions to notify you about these alerts by using email. The Endpoint Protection dashboard is integrated with the Configuration Manager console. You do not have to install the dashboard separately. To view the Endpoint Protection dashboard, click the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.

For more information, see the Introduction to Endpoint Protection in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Software Deployment and Content Management

The following sections contain information about changes from Configuration Manager 2007 that relate to software updates, software distribution, operating system deployment and task sequences in System Center 2012 Configuration Manager. Software Updates Although the general concepts for deploying software updates are the same in System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or updated functionality is available that improves the software update deployment process. This includes automatic approval and deployment for software updates, improved search with expanded criteria, enhancements to software updates monitoring, and greater user control for scheduling software update installation. The following table lists the functionality that is new or that has changed for software updates since Configuration Manager 2007.
Functionality Description

Software update groups

Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software updates group, or add software updates automatically to a new or existing
89

Functionality

Description

software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed. Automatic deployment rules Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week), the software updates are added to a software update group, you configure deployment and monitoring settings, and decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group or retrieve compliance information from client computers for the software updates in the software update group without deploying them. New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you require. You can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you require, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on. In the Configuration Manager console, you can monitor the following software updates objects and processes:
90

Software updates filtering

Software updates monitoring

Functionality

Description

Important software updates compliance and deployment views Detailed state messages for all deployments and assets Software updates error codes with additional information to help identify issues Status for software updates synchronization Alerts for important software updates issues

Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments. Manage superseded software updates Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified period of time where the software update is not automatically expired after it is superseded. During this time, you can deploy superseded software updates. Increased user control over software updates installation Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with the Configuration Manager client. Users run this application on the Start menu to manage the software that is deployed to them. This includes software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, you can configure your business hours and have software updates run outside of those hours to minimize productivity
91

Functionality

Description

loss. When the deadline is reached for a software update, the installation for the software update is started. Software update files are stored in the content library The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. For more information about content management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Software update deployment template There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create a template for expedited software update deployments and planned deployments. The
92

Functionality

Description

template for the expedited deployment can suppress display notifications on client computers, set the deadline for zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow for display notifications on client computers and set the deadline for 14 days from the deployment schedule. Internet-based clients can retrieve update files from the Internet When an Internet-based client receives a deployment, the client first tries to download the software files from Microsoft Update instead of distribution points. When the connection to Microsoft is not successful, clients fall back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet. Update lists have been replaced by software update groups. Although you can still deploy software updates in System Center 2012 Configuration Manager, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group.

Update lists are no longer used Deployments are no longer used

The New Policies Wizard is no longer available to create a NAP policy for software updates

The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in software update properties.

For more information, see the Introduction to Software Updates in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

93

Application Management Applications are new in System Center 2012 Configuration Manager and have the following characteristics: Applications contain the files and information necessary to deploy a software package to a computer or a mobile device. Applications contain multiple deployment types that contain the files and commands necessary to install the software. For example, an application could contain deployment types for a local installation of a software package, a virtual application package or a version of the application for mobile devices. Requirement rules define conditions that specify how an application is deployed to client devices. For example, you can specify that the application should not be installed if the destination computer has less than 2GB RAM or you could specify that a virtual application deployment type is installed when the destination computer is not the primary device of the user. Global conditions are similar to requirement rules but can be reused with any deployment type. User device affinity allows you to associate a user with specified devices. This allows you to deploy software to a user rather than a device. For example, you could deploy an application so that it only installs on the primary device of the user. On devices that are not the primary device of the user, you could deploy a virtual application that is removed when the user logs out. Deployments are used to distribute applications. A deployment can have an action which specifies whether to install or uninstall the application and a purpose which specifies whether the application must be installed or whether the user can choose to install it. System Center 2012 Configuration Manager can use detection methods to determine if a deployment type has already been installed on a device by using product information, or a script. Application management supports the new monitoring features in System Center 2012 Configuration Manager. The status of an application deployment can be monitored directly in the Configuration Manager console. Packages and programs from Configuration Manager 2007 are supported in System Center 2012 Configuration Manager and can use some of the new deployment and monitoring features. You can now deploy a task sequence on the Internet, as a method to deploy a script, for example, prior to installing a package and program. It is still not supported to deploy an operating system over the Internet. Software Center is a new client interface that allows users to request and install applications, control some client functionality, and to access the Application Catalog, which contains details about all available applications. When you deploy software to users, users no longer have to log off and back on again for Configuration Manager to include the new software deployment in the user policy. However, if the deployment uses a Windows group and you have newly added the user to this group, the Windows requirement for the user to log off and back on again to receive the new Windows group membership still applies before the user can receive the user-targeted software deployment.
94

The following are new or changed for virtual application (App-V) deployment in System Center 2012 Configuration Manager: Virtual applications support App-V Dynamic Suite Composition by using Configuration Manager local and virtual application dependencies. You can selectively publish the components of a virtual application to client computers. Performance improvements when publishing application shortcuts to client computers. Clients now check more quickly for required installations after logon. Clients also now check for required installations when the desktop is unlocked. Applications can be deployed to users of Remote Desktop Services or Citrix servers when other users are logged in. System Center 2012 Configuration Manager supports streaming virtual applications over the Internet from an Internet-based distribution point. Streaming support for packages suited together using Dynamic Suite Composition. In Configuration Manager 2007, you had to enable streaming support for virtual applications on each distribution point. In System Center 2012 Configuration Manager, all distribution points are automatically capable of virtual application streaming. Reduced disk space usage on distribution points as application content is no longer duplicated for multiple application revisions. Virtual application content is no longer persisted by default in the Configuration Manager client cache. You can no longer create virtual applications by using Configuration Manager packages and programs. You must use Configuration Manager application management. Configuration Manager supports migrating virtual application packages from Configuration Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V package from Configuration Manager 2007, the migration Wizard will create this as a System Center 2012 Configuration Manager application. The Configuration Manager 2007 client option Allow virtual application package advertisement has been removed. In System Center 2012 Configuration Manager, virtual applications can be deployed by default. Virtual applications that are deployed from an App-V Server are not deleted by the Configuration Manager client. Configuration Manager hardware inventory can be used to inventory virtual applications deployed by an App-V Server. Application content that has been downloaded to the App-V cache is not downloaded to the Configuration Manager client cache. Note To modify a virtual application, you must first create it as a Configuration Manager application. For more information, see the Introduction to Application Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
95

Operating System Deployment The following items are new or have changed for operating system deployment since Configuration Manager 2007: You can apply Windows Updates by using Component-Based Servicing (CBS) to update the Windows Imaging Format (WIM) files that are stored in the Image node of the Software Library workspace. The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to prestaged media, bootable media, and stand-alone media. For more information about how to deploy operation system including using prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic: How to Create Prestaged Media How to Create Bootable Media How to Create Stand-alone Media

When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.

You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment. You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.

The Capture User State task sequence action and the Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4. For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager.

You can use the Install Application task sequence step to deploy applications when you deploy an operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

You can associate a user with the computer where the operating system is deployed to support user device affinity actions. For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer.

96

For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager. The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability. For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager. For more information, see the Introduction to Operating System Deployment in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Content Management The following items are new or have changed for content management since Configuration Manager 2007: Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type with the following new functionality: You can install the distribution point site system role on client or server computers. You can configure bandwidth settings, throttling settings, and schedule content distribution between the site server and distribution point. You can prestage content on remote distribution points and manage how Configuration Manager updates content to the prestaged distribution points. The PXE service point and the associated settings are in the properties for the distribution point.

In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points. Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might
97

distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. You can prestage content, which is the process to copy content, to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content. The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point. In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most amount of free space. In System Center 2012 Configuration Manager, you configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files. BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.

For more information, see the Introduction to Content Management in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Monitoring and Reporting

The following sections contain information about changes from Configuration Manager 2007 that relate to monitoring and reporting in System Center 2012 Configuration Manager. Reporting The following items are new or have changed for reporting since Configuration Manager 2007: Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting. Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012 Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution. Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time.

98

Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share in scheduled intervals. You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience. Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale that SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.

For more information, see the Introduction to Reporting in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Alerts Alerts are new in System Center 2012 Configuration Manager and provide near real-time awareness of current site operations and conditions in the Configuration Manager console. Alerts are state-based and will automatically update when conditions change. System Center 2012 Configuration Manager alerts are not similar to status messages in Configuration Manager, nor are they similar to alerts in other System Center products, such as those found in Microsoft System Center Operations Manager 2007. For more information, see the Configuring Alerts in Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide. Monitoring Database Replication You can monitor the status of System Center 2012 Configuration Manager data replication by using the Database Replication node in the Monitoring workspace of the Configuration Manager console. For more information, see the How to Monitor Database Replication and SQL Server Status for Database Replication section in the Monitor Configuration Manager Sites and Hierarchy topic from the Site Administration for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

Whats New in the Documentation for Configuration Manager

Use this topic to track a summary of significant changes in the Documentation Library for System Center 2012 Configuration Manager. After the release, the documentation might be updated for new information, to incorporate customer feedback, and to make any corrections that might be required. Typically, any documentation changes are announced each month on the System Center Configuration Manager Team Blog, and then periodically summarized in this topic. Tip

99

You can use the Configuration Manager Documentation Team Twitter feed to be notified about recent updates. In the release publication of the library, the following guides include information to help you be successful with Configuration Manager:
Guide Description

Getting Started with System Center 2012 Configuration Manager

This guide helps you get started with System Center 2012 Configuration Manager with an introduction to the product, whats new and changed since Configuration Manager 2007, basic concepts, and some frequently asked questions. This guide provides the information to help you plan, install, configure, and maintain System Center 2012 Configuration Manager. This information includes how to run Setup for the product. This guide provides information about migrating an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager. This guide provides information to help you plan, install, configure, and manage client deployment in System Center 2012 Configuration Manager. This information includes enrolling mobile devices with Configuration Manager and how to manage mobile devices by using the Exchange Server connector. This guide provides information to help you plan, configure, and manage the deployment of software and operating systems in System Center 2012 Configuration Manager. This guide provides information to help you manage your devices (computers and mobile devices) in System Center 2012 Configuration Manager. This guide contains security-related information from the other Configuration Manager guides
100

Site Administration for System Center 2012 Configuration Manager

Migrating Hierarchies in System Center 2012 Configuration Manager

Deploying Clients for System Center 2012 Configuration Manager

Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Assets and Compliance in System Center 2012 Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager

Guide

Description

and privacy statements for the product. For a glossary of terms and definitions, see Glossary for Microsoft System Center 2012 Configuration Manager.

What's New in the Documentation Library for May 2012

The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the official documentation library release in March 2012. The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed. In addition, you can now download a copy of this technical documentation from the Microsoft Download Center. Always use the TechNet online library for the most up-to-date information. Getting Started with System Center 2012 Configuration Manager The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.
Topic More information

Whats New in System Center 2012 Configuration Manager

In the Sites and Hierarchies section, added a new section for Language Pack Support. This information is also clarified in the Client Deployment and Operations section, which contains the information that you no longer install International Client Packs (ICPs) when you want to support different languages on the client. Updated for the latest support statements. Updated for new questions that include the following: Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007? Can I migrate maintenance windows? Which antimalware solutions can Endpoint Protection uninstall?

Supported Configurations for Configuration Manager Frequently Asked Questions for Configuration Manager

Information and Support for Configuration

Updated the Search the Configuration Manager

101

Topic

More information

Manager

Documentation Library section to explain how to use the scoped search link, with examples and search tips.

Site Administration for System Center 2012 Configuration Manager The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.
Topic More information

Planning for Site Systems in Configuration Manager Planning for Sites and Hierarchies in Configuration Manager

Updated the site system role placement for secondary sites. Updated for additional information about planning for language packs at Configuration Manager sites, clients, and the Configuration Manager console. Updated for the new section, Best Practices for Discovery. Updated for the information that the Application Catalog web service point, like the out of band service point, must reside in the same Active Directory forest as the site server. Other site system roles can be installed in other forests. This topic is also updated for a procedure how to manually publish management points to DNS on Windows Server.

Planning for Discovery in Configuration Manager Planning for Communications in Configuration Manager

Install Sites and Create a Hierarchy for Configuration Manager

Updated for a new section, Decommission Sites and Hierarchies, for information about how to uninstall Configuration Manager. In addition, the /TESTDBUPGRADE option is updated in the Using Command-Line Options with Setup section to clarify that this switch is not supported on a production database.

Manage Site and Hierarchy Configurations

Updated the Modify the Site Database Configuration section to clarify that Configuration Manager does not support changing the port for SQL Server after the site is installed.
102

Topic

More information

Added new sections, Manage Language Packs at Configuration Manager Sites and Configure Custom Locations for the Site Database Files. Security and Privacy for Site Administration in Configuration Manager Updated the entry about the Security Configuration Wizard with the link to download the toolkit for System Center 2012 Configuration Manager: System Center 2012 Configuration Manager Component Add-ons and Extensions. This information is also updated in the Security and Privacy for System Center 2012 Configuration Manager guide. Updated for the ports used by the new site system roles: the Application Catalog website point and Application Catalog web service point; the enrollment point and enrollment proxy point; and the Endpoint Protection point. Also clarified that Configuration Manager does not support dynamic ports for SQL Server. New topic that provides technical details about language support in System Center 2012 Configuration Manager.

Technical Reference for Ports Used in Configuration Manager

Technical Reference for Language Packs in Configuration Manager

Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager The following new or updated topics are from the Migrating Hierarchies in System Center 2012 Configuration Manager guide.
Topic More information

Planning for Migration to System Center 2012 Configuration Manager

Updated for additional information about planning for overlapping boundaries if you will install new Configuration Manager 2007 client during the migration period. Updated to clarify that when a collection migrates, Configuration Manager also migrates collection settings that include maintenance windows and collection variables, but cannot migrate collection settings for AMT provisioning. Updated the Distribution Point Upgrade section
103

Planning a Migration Job Strategy in System Center 2012 Configuration Manager

Planning a Content Deployment Migration

Topic

More information

Strategy in System Center 2012 Configuration Manager

to clarify the package migration behavior during a distribution point upgrade.

Deploying Clients for System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.
Topic More information

Prerequisites for Windows Client Deployment in Updated to clarify that although most operating Configuration Manager systems now include BITS, some operating systems, such as Windows Server 2003 R2 SP2, do not. If you install the client on an operating system that does not already have BITS installed, you must first install it. Best Practices for Client Deployment in Configuration Manager Updated for the new best practice to install additional client languages on the site before you deploy clients on computers and mobile devices. Updated to clarify the assignment behavior for a System Center 2012 Configuration Manager client when it is assigned to a Configuration Manager 2007 site. Updated for information about file locations for the /config: and CCMENABLELOGGING installation properties.

How to Assign Clients to a Site in Configuration Manager

About Client Installation Properties in Configuration Manager

Deploying Software and Operating Systems in System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Topic More information

Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft How to Manage Applications and Deployment

New topic that provides an example scenario for how you might deploy software updates in your environment. Updated to clarify that the Retire management task does not remove any installed copies of
104

Topic

More information

Types in Configuration Manager Planning a Task Sequences Strategy in Configuration Manager How to Manage the User State in Configuration Manager Task Sequence Steps in Configuration Manager

the application from client computers. Updated for information about running task sequences in a maintenance window. Updated for how to create a USMT package and how to restore the user state if the operating system deployment fails. Updated the Updated Install Software Updates step for the information that the step cannot suppress restarts if the software update requires a restart. New topic that provides an example scenario for how you might deploy an operating system by using PXE in your environment.

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager

Assets and Compliance in System Center 2012 Configuration Manager The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.
Topic More information

How to Create Queries in Configuration Manager How to Extend Hardware Inventory in Configuration Manager How to Configure Software Inventory in Configuration Manager Introduction to Software Metering in Configuration Manager How to Manage AMT-based Computers Out of Band in Configuration Manager

Updated to clarify that a query that contains no criteria will return all devices in the All Systems collection. Updated for the information that you must create a hardware inventory class for any MIF files you want to add to inventory. Updated for an example of how to specify a file type that you want to inventory. Updated to include the reference to Example Scenario for Software Metering in Configuration Manager. Updated to clarify that the out of band management power control commands are always available for a collection, even if the collection contains resources that are not provisioned for AMT. Updated for information about using software
105

How to Configure Endpoint Protection in

Topic

More information

Configuration Manager

updates automatic deployment rules to deploy definition updates for Endpoint Protection.

What's New in the Documentation Library for January 2013

The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the documentation library was updated in May 2012. The documentation library now contains information for Configuration Manager Service Pack 1 (SP1). The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed. In addition to these sections, the Glossary for Microsoft System Center 2012 Configuration Manager is updated for System Center 2012 Configuration Manager SP1. Getting Started with System Center 2012 Configuration Manager The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Configuration Manager Whats New in System Center 2012 Configuration Manager SP1 Fundamentals of Configuration Manager

Updated for Configuration Manager SP1. New topic that lists the changes in Configuration Manager SP1, with links to additional information. Updated for Configuration Manager SP1. For example, how you can use site expansion if you install a stand-alone primary site and later decide that you require additional primary sites. This topic also has diagrams added to illustrate example site designs, site system roles, and client settings.

Supported Configurations for Configuration Manager

Updated support statements for Configuration Manager with no service pack, and new support statements for Configuration Manager SP1. Updated for new questions that include the following: To support computers in an untrusted forest, do I have to create a new primary site and configure a two-way forest trust?
106

Frequently Asked Questions for Configuration Manager

Topic

More information

Do I have to configure my site for Internetbased client management before I can use cloud-based distribution points in Configuration Manager SP1? How can I create a collection that contains only Mac computers, or only Linux servers? Why might there be differences between a clients assigned, installed, and resident site values when I look at the client properties in the Configuration Manager console? Can I install the Configuration Manager client on my Windows Embedded devices that have very small disks? Where is the documentation for the Configuration Manager client for Mac Computers? Where is the documentation for the Configuration Manager client for Linux and UNIX? If the same application is deployed to a user and a device, which one takes priority? Why do I see an error message about insufficient permissions from a Windows Embedded device when I try to install software from Software Center? Whats the minimum permission an administrative user requires for the Client Push Installation Wizard? Why dont clients run scheduled activities such as inventory, software updates, and application evaluation and installations at the time I schedule them? How can I create a collection of Windows 8 computers that are Always On Always Connected capable?

Accessibility Features of Configuration Manager

New topic that outlines accessibility features for Configuration Manager and provides links to more information.

107

Site Administration for System Center 2012 Configuration Manager The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.
Topic More information

Interoperability between Different Versions of Configuration Manager

New topic that contains information about interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007 and about interoperability between sites with different service pack versions in System Center 2012 Configuration Manager. Updated for the new certificates in Configuration Manager SP1, which includes certificates for Mac computers, cloud-based distribution points, and the Windows Intune connector and mobile devices that are enrolled by Windows Intune. This topic also includes a new entry for the specific certificate requirements when you use a SQL Server cluster for the Configuration Manager site database. New topic to help you plan to upgrade System Center 2012 Configuration Manager to Configuration Manager SP1. Updated for the information that there are no new schema changes in Configuration Manager SP1. The topic also lists the clients that do not use the Configuration Manager schema extensions. Updated for the new Planning to Expand a Stand-Alone Primary Site section for Configuration Manager SP1 information about how to expand a stand-alone primary site into a new hierarchy with a central administration site. Updated for the new best practice to not run Active Directory Forest Discovery at multiple sites when you plan to automatically create boundaries from the discovery data, because this can create duplicate boundary objects.
108

PKI Certificate Requirements for Configuration Manager

Planning to Upgrade System Center 2012 Configuration Manager Determine Whether to Extend the Active Directory Schema for Configuration Manager

Planning for Sites and Hierarchies in Configuration Manager

Planning for Discovery in Configuration Manager

Topic

More information

Also updated to clarify that when Active Directory Forest Discovery discovers a supernet that is assigned to an Active Directory site, Configuration Manager translates the supernet into a boundary as an IP address range. This information is also added to Planning for Boundaries and Boundary Groups in Configuration Manager. Planning for Site Systems in Configuration Manager Updated for the new Configuration Manager SP1 site system roles, proxy server configuration, cloud-based distribution points, and the Windows Intune connector. New topic that contains planning information for cloud-based distribution points in Windows Azure. Updated for how to use database replication controls and distributed views in Configuration Manager SP1. The Planning How to Wake Up Clients section is also updated for the new wake-up proxy functionality in Configuration Manager SP1. Configuring Settings for Client Management in Configuration Manager Install Sites and Create a Hierarchy for Configuration Manager Updated the Configure Wake on LAN section for the new wake-up proxy functionality in Configuration Manager SP1. The topic that contains information about how to run Setup has the following updates: The required permissions to run Setup for the site installation procedures. In Configuration Manager SP1, you must disable distributed views for all primary sites before you uninstall from the hierarchy a primary site that uses distributed views In Configuration Manager SP1, you can configure the SQL Server service port to be a non-default TCP port number.

Manage Cloud Services for Configuration Manager Planning for Communications in Configuration Manager

In addition, the following information is updated for unattended installations: The script file details.
109

Topic

More information

Updated information about the automatic creation of an unattended installation script when you run Setup. Updated the command line details for /MANGAELANGS, which is used to manage languages at a previously installed site. New sections for an unattended recovery of a primary site or central administration site.

Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site Upgrade Configuration Manager to a New Service Pack Configuring Alerts in Configuration Manager

New topic that provides information about the new site expansion functionality in Configuration Manager SP1. New topic that contains information about how to upgrade to the latest service pack, such as Configuration Manager SP1. Updated with the new information that for Configuration Manager SP1, you can configure email subscriptions for all alerts whereas in Configuration Manager with no service pack, email subscriptions were restricted to Endpoint Protection. Updated for the new site system roles in Configuration Manager SP1 and the information that when you install a site system on a domain controller that does not host the site server, the new site system role does not complete the installation until the Kerberos ticket refreshes. Updated for a new section to uninstall a database replica. The Configuring the Database Replica Server section is also updated for the information that the SQL Server service on the replica database server must run as the System account. This topic is also updated for the required configurations to use a database replica; you must configure databases to support a Max Text Repl Size of 2 GB.

Install and Configure Site System Roles for Configuration Manager

Configure Database Replicas for Management Points

Manage Cloud Services for Configuration

New topic to help you manage cloud-based distribution points in Configuration

110

Topic

More information

Manager Backup and Recovery in Configuration Manager

Manager SP1. Updated to add the new Using Data Protection Manager to Back up Your Site Database section and updated the Recover a Secondary Site section. New topic that explains how to install update bundles if you require hotfixes to System Center 2012 Configuration Manager. Updated to add the section Supported SQL Server Versions for the Reporting Services Point. Updated to add the new section Reporting Services Security Roles for Configuration Manager. Updated for the new ports used by Configuration Manager SP1, which includes the client notification, cloud-based distribution point, and the Windows Intune connector. Also added the ports used by the Exchange Server connector. Updated to include the AppDiscovery.log and AppEnforce.log log files, which are used with application management. Also updated for the new log files in Configuration Manager SP1, which includes log files for Mac computers, Linux and UNIX servers, and cloud-based distribution points.

Update System Center 2012 Configuration Manager Prerequisites for Reporting in Configuration Manager Configuring Reporting in Configuration Manager Technical Reference for Ports Used in Configuration Manager

Technical Reference for Log Files in Configuration Manager

Technical Reference for Cryptographic Controls Updated for the new security controls in Used in Configuration Manager Configuration Manager SP1, which includes content hashing support for the new devices that Configuration Manager SP1 supports, the encryption algorithm used by client notification, and certificates used by cloud-based distribution points and for Windows Intune. Technical Reference for Language Packs in Configuration Manager Technical Reference for the Prerequisite Updated for the new languages supported by Configuration Manager SP1. Updated the information about prerequisite
111

Topic

More information

Checker in Configuration Manager

checks for Configuration Manager, which includes the prerequisite checks for Configuration Manager with no service pack, new prerequisite checks for Configuration Manager SP1, and prerequisite checks for upgrading to Configuration Manager SP1. Updated for new procedures for deploying the client certificate for Mac computers and the service certificate for cloud-based distribution points in Configuration Manager SP1.

Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

Migrating Hierarchies in System Center 2012 Configuration Manager This guide was previously named Migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager and is now renamed to reflect the new functionality in Configuration Manager SP1 that now also lets you migrate a System Center 2012 Configuration Manager SP1 hierarchy to another System Center 2012 Configuration Manager SP1 hierarchy. Topics in this guide are updated to reflect this new functionality, where applicable. Deploying Clients for System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Client Deployment in Configuration Manager Prerequisites for Windows Client Deployment in Configuration Manager

Updated for information for Configuration Manager SP1 information about Windows Embedded, Mac computers, and Linux and UNIX servers. This topic is also updated to include a list of client checks that Windows-based clients make when Configuration Manager monitor clients and remediates any issues. Updated for Configuration Manager SP1, which includes the following: You no longer have to configure Internet Explorer to exclude the ActiveX control Microsoft.ConfigurationManager.SoftwareCatalog.Website.ClientBridgeCont rol.dll from ActiveX filtering and allow it to run in the browser. Silverlight 5 is automatically downloaded and installed during client installation.

This topic is also updated to clarify that BITS is not automatically downloaded during client installation.

112

Topic

More information

Best Practices for Client Deployment in Configuration Manager

Updated for the following best practices: Plan and prepare any required PKI certificates in advance for Internetbased client management, enrolled mobile devices, and Mac computers. Before you install clients, configure any required client settings and maintenance windows. For Mac computers and mobile devices that are enrolled by Configuration Manager, plan your user enrollment experience. When you manage Windows Embedded devices on the Configuration Manager SP1 client, use File-Based Write Filters (FBWF) rather than Enhanced Write Filters (EWF) for higher scalability.

Planning for New topic that provides planning information to help you install the client on Client Linux and UNIX server in Configuration Manager SP1. Deployment for Linux and UNIX Servers Determine the Updated for the information that you require an enrollment point and enrollment Site System proxy point to manage Mac computers in Configuration Manager SP1. Roles for Client Deployment in Configuration Manager How to Configure Client Communicatio n Port Numbers in Configuration Manager How to Install Clients on WindowsBased Computers in Configuration Manager Updated for information about ports for client notification in Configuration Manager SP1.

This topic was previously named How to Install Clients on Computers in Configuration Manager and renamed because Configuration Manager SP1 supports the installation of clients on other operating systems, such as Mac OS X, and Linux and UNIX. Other updates to this topic include the following: Configuration Manager SP1 does not support client push installation for Windows Embedded devices that have write filters that are enabled. Configuration Manager SP1 client push installation now supports some CCMSetup properties in the Installation Properties tab. Configuration Manager SP1 updates for How to Automatically Upgrade the
113

Topic

More information

Configuration Manager Client for the Hierarchy. Examples are added to How to Install Configuration Manager Clients Manually, How to Install Configuration Manager Clients on Workgroup Computers, and How to Install Configuration Manager Clients for Internetbased Client Management.

How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Manage Mobile Devices by Using Configuration Manager and Windows Intune How to Manage Clients in Configuration Manager How to Manage Linux and UNIX Clients in Configuration Manager

New topic that explains how to install and enroll Mac computers that so that you manage these computers similarly to how you manage other clients in the Configuration Manager hierarchy.

New topic that explains how to install the Configuration Manager client on Linux and UNIX servers that so that you manage these computers similarly to how you manage other clients in the Configuration Manager hierarchy.

New topic for Configuration Manager SP1 that explains how to manage mobile devices that run Windows Phone 8, Windows RTM, iOS, and Android. This mobile devices management solution requires a subscription to Windows Intune and uses the Windows Intune connector site system role.

Updated to include information about how to notify computers to download policy as soon as possible when they run the Configuration Manager SP1 client.

New topic that explains how to manage the Configuration Manager SP1 client on Linux and UNIX servers.

How to Monitor New topic that explains how to monitor the Configuration Manager SP1 client on Linux and Linux and UNIX servers. UNIX Clients in
114

Topic

More information

Configuration Manager Security and Privacy for Clients in Configuration Manager Updated for the following security best practices: Do not use automatic site assignment if the client will download the trusted root key from the first management point it contacts. For Windows embedded devices that have write filters, take additional security precautions to reduce the attack surface if Configuration Manager disables the write filters to persist software installations and changes. For mobile devices: Do not deploy applications to users who have mobile devices enrolled by Configuration Manager or Windows Intune when the mobile device is used by more than one person, the device is enrolled by an administrator on behalf of a user, or the device is transferred to another person without retiring and then re-enrolling the device. For mobile devices: Make sure that users enroll their own mobile devices for Windows Intune. For Mac computers: Independently from Configuration Manager, monitor and track the validity period of the certificate that enrolled to users. In Configuration Manager SP1, the connection from a client to the management point is not dropped if you block a client and the blocked client could continue to send client notification packets to the management point, as keep-alive messages. In Configuration Manager SP1, when you use automatic client upgrade and the client is directed to a management point to download the client source files, the management point is not verified as a trusted source. In Configuration Manager SP1, if you use the options to commit changes on Windows Embedded devices, accounts might be locked out sooner than expected.

This topic also has the following new security issues listed:

About Client Settings in Configuration Manager

Updated throughout to incorporate the change in Configuration Manager SP1 where the True and False values in Configuration Manager with no service pack are now Yes and No. Other updates include the following: Background Intelligent Transfer Added information for these settings. Client Policy: Client policy polling interval Updated for Configuration Manager SP1 because the client policy interval in Service Pack 1 now applies to mobile devices that are enrolled by Configuration Manager, to Mac computers, and to computers that run Linux or UNIX. Computer Agent: Additional software manages the deployment of applications and software updates - This setting in Configuration Manager with no service pack was named Agent extensions manage the deployment of applications and software updates and has been
115

Topic

More information

renamed for clarity. There is no change in behavior. Typically, you select this option if you have installed a vendor add-on for Configuration Manager or use the SDK to install applications and software updates. Computer Agent: Allow Silverlight applications to run in elevated trust mode - This is a new setting to support Silverlight 5 in Service Pack 1. Computer Agent: PowerShell execution policy Added the value of All Signed, which is new in Configuration Manager SP1 and the new default value. Computer Agent: Disable deadline randomization Added for Configuration Manager SP1 and determines whether the client uses an activation delay of up to two hours to install required software updates and required applications when the deadline is reached. Endpoint Protection: Install Endpoint Protection client on client computers Updated to clarify that False or No does not uninstall the Endpoint Protection client. To uninstall the Endpoint Protection client, you must set the Manage Endpoint Protection client on client computers client setting to False or No, and then deploy a package and program to uninstall the Endpoint Protection client. Client Policy: Enable user policy polling on clients Updated for the new restriction in Configuration Manager SP1 that if this setting is not enabled, users cannot install applications from the Application Catalog. Metered Internet Connections New group settings that lets you specify how Configuration Manager SP1 clients that run Windows 8 communicate on metered network connections. Power Management New settings that let you configure wake-up proxy for Configuration Manager SP1 clients. Enrollment: - Added for Configuration Manager SP1, which replaces the Mobile Devices group settings in Configuration Manager with no service pack. Endpoint Protection: For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart) Added for Windows Embedded clients in Configuration Manager SP1.

About Client Installation Properties in Configuration Manager

Updated for the following: Updated to add the new CCMSetup property of /forceinstall, which lets you specify that any existing Configuration Manager client will be uninstalled before installing the new client. Updated to correct the information that /NotifyOnly is a Client.msi property and not a CCMSetup property. Updated to correct the information about the minimum cache size that you can specify, which is 1 MB for a new client. For a reinstalled client, you cannot specify a value lower than the previously configured cache size.
116

Topic

More information

Administrator Checklist: Deploying Clients in Configuration Manager Windows Firewall and Port Settings for Client Computers in Configuration Manager Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices

Updated for references to the new devices that are supported in Configuration Manager SP1.

Updated for the new wake-up proxy and client notification communication in Configuration Manager SP1.

New topic that provides an example scenario of how to manage write filters on Windows Embedded devices when you manage these clients in Configuration Manager SP1.

Technical New topic that contains technical reference information that you might require if Reference for you install the Configuration Manager SP1 client on Linux or UNIX servers. the Configuration Manager Client for Linux and UNIX

Deploying Software and Operating Systems in System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Content Management in Configuration Manager

Updated for information about the Configuration Manager content library, which includes a new
117

Topic

More information

section, About the Content Library on the Central Administration Site to help you plan for content storage on a central administration site. More information about this requirement appears in the Planning for Content Management in Configuration Manager. This topic, and the Planning for Content Management in Configuration Manager topic is also updated for information about how to move the content library. Planning for Content Management in Configuration Manager Configuring Content Management in Configuration Manager Updated for planning information for cloudbased distribution points and pull distribution points in Configuration Manager SP1. Updated the Install and Configure the Distribution Point section for additional information about the Allow clients to connect anonymously setting. Updated for security best practices and security issues for cloud-based distribution points in Configuration Manager SP1. Updated for the following new functionality in Configuration Manager SP1: App-V virtual environments App-V 5 deployment type New deployment types to support client computers that run Windows 8, and new deployment types for mobile devices that are managed by the Windows Intune connector.

Security and Privacy for Content Management in Configuration Manager Introduction to Application Management in Configuration Manager

This topic also has a new section to explain how mobile devices that are managed by the Windows Intune connector use the company portal so that users can download apps that you make available. Planning to Deploy Windows 8 Apps in Configuration Manager Planning for App-V Integration with Configuration Manager New topic to help you plan for deploying Windows 8 apps in Configuration Manager SP1. New topic that contains planning information to help you deploy virtual applications by using Configuration Manager.
118

Topic

More information

Configuring the Application Catalog and Software Center in Configuration Manager

Updated for the following: Updated Step 4 instructions that for Configuration Manager with no service pack, you must include setting permissions explicitly on the CMApplicationCatalog\Content\Images\AppI cons folder for users in other domains, because this folder does not inherit permissions from the parent folder, CMApplicationCatalog. In Configuration Manager SP1, users from other domains can automatically access the Application Catalog without manual configuration for the security permissions. Updated Step 6 with the tip that missing prerequisites are one of the most typical reasons for the Application Catalog to not operate correctly after installation. Check and confirm the site system role prerequisites for the Application Catalog site system roles by using the Site System Requirements section of the Supported Configurations for Configuration Manager topic. The footnotes for the table include important information about configuring WCF activation and the requirement to explicitly enable ASP.NET.

How to Create Applications in Configuration Manager How to Create and Deploy Applications for Mac Computers in Configuration Manager How to Deploy Applications in Configuration Manager

Updated to include information about the new application types in Configuration Manager SP1. New topic that contains information about how to deploy applications to Mac computers in Configuration Manager SP1. Updated for information about the new Configuration Manager SP1 option Allow clients on a metered Internet connection to download content after the installation deadline, which might occur additional costs. Updated to include information about the new deployment types in Configuration Manager SP1. This topic is also updated for information about
119

How to Create Deployment Types in Configuration Manager

Topic

More information

how to create a script to detect if an application is already installed. How to Create App-V Virtual Environments in Configuration Manager Deploying Software to Linux and UNIX Servers in Configuration Manager Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager New topic that contains information about how to create and manage App-V virtual environments in Configuration Manager SP1. New topic that contains information about how to deploy applications to Linux and UNIX servers in Configuration Manager SP1. Updated to add information about the new software update point functionality in Configuration Manager SP1. Updated to include changes to software update point functionality that is introduced in Configuration Manager SP1, such as the ability to install more than one software update point at a site.

Configuring Software Updates in Configuration Updated for the new and changed configuration Manager options in Configuration Manager SP1. Prerequisites For Deploying Operating Systems in Configuration Manager Updated the Dependencies External to Configuration Manager section to include new dependencies for Configuration Manager SP1. This includes details about the Automated Installation Kit (Windows AIK) for Configuration Manager with no service pack, and its replacement by the Windows Assessment and Deployment Kit (Windows ADK) for Configuration Manager SP1. Updated for information about a new setting that lets you configure the Windows PE scratch space in Configuration Manager SP1. New topic that provides information about deploying operating systems when sites in your hierarchy have different versions of Configuration Manager. Updated for the following security improvement in Configuration Manager SP1: When you use bootable media with
120

How to Manage Boot Images in Configuration Manager Planning for Operating System Deployment Interoperability

Security and Privacy for Deploying Operating Systems in Configuration Manager

Topic

More information

Configuration Manager SP1, the content is hashed and must be used with the original policy. This help prevents a client from installing content or client policy that has been tampered with. Configuration Manager SP1 uses client authentication to the state migration point by using a Configuration Manager token that is issued by the management point.

Task Sequence Built-in Variables in Configuration Manager

Updated to add the following variables: _SMSTSWTG OSDPreserveDriveLetter SMSTSAssignmentsDownloadInterval SMSTSAssignmentsDownloadRetry SMSTSBootUEFI SMSTSDownloadProgram SMSTSLanguageFolder SMSTSPersistContent SMSTSPostAction

How to Provision Windows To Go in Configuration Manager

New topic that provides information and procedures about how to use Configuration Manager SP1 so that users can boot to Windows 8 from a USB drive.

Prestart Commands for Task Sequence Media New topic that provides information and in Configuration Manager procedures about how to use a script or executable as a prestart command that runs before a task sequence is selected and can interact with the user in Windows PE.

Assets and Compliance in System Center 2012 Configuration Manager The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.
Topic More information

How to Create Queries in Configuration Manager

Updated for some example WQL queries that you can easily import and modify for your own use. For example, you could create your own collections by using these queries.
121

Topic

More information

Hardware Inventory for Linux and UNIX in Configuration Manager Introduction to Compliance Settings in Configuration Manager Prerequisites for Compliance Settings in Configuration Manager

New topic that explain how to inventory computers in Configuration Manager SP1 that run Linux or UNIX. Updated for information about the new user data and profiles configuration items in Configuration Manager SP1. Updated for the required permissions to manage user data and profiles configuration items in Configuration Manager SP1.

How to Create Windows Configuration Items for Updated to include more information about how Compliance Settings in Configuration Manager to create Active Directory settings. How to Create User Data and Profiles Configuration Items in Configuration Manager How to Create Mac Computer Configuration Items in Configuration Manager How to Import Configuration Data in Configuration Manager New topic about how to create user data and profiles configuration items in Configuration Manager SP1. New topic that provides information about how to create and deploy configuration items for Mac computers in Configuration Manager SP1. Updated to add a link to the System Center 2012 Configuration Manager Configuration Pack.

Security and Privacy for Compliance Settings in Updated for the following security best Configuration Manager practices: Introduction to Endpoint Protection in Configuration Manager Do not configure compliance rules that use data that can be modified by end users. Secure the communication channel when you browse to a reference computer.

Updated for a new workflow diagram that shows the steps and processes required to configure Endpoint Protection in Configuration Manager. New topic that contains information about how to configure update sources for Endpoint Protection definitions. Updated for new information about exclusion settings that you can use to prevent folders from being scanned by Endpoint Protection.
122

How to Configure Definition Updates for Endpoint Protection in Configuration Manager How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager

Topic

More information

How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager How to Monitor Endpoint Protection in Configuration Manager

Updated for new information about the available management tasks to remediate detected malware. Updated to add a new section named Malware Alert Levels, which contains a description of the various malware alert levels that you might see in the console and reports. New topic that provides an example scenario for how you can implement Endpoint Protection in Configuration Manager to protect computers in an organization from malware attacks.

Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager The following new or updated topics are from the Security and Privacy for System Center 2012 Configuration Manager guide.
Topic More information

Security and Privacy for System Center 2012 Configuration Manager Microsoft System Center 2012 Configuration Manager Privacy Statement

Updated the information about the Security Configuration Wizard (SCW) so that it includes the toolkit for Configuration Manager SP1. Updated for Configuration Manager SP1. There are no updates for Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum.

Scenarios and Solutions Using System Center 2012 Configuration Manager The Scenarios and Solutions Using System Center 2012 Configuration Manager guide is new and contains example scenario and solutions documentation from the other Configuration Manager guides.

What's New in the Documentation Library for November 2013

The following sections describe what's new in the Documentation Library for System Center 2012 Configuration Manager since the documentation library was updated in January 2013. The documentation library now contains information for System Center 2012 R2 Configuration Manager. The topics that are listed are either new topics or topics that contain significant technical changes. Topics that contain minor changes are not listed.

123

In addition to these sections, the Glossary for Microsoft System Center 2012 Configuration Manager is updated for System Center 2012 R2 Configuration Manager. Getting Started with System Center 2012 Configuration Manager The following new or updated topics are from the Getting Started with System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Configuration Manager Whats New in System Center 2012 R2 Configuration Manager Fundamentals of Configuration Manager

Updated for System Center 2012 R2 Configuration Manager. New topic that lists the changes in System Center 2012 R2 Configuration Manager, with links to additional information. Updated for System Center 2012 R2 Configuration Manager. For example, the new site system role, the certificate registration point. Updated support statements for Configuration Manager with no service pack and Configuration Manager SP1, and also new support statements for System Center 2012 R2 Configuration Manager. Updated for new questions that include the following: How can I increase the number of search results in the Configuration Manager console? When I search folders, how can I automatically include subfolders in the search? Should I use collections or application requirements to control software deployments? When I view the report named Distribution Point Usage Summary, why do I see a value for more clients than I expect to see in the column named Client Accessed (Unique)? Why does the value for Bytes Sent (MB), in the Distribution Point Usage Summary report, not always reflect the actual volume
124

Supported Configurations for Configuration Manager

Frequently Asked Questions for Configuration Manager

Topic

More information

of data I deploy? Is there a limit to the number of certificate templates that I can use with certificate profiles? Do I really need Windows Server 2012 R2 to deploy certificate profiles?

Site Administration for System Center 2012 Configuration Manager The following new or updated topics are from the Site Administration for System Center 2012 Configuration Manager guide.
Topic More information

Interoperability between Different Versions of Configuration Manager

New topic that contains information about interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007 and about interoperability between sites with different versions in System Center 2012 Configuration Manager. Updated to add a note to the table in the Disk Space Configurations section to make clear that the minimum disk space listed does not include the space required for source content that is located on the site server. You can find more information about this in the Plan for Content Libraries section of the Planning for Content Management in Configuration Manager topic. Updated the guidance for planning a hierarchy to reflect consideration of options to later expand a stand-alone primary site into a larger hierarchy; an option that did not exist when this documentation was first released. Updated to include Active Directory Certificate Services on Windows Server 2012. This topic is also updated for the new certificate requirement for servers running the Configuration Manager Policy Module with the Network Device Enrollment Service.
125

Planning for Hardware Configurations for Configuration Manager

Planning for Sites and Hierarchies in Configuration Manager

PKI Certificate Requirements for Configuration Manager

Topic

More information

Planning to Upgrade System Center 2012 Configuration Manager

Updated for a new section, Planning to Upgrade to System Center 2012 R2 Configuration Manager, which helps you plan to upgrade Configuration Manager SP1 to System Center 2012 R2 Configuration Manager. Updated for the information that there are no new schema changes in System Center 2012 R2 Configuration Manager. Updated to include the new System Center 2012 R2 Configuration Manager information: Where you can install the new site system role, the certificate registration point, and additional placement considerations for this site system role. The new prerequisite of Windows Assessment and Deployment Kit 8.1.

Determine Whether to Extend the Active Directory Schema for Configuration Manager Planning for Site Systems in Configuration Manager

Planning for Boundaries and Boundary Groups in Configuration Manager

Updated to add best practice guidance about using IP address ranges as boundaries only when other boundary types are not sufficient for your environment. Updated the Planning for Maintenance Tasks for Configuration Manager section for the following maintenance tasks that were introduced with Configuration Manager SP1: Delete Aged Client Presence History Delete Aged Notification Task History Delete Aged Replication Summary Data Delete Aged Unknown Computers

Planning for Site Operations in Configuration Manager

Install Sites and Create a Hierarchy for Configuration Manager

The topic that contains information about how to run Setup has the following updates: Clarified that when you upgrade an evaluation edition of Configuration Manager to a full edition, you must run the copy of Setup that is located on the site server in the Configuration Manager installation folder. The procedures for installing a central administration site or primary site installation are updated to identify when
126

Topic

More information

you can specify alternate file locations for the site database. This information also appears as an update in the Configure Custom Locations for the Site Database Files section of the Manage Site and Hierarchy Configurations topic. A new section, Whats New in System Center 2012 R2 Configuration Manager, lets you know that during installation of a central administration site or primary site, you can now specify alternate, non-default, locations for the site database files.

Configuring Settings for Client Management in Configuration Manager

Updated the Configure Wake on LAN section for the information that if you run System Center 2012 R2 Configuration Manager, you no longer have to manually configure Windows Firewall to allow the inbound ICMP ping commands that are required for wake-up proxy. This update is also reflected in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic. Updated for the following: Corrected the details about the service FQDN for a cloud-based distribution point. The FQDN must be unique and not match the name of a computer that is joined to a domain. This clarification is also added to the section that discusses the service certificate that you use for a cloud-based distribution point, in the Planning for Content Management in Configuration Manager topic. Updated the reference to the Virtual IP Address (VIP) for cloud-based distribution points to reflect the recent changes in the Windows Azure web portal. Clarified that site expansion was not available prior to Configuration Manager with Service Pack 1.

Install and Configure Site System Roles for Configuration Manager

Manage Site and Hierarchy Configurations

Updated to remove the guidance for the required configuration of the SQL Server
127

Topic

More information

cluster. This information is moved to, and is kept up-to-date, in Supported Configurations for Configuration Manager. Prerequisites for Reporting in Configuration Manager Updated for the support information that the reporting services point supports SQL Server 2012 SP1. Also clarified that the database for the reporting services point must be on a 64-bit installation of SQL Server. Updated the details for SQL Server to SQL Server connections to clarify that Configuration Manager does not require the SQL Server Browser (UDP 1434). Also updated the details in the Connections to Microsoft SQL Server section to clarify that for intersite communications, the SQL Server Service is in use, and that it defaults to port TCP 1433. This topic is also updated for the new ports used by certificate enrollment in System Center 2012 R2 Configuration Manager. Technical Reference for Log Files in Configuration Manager Updated to include new log files for new features in System Center 2012 R2 Configuration Manager: Certificate Enrollment

Technical Reference for Ports Used in Configuration Manager

Technical Reference for Cryptographic Controls Updated for System Center 2012 R2 Used in Configuration Manager Configuration Manager.

Migrating Hierarchies in System Center 2012 Configuration Manager The following new or updated topics are from the Migrating Hierarchies in System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Migration in System Center 2012 Configuration Manager

Updated for the new migration scenario: System Center 2012 R2 Configuration Manager to System Center 2012 R2 Configuration Manager. Updates for this scenario can also be found in Migrating Hierarchies in System Center 2012 Configuration Manager and in
128

Topic

More information

Prerequisites for Migration in System Center 2012 Configuration Manager. Prerequisites for Migration in System Center 2012 Configuration Manager Operations for Migrating to System Center 2012 Configuration Manager Updated for the permissions that are required by the Source Site Database Account, which is used during migration. Updated for a new section, Migrate Clients in System Center 2012 Configuration Manager, to clarify that although you can migrate client data, you dont migrate clients. Instead, you uninstall them from the source hierarchy and reinstall them from the destination hierarchy.

Deploying Clients for System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Clients for System Center 2012 Configuration Manager guide.
Topic More information

Introduction to Client Deployment in Configuration Manager

Updated for the following: Clarified that client notification does not support role-based administration. Added information about the hardware inventory that is collected from Mac computers. The Deploying the Configuration Manager Client to Linux and UNIX Servers section is updated for whats new or changed for the client for Linux and UNIX with cumulative update 1.

Determine the Site System Roles for Client Deployment in Configuration Manager

Updated to clarify that that the Application Catalog web service point and the Application Catalog website point site system roles are required for Windows-based computers when you want to deploy software with a deployment purpose of Available. Updated for the following: A procedure to restrict the client certificate to the Configuration Manager client, by using the Keychain Access dialog box.
129

How to Install Clients on Mac Computers in Configuration Manager

Topic

More information

Clarified that maintenance windows are not supported for these clients. A new section that explains how to upgrade the client on Mac computers. Added a script that can be used to configure the System Center 2012 R2 Configuration Manager client to use an existing certificate. How to use the new Mac Computer Enrollment Wizard in System Center 2012 R2 Configuration Manager.

How to Configure Client Settings in Configuration Manager

Updated for the System Center 2012 R2 Configuration Manager Resultant Settings option that displays calculated resultant settings for devices, users, and user groups. Updated for the following: How to verify that the connector is installed and configured correctly. Information about using a Client Access Server array if you use an on-premises Exchange Server, and information about the Configuration Manager retry behavior and associated logging information. A tip that if you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log log file on the site server computer.

How to Manage Mobile Devices by Using Configuration Manager and Exchange

How to Manage Mobile Devices by Using Configuration Manager and Windows Intune How to Manage Clients in Configuration Manager Security and Privacy for Clients in Configuration Manager

Updated for System Center 2012 R2 Configuration Manager. Updated to add information about the System Center 2012 R2 Configuration Manager Change Ownership option for clients. Updated to add the mobile device security issue that a wipe acknowledgment does not verify that the device has been successfully wiped. The following security best practices and security issues are also added for Mac
130

Topic

More information

computers: Store and access the client source files from a secured location. Consider configuring the trusted root CA certificate such that it is trusted for the SSL protocol only, to help protect against elevation of privileges. When users first enroll Mac computers, they are at risk from DNS spoofing. Mac enrollment does not limit certificate requests.

About Client Installation Properties in Configuration Manager

Updated for the CCMSetup.exe property of /ExcludeFeatures, which is new for System Center 2012 R2 Configuration Manager, and lets you prevent a feature from being installed during client installation. New topic that summaries the high-level steps required to configure the Windows Intune connector to manage mobile devices such as Windows RT, Windows Phone 8, iOS, and Android.

Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune

Deploying Software and Operating Systems in System Center 2012 Configuration Manager The following new or updated topics are from the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
Topic More information

Planning for Content Management in Configuration Manager

Updated for the following: Clarifications that cloud-based distribution points do not support software update packages and you must make sure that the service certificate does not define an FQDN for the cloud-based distribution point that matches an FQDN of a computer that is joined to a domain. Clarification in the Plan for Content Libraries section to clarify that Configuration Manager creates and maintains a content library on each site
131

Topic

More information

server in addition to the content library that is created on each distribution point. Added a new section, Plan for Binary Differential Replication. A new section, Plan for Distribution Point Priority, explains how System Center 2012 R2 Configuration Manager determines which distribution points it will transfer content to first, and how it then self-tunes this process to decrease the time it takes to get content deployments to more distribution points than in previous product versions. The section Planning for Pull-Distribution Points is updated to explain how pulldistribution points now support prioritization of their source distribution points. Information that the Configuration Manager console from System Center 2012 R2 Configuration Manager now identifies when a distribution point is configured as a pulldistribution point.

Configuring Content Management in Configuration Manager

Updated for the information that System Center 2012 R2 Configuration Manager supports the configuration of multiple Network Access Accounts for each site. Updated for the information that System Center 2012 R2 Configuration Manager has new options in content status monitoring to help you manage content distributions. Updated to clarify that App-V 5.0 SP1 is now supported by Configuration Manager. Updated for the following: Clarified that the Rate Limits tab and Schedule tab of the distribution point properties are available only when you configure a distribution point that is on a computer other than the site server. Clarified that pull-distribution points use BITS to transfer content from a source
132

Operations and Maintenance for Content Management in Configuration Manager

Planning for App-V Integration with Configuration Manager Configuring Content Management in Configuration Manager

Topic

More information

distribution point. Clarified that clients can run a task sequence from a cloud-based distribution point only when that task sequence is configured with the deployment option Download all content locally before starting task sequence.

How to Create Applications in Configuration Manager

Updated for System Center 2012 R2 Configuration Manager: There is a new web app deployment type. Windows 8 app bundle packages are now supported. The supported limit for the number of files in an application is 20,000. Information about the new option to allow Windows 8 apps to use an automatic VPN connection.

This topic now includes how to create deployment types, which was previously in a separate topic. Security and Privacy for Application Management in Configuration Manager Updated to add the following security best practices and security issues for application management: If you deploy applications for Mac computers, make sure that the source files are from a trustworthy source. If you configure a web application deployment type, use HTTPS rather than HTTP to secure the connection. You cannot restrict install permissions for the company portal.

How to Manage Virtual Hard Disks in Configuration Manager

New topic for System Center 2012 R2 Configuration Manager, which contains information about how to manage virtual hard disks (VHDs) from the Configuration Manager console and integrate the VHDs that you create into your datacenter. Updated for the following built-in variables that were added for System Center 2012 R2
133

Task Sequence Built-in Variables in Configuration Manager

Topic

More information

Configuration Manager: Task Sequence Steps in Configuration Manager _TSAppInstallStatus SMSTSDownloadRetryCount SMSTSDownloadRetryDelay TSErrorOnWarning

Updated to include the following task sequence steps that were added for System Center 2012 R2 Configuration Manager: Check Readiness Run PowerShell Script Set Dynamic Variables

Assets and Compliance in System Center 2012 Configuration Manager The following new or updated topics are from the Assets and Compliance in System Center 2012 Configuration Manager guide.
Topic More information

How to Create Collections in Configuration Manager

Updated for the following: The correct attributes that are available when you create a user collection. Some examples of how you might use include and exclude collection rules. The information that incremental collection evaluation interval is every 10 minutes. Removed the reference to the Evaluate Collection Members maintenance task.

How to Manage Collections in Configuration Manager

Updated for the information about the new client notification management tasks that allow you to download user or computer policy to all members of the selected device collection. Updated for the System Center 2012 R2 Configuration Manager new option, apply this schedule, which lets you define whether the maintenance window applies to all deployments, software updates, or task sequences. Updated for the following information:
134

How to Use Maintenance Windows in Configuration Manager

How to Create Mac Computer Configuration

Topic

More information

Items in Configuration Manager

Key names are case sensitive and will not be evaluated if they differ from the key name on the Mac computer. You cannot edit the key name after you have specified it. Configuration Manager does not support using the Boolean data type for Mac configuration item script settings.

Remote Connection Profiles in Configuration Manager

New section for System Center 2012 R2 Configuration Manager to help you create, deploy, and monitor remote connection settings to devices in your organization. New section for System Center 2012 R2 Configuration Manager that contains information about how you can minimize the end-user configuration required to connect to resources on the company network. For more information, see the following new sections: Certificate Profiles in Configuration Manager VPN Profiles in Configuration Manager Wi-Fi Profiles in Configuration Manager

Company Resource Access in Configuration Manager

Introduction to Endpoint Protection in Configuration Manager How to Provision the Endpoint Protection Client in a Disk Image in Configuration Manager

Updated to include information about where to find the Endpoint Protection client for Mac and for Linux. New topic that helps you to install the Endpoint Protection client on a computer that you intend to use as a disk image source for Configuration Manager operating system deployment. Updated for new and changed antimalware policy settings in Configuration Manager SP1.

How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager

Security and Privacy for System Center 2012 Configuration Manager The Microsoft System Center 2012 Configuration Manager Privacy Statement and Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum are

135

now moved from the Security and Privacy for System Center 2012 Configuration Manager guide to the System Center 2012 R2 Privacy Statement topic.

See Also
Getting Started with System Center 2012 Configuration Manager

Fundamentals of Configuration Manager

If you are new to Configuration Manager, you can use the following information to learn about the basic concepts for Microsoft System Center 2012 Configuration Manager before you run Setup or read more detailed information. If you are familiar with Configuration Manager 2007, see Whats New in System Center 2012 Configuration Manager. For information about supported operating systems and supported environments, hardware requirements, and capacity information, see Supported Configurations for Configuration Manager.

Sites
When you install System Center 2012 Configuration Manager for the first time, you create a Configuration Manager site that is the foundation from which to manage devices and users in your enterprise. This site is either a central administration site or a primary site. A central administration site is suitable for large-scale deployments and provides a central point of administration and the flexibility to support devices that are distributed across a global network infrastructure. A primary site is suitable for smaller deployments and it has fewer options to accommodate any future growth of your enterprise. When you install a central administration site, you must also install at least one primary site to manage users and devices. With this design, you can install additional primary sites to manage more devices and to control network bandwidth when devices are in different geographical locations. You can also install another type of site that is named a secondary site. Secondary sites extend a primary site to manage a few devices that have a slow network connection to the primary site. If you do not install a central administration site, the first site that you install is a stand-alone primary site. By default, you cannot install additional primary sites that can communicate with one another. However, you can still install one or more secondary sites to extend this primary site when you have to manage a few devices that have a slow network connection to the primary site. If you have installed a stand-alone primary site and you later decide to use a central administration site design, Configuration Manager SP1 lets you do this. Configuration Manager without a service pack does not support this design change until you upgrade the site to Configuration Manager SP1. This design change is known as site expansion. When you have more than one site that communicates with one another, you have an arrangement of sites that is known as a hierarchy. The following diagrams show some example site designs.

136

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide: Introduction to Site Administration in Configuration Manager Planning for Sites and Hierarchies in Configuration Manager Install Sites and Create a Hierarchy for Configuration Manager

Publishing Site Information to Active Directory Domain Services If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish System Center 2012 Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve System Center 2012 Configuration Manager site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration improves the security of your System Center 2012 Configuration Manager hierarchy and reduces administrative overhead. You can extend the Active Directory schema before or after you install System Center 2012 Configuration Manager. Before you can publish site information, you must also create an Active
137

Directory container named System Management in each domain that contains a System Center 2012 Configuration Manager site. You must also configure the Active Directory permissions so that the site can publish its information to this Active Directory container. As with all schema extensions, you extend the schema for System Center 2012 Configuration Manager one time only per forest. For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide: Determine Whether to Extend the Active Directory Schema for Configuration Manager Planning for Publishing of Site Data to Active Directory Domain Services Configuring Sites to Publish to Active Directory Domain Services

Site System Servers and Site System Roles Configuration Manager uses site system roles to support management operations at each site. When you install a Configuration Manager site, some site system roles are automatically installed and assigned to the server on which Configuration Manager Setup has run successfully. One of these site system roles is the site server, which you cannot transfer to another server or remove without uninstalling the site. You can use other servers to run additional site system roles or to transfer some site system roles from the site server by installing and configuring Configuration Manager site system servers. Each site system role supports different management functions. The site system roles that provide basic management functionality are described in the following table.
Site system role Description

Site server

A computer from which you run Configuration Manager Setup and that provides the core functionality for the site. A server that hosts the SQL Server database, which stores information about Configuration Manager assets and site data. A server that runs Configuration Manager services. When you install all the site system roles except for the distribution point role, Configuration Manager automatically installs the component server.

Site database server

Component server

Management point

A site system role that provides policy and service location information to clients and receives configuration data from clients.

138

Site system role

Description

Distribution point

A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images.

Reporting services point

A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager.

When companies first deploy Configuration Manager in a production environment, they typically run multiple site system roles on the site server and have additional site system servers for distribution points. Then they install additional site system servers and add new site system roles, according to their business requirements and network infrastructure. The additional site system roles that you might need for specific functionality are listed in the following table.
Site system role Description

Application Catalog web service point

A site system role that provides software information to the Application Catalog website from the Software Library. A site system role that provides users with a list of available software from the Application Catalog. A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. A site system role that communicates with a server that runs the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP). A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership
139

Application Catalog website point

Asset Intelligence synchronization point

Certificate registration point

Endpoint Protection point

Site system role

Description

for Microsoft Active Protection Service. Enrollment point A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers. A site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers. A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point. A site system role that provisions and configures Intel AMT-based computers for out of band management. A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients. A site system role that stores user state data when a computer is migrated to a new operating system. A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server. A site system role in Configuration Manager SP1 that uses Windows Intune to manage mobile devices in the Configuration Manager console.

Enrollment proxy point

Fallback status point

Out of band service point

Software update point

State migration point

System Health Validator point

Windows Intune connector

The following diagram shows these basic and additional site system roles that you can add to the site server computer or distribute by installing additional site system servers.

140

For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide: Planning for Site Systems in Configuration Manager Install and Configure Site System Roles for Configuration Manager

Clients
System Center 2012 Configuration Manager clients are devices such as workstations, laptops, servers, and mobile devices that have the Configuration Manager client software installed so that you can manage them. Management includes operations such as reporting hardware and software inventory information, installing software, and configuring settings that are needed for compliance. Configuration Manager has discovery methods that you can use to find devices on the network to help you install the client software on those devices.
141

Configuration Manager has several options to install the client software on devices. These options include client push installation, software update-based installation, Group Policy, and manual installation. You can also include the client when you deploy an operating system image. Configuration Manager uses collections to group devices so that you can perform management tasks on multiple devices that share a common set of criteria. For example, you might want to install a mobile device application on all mobile devices that are enrolled by Configuration Manager. If this is the case, you could use the All Mobile Devices collection, which automatically excludes computers. You can create your own collections to logically group the devices that you manage, according to your business requirements. For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide and the Assets and Compliance in System Center 2012 Configuration Manager guide: Introduction to Client Deployment in Configuration Manager Determine the Client Installation Method to Use for Windows Computers in Configuration Manager Determine How to Manage Mobile Devices in Configuration Manager Introduction to Collections in Configuration Manager

User-Centric Management In addition to the collections for devices, there are also user collections that contain users from Active Directory Domain Services. User collections let you install software on all computers that the user logs into, or you can configure user device affinity so that the software installs on only the main devices that the user uses. These main devices are called primary devices. A user can have one or more primary devices. One of the ways in which users can control their software deployment experience is by using the new computer client interface, Software Center. Software Center is automatically installed on client computers and accessed from the users Start menu. This client interface lets users manage their own software, as well as perform the following: Install software Schedule software to automatically install outside working hours Configure when Configuration Manager can install software on their device Configure access settings for remote control, if remote control is enabled in Configuration Manager Configure options for power management if an administrative user has enabled this

A link in Software Center lets users connect to the Application Catalog, where they can browse for, install, and request software. In addition, the Application Catalog lets users configure some preference settings and wipe their mobile devices. Because Application Catalog is a website that is hosted in IIS, users can also access the Application Catalog directly from a browser, from the intranet, or from the Internet.

142

Users can also specify their primary devices from the Application Catalog, if you allow this configuration. Other methods of configuring the user device affinity information include importing the information from a file and automatic generation from usage data. For more information, see the following topics in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide: Introduction to Application Management in Configuration Manager Configuring the Application Catalog and Software Center in Configuration Manager

Client Settings When you first install System Center 2012 Configuration Manager, all clients in the hierarchy are configured by using default client settings that you can change. These client settings include configuration options such as how frequently devices communicate with the site, whether the client is enabled for software updates and other management operations, and whether users can enroll their mobile devices to be managed by Configuration Manager. If you need different client settings for groups of users or devices, you can create custom client settings and then assign them to collections. Users or devices that are in the collection will be configured to have the custom settings. You can create multiple custom client settings and they are applied in the order that you specify. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. The following diagram shows an example of how you could create and apply custom client settings.

143

For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide: How to Configure Client Settings in Configuration Manager About Client Settings in Configuration Manager

Limited Management without Clients The System Center 2012 Configuration Manager client software provides full management capability for users and devices. However, there are also two scenarios in which you can manage devices independently from the client software: out of band management, which uses Intel Active Management Technology (AMT), and mobile devices that are connected to an Exchange service, such as an on-premises Exchange Server or Exchange Online (Office 365). Configuration Manager uses the client software to provision and configure computers for AMT, but when you perform AMT management operations, the client software is not used. Instead,
144

Configuration Manager connects directly to the AMT management controller. This means that you continue to have some management control over computers that are not started or are not responding at the operating system level. For example, you could restart these computers, reimage them, or run diagnostic utilities to help troubleshoot them. When you cannot install the Configuration Manager client software on mobile devices, you can still manage them by using the Exchange Server connector. The connector lets you configure the settings in the Exchange Default ActiveSync mailbox policy. Any settings that are defined in this policy can be configured by Configuration Manager, and this connector also supports remote wipe and Exchange access rules for block and quarantine. Any mobile device that you manage by using the Exchange Server connector displays in the All Mobile Devices collection, even though the device does not have the System Center 2012 Configuration Manager client installed. Because the client is not installed, you cannot deploy software to these devices. For more information, see the following topics in the Assets and Compliance in System Center 2012 Configuration Manager guide and the Deploying Clients for System Center 2012 Configuration Manager guide: Introduction to Out of Band Management in Configuration Manager Administrator Checklist: Out of Band Management in Configuration Manager How to Manage Mobile Devices by Using Configuration Manager and Exchange

Client Management Tasks

After you have installed Configuration Manager clients, you can perform various client management tasks, which include the following: Deploy applications, software updates, maintenance scripts, and operating systems. You can configure these to be installed by a specified date and time, or make them available for users to install when they are requested, and you can configure applications to be uninstalled. Help protect computers from malware and security threats, and notify you when problems are detected. Define client configuration settings that you want to monitor and remediate if they are out of compliance. Collect hardware and software inventory information, which includes monitoring and reconciling license information from Microsoft. Troubleshoot computers by using remote control or by using AMT operations for AMT-based computers that are not responding. Implement power management settings to manage and monitor the power consumption of computers.

You can use the Configuration Manager console to monitor these operations in near real-time, by using alerts and status information. For capturing data and historical trending, you can use the integrated reporting capabilities of SQL Reporting Services. To help ensure that you continue to manage the System Center 2012 Configuration Manager clients, use the client status information that provides data about the health of the client and client

145

activity. This data helps identify computers that are not responding and in some cases, problems can be automatically remediated. For more information, see the following topics in the Deploying Clients for System Center 2012 Configuration Manager guide and the Site Administration for System Center 2012 Configuration Manager guide: How to Manage Clients in Configuration Manager Introduction to Reporting in Configuration Manager

Configuration Manager (Windows Control Panel) When you install the Configuration Manager client, this installs the Configuration Manager client application in Control Panel. Unlike Software Center, this application is designed for the help desk rather than for end users. Some configuration options require local administrative permissions and most options require technical knowledge about how Configuration Manager works. You can use this application to perform the following tasks on a client: View properties about the client, such as the build number, its assigned site, the management point it is communicating with, and whether the client is using a PKI certificate or a self-signed certificate. Confirm that the client has successfully downloaded client policy after the client is installed for the first time and that client settings are enabled or disabled as expected, according to the client settings that are configured in the Configuration Manager console. Start client actions, such as download the client policy if there was a recent change of configuration in the Configuration Manager console and you do not want to wait until the next schedule time. Manually assign a client to a Configuration Manager site or try to find a site, and specify the DNS suffix for management points that publish to DNS. Configure the client cache that temporarily stores files, and delete files in the cache if you require more disk space to install software. Configure settings for Internet-based client management. View configuration baselines that were deployed to the client, initiate compliance evaluation, and view compliance reports.

Security
Security for System Center 2012 Configuration Manager consists of several layers. First, Windows provides many security features for both the operating system and the network, such as the following: File sharing to transfer files between System Center 2012 Configuration Manager components Access Control Lists (ACLs) to help secure files and registry keys IPsec for securing communications Group Policy for setting security policy DCOM permissions for distributed applications, such as the Configuration Manager console
146

Active Directory Domain Services to store security principals Windows account security, including some groups that are created during System Center 2012 Configuration Manager Setup

Then, additional security components, such as firewalls and intrusion detection, help provide defense in depth for the whole environment. Certificates issued by industry standard PKI implementations help provide authentication, signing, and encryption. System Center 2012 Configuration Manager controls access to the Configuration Manager console in several ways. By default, only local Administrators have rights to the files and registry keys required to run the Configuration Manager console on computers where it is installed. The next layer of security is based on access through Windows Management Instrumentation (WMI), specifically the SMS Provider. The SMS Provider is restricted by default to members of the local SMS Admins group. This group at first contains only the user who installed System Center 2012 Configuration Manager. To grant other accounts permission to the Common Information Model (CIM) repository and the SMS Provider, add the other accounts to the SMS Admins group. The final layer of security is based on permissions to objects in the site database. By default, the Local System account and the user account that you used to install System Center 2012 Configuration Manager can administer all objects in the site database. You can grant and restrict permissions to additional administrative users in the Configuration Manager console by using role-based administration. For more information, see the Security and Privacy for System Center 2012 Configuration Manager guide. Role-Based Administration System Center 2012 Configuration Manager uses role-based administration to help secure objects such as collections, deployments, and sites. This administration model centrally defines and manages hierarchy-wide security access settings for all sites and site settings. Security roles are assigned to administrative users and group permissions to different Configuration Manager object types, such as the permissions to create or change client settings. Security scopes group specific instances of objects that an administrative user is responsible to manage, such as an application that installs Microsoft Office 2010. The combination of security roles, security scopes, and collections define what objects an administrative user can view and manage. System Center 2012 Configuration Manager installs some default security roles for typical management tasks. However, you can create your own security roles to support your specific business requirements. For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide: Planning for Security in Configuration Manager Configuring Security for Configuration Manager

147

Securing Client Endpoints Client communication to site system roles is secured by using either self-signed certificates, or by using public key infrastructure (PKI) certificates. Computer clients that Configuration Manager detects to be on the Internet and mobile device clients must use PKI certificates so that the client endpoints can be secured by using HTTPS. The site system roles that clients connect to can be configured for either HTTPS or HTTP client communication. Client computers always communicate by using the most secure method that is available and only fall back to using the less secure communication method of HTTP on the intranet if you have site systems roles that allow HTTP communication. For more information, see the following topics in the Site Administration for System Center 2012 Configuration Manager guide: Planning for Security in Configuration Manager Configuring Security for Configuration Manager Technical Reference for Cryptographic Controls Used in Configuration Manager

Configuration Manager Accounts and Groups System Center 2012 Configuration Manager uses the Local System account for most site operations. However, some management tasks might require creating and maintaining additional accounts. Several default groups and SQL Server roles are created during Setup. However, you might have to manually add computer or user accounts to these default groups and roles. For more information, see Technical Reference for Accounts Used in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. Privacy Although enterprise management products offer many advantages because they can effectively manage lots of clients, you must also be aware of how this software might affect the privacy of users in your organization. System Center 2012 Configuration Manager includes many tools to collect data and monitor devices, some of which could raise privacy concerns. For example, when you install the System Center 2012 Configuration Manager client, many management settings are enabled by default. This results in the client software sending information to the Configuration Manager site. Client information is stored in the Configuration Manager database and the information is not sent to Microsoft. Before you implement System Center 2012 Configuration Manager, consider your privacy requirements. For more information, see the Security and Privacy for System Center 2012 Configuration Manager guide.

See Also
Getting Started with System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager

Note
148

This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide. This topic specifies the requirements to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product life-cycles is implied. Products that are beyond their current support life cycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle. Warning Microsoft provides support for the current service pack and, in some cases, the immediately previous service pack. For more information about Microsoft support lifecycle policy, go to the Microsoft Support Lifecycle Support Policy FAQ website at Microsoft Support Lifecycle Policy FAQ. Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog. Configuration Manager System Requirements Site and Site System Role Scalability Client Support Numbers for Sites and Hierarchies Site System Requirements Prerequisites for Site System Roles Prerequisites for Site System Roles on Windows Server 2012 Minimum Hardware Requirements for Site Systems Operating System Requirements for Site Servers, Database Servers, and the SMS Provider Operating System Requirements for Typical Site System Roles Operating System Requirements for Function-Specific Site System Roles Computer Client Hardware Requirements Operating System Requirements for Configuration Manager Client Installation Embedded Operating System Requirements for Configuration Manager Clients Client Requirements for Mac Computers Client Requirements for Linux and UNIX Servers Mobile Devices Enrolled by Configuration Manager Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector
149

Computer Client Requirements

Mobile Device Requirements

Mobile Device Legacy Client

Configuration Manager Console Requirements SQL Server Requirements Application Management Operating System Deployment Out of Band Management Remote Control Viewer Software Center and the Application Catalog Active Directory Schema Extensions Disjoint Namespaces Single Label Domains Support for Internet Protocol Version 6 Support for Specialized Storage Technology Support for Computers in Workgroups Support for Virtualization Environments Support for Network Address Translation DirectAccess Feature Support BranchCache Feature Support Fast User Switching Dual Boot Computers Upgrade Configuration Manager Infrastructure Upgrade for Configuration Manager SQL Server Upgrade for the Site Database Server

Configurations for the SQL Server Site Database Function-Specific Requirements

Support for Active Directory Domains

Windows Environment

Supported Upgrade Paths for Configuration Manager

Configuration Manager System Requirements

The following sections specify the hardware and software requirements that you must have to implement and maintain Configuration Manager in your environment. Site and Site System Role Scalability The following table contains information about the support limits at each site type and for clientfacing site system role. This information is based on the recommended hardware for site systems. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware
150

Requirements for Site Systems, in this topic. For information about the number of clients supported by each site or hierarchy, see Client Support Numbers for Sites and Hierarchies, in this topic.
Site or site system role More information

Central administration site Primary site

A central administration site can support up to 25 child primary sites. Each primary site can support up to 250 secondary sites. Note The number of secondary sites per primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site. For information about the numbers of clients and devices a primary site can support, see the Client Support Numbers for Sites and Hierarchies section in this topic.

Secondary site

For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. Management points per site: Each primary site can support up to 10 management points. Tip Do not position management points across a slow link from their primary site server or from the site database server. Each secondary site supports a single management point that must be installed on the secondary site server.

Management point

For information about the numbers of clients and devices a management point can support, see the Clients per Management Point section
151

Site or site system role

More information

in this topic. Distribution point The number of distribution points that are supported by an individual site depends on the version of Configuration Manager that you use: System Center 2012 Configuration Manager with no service pack Each primary and secondary site supports up to 250 distribution points. Each distribution point supports connections from up to 4,000 clients.

System Center 2012 Configuration Manager with SP1 Each primary and secondary site supports up to 250 distribution points. Each distribution point supports connections from up to 4,000 clients. A pull-distribution point is considered to be a client when it accesses another distribution point to obtain content.

System Center 2012 R2 Configuration Manager Each primary and secondary site supports up to 250 distribution points. Each primary and secondary site supports up to 2000 additional distribution points configured as pulldistribution points. For example, a single primary site supports 2250 distribution points when 2000 of those distribution points are configured as pull-distribution points. Each distribution point supports connections from up to 4,000 clients. A pull-distribution point is considered to be a client when it accesses another distribution point to obtain content.

Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the
152

Site or site system role

More information

primary sites child secondary sites. Each distribution point supports a combined total of up to 10,000 packages and applications. Note The number of clients that one distribution point can support depends on the speed of the network, and the hardware configuration of the distribution point computer. Software update point The number of software update points supported by each site depends on the version of Configuration Manager that you use: For Configuration Manager without service pack, each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four software update points in the NLB cluster. Beginning with Configuration Manager SP1, each site supports multiple software update points for use on the intranet and on the Internet. By default, beginning with Configuration Manager SP1, the Configuration Manager console does not support configuring software update points as NLB clusters. However, you can use the Configuration Manager SDK to configure a software update point on a NLB cluster. A software update point that is installed on the site server can support up to 25,000 clients. A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients when the remote computer meets the WSUS requirements to support this
153

Site or site system role

More information

number. Note For more information, see Planning for Software Updates in Configuration Manager. Fallback status point Application Catalog website point Each fallback status point can support up to 100,000 clients. You can install multiple instances of the Application Catalog website point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. Application Catalog web service point You can install multiple instances of the Application Catalog web service point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet.

154

Site or site system role

More information

System Health Validator point

Each System Health Validator point can support up to 100,000 clients.

Client Support Numbers for Sites and Hierarchies Use the following information to determine how many clients (devices) are supported by Configuration Manager sites and hierarchies. The following table identifies logical groups that combine different types of supported devices into one of three client groups. These client groups are then referenced in this topic to identify how many devices are supported by each type of Configuration Manager site, and as a combined total of devices for a hierarchy of Configuration Manager sites.
Logical groups Details

Client group 1

This client group includes computers that run a client for Configuration Manager and includes Windows Server, Windows Client, and Windows Embedded operating systems. It also includes the Configuration Manager client for Linux and UNIX. For more information, see the following sections of this topic: Operating System Requirements for Configuration Manager Client Installation Client Requirements for Linux and UNIX Servers Embedded Operating System Requirements for Configuration Manager Clients

Client group 2

This client group includes devices that are managed using Windows Intune with Configuration Manager, and devices supported by using the Exchange Server connector. For more information, see the following sections of this topic: Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector Note
155

Logical groups

Details

Prior to Configuration Manager SP1, only mobile devices supported by using the Exchange Server connector are supported by Configuration Manager. Client group 3 This client group includes devices that are enrolled by Configuration Manager, devices supported by the mobile device legacy client, and computers that run the client for Mac. For more information, see the following sections of this topic: Clients per Hierarchy This section contains information about the number of clients (devices) that are supported by a Configuration Manager hierarchy. The following table lists the maximum number of devices supported by different hierarchy designs and configurations, and is followed by supplemental details about the different designs and the maximum number of devices each design supports: Note Configuration Manager supports up to the listed number of devices from each client group for each listed hierarchy design when you use the default settings for all Configuration Manager features.
Hierarchy design Client group 1 Client group 2 Client group 3

Mobile Devices Enrolled by Configuration Manager Mobile Device Legacy Client Client Requirements for Mac Computers

Stand-alone primary site Central administration site with a site database created on a Datacenter or Enterprise edition of SQL Server Central administration site with a site database created on a Standard edition of SQL Server

100,000 400,000

50,000

25,000 25,000

300,000

50,000

300,000

25,000

156

When a stand-alone primary site supports only devices from client group 2, the site can support up to 100,000 devices. Stand-alone primary: For a hierarchy that has a stand-alone primary site as the top-level site, Configuration Manager supports up to 100,000 devices from client group 1. Additional devices from client group 2 and client group 3 are also supported. Unlike a central administration site, the edition of SQL Server that you use at a primary site does not affect the maximum number of clients that the hierarchy can support. Central administration site: For a hierarchy that has a central administration site as the toplevel site, the combined number of clients from client group 1 that the hierarchy can support depends on the edition of SQL Server that you use to host the site database at the central administration site. Regardless of the edition of SQL Server that you use, the number of devices from client group 2 and from client group 3 that a hierarchy supports does not change. If you expand a stand-alone primary site into a hierarchy by installing a new central administration site, the edition of SQL Server in use at the primary site does not place limits on the number of devices that the hierarchy can support. Instead, it is the edition of SQL Server in use at the new central administration site that determines the maximum number of devices that the new hierarchy can support. When you install a central administration site and use an Enterprise or Datacenter edition of SQL Server, the hierarchy can support a combined total of up to 400,000 devices from client group 1. Additional devices from client group 2 and client group 3 are also supported. In this configuration, the number of devices that each child primary site can support remains limited by the configuration of that primary site. For more information, see the Clients per Site section in this topic. When you install a central administration site and use a Standard edition of SQL Server, the hierarchy can support a total of up to 50,000 devices from client group 1. This total of devices is combined from all child primary sites in the hierarchy. This limitation exists because of how the database is partitioned when its created by using a Standard edition of SQL Server at the central administration site. Additional devices from client group 2 and client group 3 are also supported. After you install a central administration site, if you then upgrade the edition of SQL Server at the central administration site from Standard to an Enterprise or Datacenter edition, the database does not repartition and the 50,000 device limitation remains in place.

Clients per Site The maximum number of clients (devices) that a site can support depends on the site type, and the version of Configuration Manager that you use. Although you can only assign a device to a primary site, secondary sites support communications from devices. To help identify the supported number of devices, devices are divided into three logical client groups. A site is not limited to supporting devices from a single client group. A primary site can support a separate number of devices from each of the three client groups. For example, a standalone primary site that runs Configuration Manager SP1 can support up to 100,000 devices from client group 1, up to 50,000 devices from client group 2, and up to 25,000 devices from client group 3; for a total of 175,000 devices. However, Configuration Manager does not support replacing any number of devices from one client group with devices from another client group. For example, you have a stand-alone primary site that has 100,000 assigned devices from client
157

group 1 and you do not assign any devices from client group 2 or client group 3. In this scenario, the site cannot support additional devices from client group 1 even though it is not supporting additional clients from the additional client groups. The following table identifies the maximum number of devices per client group that are supported at primary and secondary sites: Tip The maximum number of clients that a primary or secondary site can support is not affected by the edition of SQL Server you use at that site. However, a child primary site that uses a local site database (installed on the site server) is limited to 50,000 clients from client group 1.
Site type Configuration Manager version Client group 1 Client group 2
4

Client group 3

Stand-alone primary site, with a local site database, or a remote site database

System Center 2012 Configuration Manager 1 with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

100,000

50,000

25,000

100,000

50,000

25,000

100,000 50,000

50,000 50,000

25,000 25,000

Child primary site System Center 2012 with a local site Configuration Manager 1 database with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Child primary site System Center 2012 with a remote Configuration Manager 1 site database with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

50,000

50,000

25,000

50,000

50,000 50,000

25,000 25,000

100,000

100,000

2, 3

50,000

25,000

100,000

2, 3

50,000

25,000

158

Site type

Configuration Manager version

1

Client group 1
5

Client group 2

Client group 3

Secondary site
1

Any version

5,000

System Center 2012 Configuration Manager with no service pack does not support the cilent for Linux and UNIX (client group 1) and does not support the client for Mac (client group 3). Additioanlly, client group 2 includes only mobile devices supported by using the Exchange Server connector. Support for the additional device types in this client group is introduced with System Center 2012 Configuration Manager SP1.
2

Beginning with System Center 2012 Configuration Manager SP1, primary sites support Windows Embedded devices that have File-Based Write Filters (FBWF) enabled. When embedded devices do not have write filters enabled, a primary site can support a number of embedded devices up to the allowed number of devices for that site (50,000 or 100,000). Of the total number of devices that a primary site supports, a maximum of 10,000 of these can be Windows Embedded devices when those devices are configured for the exceptions listed in the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. A primary site supports only 3,000 Windows Embedded devices that have FBWF enabled and that are not configured for the exceptions.
3

In a hierarchy that has a central administration site that uses a Standard edition of SQL Server, child primary sites are limited to 50,000 devices from client group 1 because this is the maximum number of devices that are supported by that hierarchy configuration.
4

When a site supports only devices from client group 2, the site can support up to 100,000 devices. With this configuration, there is no change to the total number of devices that are supported in the hierarchy.
5

Each secondary site can support communications from up to 5,000 devices when you use a secondary site server that has the recommended hardware and a fast and reliable network connection to its primary parent site. This number includes a mix of devices from any of the three client groups. A secondary site could support communications from additional devices when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. Clients per Management Point The number of devices that a management point supports depends on the type of site where the management point is located, and the type and numbers of clients that might use the management point. To help you understand the following details, you should be familiar with the three logical client groups which define different types of clients. For information about the client groups, see Client Support Numbers for Sites and Hierarchies, in this topic.

159

Site type

Client group 1

Client group 2

Client group 3

Primary site: Each primary site supports up to 10 management points

Allocate at least one management point for every 25,000 clients

For example, if you have a stand-alone primary site that can support up to 100,000 clients from client group 1, and you have 100,000 active clients from client group 1, you must have at least four management points. It is a best practice to provide additional management points. Note When you use more than four management points in a primary site, you do not increase the number of clients that site can support beyond the documented limits. Instead, any additional management points provide redundancy for communications from clients.

Not applicable. Clients in client group 2 do not require the use of a management point.

Allocate at least one management point that is enabled for mobile devices for every 25,000 devices that run the mobile device legacy client in addition to any management points you use to manage devices that run the client for Mac. Allocate at least one management point that is enabled for mobile devices for every 10,000 devices that run the client for Mac, in addition to any management points you use for devices that run the mobile device legacy client.

Secondary site: Each secondary site supports a single management point which must be installed on the site server

The management point at a secondary site always supports communications from the same number of clients as supported by the secondary site server. For information about the number of clients supported by a secondary site, see, Clients per Site, in this topic.

160

Site type

Client group 1

Client group 2

Client group 3

computer. For example, you have a site that supports the following devices: 35,000 clients that include a mix of Windows client and server operating systems, Linux, and Windows Embedded devices (group 1) 15,000 devices that run the client for Mac, (group 3) 10,000 devices that run the mobile device legacy client (group 3) Two management points to support the various devices from group 1 Two management points enabled for mobile devices to support the clients for Mac One additional management point enable for mobile devices to support the devices that run the mobile device legacy client Note In most scenarios you cannot control the specific management point that is used by a client that runs the mobile device legacy client or the Mac client. Therefore, it is a best practice to plan for extra capacity, providing additional management points per device. Site System Requirements Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception to this is the distribution point site system role which can be installed on limited 32-bit operating system versions. Limitations for site systems: Site systems are not supported on Server Core installations for the following operating systems: Windows Server 2008 or Windows Server 2008 R2. Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation. Windows Server 2012 or Windows Server 2012 R2. An exception to this is that beginning with System Center 2012 R2 Configuration Manager, these operating systems support the distribution point site system role, without PXE or multicast support. Windows Server 2012 Foundation or Windows Server 2012 R2 Foundation.

To support this distribution of devices, you deploy five management points:

It is not supported to change the domain membership or computer name of a Configuration Manager site system after it is installed. Site system roles are not supported on an instance of a Windows Server cluster. The only exception to this is the site database server.

The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles. Prerequisites for Site System Roles
161

The following table identifies prerequisites that are required by Configuration Manager for each site system role on supported operating systems prior to Windows Server 2012. For information about prerequisites for site system roles on Windows Server 2012 and Windows Server 2012 R2, see Prerequisites for Site System Roles on Windows Server 2012. Important Except where specifically noted, prerequisites apply to all versions of System Center 2012 Configuration Manager. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role .NET Framework version
1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Site server

Requires both Not of the applicabl following: e 3.5 SP1 4.0

Not applicable

Windows feature: Remote Differential Compression The computer where you install a central administration site or a primary site must have the required version of Windows AIK or Windows ADK installed before you install Configuration Manager. Similarly, when you upgrade a Configuration Manager site, you must install the version of the Windows ADK that the new version of Configuration Manager requires before you can upgrade the site. For more information about this requirement, see Operating System Deployment in this topic. By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles.

162

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Database Not server applicable

Not applicabl e

Not applicable

A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider Server

Not applicable

Not applicabl e

Not applicable

The computer where you install an instance of the SMS Provider must have the required version of Windows AIK or Windows ADK installed before you install the SMS Provider. Similarly, when you upgrade a Configuration Manager site, on each computer that runs an instance of the SMS Provider you must install the version of the Windows ADK that the new version of Configuration Manager requires. For more information about this requirement, see Operating System Deploymentin this topic.

Applicatio n Catalog web service point

Requires both Requires of the the following: following options 3.5 SP1 for WCF 4.0 activatio n: HTT

Requires the Not applicable default IIS configuratio n with the following additions: Appl ication Develop
163

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

P Activ ation NonHTT P Activ ation

ment: ASP .NE T (and auto mati cally sele cted opti ons) IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y

Applicatio Requires the n Catalog following: website 4.0 point

Not applicabl e

Requires the Not applicable default IIS configuratio n with the following additions: Co mmon
164

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

HTTP Feature s: Stati c Con tent Def ault Doc ume nt Appl ication Develop ment: ASP .NE T (and auto mati cally sele cted opti ons)
3

Sec
165

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

urity: Win dow s Auth enti cati on IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y Not applicable

Asset Requires the Intelligen following: ce 4.0 synchroni zation point Certificat e registrati on point Requires the following: 4.0

Not applicabl e

Not applicable

Requires the following options for WCF activatio

Requires the Not applicable default IIS configuratio n with the following additions:
166

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

n: HTT P Activ ation

IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y IIS 6 WMI Co mpa tibilit y Windows feature: Remote Differential Compression To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note For Windows Server 2008, Windows Server 2008 R2, WDS is installed and configured automatically when you configure a distribution point to support PXE or Multicast. For Windows Server 2003, you must install and configure WDS manually. For System Center 2012
167

Distributi 4 on point

Not applicable

Not applicabl e

You can use the default IIS configuratio n, or a custom configuratio n. To use a custom IIS configuratio n, you must enable the following options for IIS:

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Appl ication Develop ment: ISA PI Exte nsio ns Sec urity:

Configuration Manager with no service pack, to support PXE on a distribution point that is on a computer remote from the site server, you should install the following: Microsoft Visual C++ 2008 Redistributable. Note You can run the Microsoft Visual C++ 2008 Redistributable Setup from the Configuration Manager installation at: <ConfigMgrInstallationFolder>\ Client\x64\vcredist_x64.exe

For Configuration Win Manager SP1, dow vcredist_x64.exe is installed s automatically when you Auth configure a distribution point to enti support PXE. cati on With Configuration Manager SP1, you can IIS 6 use a cloud service in Windows Azure to Manage host a distribution point. For more ment information, see the section Planning for Compati Distribution Points for Windows Azure in bility: the Planning for Content Management in IIS 6 Configuration Manager topic. Met aba Note se With System Center 2012 Co Configuration Manager, the mpa distribution point site system role tibilit does not require Background y Intelligent Transfer Service (BITS). IIS 6 When BITS is configured on the
168

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

WMI Co mpa tibilit y When you use a custom IIS configuratio n, you can remove options that are not required, such as the following: Co mmon HTTP Feature s: HTT P Redi recti on IIS Manage ment Scripts and Tools

distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS

Endpoint

Requires the

Not

Not

Not applicable
169

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Protectio n point Enrollme nt point

following: 3.5 SP1

applicabl e

applicable

Requires the following:

Requires the following 3.5 SP1 options for System C for WCF enter 201 activatio 2 n: Configura tion Mana ger with HTT no P service Activ pack ation 4.0 for NonSystem C HTT enter 201 P 2 Activ Configura ation tion Mana ger with SP1

Requires the Not applicable default IIS configuratio n with the following additions: Appl ication Develop ment: ASP .NE T (and auto mati cally sele cted opti ons)
3

Enrollme nt proxy point

Requires the following:

Requires the following 3.5 SP1 options for System C for WCF enter 201 activatio 2 n: Configura tion Mana

Requires the Not applicable default IIS configuratio n with the following additions: Appl
170

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

ger with no service pack 4.0 for System C enter 201 2 Configura tion Mana ger with SP1

HTT P Activ ation NonHTT P Activ ation

ication Develop ment: ASP .NE T (and auto mati cally sele cted opti ons)
3

Fallback status point

Not applicable

Not applicabl e

Requires the Not applicable default IIS configuratio n with the following additions: IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y
171

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Manage ment point

System Cent er 2012 Configuration Manager with no service pack: Mana gement points that support mobile devices require the .NET Framewo rk 3.5 5 SP1 System Cent er 2012 Configuration Manager with SP1: All managem ent points require the .NET Framewo rk 4

Not applicabl e

You can use the default IIS configuratio n, or a custom configuratio 5 n. To use a custom IIS configuratio n, you must enable the following options for IIS: Appl ication Develop ment: ISA PI Exte nsio ns Sec urity: Win dow s

Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

172

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Auth enti cati on IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y IIS 6 WMI Co mpa tibilit y

When you use a custom IIS configuratio n you can remove options that are not required, such as the following: Co
173

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

mmon HTTP Feature s: HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Out of band service point

Requires the following: 4.0

Requires the following options for WCF activatio n: HTT P Activ ation NonHTT P Activ ation

Not applicable

Reporting Requires the

Not

Not

SQL Server Reporting Services installed

174

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

services point

following: 4.0

applicabl e

applicable

and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer. For more information, see the Planning for Software Update Point Installation section in the Planning for Software Updates in Configuration Manager topic.

Software update point

Requires both Not of the applicabl following: e 3.5 SP1 4.0

Requires the default IIS configuratio n

State migration point System Health Validator point Windows Intune connecto r
1

Not applicable

Not applicabl e Not applicabl e Not applicabl e

Requires the Not applicable default IIS configuratio n Not applicable This site system role is supported only on a NAP health policy server.

Not applicable

Requires the following: 4.0

Not applicable

Not applicable

Install the full version of the Microsoft.NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). Important
175

The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2

You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3

In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4

You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5

Each management point that you enable to support mobile devices requires the additional IIS configuration for ASP.NET (and its automatically selected options). With this requirement, review note 3 for applicability to your installation. Prerequisites for Site System Roles on Windows Server 2012 For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The following table identifies prerequisites that are required by Configuration Manager site system roles you install on Windows Server 2012 or Windows Server 2012 R2. For information about prerequisites for site system roles on supported operating systems prior to Windows Server 2012, see Prerequisites for Site System Roles. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role Windows Server Roles and Features Additional prerequisites

Site server

Features: .NET Framework 3.5 .NET Framework 4.5 Remote Differential Compression

The computer where you install a central administration site or a primary site must have the required version of Windows AIK or Windows ADK installed before you install Configuration Manager. Similarly, when you upgrade a Configuration Manager site, you
176

Site system role

Windows Server Roles and Features

Additional prerequisites

must install the version of the Windows ADK that the new version of Configuration Manager requires before you can upgrade the site. For more information about this requirement, see Operating System Deployment in this topic. By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles. Database server Not applicable A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express. SMS Provider Server Not applicable The computer where you install an instance of the SMS Provider must have the required version of Windows AIK or Windows ADK installed before you install the SMS Provider. Similarly, when you upgrade a Configuration Manager site, on each computer that runs an instance of the SMS Provider you must install the version of the Windows ADK that the new version of Configuration Manager requires.
177

Site system role

Windows Server Roles and Features

Additional prerequisites

For more information about this requirement, see Operating System Deploymentin this topic. Application Catalog web service point Features: .NET Framework 3.5 HTTP Activation (and automatically selected options) ASP.NET 4.5 Not applicable

.NET Framework 4.5

IIS Configuration: Common HTTP Features: Default Document IIS 6 Management Compatibility: IIS 6 Metabase Compatibility ASP.NET 3.5 (and automatically selected options) .NET Extensibility 3.5 Not applicable

Application Development:

Application Catalog website point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options)
178

Application Development:

Site system role

Windows Server Roles and Features

Additional prerequisites

.NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Asset Intelligence synchronization point Certificate registration point

Features: .NET Framework 4.5

Features: .NET Framework 4.5 HTTP Activation

Not applicable

IIS Configuration: Application Development: ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options)

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

1

Distribution point

Features : Remote Differential Compression Application Development: ISAPI Extensions Windows Authentication Security:

To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note WDS installs and configures automatically when you configure a
179

IIS Configuration:

Site system role

Windows Server Roles and Features

Additional prerequisites

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

distribution point to support PXE or Multicast on Windows Server 2012. For Configuration Manager with SP1, to support PXE on a distribution point that is on a computer remote from the site server, install the following: Microsoft Visual C++ 2008 Redistributable. Note For Windows Server 2012, the vcredist_x64.exe is installed automatically when you configure a distribution point to support PXE. PowerShell 3.0 is required on Windows Server 2012 before you install the distribution point.

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic. Note With System Center 2012 Configuration Manager, the distribution point site system role does not require Background Intelligent Transfer Service (BITS). When BITS is configured on the distribution point
180

Site system role

Windows Server Roles and Features

Additional prerequisites

computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS Endpoint Protection point Features: Enrollment point .NET Framework 3.5 SP1 Not applicable Not applicable

Features: .NET Framework 3.5 HTTP Activation ASP.NET 4.5 Default Document ASP.NET 3.5 .NET Extensibility 3.5 .NET Framework 4.5 Common HTTP Features: Application Development:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Enrollment proxy point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options)
181

Application Development:

Site system role

Windows Server Roles and Features

Additional prerequisites

.NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Fallback status point

Requires the default IIS configuration with the following additions: IIS Configuration: IIS 6 Management Compatibility: IIS 6 Metabase Compatibility

Management point

Features: .NET Framework 4.5 BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options) Application Development: ISAPI Extensions Windows Authentication Security:

Not applicable

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

182

Site system role

Windows Server Roles and Features

Additional prerequisites

Out of band service point

Features: .NET Framework 4.5 HTTP Activation Non-HTTP Activation

Not applicable

Reporting services point

Features: .NET Framework 4.5

SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows server role: Windows Server Update Services

Software update point

Features: .NET Framework 3.5 SP1 .NET Framework 4.5

Requires the default IIS configuration

For more information, see the Planning for Software Update Point Installation section in the Planning for Software Updates in Configuration Manager topic. Not applicable This site system role is supported only on a NAP health policy server. Not applicable

State migration point System Health Validator point Windows Intune connector
1

Requires the default IIS configuration Not applicable Features: .NET Framework 4.5

With System Center 2012 Configuration Manager, distribution points do not require BITS. When BITS is configured on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS. Minimum Hardware Requirements for Site Systems This section identifies the minimum required hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager
183

in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager. The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component Requirement

Processor

Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support Minimum: 1.4 GHz Minimum: 2 GB Available: 10 GB Total: 50 GB

RAM Free disk space

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider The following table specifies the operating systems that can support System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role. The table also specifies the Configuration Manager versions that support each operating system.
Operatin g system Syste m archite cture Central administratio n site Primary site Secondary site
1

Site database server

1, 2

SMS Provider

Windows Server 2 008 Stan dard Editi on (SP2 ) Enter prise Editi on

x64

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center

System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager no with no service service pack pack System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center System Center
184

Operatin g system

Syste m archite cture

Central administratio n site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

(SP2 ) Data cent er Editi on (SP2 ) Windows Server 2 008 R2 Stan dard Editi on with no servi ce pack, or with SP1) Enter prise Editi on (with no servi ce pack, or x64

2012 R2 Configur ation Manager

2012 R2 Configur ation Manager

2012 R2 Configur ation Manager

2012 R2 Configura tion Manager

2012 R2 Configur ation Manager

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager no with no service service pack pack System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center 2012 R2 Configura tion Manager System Center 2012 R2 Configur ation Manager

185

Operatin g system

Syste m archite cture

Central administratio n site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

with SP1) Data cent er Editi on (with no servi ce pack, or with SP1) Windows Server 2 012 Stan dard Data cent er Windows Server 2 012 R2 Stan dard x64 x64 System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center 2012 R2 Configura tion Manager Syste m Center 2012 Configura tion Mana ger with 3 SP1 System Center
186

System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager

Operatin g system

Syste m archite cture

Central administratio n site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

Data cent er

2012 R2 Configura tion Manager

Site database servers are not supported on a read-only domain controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Additionally, secondary site servers are not supported on any domain controller. 2 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic.
3

To support this operating system as a database server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. Note Windows Server 2012 R2 does not support the Windows Assessment and Deployment Kit 8.0 (Windows ADK). For Configuration Manager SP1, the Windows ADK is a prerequisite for a computer that is a site server or that hosts an instance of the SMS Provider. Therefore, Windows Server 2012 R2 remains unsupported for use as a site server or as a host for the SMS Provider for Configuration Manager SP1 even when cumulative update 3 is installed. Operating System Requirements for Typical Site System Roles The following table specifies the operating systems that can support multi-function site system roles, and the Configuration Manager versions that support each operating system.
Operatin g system Syste m archite cture Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Windows Vista Busi ness Editi

x64

System Cent Not er 2012 supported Configura tion Man ager with no service

Not supported

Not supported

Not supported

187

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

on (SP1 ) Enter prise Editi on (SP1 ) Ultim ate Editi on (with no servi ce pack, or with SP1) Windows 7 Profe ssion al (with no servi ce pack, or with SP1) x86, x64

pack

1, 2

System Cent er 2012 Configura tion Man ager with 1, 2 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

System Cent Not er 2012 supported Configura tion Man ager with no service 1, 2 pack System Cent er 2012 Configura tion Man ager with 1, 2 SP1

Not supported

Not supported

Not supported

188

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Enter prise Editi ons (with no servi ce pack, or with SP1) Ultim ate Editi ons (with no servi ce pack, or with SP1) Windows 8 Enter prise Pro x86, x64

System Center 2012 R2 Configura tion 1 Manager

,2

System Cent Not er 2012 supported Configura tion Man ager with 1, 2 SP1 System Center 2012 R2 Configura tion 1 Manager

Not supported

Not supported

Not supported

189

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

,2

Windows 8.1 Enter prise Pro

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with 2, 4, 7 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

Windows Server 2 003 Standard Editi on (SP2 ) Enterpris e Editi on (SP2 ) Datacent er Editi on (SP2 ) Windows Server 2

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2 Configura tion 2 Manager
,4

Not supported

Not supported

Not supported

x86

System Cent er 2012

Not

Not

Not

Not
190

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

003 Web Editi on (SP2 ) Stora ge Serv er Editi on (SP2 )

Configura supported tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2 Configura tion 2 Manager
,4

supported

supported

supported

Windows Server 2 003 R2 Stan dard Editi on Enter prise Editi on

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2 Configura

Not supported

Not supported

Not supported

191

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

tion 2 Manager
,4

Windows Server 2 008 Stan dard Editi on (SP2 ) Enter prise Editi on (SP2 ) Data cent er Editi on (SP2 ) Windows Server 2 008 R2 Stan dard Editi

x86, x64

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with no no no no SP1 service service service service System 2, 4 pack pack pack pack Center System Cent System Cent System Cent System Cent 2012 R2 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion tion Man tion Man tion Man tion Man Manager ager with ager with ager with ager with 2, 4 SP1 SP1 SP1 SP1 System System System System Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura tion tion tion tion 2 Manager Manager Manager Manager
,4

x64

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with no no no no SP1 service service service service System 4 pack pack pack pack Center
192

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

on (with no servi ce pack, or with SP1) Enter prise Editi on (with no servi ce pack, or with SP1) Data cent er Editi on (SP1 ) Windows Storage Server 2 008 R2 Work grou x64

System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura tion Man tion Man tion Man tion Man ager with ager with ager with ager with 5 SP1 SP1 SP1 SP1 System System System System Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura tion tion tion tion 5 Manager Manager Manager Manager

2012 R2 Configura tion Manager

System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack

Not supported

Not supported

Not supported

193

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

p Stan dard Enter prise

System Cent er 2012 Configura tion Man ager with 2, 5 SP1 System Center 2012 R2 Configura tion 2 Manager
,5

Windows Server 2 012 Stan dard Data cent er

x64

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with SP1 SP1 SP1 SP1 SP1 System System System System System Center Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura Configura tion tion tion tion tion 6 Manager Manager Manager Manager Manager System Not Center supported 2012 R2 Configura tion 1 Manager
,2

The x64 Server Core installatio n of Windows Server 2 012 Windows Server 2 012 R2 x64

Not supported

Not supported

Not supported

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man
194

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Stan dard Data cent er The x64 Server C ore installatio n of Windows Server 2 012 R2
1 2 3

ager with 7 SP1

ager with 7 SP1

ager with 7 SP1

ager with 7 SP1

ager with 7 SP1

System System System System System Center Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura Configura tion tion tion tion tion 6 Manager Manager Manager Manager Manager System Not Center supported 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

Distribution points on this operating system are not supported for PXE. Distribution points on this operating system version do not support Multicast.

Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
4

Distribution points on this operating system version are supported for PXE, but they do not support network booting of client computers in EFI mode. Client computers with BIOS or with EFI booting in legacy mode are supported.
5

Distribution points on this operating system version are supported for PXE boot of x64 UEFI computers but do not support PXE boot of IA32 UEFI computers.
6

Distribution points on this operating system version are supported for PXE boot of both x64 and IA32 UEFI computers.
7

To support this operating system as a site system server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1.
195

Operating System Requirements for Function-Specific Site System Roles The following table specifies the operating systems that are supported for use with each featurespecific Configuration Manager site system role, and the Configuration Manager versions that support each operating system.
Oper ating syste m Sys tem arc hite ctur e Applica tion Catalog web service point and Applica tion Catalog website point Asset Intellige nce synchr onizatio n point Cert ifica te regi strat ion poin t Endpoi nt Protecti on point Out of band service point Reporti ng service s point Softwar e update point State migratio n point System Health Validat or point

Wind x64 ows Serv er 20 08 S t a n d a r d E d it i o n ( S P 2 )

System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h no no ser ser vic vic e e pac pac k k System System Ce Ce nte nte r2 r2 012 012

Not sup port ed

System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er no er wit wit wit wit serv wit h h h h ice h no no no no pac no ser ser ser ser kSy ser vic vic vic vic ste vic e e e e mC e pac pac pac pac ente pac k k k k r 20 k 12 System System System System System Con Ce Ce Ce Ce Ce figur nte nte nte nte nte atio r2 r2 r2 r2 r2 nM 012 012 012 012 012
196

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

E n t e r p ri s e E d it i o n ( S P 2 ) D a t a c e n t e r

Co nfig ura tion Ma nag er wit h SP 1

Co nfig ura tion Ma nag er wit h SP 1

Co nfig ura tion Ma nag er wit h SP 1

Co nfig ura tion Ma nag er wit h SP 1

Co nfig ura tion Ma nag er wit h SP 1

Co nfig ura tion Ma nag er wit h SP 1

System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

System System System System Ce Ce Ce Ce nte nte nte nte r r r r 201 201 201 201 2 2 2 2 R2 R2 R2 R2 Co Co Co Co nfig nfig nfig nfig ura ura ura ura tion tion tion tion Ma Ma Ma Ma nag nag nag nag er er er er

ana Co ger nfig with ura SP1 tion Syst Ma em nag Cen er ter wit 201 h 2 SP R2 1 Con System figur Ce atio nte n r Man 201 ager 2 R2 Co nfig ura tion Ma nag er

197

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

E d it i o n ( S P 2 ) Wind x64 ows Serv er 20 08 R 2 S t a n d a r d E d it i o System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h no no ser ser vic vic e e pac pac k k S y s t e m C e n t e r 2 0 1 2 System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er no er wit wit wit wit serv wit h h h h ice h no no no no pac no ser ser ser ser kSy ser vic vic vic vic ste vic e e e e mC e pac pac pac pac ente pac k k k k r 20 k
198

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

n ( w it h n o s e r v i c e p a c k , o r w it h S P 1 ) E n t

System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h SP SP 1 1 System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

R System System System System 2 Ce Ce Ce Ce nte nte nte nte C r2 r2 r2 r2 o 012 012 012 012 n Co Co Co Co f nfig nfig nfig nfig i ura ura ura ura g tion tion tion tion u Ma Ma Ma Ma r nag nag nag nag a er er er er t wit wit wit wit i o h h h h n SP SP SP SP 1 1 1 1 M System System System System a Ce Ce Ce Ce n nte nte nte nte a r r r r g 201 201 201 201 e 2 2 2 2 r R2 R2 R2 R2 Co Co Co Co nfig nfig nfig nfig ura ura ura ura tion tion tion tion Ma Ma Ma Ma nag nag nag nag er er er er

12 System Con Ce figur nte atio r2 nM 012 ana Co ger nfig with ura SP1 tion Syst Ma em nag Cen er ter wit 201 h 2 SP R2 1 Con System figur Ce atio nte n r Man 201 ager 2 R2 Co nfig ura tion Ma nag er
199

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

e r p ri s e E d it i o n ( w it h n o s e r v i c e p a c k , o r w
200

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

it h S P 1 ) D a t a c e n t e r E d it i o n ( S P 1 ) Wind x64 ows Serv System Ce nte System Ce nte S System Ce nte System Ce nte System Ce nte System Ce nte System System Cen Ce ter 2 nte
201

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

er 20 12 S t a n d a r d D a t a c e n t e r

r2 012 Co nfig ura tion Ma nag er wit h SP 1

r2 012 Co nfig ura tion Ma nag er wit h SP 1

y s t e m C e n t e r

System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

2 0 System System System System 1 Ce Ce Ce Ce 2 nte nte nte nte r r r r R 201 201 201 201 2 2 2 2 2 R2 R2 R2 R2 C Co Co Co Co o nfig nfig nfig nfig n ura ura ura ura f i tion tion tion tion g Ma Ma Ma Ma u nag nag nag nag r er er er er a t i o

r2 012 Co nfig ura tion Ma nag er wit h SP 1

r2 012 Co nfig ura tion Ma nag er wit h SP 1

r2 012 Co nfig ura tion Ma nag er wit h SP 12

r2 012 Co nfig ura tion Ma nag er wit h SP 1

012 r2 Con 012 figur Co atio nfig nM ura ana tion ger Ma with nag SP1 er Syst wit em h Cen SP ter 1 201 System 2 Ce R2 nte Con r figur 201 atio 2 n R2 Man Co ager nfig ura tion Ma nag er

202

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

n M a n a g e r Wind x64 ows Serv er 20 12 R 2 S t a n d a r d D a t a c System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h SP SP 1 1 1 1 System System Ce Ce nte nte r r 201 201 2 2 S y s t e m C e n t e r 2 0 1 2 R 2 System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er SP1 er 1 wit wit wit wit wit h h h h h System SP SP SP SP SP Cen 1 1 1 1 1 1 1 1 1 1 ter System System System System 201 System Ce Ce Ce Ce 2 Ce nte nte nte nte R2 nte r r r r Con r 201 201 201 201 figur 201 2 2 2 2 atio 2
203

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

e n t e r

R2 Co nfig ura tion Ma nag er

R2 Co nfig ura tion Ma nag er

C o n f i g u r a t i o n M a n a g e r

R2 Co nfig ura tion Ma nag er

R2 Co nfig ura tion Ma nag er

R2 Co nfig ura tion Ma nag er

R2 Co nfig ura tion Ma nag er

n Man ager

R2 Co nfig ura tion Ma nag er

To support this operating system as a site system server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. Computer Client Requirements The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation on Windows-based computers, Mac computers, and servers that run Linux or UNIX. Make sure that you also review
204

Prerequisites for Windows Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on Windows-based computers and mobile devices. Computer Client Hardware Requirements The following are minimum requirements for Windows-based computers that you manage with Configuration Manager.
Requirement Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. Note An exception to this is Windows XP and Windows 2003, which both require a minimum of 256 MB of RAM.

Disk space

500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Less disk space is required if you use customized settings to install the Configuration Manager client: Use the CCMSetup command-line property /skippprereq to avoid installing files that the client does not require. For example, CCMSetup.exe /skipprereq:silverlight.exe if the client will not use the Application Catalog. Use the Client.msi property SMSCACHESIZE to set a cache file that is smaller than the default of 5120 MB. The minimum size is 1 MB. For example, CCMSetup.exe SMSCachesize=2 creates a cache that is 2 MB in size.

For more information about these client installation settings, see About Client Installation Properties in Configuration Manager. Tip Installing the client with minimal disk space is useful for Windows Embedded devices that typically have smaller disk
205

Requirement

Details

sizes than standard Windows computers. The following are additional hardware requirements for optional functionality in Configuration Manager.
Function Minimum hardware requirements

Operating system deployment Software Center

384 MB of RAM 500 MHz processor

Remote Control

Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least a 1 GB RAM for optimal experience. Desktop or portable computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.

Out of Band Management

Operating System Requirements for Configuration Manager Client Installation The following table specifies the operating systems that are supported for Configuration Manager client installation, and the versions of Configuration Manager that support each operating system. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and servers that run cluster services or terminal services.
Operating system System architecture Configuration Manager version

Windows XP Professional (SP3)

x86

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows XP Professional for 64-bit Systems (SP2)

x64

System Center 2012 Configuration Manager with no service pack System Center 2012
206

Operating system

System architecture

Configuration Manager version

Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows XP Tablet PC (SP3) x86 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2) x86, x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows 7 Professional (with no service pack, or with SP1) Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1) x86, x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager x86, x64 System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows 8.1 Pro Enterprise x86, x64 System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2
207

Windows 8 Pro Enterprise

Operating system

System architecture

Configuration Manager version

Configuration Manager

Windows Server 2003 Web Edition (SP2)

x86

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2003 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2003 R2 SP2 Standard Edition Enterprise Edition Datacenter Edition
1

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Storage Server 2003 R2 SP2

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2)

x86, x64

System Center 2012 Configuration Manager with no service pack

208

Operating system

System architecture
1

Configuration Manager version

Datacenter Edition (SP2)

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of Windows Server 2008 (SP2)

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1

Windows Storage Server 2008 R2 Workgroup Standard Enterprise

x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no 1 service pack, or with SP1)

x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of Windows Server 2008 R2 (with no service pack, or with SP1)

x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 Standard

x64

System Center 2012 Configuration Manager with

209

Operating system

System architecture

Configuration Manager version

Datacenter

SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of 2 Windows Server 2012

x64

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 R2 Standard Datacenter

1

x64

System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2 Configuration Manager

Windows Storage Server 2012 R2

x64

System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of 2 Windows Server 2012 R2

1

x64

System Center 2012 R2 Configuration Manager

Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.
2

To support client push installation, the computer that runs this operating system version must run the File Server role service for the File and Storage Services server role.
3

To support this operating system as a client with System Center 2012 Configuration Manager with SP1, you must first install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. For more information about installing Windows features on a Server Core computer, see Install Server Roles and Features on a Server Core Server in the Windows Server 2012 TechNet library. Embedded Operating System Requirements for Configuration Manager Clients System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection support clients for integration with Windows Embedded. Support limitations for Windows Embedded: All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled.
210

For System Center 2012 Configuration Manager with no service pack, Windows Embedded systems that have write filters enabled must use task sequences to deploy to embedded devices, and the task sequences must include steps to disable and then restore the write filters. Beginning with System Center 2012 Configuration Manager SP1, clients that use Enhanced Write Filters (EWF) RAM or File Based Write Filters (FBWF) are natively supported for all features except power management. Beginning with System Center 2012 R2 Configuration Manager, clients that use Unified Write Filters (UWF) are natively supported for all features except power management. The Application Catalog is not supported for any Windows Embedded device. Windows Embedded operating systems based on Windows XP are only supported for Endpoint Protection in Configuration Manager SP1. Before you can monitor detected malware on Windows Embedded devices based on Windows XP, you must install the Microsoft Windows WMI scripting package on the embedded device. Use Windows Embedded Target Designer to install this package. The files WBEMDISP.DLL and WBEMDISP.TLB must exist and be registered in the folder %windir%\System32\WBEM on the embedded device to ensure that detected malware is reported. Note Beginning with Configuration Manager SP1, new options are added to control the behavior of Windows Embedded write filters when you install the Endpoint Protection client. For more information, see Introduction to Endpoint Protection in Configuration Manager.

The following table specifies the Windows Embedded versions that are supported with Configuration Manager and Endpoint Protection, and the versions of Configuration Manager and Endpoint Protection that support each Windows Embedded version.
Windows Embedded operating system Base operating system System architectur e Configuration Manager version System Center 2012 Endpoint Protectio n version

Windows Embedded Standard 2009

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with SP1

Windows XP

Windows X

x86

System Center 2012

System
211

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

Embedded SP3

P SP3

Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

Center 2012 Endpoint Prote ction with SP1

Windows Fundamental s for Legacy PCs (WinFLP)

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with SP1

Windows Embedded POSReady 2009

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with SP1

WEPOS 1.1 with SP3

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1

System Center 2012 Endpoint Prote ction with SP1

212

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

System Center 2012 R2 Configuration Manager Windows Embedded Standard 7 with SP1 Windows 7 x86, x64 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Embedded POSReady 7 Windows 7 x86, x64 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Thin PC Windows 7 x86, x64 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Embedded 8 Pro Windows 8 x86, x64 System Center 2012 Configuration Man 1 ager with SP1 System Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

System Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

System Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

System Center 2012 Endpoint Prote

213

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

System Center 2012 R2 Configuration Manager Windows Embedded 8 Standard Windows 8 x86, x64 System Center 2012 Configuration Man 1 ager with SP1 System Center 2012 Configuration Man 1 ager with SP1 System Center 2012 R2 Configuration Manager Windows Embedded 8.1 Industry Windows 8. 1 x86, x64 System Center 2012 R2 Configuration Manager

ction with SP1

System Center 2012 Endpoint Prote ction with SP1 System Center 2012 Endpoint Prote ction with SP1

Windows Embedded 8 Industry

Windows 8

x86, x64

System Center 2012 R2 Endpoint Protection

The Unified Write Filter (UWF) that is included with this version of Windows Embedded is not supported by System Center 2012 Configuration Manager SP1. Therefore, with System Center 2012 Configuration Manager SP1, the built-in features for write filter management will not work with UWF. Client Requirements for Mac Computers Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The client for Mac is supported only on Mac computers that use an Intel 64-bit chipset. The following operating systems are supported for the Configuration Manager client for Mac computers:
Operating system Configuration Manager version

Mac OS X 10.6 (Snow Leopard)

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012
214

Mac OS X 10.7 (Lion)

Operating system

Configuration Manager version

Configuration Manager with SP1 Mac OS X 10.8 (Mountain Lion) System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 cumulative update 1 System Center 2012 R2 Configuration Manager

For more information about computers that run Mac OS X, see How to Install Clients on Mac Computers in Configuration Manager. Client Requirements for Linux and UNIX Servers Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use the information in the following sections to identify the supported distributions of Linux and UNIX and the hardware requirements to run a Configuration Manager client for Linux and UNIX. For information about the operating system file dependencies for the client for Linux and UNIX, see Prerequisites for Client Deployment to Linux and UNIX Servers in the Planning for Client Deployment for Linux and UNIX Servers topic. For an overview of the management capabilities supported for computers that run Linux or UNIX, see the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic. Supported Distributions of Linux and UNIX The following table lists the different releases of the client for Linux and UNIX that you can use with each version of Configuration Manager:
Configuration Manager version Version of the client for Linux and UNIX

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1

Not supported System Center 2012 Configuration Manager SP1 Client for Linux and UNIX Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

System Center 2012 R2 Configuration Manager

215

The following table identifies the operating systems, platforms, and client installation packages that are supported for each release of the client for Linux and UNIX: Important Only the most recent update for the System Center 2012 Configuration Manager SP1 Client for Linux and UNIX or the System Center 2012 R2 Configuration Manager Agent for Linux and UNIX is available for download. You can download clients for additional operating systems, and view the Release History including the client build versions online at the Microsoft Download Center: System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX
System Center 2012 Configuration Manager SP1 Client for Linux and UNIX Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Operating Versio system n

Red Hat Enterpris e Linux (RHEL)

Versio n4 x86 Versio n4 x64 Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64

ccmccmRHEL4x86.<build>.ta RHEL4x86.<build>.tar r ccmccmRHEL4x64.<build>.ta RHEL4x64.<build>.tar r ccmccmRHEL5x86.<build>.ta Universalx86.<build>.tar r ccmccmRHEL5x64.<build>.ta Universalx64.<build>.tar r ccmccmRHEL6x86.<build>.ta Universalx86.<build>.tar r ccmccmRHEL6x64.<build>.ta Universalx64.<build>.tar r ccmSol9sparc.<build>.tar ccmSol9sparc.<build>.tar

ccmRHEL4x86.<build>.tar ccmRHEL4x64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmSol9sparc.<build>.tar

Solaris

Versio n9 SPAR C

216

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Versio n 10 x86 Versio n 10 SPAR C Versio n 11 x86 Versio n 11 SPAR C SUSE Linux Enterpris e Server (SLES) Versio n9 x86 Versio n 10 SP1 x86 Versio n 10 SP1 x64 Versio n 11 SP1 x86 Versio n 11 SP1 x64

ccmSol10x86.<build>.tar ccmSol10sparc.<build>.t ar No support

ccmSol10x86.<build>.tar ccmSol10sparc.<build>.tar

ccmSol10x86.<build>.tar ccmSol10sparc.<build>.tar

ccmSol11x86.<build>.tar ccmSol11sparc.<build>.tar

ccmSol11x86.<build>.tar ccmSol11sparc.<build>.tar

No support

ccmSLES9x86.<build>.ta r ccmSLES10x86.<build>.t ar ccmSLES10x64.<build>.t ar ccmSLES11x86.<build>.t ar ccmSLES11x64.<build>.t ar

ccmSLES9x86.<build>.tar ccmUniversalx86.<build>.tar

ccmSLES9x86.<build>.tar ccmUniversalx86.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

217

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

CentOS

Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64

No support

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar No support

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar

No support

No support

No support

Debian

Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64 Versio n7 x86

No support

No support

No support

No support

No support

Versio n7 x64

No support

No support

ccmUniversalx64.<build>.tar

218

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Ubuntu

Versio n 10.4 LTS x86 Versio n 10.4 LTS x64 Versio n 12.4 LTS x86 Versio n 12.4 LTS x64

No support

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

No support

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

No support

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

No support

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

Oracle Linux

Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64

No support

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar

No support

No support

No support

HP-UX

Versio No support n 11iv2 IA64 Versio No support n 11iv2

ccmccmHpuxB.11.23i64.<build>.t HpuxB.11.23i64.<build>.t ar ar ccmccmHpuxB.11.23PA.<build>.t HpuxB.11.23PA.<build>.t

219

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

PARISC Versio No support n 11iv3 IA64 Versio No support n 11iv3 PARISC AIX Versio No support n 5.3 (Power ) Versio No support n 6.1 (Power ) Versio No support n 7.1 (Power )

ar

ar

ccmccmHpuxB.11.31i64.<build>.t HpuxB.11.31i64.<build>.t ar ar ccmccmHpuxB.11.31PA.<build>.t HpuxB.11.31PA.<build>.t ar ar ccm-Aix53ppc.<build>.tar ccm-Aix53ppc.<build>.tar

ccm-Aix61ppc.<build>.tar ccm-Aix61ppc.<build>.tar

ccm-Aix71ppc.<build>.tar ccm-Aix71ppc.<build>.tar

Note For the clients for Linux and UNIX, the listed version includes all subsequent minor versions. For example, where the table indicates support for CentOS version 6, this also includes any subsequent minor version of CentOS 6, such as CentOS 6.3. Similarly, where the table indicates support for an operating system that uses service packs, such as SUSE Linux Enterprise Server 11 SP1, support includes subsequent service packs for that operating system. For information about client installation packages and the Universal Agent, see How to Install Clients on Linux and UNIX Computers in Configuration Manager. Hardware and Disk Space Requirements The following are minimum hardware requirements for computers that you manage with the Configuration Manager client for Linux and UNIX.
220

Requirement

Details

Processor and memory Disk space

Refer to the processor and RAM requirements for the computers operating system. 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Configuration Manager client computers must have network connectivity to Configuration Manager site systems to enable management.

Network connectivity

Mobile Device Requirements The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager. Note The following mobile device clients are not supported in the Configuration Manager hierarchy: Device management clients from System Management Server 2003 and Configuration Manager 2007 Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection

Mobile Devices Enrolled by Configuration Manager The following table lists the platforms and languages that support Configuration Manager enrollment and the versions of Configuration Manager that support each platform.
Operating system Configuration Manager version Supported languages

Windows Mobile 6.1

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)
221

Operating system

Configuration Manager version

Supported languages

Windows Mobile 6.5

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Arabic Basque (Basque) Bulgarian Catalan Chinese (Hong Kong SAR) Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English (UK) English (US) Estonian Farsi Finnish French (Canada) French (France) Galician German Greek Hebrew Hungarian Icelandic
222

Nokia Symbian Belle

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Operating system

Configuration Manager version

Supported languages

Mobile Devices Enrolled by Windows Intune

Indonesian Italian Kazakh Korean Latvian Lithuanian Malay Norwegian Polish Portuguese (Brazil) Portuguese (Portugal) Romanian Russian Serbian (Latin/Cyrillic) Slovak Slovenian Spanish (Latin America) Spanish (Spain) Swedish Tagalog (Filipino) Thai Turkish Ukrainian Urdu Vietnamese

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The following table lists the platforms and languages that are supported for mobile devices that are enrolled by Windows Intune and you use the Windows Intune connector in Configuration Manager. Important You must have a subscription to Windows Intune to manage the following operating systems.

223

Operating system

Operating system version

Configuration Manager version

Company portal supported languages

Windows Phone 8

Not applicable

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish

Windows 8 RT Not applicable

Windows 8.1 RT Windows 8.1 iOS x86 x64 5.0 6.0 Android
1

Not applicable Not applicable

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

7.0 2.3 and later

Support for devices that run Android begins with Android 2.3, and includes all subsequent releases of Android. However, when you use System Center 2012 Configuration Manager SP1, or when you use System Center 2012 R2 Configuration Manager with a version of Android that is prior to 4.0, a limited set of functionality is available. Beginning with System Center 2012 R2 Configuration Manager, when you use the Company Portal app, Configuration Manager supports additional capabilities for devices that run Android 4.0 or later. For more information, see the How to Manage Mobile Devices by Using Configuration Manager and Windows Intune topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
224

Mobile Device Support by Using the Exchange Server Connector System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the platforms that support the Exchange Server connector and which versions of Configuration Manager support each platform.
Version of Exchange Server Configuration Manager version

Exchange Server 2010 SP1

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Server 2010 SP2

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Server 2013

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Online (Office 365)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager. Mobile Device Legacy Client Hardware Requirements
225

The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space. Mobile Device Legacy Client Operating System Requirements System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the mobile device platforms that are supported with the mobile device legacy client for Configuration Manager, and the versions of Configuration Manager that support each platform.
Operating system Configuration Manager version Supported languages

Windows CE 5.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US)
226

Windows CE 6.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows CE 7.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack

Operating system

Configuration Manager version

Supported languages

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

Windows Mobile 6.0

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Configuration Manager Console Requirements The following table lists the operating systems that are supported to run the Configuration Manager console, the minimum version of the Microsoft .NET Framework they require, and the versions of the Configuration Manager console that support each operating system.
Operating system System architecture Minimum .NET Framework version
1

Configuration Manager version

Windows XP Professional (SP3)

x86

.NET Framework 4

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Vista

x86, x64

.NET Framework 4

System Center 2012

227

Operating system

System architecture

Minimum .NET Framework version

Configuration Manager version

Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager x86, x64 .NET Framework 4
1

Windows 7 Professional Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Ultimate Edition (with no service pack, or with SP1)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8 Pro Enterprise

x86, x64

.NET Framework 4.5

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8.1 Pro Enterprise

x86, x64

.NET Framework 4.5

System Center 2012 R2 Configuration Manager

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

x86, x64

.NET Framework 4

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2008 R2 Standard Edition

x64

.NET Framework 4

System Center 2012 Configuration Manager with no service pack

228

Operating system

System architecture

Minimum .NET Framework version

Configuration Manager version

(with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no service pack, or with SP1) x64 .NET Framework 4.5

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 Standard Edition Datacenter Edition

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 R2 Standard Edition Datacenter Edition

x64

.NET Framework 4.5

System Center 2012 R2 Configuration Manager

The Configuration Manager console requires the full version of the .NET Framework 4 and is not supported with the .NET Framework Client Profile. The requirements in the following table apply to each computer that runs Configuration Manager console.
Minimum hardware configuration Screen resolution

1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU) 2 GB of RAM 2 GB of disk space.

DPI setting 96 / 100% 120 /125% 144 / 150% 196 / 200%

Minimum resolution 1024x768 1280x960 1600x1200 2500x1600

229

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Beginning with Configuration Manager SP1, the Configuration Manager console supports PowerShell. When you install support for PowerShell on a computer that runs the Configuration Manager console, you can run PowerShell cmdlets on that computer to manage Configuration Manager. You can install a supported version of PowerShell before or after the Configuration Manager console installs. The following table lists the minimum required version of PowerShell for each version of Configuration Manager.
PowerShell version System architecture Configuration Manager version

PowerShell 3.0

x86

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

For information about using a Configuration Manager console in an environment with multiple versions of Configuration Manager, see the Interoperability for the Configuration Manager Console section in the Interoperability between Different Versions of Configuration Manager topic.

Configurations for the SQL Server Site Database

Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. In a hierarchy with multiple sites, each site can use a different version of SQL Server to host the site database so long as that version of SQL Server is supported by the version of Configuration Manager that you use. For example, if your hierarchy runs Configuration Manager SP1, it is supported to use SQL Server 2008 R2 with SP1 and cumulative update 6 at the central administration site, and to use SQL Server 2012 with no service pack and cumulative update 2 at a child primary site, or vice versa. When you use a remote SQL Server, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in a single instance cluster, or a multiple instance configuration. SQL Server cluster configurations that have multiple active nodes are supported for hosting the site database. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. Note A SQL Server cluster in a Network Load Balancing (NLB) cluster configuration is not supported. Additionally, SQL Server database mirroring technology and peer-to-peer replication are not supported.

230

When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server Express. Whichever option that you choose, SQL Server must be located on the secondary site server. The version of SQL Server Express that Setup installs depends on the version of Configuration Manager that you use: System Center 2012 Configuration Manager without a service pack: SQL Server 2008 Express System Center 2012 Configuration Manager with SP1: SQL Server 2012 Express

The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.
SQL Server version SQL Server service pack Minimum required SQL Server cumulative update Configuration Manager version Configuration Manager site type

SQL Server 2008 Standard

1

SP2

Enterprise Datacenter

Minimum of cumulative update 9

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site

SP3

Minimum of cumulative update 4

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site

SQL Server 2008 R2 Standard

1

SP1

Minimum of cumulative update 6

Enterprise Datacenter

System Center 2012 Configuration Manag er with no service pack System Center 2012

Central administration site Primary site Secondary site

231

SQL Server version

SQL Server service pack

Minimum required SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SP2 No minimum cumulative update System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SQL Server 2012 Standard
1

Central administration site Primary site Secondary site

No service pack

Enterprise

Minimum of cumulative update 2

System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site Central administration site Primary site Secondary site Secondary site

SP1

No minimum cumulative update

System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

SQL Server Express 2008 R2

SP1

Minimum of cumulative update 6

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1

232

SQL Server version

SQL Server service pack

Minimum required SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

System Center 2012 R2 Configuration Manager SP2 No minimum cumulative update System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SQL Server 2012 Express No service pack Minimum of cumulative update 2 System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SP1 No minimum cumulative update System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager
1

Secondary site

Secondary site

Secondary site

When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.

SQL Server Requirements The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for

233

secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.
Configuration More information

SQL Server version Database collation

Configuration Manager requires a 64-bit version of SQL Server to host the site database. At each site, both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS. Note Configuration Manager supports two exceptions to this collation to meet standards that are defined in GB18030 for use in China. For more information, see Technical Reference for International Support in Configuration Manager.

SQL Server features

Only the Database Engine Services feature is required for each site server. Note Configuration Manager database replication does not require the SQL Server replication feature.

Windows Authentication

Configuration Manager requires Windows authentication to validate connections to the database. You must use a dedicated instance of SQL Server for each site. When you use a database server that is colocated with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of
234

SQL Server instance SQL Server memory

Configuration

More information

memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Optional SQL Server Configurations The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.
Configuration More information

SQL Server service

On each database server, you can configure the SQL Server service to run by using a domain local account or the local system account of the computer that is running SQL Server. Use a domain user account as a SQL Server best practice. This kind of account can be more secure than the local system account but might require you to manually register the Service Principle Name (SPN) for the account. Use the local system account of the computer that is running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Be aware that using the local system account for the SQL Server service is not a SQL Server best practice.

For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN
235

Configuration

More information

configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account that is used by the SQL Service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager). SQL Server Reporting Services SQL Server ports Required to install a reporting services point that lets you run reports. For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports: Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP 1433. The following site system roles communicate directly with the SQL Server database: Management point SMS Provider computer Reporting Services point Site server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured to use a unique set of ports. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port
236

Configuration

More information

that you want to use for intrasite communication. If you have a firewall enabled on the computer that is running SQL Server, make sure that it is configured to allow the ports that are being used by your deployment and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager. Application Management For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later versions. Operating System Deployment Configuration Manager requires several prerequisites to support deploying operating systems. The following prerequisites are required on the site server of each central administration site or primary site before you can install the site or upgrade the site to a new version of Configuration Manager. This requirement applies even when you do not plan to use operating system deployments: For System Center 2012 Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For System Center 2012 Configuration Manager with service pack 1: Windows Assessment and Deployment Kit 8.0 (Windows ADK) For System Center 2012 R2 Configuration Manager: Windows Assessment and Deployment Kit 8.1

For more information about prerequisites for operating system deployment, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

237

Out of Band Management System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions: Intel AMT version 3.2 with a minimum revision of 3.2.1 Intel AMT version 4.0, version 4.1, and version 4.2 Intel AMT version 5.0 and version 5.2 with a minimum revision of 5.2.10 Intel AMT version 6.0 and version 6.1 AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition. Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications. The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3.

The following limitations apply:

For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager. Remote Control Viewer The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems. Software Center and the Application Catalog The minimal screen resolution supported for client computers to run Software Center and the Application Catalog is 1024 by 768. The following web browsers are supported for use with the Software Center and Application Catalog: Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 Internet Explorer 10 Firefox 15 Note The Software Center and Application Catalog do not support web browsers that connect from computers that run Windows Server Core 2008.

238

Support for Active Directory Domains

All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain. The following table identifies the Windows Active directory domain functional level that is supported with each version of System Center 2012 Configuration Manager:
Active Directory domain functional level Configuration Manager version

Windows 2000

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration
239

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012 Windows Server 2012 R2

Active Directory domain functional level

Configuration Manager version

Manager

Note If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The following are limitations for site systems: Configuration Manager does not support the change of domain membership, domain name, or computer name of a Configuration Manager site system after the site system is installed.

Configuration Manager client computers can be domain members, or workgroup members. The following sections contain additional information about domain structures and requirements for Configuration Manager. Active Directory Schema Extensions Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites. However, they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic. Disjoint Namespaces Except for out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager. A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer that uses the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name.
240

The following table identifies the supported scenarios for a disjoint namespace.
Scenario More information

Scenario 1:

In this scenario, the primary DNS suffix of the The primary DNS suffix of the domain controller domain controller differs from the Active Directory DNS domain name. The domain differs from the Active Directory DNS domain controller is disjoint in this scenario. Computers name. Computers that are members of the that are members of the domain, such as site domain can be either disjoint or not disjoint. servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name. Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint. In this scenario, the primary DNS suffix of a member computer on which a site system is installed differs from the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.

To allow a computer to access domain controllers that are disjoint, you must change the msDSAllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to make sure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list. Important When you reference a computer in Configuration Manager, enter the computer by using its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system.
241

Single Label Domains Except for out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met: The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example: The single label domain of Contoso is configured to have a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso. DCOM connections between site servers in the system context must be successful by using Kerberos authentication. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

Windows Environment
The following sections contain general support configuration information for System Center 2012 Configuration Manager. Support for Internet Protocol Version 6 Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions.
Function Exception to IPv6 support

Cloud-based distribution points Mobile devices that are enrolled by Windows Intune and the Windows Intune connector Network Discovery Operating system deployment Out of band management Wake-up proxy communication Windows CE

IPv4 is required to support Windows Azure and cloud-based distribution points. IPv4 is required to support mobile devices that are enrolled by Windows Intune and the Windows Intune connector. IPv4 is required when you configure a DHCP server to search in Network Discovery. IPv4 is required to support operating system deployment. IPv4 is required to support out of band management. IPv4 is required to support the client wake-up proxy packets. IPv4 is required to support the Configuration
242

Function

Exception to IPv6 support

Manager client on Windows CE devices.

Support for Specialized Storage Technology Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system that the Configuration Manager component is installed on. Site Server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes that it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology. However, each computer can use a separate logical partition on the same physical partition of a shared storage device. Support considerations for the listed storage technologies: Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN. Single Instance Storage: Configuration Manager does not support configuration of distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the cache of a Configuration Manager client is not supported on a SIS-enabled volume. Note Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system. Removable Disk Drive: Configuration Manager does not support install of Configuration Manager site system or clients on a removable disk drive.

Support for Computers in Workgroups System Center 2012 Configuration Manager provides support for clients in workgroups. Configuration Manager supports moving a client from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Support for Virtualization Environments Configuration Manager supports installing the client and site system roles on supported operating systems that run as a virtual machine in the following virtualization environments. This support exists even when the virtual machine host (virtualization environment) is not supported as a client or site server. For example, if you use Microsoft Hyper-V Server 2012 to host a virtual machine
243

that runs Windows Server 2012, you can install the client or site system roles on the virtual machine (Windows Server 2012), but not on the host, (Microsoft Hyper-V Server 2012).
Virtualization environment Configuration Manager version

Windows Server 2008

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service
244

Microsoft Hyper-V Server 2008

Windows Server 2008 R2

Microsoft Hyper-V Server 2008 R2

Windows Server 2008

Microsoft Hyper-V Server 2008

Virtualization environment

Configuration Manager version

pack Windows Server 2012 Microsoft Hyper-V Server 2012 Windows Server 2012 R2 System Center 2012 Configuration Manager with SP1 System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

Each virtual computer that you use must meet or exceed the same hardware and software configuration that you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program, see Windows Server Virtualization Validation Program. Note Configuration Manager does not support Virtual PC or Virtual Server guest operating systems that run on a Mac. Configuration Manager cannot manage virtual machines unless they are online. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine whether an update has to be re-applied to a virtual machine image if the virtual machine is stopped and restarted without saving the state of the virtual machine to which the update was applied. Support for Network Address Translation Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is connected to the Internet. For more information about Internet-based client management, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic.

245

DirectAccess Feature Support Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, by using this feature, Configuration Manager clients on the Internet can communicate with their assigned site as if they were on the intranet. For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices. Configuration Manager does not support the following over DirectAccess: Deploying operating systems Communication between Configuration Manager sites Communication between Configuration Manager site system servers within a site

BranchCache Feature Support Windows BranchCache is integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is configured as a BranchCache server, the client computer downloads and caches the content. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this manner, successive clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. To support BranchCache with Configuration Manager, add the Windows BranchCache feature to the site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no additional configuration. Note With Configuration Manager SP1, cloud-based distribution points support the download of content by clients that are configured for Windows BranchCache. To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. The following table lists the Configuration Manager client operating systems that are supported with Windows BranchCache and identifies for each operating system if BranchCache distributed mode is supported natively by the operating system, or if the operating system requires the addition of the BITS 4.0 release.

246

Operating system

Support details
1

Windows Vista with SP2 Windows 7 with SP1 Windows 8 Windows 8.1

Requires BITS 4.0 Supported by default Supported by default Supported by default

1

Windows Server 2008 with SP2

Requires BITS 4.0 Supported by default Supported by default Supported by default

Windows Server 2008 R2 with no service pack, with SP1, or with SP2 Windows Server 2012 Windows Server 2012 R2
1

On this operating system, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers. Additionally, this operating system cannot use BranchCache functionality with cloud-based distribution points. You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation. Fast User Switching Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later versions. Dual Boot Computers System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed.

Supported Upgrade Paths for Configuration Manager

The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers.

247

Upgrade Configuration Manager The following table lists the versions of System Center 2012 Configuration Manager, and the supported upgrade paths between versions.
Configuration Manager version Release options Supported Upgrade Paths More information

System Center 2012 Configuration Manage r

An evaluation release that expires 180 days after installation. A complete release, to perform a new installation.

System Cente r 2012 Configuration Man ager evaluation release

You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days, you can only connect a read-only Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an in place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or
248

Configuration Manager version

Release options

Supported Upgrade Paths

More information

secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. System Center 2012 Configuration Manage r SP1 An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 20 12 Configuration Man ager. System Cente r 2012 Configuration Man ager SP1 evaluation release System Cente r 2012 Configuration Man ager with no service pack You can install System Center 2012 Configuration Manager SP1 as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager with no service pack. However, an upgrade from Configuration Manager 2007 to System Center 2012 Configuration Manager SP1 is not supported. If you install Configuration Manager as a trial installation, after 180 days you can only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager
249

Configuration Manager version

Release options

Supported Upgrade Paths

More information

SP1 supports migration from Configuration Manager 2007. System Center 2012 R2 Configuration Manager An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 20 12 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager evaluation release System Cente r 2012 Configuration Man ager SP1 You can install System Center 2012 R2 Configuration Manager as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager SP1. However, an upgrade from Configuration Manager 2007 or from System Center 2012 Configuration Manager with no service pack to System Center 2012 R2 Configuration Manager is not supported. If you use System Center 2012 Configuration Manager with no service pack, you must first upgrade your hierarchy to System Center 2012 Configuration Manager with SP1, and then you can upgrade to System Center 2012 R2 Configuration Manager. If you install Configuration Manager as a trial installation, after 180 days you can
250

Configuration Manager version

Release options

Supported Upgrade Paths

More information

only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 R2 Configuration Manager supports migration from Configuration Manager 2007. For information about how to upgrade an evaluation release of Configuration Manager to a full installation, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager. Infrastructure Upgrade for Configuration Manager In addition to upgrading the version of System Center 2012 Configuration Manager you use for sites, Configuration Manager clients and Configuration Manager consoles, you can upgrade the operating systems that run Configuration Manager site servers, database servers, site system servers, and clients. The information in the following sections can help you upgrade the infrastructure for Configuration Manager. Upgrade of the Site Server Operating System Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager. In-place upgrade from Windows Server 2012 to Windows Server 2012 R2. Any version of Windows Server 2008 to any version of Windows Server 2008 R2 or later. Any version of Windows Server 2008 to any version of Windows Server 2012 or later.
251

Configuration Manager does not support the following Windows Server upgrade scenarios.

Any version of Windows Server 2008 R2 to any version of Windows Server 2012 or later.

When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system: Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements. Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires you to have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.

Client Operating System Upgrade Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager.

SQL Server Upgrade for the Site Database Server Configuration Manager supports an in-place upgrade of SQL Server from a supported version of SQL on the site database server. The following sections provide information about the different upgrade scenarios supported by Configuration Manager and any requirements for each scenario. Upgrade of the Service Pack Version of SQL Server Configuration Manager supports the in-place upgrade of SQL Server to a higher service pack as long as the resulting SQL Server service pack level remains supported by Configuration Manager. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different service pack version of SQL Server, and there is no limitation to the order in which sites upgrade the service pack version of SQL Server that is used for the site database. SQL Server 2008 to SQL Server 2008 R2 Configuration Manager supports the in-place upgrade of SQL Server from SQL Server 2008 to SQL Server 2008 R2. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different version of SQL Server, and there is no limitation to the order in which sites upgrade the version of SQL Server in use for the site database. SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: System Center 2012 Configuration Manager with SP1 supports the in-place upgrade of SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 with the following limitations: Each Configuration Manager site must run service pack 1 before you can upgrade the version of SQL Server to SQL Server 2012 at any site.

252

When you upgrade the version of SQL Server that hosts the site database at each site to SQL Server 2012, you must upgrade the SQL Server version that is used at sites in the following order: Upgrade SQL Server at the central administration site first. Upgrade secondary sites before you upgrade a secondary sites parent primary site. Upgrade parent primary sites last. This includes both child primary sites that report to a central administration site, and stand-alone primary sites that are the top-level site of a hierarchy. Important Although you upgrade the service pack version of a Configuration Manager site by upgrading the top-tier site first and then upgrading down the hierarchy, when you upgrade SQL Server to SQL Server 2012, you must use the previous sequence, upgrading the primary sites last. This does not apply to upgrades of SQL Server 2008 to SQL Server 2008 R2.

To upgrade SQL Server on the site database server 1. Stop all Configuration Manager services at the site. 2. Upgrade SQL Server to a supported version. 3. Restart the Configuration Manager services. Note When you change the SQL Server edition in use at the central administration site from a Standard edition to either a Datacenter or Enterprise edition, the database partition that limits the number of clients the hierarchy supports does not change.

See Also
Planning for Configuration Manager Sites and Hierarchy

Frequently Asked Questions for Configuration Manager

Review the following sections for some frequently asked questions about System Center 2012 Configuration Manager: The Configuration Manager Console and Collections Sites and Hierarchies Migration Security and Role-Based Administration Client Deployment and Operations Mobile Devices Remote Control Software Deployment Endpoint Protection
253

The Configuration Manager Console and Collections

The following frequently asked questions relate to the Configuration Manager console and collections. Does the Configuration Manager console support a 64-bit operating system? Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of Windows and on a 64-bit version of Windows. What is a limiting collection and why would I use it? In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection. For more information, see How to Create Collections in Configuration Manager. Can I include or exclude the members of another collection from my collection? Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include Collections rule and the Exclude Collections rule that allow you to include or exclude the membership of specified collections. For more information, see How to Create Collections in Configuration Manager. Are incremental updates supported for all collection types? No. Collections configured by using query rules that use certain classes do not support incremental updates. For a list of these classes, see How to Create Collections in Configuration Manager. What is the All Unknown Computers collection? The All Unknown Computers collection contains two objects that represent records in the Configuration Manager database so that you can deploy operating systems to computers that are not managed by Configuration Manager, and so are unknown to Configuration Manager. These computers can include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager. Why does Install Client from the ribbon install the client to the whole collection when Ive selected a single computer but installs to the selected computer only if I right-click the computer and then select Install Client? If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client installs to all computers in the collection rather than to just the selected computer. To install the client to just the selected computer, click the Home tab on the ribbon before you click Install Client from the ribbon, or use the right-click option.
254

How can I create a collection that contains only Mac computers, or only Linux servers? For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Because an ID for each device type (for example Windows computers, Mac computers, or Linux computers) is stored in the Configuration Manager database, you can create a collection that contains a query rule to return only devices with a specified ID. For an example query to use, see the Example WQL Queries section in the How to Create Queries in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration Manager. How can I create a collection of Windows 8 computers that are Always On Always Connected capable? For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Create a collection with a query-based rule. Query the attribute class System Resource and the attribute Connected Standby Capable = Yes to return computers that are Always On Always Connected capable. Why does the Configuration Manager console use HTTP to the Internet and what would stop working if this is blocked by my firewall? The Configuration Manager console uses HTTP to the Internet in two scenarios: When you use the geographical view from the Site Hierarchy node in the Monitoring workspace, which uses Internet Explorer to access Bing Maps. When you use the Configuration Manager help file and click a link to view or search for information on TechNet.

If you do not require these functions, your firewall can block HTTP connections from the console without additional loss of functionality to Configuration Manager. For more information about the geographical view, see the About the Site Hierarchy Node section in the Monitor Configuration Manager Sites and Hierarchy topic. How can I increase the number of search results in the Configuration Manager console? By default, the Configuration Manager console limits search results to 1,000 items. You can change this value by using the Search tab. In the Options group. click Search Settings and then change the Search Results value in the Search Settings dialog box. When I search folders, how can I automatically include subfolders in the search? By default, the Configuration Manager console limits searches to the current folder. You can change this behavior by first clicking in the Search box in the results pane. Then, in the Search tab, in the Scope group. click All Subfolders. In the results pane, the search is extended to AND Path <Current Node + Subfolders>. Add criteria if required, and type your search text to search the current folder and its subfolders.

255

Sites and Hierarchies

The following frequently asked questions relate to sites and hierarchies in Configuration Manager. Are there new Active Directory schema extensions for System Center 2012 Configuration Manager? No. The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1. Where is the documentation for Setup? See Install Sites and Create a Hierarchy for Configuration Manager. Can I upgrade a prerelease version of System Center 2012 Configuration Manager to the released version? No. Unless you were in a prerelease program that was supported by Microsoft (such as the Technology Adoption Program or the Community Evaluation Program) there is no supported upgrade path for prerelease versions of System Center 2012 Configuration Manager. For more information, see the Release Notes for System Center 2012 Configuration Manager. Can I manage SMS 2003 clients with System Center 2012 Configuration Manageror migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager? No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012 Configuration Manager. You have two choices to move these sites and clients to System Center 2012 Configuration Manager: Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate them to System Center 2012 Configuration Manager. Uninstall SMS 2003 sites and clients and then install System Center 2012 Configuration Manager sites and clients.

For more information about supported upgrade paths, see the Supported Upgrade Paths section in the Supported Configurations for Configuration Manager topic. For more information about migrating Configuration Manager 2007 to System Center 2012 Configuration Manager, see the Migrating Hierarchies in System Center 2012 Configuration Manager guide. Can I upgrade an evaluation version of System Center 2012 Configuration Manager? Yes. If the evaluation version is not a prerelease version of System Center 2012 Configuration Manager, you can upgrade it to the full version. For more information, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic.
256

Have the site types changed from Configuration Manager 2007? System Center 2012 Configuration Manager introduces changes to both primary and secondary sites while the central administration site is new site type. The central administration site replaces the primary site referred to as a central site as the top-level site of a multi-primary site hierarchy. This site does not directly manage clients but does coordinate a shared database across your hierarchy, and it is designed to provide centralized reporting and configurations for your entire hierarchy. Can I join a pre-existing site to another site in System Center 2012 Configuration Manager? In System Center 2012 Configuration Manager with no service pack, you cannot change the parent relationship of an active site. You can only add a site as a child of another site at the time you install the new site. Because the database is shared between all sites, joining a site that has already created default objects or that has custom configurations can result in conflicts with similar objects that already exist in the hierarchy. However, in System Center 2012 Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy that includes a new central administration site. For more information, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic. Why cant I install a primary site as a child of another primary site as I did in Configuration Manager 2007? With System Center 2012 Configuration Manager, primary sites have changed to support only secondary sites as child sites, and the new central administration site as a parent site. Unlike Configuration Manager 2007, primary sites no longer provide a security or configuration boundary. Because of this, you should only need to install additional primary sites to increase the maximum number of clients your hierarchy can support, or to provide a local point of contact for administration. Why does Configuration Manager require SQL Server for my secondary site? In System Center 2012 Configuration Manager, secondary sites require either SQL Server, or SQL Server Express to support database replication with their parent primary site. When you install a secondary site, Setup automatically installs SQL Server Express if a local instance of SQL Server is not already installed. What is database replication? Database replication uses SQL Server to quickly transfer data for settings and configurations to other sites in the Configuration Manager hierarchy. Changes that are made at one site merge with the information stored in the database at other sites. Content for deployments, and other filebased data, still replicate by file-based replication between sites. Database replication configures automatically when you join a new site to an existing hierarchy.

257

How can I monitor and troubleshoot replication in Configuration Manager? See the Monitor Infrastructure for Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic. This section includes information about database replication and how to use the Replication Link Analyzer. What is Active Directory forest discovery? Active Directory Forest discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests. This discovery method can also create boundaries in Configuration Manager for the discovered network locations and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations. Can I provide clients with unique client agent configurations without installing additional sites? Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client settings (formerly called client agent settings) that you can then modify on clients by using custom client settings that you assign to collections. This creates a flexible method of delivering customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or where it is located on your network. For more information, see How to Configure Client Settings in Configuration Manager. Can a site or hierarchy span multiple Active Directory forests? Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests. Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest. Configuration Manager also supports clients that are in a different forest from their sites site server when the site system role that they connect to is in the same forest as the client. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. To support computers in an untrusted forest, do I have to create a new primary site and configure a two-way forest trust? No. Because System Center 2012 Configuration Manager supports installing most site system roles in untrusted forests, there is no requirement to have a separate site for this scenario, unless you have exceeded the maximum number of supported clients for a site. For more information about communications across forests, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. For more information about the number of computers that are supported, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic Tip The Application Catalog web service role and the enrollment point must be installed in the same forest as the site server. In this case, you can install the Application Catalog
258

website point and the enrollment proxy point in the other forest, and these site system roles communicate with the site by using the Application Catalog web service role and the enrollment point, respectively. After these site system roles are installed in the other forest, they communicate with their counterpart role by using certificates (self-signed or PKI). For more information about how this communication is secured, see the Cryptographic Controls for Server Communication section in the Technical Reference for Cryptographic Controls Used in Configuration Manager topic. How do clients find management points and has this changed since Configuration Manager 2007? System Center 2012 Configuration Manager clients can find available management points by using the management point that you specify during client deployment, Active Directory Domain Services, DNS, and WINS. Clients can connect to more than one management point in a site, always preferring communication that uses HTTPS, when this is possible because the client and management point uses PKI certificates. There are some changes here since Configuration Manager 2007, which accommodate the change that clients can now communicate with more than one management point in site, and that you can have a mix of HTTPS and HTTP site system roles in the same site. For more information, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. How do I configure my sites for native-mode? System Center 2012 Configuration Manager has replaced the native mode site configuration in Configuration Manager 2007 with individual site system role configurations that accept client communication over HTTPS or HTTP. Because you can have site system roles that support HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices must use HTTPS connections. For more information, see the Planning a Transition Strategy for PKI Certificates and InternetBased Client Management section in the Planning for Security in Configuration Manager topic. Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007? Unlike Configuration Manager 2007, there are no design restrictions to support clients on the Internet, providing you meet the requirements in the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. Because of the following improvements, you can more easily support clients on the Internet to fit your existing infrastructure: The whole site does not have to be using HTTPS client connections Support for installing most site system roles in another forest Support for multiple management points in a site

259

If you use multiple management points and dedicate one or more for client connections from the Internet, you might want to consider using database replicas for management points. For more information, see Configure Database Replicas for Management Points. Do I have to configure my site for Internet-based client management before I can use cloud-based distribution points in Configuration Manager SP1? No. Although both configurations use the Internet, they are independent from each other. Clients on the intranet can use cloud-based distribution points and these clients do not require a PKI client certificate. However, you still require PKI certificates if you want to use cloud-based distribution points; one for the Windows Azure management certificate that you install on the site system server that hosts the cloud-based distribution points, and one for the cloud-based distribution point service certificate that you import when you configure the cloud-based distribution point. For more information about the PKI certificate requirements for Internet-based client management and for cloud-based distribution points, see PKI Certificate Requirements for Configuration Manager. For more information about cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic. Why isnt the site system role that I want available in the Add Site System Roles Wizard? Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. When Configuration Manager does not support the installation of a site system role, it is not listed in the wizard. For example, the Endpoint Protection point cannot be installed in a secondary site, or in a primary site if you have a central administration site. So if you have a central administration site, you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard on a primary site. Other examples include you cannot add a second management point to a secondary site, and you cannot add a management point or distribution point to a central administration site. In addition, in Configuration Manager SP1, you do not see the Windows Intune connector listed as an available site system role until you have created the Windows Intune subscription. For more information about how to create the subscription, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. For more information about which site system roles can be installed where, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. Where do I configure the Network Access Account? Use the following procedure to configure the Network Access Account: How to configure the Network Access Account for a site
260

1. In the Administration workspace, expand Site Configuration, click Sites, and then select the site. 2. On the Settings group, click Configure Site Components, and then click Software Distribution. 3. Click the Network Access Account tab, configure the account, and then click OK. What High Availability does Configuration Manager have? Configuration Manager offers a number of high availability solutions. For information, see Planning for High Availability with Configuration Manager.

Migration
The following frequently asked questions relate to migrating Configuration Manager 2007 to System Center 2012 Configuration Manager. What versions of Configuration Manager, or Systems Management Server are supported for migration? The version of System Center 2012 Configuration Manager that you use to run migration determines the versions of Configuration Manager 2007 or System Center 2012 Configuration Manager that are supported for migration: When you use System Center 2012 Configuration Manager with no service pack, Configuration Manager 2007 sites with SP2 are supported for migration. When you use System Center 2012 Configuration Manager with SP1, Configuration Manager 2007 sites with SP2 and System Center 2012 Configuration Manager sites with SP1 are supported for migration.

Configuration Manager hierarchies that have data you want to migrate are called source hierarchies. The Configuration Manager hierarchy you re migrating data into, is called the destination hierarchy. For more information about prerequisites for Migration, see Prerequisites for Migration in System Center 2012 Configuration Manager. Can I use Configuration Manager SP1 to migrate my existing System Center 2012 Configuration Manager hierarchy with no service pack to a new Configuration Manager SP1 hierarchy? No. The new functionality in Configuration Manager SP1 supports migration from an existing Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy, in addition to supporting migration from Configuration Manager 2007 SP2 to Configuration Manager SP1. For more information about the new migration functionality, see Introduction to Migration in System Center 2012 Configuration Manager.
261

Why cant I upgrade my existing Configuration Manager 2007 sites to System Center 2012 Configuration Manager sites? Several important changes introduced with System Center 2012 Configuration Manager prevent an in-place upgrade; however, System Center 2012 Configuration Manager does support migration from Configuration Manager 2007 with a side-by-side deployment. For example, System Center 2012 Configuration Manager is native 64 bit application with a database that is optimized for Unicode and that is shared between all sites. Additionally, site types and site relationships have changed. These changes, and others, mean that many existing hierarchy structures cannot be upgraded. For more information, see Migrating Hierarchies in System Center 2012 Configuration Manager. Do I have to migrate my entire Configuration Manager 2007 hierarchy or System Center 2012 Configuration Manager hierarchy at one time? Typically, you will migrate data from a Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy (the source hierarchy) over a period of time that you define. During the period of migration, you can continue to use your source hierarchy to manage clients that have not migrated to your new System Center 2012 Configuration Manager hierarchy (the destination hierarchy). Additionally if you update an object in the source hierarchy after you have migrated that object to your destination hierarchy, you can re-migrate that object again up until you decide to complete your migration. After I migrate software and packages from a Configuration Manager 2007 hierarchy, do I have to use the new application model? When you migrate a Configuration Manager 2007 package to System Center 2012 Configuration Manager, it remains a package after migration. If you want to deploy the software and packages that migrate from your Configuration Manager 2007 hierarchy by using the new application model, you can use Microsoft System Center Configuration Manager Package Conversion Manager to convert them into System Center 2012 Configuration Manager applications. For more information, see Configuration Manager Package Conversion Manager. Why cant I migrate inventory history or compliance data for my clients? This type of information is easily recreated by an active client when it sends data to its new site in the destination hierarchy. Typically, it is only the current information from each client that provides useful information. To retain access to historical inventory information you can keep a Configuration Manager 2007 or System Center 2012 Configuration Manager source site active until the historical data is no longer required. Why must I assign a site in my new hierarchy as a content owner for migrated content? When you assign a site in the destination hierarchy to own the content, you are selecting the site that maintains that content in the destination hierarchy. Because the site that owns the content is responsible for monitoring the source files for changes, plan to specify a site that is near to the source file location on the network. When you migrate content between a source and destination hierarchy, you are really migrating the metadata about that content. The content itself might remain hosted on a shared distribution
262

point during migration, or on a distribution point that you will upgrade or reassign to the destination hierarchy. What are shared distribution points and why cant I use them after migration has finished? Shared distribution points are distribution points at sites in the source hierarchy that can be used by clients in the destination herarchy during the migration period. A distribution point can be shared only when the source hierarchy that contains the distribution point remains the active source hierarchy and distribution point sharing is enabled for the source site that contains the distribution point. Sharing distribution points ends when you complete migration from the source hierarchy. How can I avoid redistributing content that I migrate to a System Center 2012 Configuration Manager hierarchy? System Center 2012 Configuration Manager can upgrade supported distribution points from Configuration Manager 2007 source hierarchies, and reassign supported distribution points from System Center 2012 Configuration Manager source hierarchies. When you upgrade or reassign a shared distribution point, the distribution point site system role and the distribution point computer are removed from the source hierarchy, and installed as a distribution point at a site you select in the destination hierarchy. This process allows you to maintain your existing distribution points with minimal effort or disruption to your network. For more information, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager. You can also use the prestage option for System Center 2012 Configuration Manager distribution points to reduce the transfer of large files across low-bandwidth network connections. For more information, see the Prestaging Content section in the Introduction to Content Management in Configuration Manager topic. Can I perform an in-place upgrade of a Configuration Manager 2007 distribution point (including a branch distribution point) to a System Center 2012 Configuration Manager distribution point? You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that preserves all content during the upgrade. This includes an upgrade of a distribution point on a server share, a branch distributing point, or standard distribution point. Can I perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point? You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated content is preserved. What happens to the content when I upgrade a Configuration Manager 2007 secondary site or distribution point to a System Center 2012 Configuration Manager distribution point? During the upgrade to a System Center 2012 Configuration Manager distribution point, all migrated content is copied and then converted to the single instance store. When you migrate to a hierarchy that runs System Center 2012 Configuration Manager with no service pack, the original Configuration Manager 2007 content remains on the server until it is manually removed.
263

However, when you migrate to a hierarchy that runs System Center 2012 Configuration Manager SP1, the original Configuration Manager 2007 content is removed after the copy of the content is converted. Can I combine more than one Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy in a single System Center 2012 Configuration Manager hierarchy? You can migrate data from more than one source hierarchy, and the source hierarchies do not need to be the same version as each other. This means you can migrate from one or more Configuration Manager 2007 hierarches, one or more System Center 2012 Configuration Manager hierarchies, and from one or more hierarchies that each run a different version of Configuration Manager. However, you can only migrate from one hierarchy at a time. You can migrate the hierarchies in any order. However, you cannot migrate data from multiple hierarchies that use the same site code. If you try to migrate data from a site that uses the same site code as a migrated site, or that uses the same site code as a site in your destination hierarchy, this corrupts the data in the System Center 2012 Configuration Manager database. What Configuration Manager 2007 hierarchy can I use as a source hierarchy? System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007 environment that is at a minimum of Service Pack 2. For more information, see Prerequisites for Migration in System Center 2012 Configuration Manager. What objects can I migrate? The list of objects you can migrate depends on the version of your source hierarchy. You can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager, including the following: Advertisements Boundaries Collections Configuration baselines and configuration items Operating system deployment boot images, driver packages, drivers, images, and packages Software distribution packages Software metering rules Software update deployment packages and templates Software update deployments Software update lists Task sequences Virtual application packages

When you migrate between System Center 2012 Configuration Manager hierarchies, the list is similar, and includes objects that are only available in System Center 2012 Configuration Manager, such as Applications. For more information, see Objects That Can Migrate by Migration Job Type
264

Can I migrate maintenance windows? Yes. When a collection migrates, Configuration Manager also migrates collection settings, which includes maintenance windows and collection variables. However, collection settings for AMT provisioning do not migrate. Will advertisements rerun after they are migrated? No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that you migrate. System Center 2012 Configuration Manager retains the Configuration Manager 2007 Package ID for packages you migrate and clients that upgrade retain their advertisement history.

Security and Role-Based Administration

The following frequently asked questions relate to security and role-based administration in Configuration Manager. Where is the documentation for role-based administration? Because role-based administration is integrated into the configuration of the hierarchy and management functions, there is no separate documentation section for role-based administration. Instead, information is integrated throughout the documentation library. For example, information about planning and configuring role-based administration is in the Planning for Security in Configuration Manager topic and the Configuring Security for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide and the Security and Privacy for System Center 2012 Configuration Manager guide. The Configuration Manager console lists the description of each role-based security role that is installed with Configuration Manager, and the minimum permissions and suitable security roles for each management function is included as a prerequisite in the relevant topic. For example, Prerequisites for Application Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide list the minimum security permissions to manage and to deploy applications, and the security roles that meet these requirements. What is the minimum I have to configure if I dont want to use role-based administration while Im testing System Center 2012 Configuration Manager? If you install System Center 2012 Configuration Manager, there is no additional configuration because the Active Directory user account used to install Configuration Manager is automatically assigned to the Full Administrator security role, assigned to All Scopes, and has access to the All Systems and All Users and User Groups collections. However, if you want to provide full administrative permissions for other Active Directory users to access System Center 2012 Configuration Manager, create new administrative users in Configuration Manager using their Windows accounts and then assign them to the Full Administrator security role.
265

How can I partition security with System Center 2012 Configuration Manager? Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use role-based administration security roles to configure the permissions different administrative users have, and security scopes and collections to define the set of objects they can view and manage. These settings can be configured at a central administration site or any primary site and are enforced at all sites throughout the hierarchy. Should I use security groups or user accounts to specify administrative users? As a best practice, specify a security group rather than user accounts when you configure administrative users for role-based administration. Can I deny access to objects and collections by using role-based administration? Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user. How do I find which object types can be assigned to security roles? Run the report Security for a specific or multiple Configuration Manager objects to find the object types that can be assigned to security roles. Additionally you can view the list of objects for a security role by viewing the security roles Properties and selecting the Permissions tab. Can I use security scopes to restrict which distribution points are shown in the Distribution Status node in the Monitoring workspace? No, although you can configure role-based administration and security scopes so that administrative users can distribute content to selected distribution points only, Configuration Manager always displays all distribution points in the Monitoring workspace.

Client Deployment and Operations

The following frequently asked questions relate to deploying and managing clients on computers and mobile devices in Configuration Manager. Does System Center 2012 Configuration Manager support the same client installation methods as Configuration Manager 2007? Yes. System Center 2012 Configuration Manager supports the same client installation methods that Configuration Manager 2007 supports: client push, software update-based, group policy,

266

manual, logon script, and image-based. For more information, see How to Install Clients on Windows-Based Computers in Configuration Manager. Whats the minimum permission an administrative user requires for the Client Push Installation Wizard? To install a Configuration Manager client by using the Client Push Installation Wizard, the administrative user must have at least the Modify resource permission. Whats the difference between upgrading clients by using the supplied package definition file and a package and program, and using automatic client upgrade that also uses a package and program? When you create a package and program to upgrade Configuration Manager clients, this installation method is designed to upgrade existing System Center 2012 Configuration Manager clients. You can control which distribution points hosts the package and the client computers that install the package. This installation method supports only System Center 2012 Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients. In comparison, the automatic client upgrade method automatically creates the client upgrade package and program and this installation method can be used with Configuration Manager 2007 clients as well as System Center 2012 Configuration Manager clients. The package is automatically distributed to all distribution points in the hierarchy and the deployment is sent to all clients in the hierarchy for evaluation. This installation method supports System Center 2012 Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a System Center 2012 Configuration Manager site. Because you cannot restrict which distribution points are sent the upgrade package or which clients are sent the deployment, use automatic client upgrade with caution and do not use it as your main method to deploy the client software. For more information, see How to Upgrade Configuration Manager Clients by Using a Package and Program and How to Automatically Upgrade the Configuration Manager Client for the Hierarchy in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. Do references to devices in System Center 2012 Configuration Manager mean mobile devices? The term device in System Center 2012 Configuration Manager applies to a computer or a mobile device such as a Windows Mobile Phone. How does System Center 2012 Configuration Manager support clients in a VDI environment? For information about supporting clients for a virtual desktop infrastructure (VDI), see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic.

267

Why might there be differences between a clients assigned, installed, and resident site values when I look at the client properties in the Configuration Manager console? A clients assigned site is the primary site that creates the client policy to manage the device. Clients are always assigned to primary sites, even if they roam into another primary site or reside within the boundaries of a secondary site. The clients installed site refers to the site that sent the client the client installation files to run CCMSetup.exe. For example, if you used the Client Push Installation Wizard, you can specify Install the client software from a specified site and select any site in the hierarchy. The resident site refers to the site that owns the boundaries that the client currently resides in. For example, this might be a secondary site of the clients primary site. Or, it might be another primary site if the client is roaming and temporarily connected to a network that belongs to another site in the hierarchy. Is it true that System Center 2012 Configuration Manager has a new client health solution? Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor the activity of clients and check and remediate various problems that can occur. How do I find out what client health checks Configuration Manager makes and can I add my own? Review the checks that client health makes in the section Monitoring the Status of Client Computers in Configuration Manager in the topic Introduction to Client Deployment in Configuration Manager. You can use compliance settings in Configuration Manager to check for additional items that you consider required for the health of your clients. For example, you might check for specific registry key entries, files, and permissions. What improvements have you made for Internet-based client management? Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet: Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the Internet. For more information, see Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management. The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list. For more information, see Planning for the PKI Trusted Root Certificates and the Certificate Issuers List. Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet. If the Internet-based management point can authenticate the user, user polices are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity for when you deploy applications to users. Configuration Manager Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

268

What is the difference between Internet-based client management and DirectAccess? DirectAccess is a Windows solution for managing domain computers when they move from the intranet to the Internet. This solution requires the minimum operating systems of Windows Server 2008 R2 and Windows 7 on clients. Internet-based client management is specific to Configuration Manager, and it allows you to manage computers and mobile devices when they are on the Internet. The Configuration Manager clients can be on workgroup computers and never connect to the intranet, and they can also be mobile devices. The Configuration Manager solution works for all operating system versions that are supported by Configuration Manager. Unless you are using Windows Server 2012 with only Windows 8 clients for DirectAccess, both solutions require PKI certificates on clients and servers. However, DirectAccess requires a Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI certificate that meets the requirements documented in PKI Certificate Requirements for Configuration Manager. Not all Configuration Manager features are supported for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. In comparison, because a client that connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of deploying an operating system, are supported by Configuration Manager. Warning Some Configuration Manager communications are server-initiated, such as client push installation and remote control. For these connections to succeed over DirectAccess, the initiating computer on the intranet and all intervening network devices must support IPv6. For support information about how Configuration Manager supports DirectAccess, see the DirectAccess Feature Support section in the Supported Configurations for Configuration Manager topic. Tip Do not configure a Configuration Manager client for both intranet and Internet-based client management and DirectAccess. If DirectAccess allows access to intranet management points when computers are on the Internet, the client will never connect to the Internet-based site system roles. Can I install the Configuration Manager client on my Windows Embedded devices that have very small disks? Probably. You can reduce the disk space required to install the Configuration Manager client by using customized settings, such as excluding installation files that the client does not require and specifying the client cache to be smaller than the default size. For more information, see the Computer Client Hardware Requirements section in the Supported Configurations for Configuration Manager topic.

269

Where can I find information about managing vPro computers? You can manage Intel vPro computers by using out of band management in System Center 2012 Configuration Manager. For more information, see Out of Band Management in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide. I want to move my Intel AMT-based computers that I provisioned with Configuration Manager 2007 to System Center 2012 Configuration Manager. Can I use the same Active Directory security group, OU, and web server certificate template? AMT-based computers that were provisioned with Configuration Manager 2007 must have their provisioning data removed before you migrate them to System Center 2012 Configuration Manager, and then provisioned again by System Center 2012 Configuration Manager. Because of functional changes between the versions, the security group, OU, and web server certificate template have different requirements: If you used a security group in Configuration Manager 2007 for 802.1X authentication, you can continue to use this group if it is a universal security group. If it is not a universal group, you must convert it or create a new universal security group for System Center 2012 Configuration Manager. The security permissions of Read Members and Write Members for the site server computer account remain the same. The OU can be used without modification. However, System Center 2012 Configuration Manager no longer requires Full Control to this object and all child objects. You can reduce these permissions to Create Computer Objects and Delete Computer Objects on this object only. The web server certificate template from Configuration Manager 2007 cannot be used in System Center 2012 Configuration Manager without modification. This certificate template no longer uses Supply in the request and the site server computer account no longer requires Read and Enroll permissions.

For more information about the security group and OU, see Step 1 in How to Provision and Configure AMT-Based Computers in Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager and the example deployment, Deploying the Certificates for AMT. Is there a limit to the number of certificate templates that I can use with certificate profiles? Yes, you are limited to three certificate templates per hierarchy and each of these certificate templates are restricted to the three key usages that the Network Device Enrollment Service supports: signing, encryption, and both signing and encryption. So, for example, you couldnt use two certificate templates that supported both signing and encryption. Although different servers running the Network Device Enrollment Service can be configured to use different certificate templates, Configuration Manager cannot support this configuration because you cannot assign clients to specific servers. If you have multiple certificate registration point site system servers in the hierarchy that communicate with multiple servers running the Network Device Enrollment Service, Configuration Manager non-deterministically assigns clients to the available servers to automatically load balance the requests.
270

For more information about the certificate templates that Configuration Manager uses to deploy certificate profiles, see the SCEP certificate information procedure in Step 3: Provide Information about the Certificate Profile from the How to Create Certificate Profiles in Configuration Manager topic. Do I really need Windows Server 2012 R2 to deploy certificate profiles? Yes, although you do not need Windows Server 2012 R2 for the certificate registration point, you do need this operating system version (or later) to install the Configuration Manager Policy Module on the server that runs the Network Device Enrollment Service. Before this version of the operating system, the Network Device Enrollment Service was designed for secured intranet environments only, to accept interactive computer certificate requests for network equipment such as routers. Changes in Windows Server 2012 R2 now accommodate user certificates as well as computer certificates, and the new support for a policy module makes this solution scalable for an enterprise environment. In addition, the increased security now supports running this service in a perimeter network (also known as a DMZ), which is important for devices that you manage on the Internet, such as iOS and Android devices. For more information about the changes to the Network Device Enrollment Service in Windows Server 2012 R2, see What's New in Certificate Services in Windows Server 2012 R2. How can I tell which collections of computers have a power plan applied? There is no report in System Center 2012 Configuration Manager that displays which collections of computers have a power plan applied. However, in the Device Collections list, you can select the Power Configurations column to display whether a collection has a power plan applied. Does wake-up proxy have its own service? Yes. Wake-up proxy in Configuration Manager SP1 has its own client service named ConfigMgr Wake-up Proxy that runs separately from the SMS Agent Host (CCMExec.exe). This service is installed when a client is configured for wake-up proxy and then new client checks make sure that this wake-up proxy service is running and that the startup type is automatic. Does disabling the wake-up proxy client setting remove or just stop the wake-up proxy service on clients? If you have enabled the wake-up proxy client setting on Configuration Manager SP1 clients, and then disable it, the ConfigMgr Wake-up Proxy service is removed from clients. Why does my first connection attempt for Remote Desktop always fail to a sleeping a computer when I use wake-up proxy? A manager computer for the sleeping computers subnet responds to the first connection attempt and wakes up the sleeping computer, which then contacts the network switch. After the computer is awake and the network switch is updated, subsequent connection attempts will successfully connect to the destination computer. Most TCP connections automatically retry and you will not see that the first connection (and possibly additional connections) time out. For Remote Desktop connections, however, you are more likely to see an initial failed connection and must manually
271

retry. For computers that must come out of hibernation, you will probably experience a longer delay than for computers that are in other sleep states. Why dont clients run scheduled activities such as inventory, software updates, and application evaluation and installations at the time I schedule them? To better support virtual desktop infrastructure (VDI) environments and large-scale client deployments, System Center 2012 Configuration Manager has a randomization delay for scheduled activities. This means that for scheduled activities, clients are unlikely to run the action at the exact time that you configure. In Configuration Manager SP1 only, you can use client settings to enable or disable the randomization delay for required software updates and required applications. By default, this setting is disabled. For more information, see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic. Where is the documentation for the Configuration Manager client for Mac Computers? For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Because the management of computers that run the Mac OS X operating system is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Mac computers. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on Mac computers is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to Mac computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Some of the main topics that contain information about the Configuration Manager client for Mac computers include the following:
Topic More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Mac Computers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Mac computers, which includes the following: Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic to check whether Configuration Manager can support your version of the Mac OS X operating
272

Topic

More information

system. PKI Certificate Requirements for Configuration Manager How to Install Clients on Mac Computers in Configuration Manager How to Create and Deploy Applications for Mac Computers in Configuration Manager How to Create Mac Computer Configuration Items in Configuration Manager Contains certificate requirements for managing Mac computers in Configuration Manager. Contains information about how to install the Configuration Manager client on Mac computers. Contains information to help you deploy software to Mac computers. Contains information about how to use compliance settings for Mac computers.

Where is the documentation for the Configuration Manager client for Linux and UNIX? For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Because the management of computers that run Linux and UNIX is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Linux and UNIX. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on computers that run Linux or UNIX is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to computers that run Linux and UNIX computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Some of the main topics that contain information about the Configuration Manager client for Linux and UNIX include the following:
Topic More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Linux and UNIX, which includes: Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Linux and UNIX Servers section Supported Configurations for Configuration Manager topic
273

Topic

More information

to check whether Configuration Manager can support your version of Linux or UNIX. PKI Certificate Requirements for Configuration Manager Planning for Client Deployment for Linux and UNIX Servers How to Install Clients on Linux and UNIX Computers in Configuration Manager Planning for Communications in Configuration Manager Contains certificate requirements for the Configuration Manager client for Linux and UNIX. Contains information about deploying the Configuration Manager client to Linux and UNIX servers. Contains information about installing the Configuration Manager client on Linux and UNIX servers. For information about planning for communications from Linux and UNIX computers to Configuration Manager site system servers, see the Planning for Client Communication in Configuration Manager section of the Planning for Communications in Configuration Manager topic. Contains information about using the following functionality in Configuration Manager to manage clients that run Linux and UNIX: Hardware Inventory for Linux and UNIX in Configuration Manager Collections Machine policy Maintenance Windows Client settings

How to Manage Linux and UNIX Clients in Configuration Manager

Contains information about using hardware inventory with clients that run Linux and UNIX, including the following: Configuring inventory Extending hardware inventory Viewing inventory

Deploying Software to Linux and UNIX Servers in Configuration Manager How to Monitor Linux and UNIX Clients in Configuration Manager

Contains information about how to deploying software to Linux and UNIX clients. Contains information about how to monitoring clients that run Linux and UNIX.

274

Mobile Devices
The following frequently asked questions relate specifically to mobile devices in Configuration Manager. Where is the documentation for mobile devices? A good place to begin is with How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. Some of the main topics that contain information about mobile devices include the following:
Topic More information

Supported Configurations for Configuration Manager PKI Certificate Requirements for Configuration Manager

See the Mobile Device Requirements section to check whether Configuration Manager can support your mobile device environment. Contains certificate requirements if you install the Configuration Manager client on mobile devices. No certificates are required by Configuration Manager if you manage mobile devices that connect to Exchange Server. Contains information about where to install the site system roles that are required to manage mobile devices. Contains information on how to wipe company content from mobile devices. Contains information on compliance settings for mobile devices. Contains information on deploying apps to mobile devices. Contains information on mobile device hardware inventory. Contains information on gathering software inventory for personal or company-owned mobile devices. Contains information on deploying wireless network settings to mobile devices in your
275

Planning for Site Systems in Configuration Manager Wiping Company Content from Mobile Devices Compliance Settings for Mobile Devices in Configuration Manager How to Create and Deploy Applications for Mobile Devices in Configuration Manager How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager Introduction to Software Inventory in Configuration Manager Introduction to Wi-Fi Profiles in Configuration Manager

Topic

More information

organization. Introduction to Certificate Profiles in Configuration Manager Contains information on provisioning authentication certificates for mobile devices so that users can seamlessly access company resources. Contains information on how to deploy VPN settings to users in your organization. See the Mobile Devices section for the list of log files that are created when you manage mobile devices in Configuration Manager.

Introduction to VPN Profiles in Configuration Manager Technical Reference for Log Files in Configuration Manager

If you have mobile device legacy clients in your System Center 2012 Configuration Manager hierarchy, the installation and configuration for these mobile devices is the same as in Configuration Manager 2007. For more information, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library. If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the Exchange Server connector, will it be wiped twice? No. In this dual management scenario, Configuration Manager sends the wipe command in the client policy and by using the Exchange Server connector, and then monitors the wipe status for the mobile device. As soon as Configuration Manager receives a wipe confirmation from the mobile device, it cancels the second and pending wipe command so that the mobile device is not wiped twice. Can I configure the Exchange Server connector for read-only mode? Yes, if you only want to find mobile devices and retrieve inventory data from them as a read-only mode of operation, you can do this by granting a subset of the cmdlets that the account uses to connect to the Exchange Client Access server. The required cmdlets for a read-only mode of operation are as follows: Get-ActiveSyncDevice Get-ActiveSyncDeviceStatistics Get-ActiveSyncOrganizationSettings Get-ActiveSyncMailboxPolicy Get-ExchangeServer Get-Recipient Set-ADServerSettings Warning When the Exchange Server connector operates with these limited permissions, you cannot create access rules, or wipe mobile devices, and mobile devices will not be
276

configured with the settings that you define. In addition, Configuration Manager will generate alerts and status messages to notify you that it could not complete operations that are related to the Exchange Server connector. Do I need a Windows Intune organizational account to use the Windows Intune connector? Yes. You must specify a Windows Intune organizational account before you can install the Windows Intune connector in Configuration Manager SP1. Do I need special certificates before I can make applications available to users who have mobile devices that run Windows RT, Windows Phone 8, iOS, and Android? Yes. You require specific application certificates before users can install applications on Windows RT, Windows Phone 8, and iOS. You do not require certificates to make applications available to mobile devices that run Android. For more information about these certificates, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. Do I need a my own PKI to enroll mobile devices by using Windows Intune? No. Although the Windows Intune connector uses PKI certificates, Windows Intune automatically requests and installs these certificates for you. For more information about these certificates, see PKI Certificate Requirements for Configuration Manager. Does enrolling mobile devices by using the Windows Intune connector install the Configuration Manager client on them? No. Windows RT and Windows Phone 8 includes a management client that Configuration Manager uses, and Configuration Manager manages mobile devices that run iOS by directly calling APIs. Do I need the Windows Intune connector to manage Android devices? No. Without the Windows Intune connector, you can manage these devices by collecting hardware inventory, configure settings such as passwords and roaming, and remotely wipe the device. However, if you want to make company apps available to Android devices, you must install the Windows Intune connector. Can users go to the Application Catalog to install apps on their mobile devices? No. Mobile devices that are enrolled by Configuration Manager support only required apps, so users cannot choose company apps to install. Users who have mobile devices that are enrolled by Windows Intune install company apps from the company portal. However, if these apps require approval, users must first request approval from the Application Catalog.

277

Remote Control
The following frequently asked questions relate to remote control in Configuration Manager. Is remote control enabled by default? By default, remote control is disabled on client computers. Enable remote control as a default client setting for the hierarchy, or by using custom client settings that you apply to selected collections. What ports does remote control use? TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote control. When you enable remote control as a client setting, you can select one of three firewall profiles that automatically configure this port on Configuration Manager clients: Domain, Private, or Public. What is the difference between a Permitted Viewers List and granting a user the role-based administration security role of Remote Tools Operator? The Permitted Viewers List grants an administrative user the Remote Control permission for a computer, and the role-based administration security role of Remote Tools Operator grants an administrative user the ability to connect a Configuration Manager console to a site so that audit messages are sent when they manage computers by using remote control. Can I send a CTRL+ALT+DEL command to a computer during a remote control session? Yes. In the Configuration Manager remote control window, click Action, and then click Send Ctrl+Alt+Del. How can I find out how the Help Desk is using remote control? You can find this out by using the remote control reports: Remote Control All computers remote controlled by a specific user and Remote Control All remote control information. For more information, see How to Audit Remote Control Usage in Configuration Manager. What happened to the Remote Control program in Control Panel on Configuration Manager clients? The remote control settings for System Center 2012 Configuration Manager clients are now in Software Center, on the Options tab.

Software Deployment
The following frequently asked questions relate to content management, software updates, applications, packages and programs, scripts, and operating system deployment with supporting task sequences and device drivers in Configuration Manager.

278

When distribution points are enabled for bandwidth control, does the site server compress the content that it distributes to them in the same way as site-to-site data is compressed? No, site servers do not compress the content that it distributes to distribution points that are enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might already be present, only to be discarded by the destination site server, a site server sends only the files that a distribution point requires. With a lower volume of data to transfer, the disadvantages of high CPU processing to compress and decompress the data usually outweigh the advantages of compressing the data. What is an application and why would I use it? System Center 2012 Configuration Manager applications contain the administrative details and Application Catalog information necessary to deploy a software package or software update to a computer or mobile device. What is a deployment type and why would I use one? A deployment type is contained within an application and specifies the installation files and method that Configuration Manager will use to install the software. The deployment type contains rules and settings that control if and how the software is installed on client computers. What is the deployment purpose and why would I use this? The deployment purpose defines what the deployment should do and represents the administrators intent. For example, an administrative user might require the installation of software on client computers or might just make the software available for users to install themselves. A global condition can be set to check regularly that required applications are installed and to reinstall them if they have been removed. What is a global condition and how is it different from a deployment requirement? Global conditions are conditions used by requirement rules. Requirement rules set a value for a deployment type for a global condition. For example, operating system = is a global condition; a requirement rule is operating system = Win7. How do I make an application deployment optional rather than mandatory? To make a deployment optional, configure the deployment purpose as Available in the applications deployment type. Available applications display in the Application Catalog where users can install them. Can users request applications? Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, will be installed on their computer. To make a deployment optional, configure the deployment purpose as Available in the applications deployment type.

279

Why would I use a package and program to deploy software rather than an application deployment? Some scenarios, such as the deployment of a script that runs on a client computer but that does not install software, are more suited to using a package and program rather than an application. Can I deploy Office so that it installs locally on a users main workstation but is available to that user as a virtual application from any computer? Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allows you to specify how the application is made available to the user. Does Configuration Manager help identify which computers a user uses to support the user device affinity feature? Yes. Configuration Manager collects usage statistics from client devices that can be used to automatically define user device affinities or to help you manually create affinities. Can I change a simulated application deployment to a standard application deployment? No. you must create a new deployment that can include extra options that include scheduling and user experience. If the same application is deployed to a user and a device, which one takes priority? In this case, the following rules apply: If both deployments have a purpose of Available, the user deployment will be installed. If both deployments have a purpose of Required, the deployment with the earliest deadline will be installed. If one deployment has a purpose of Available and the other deployment has a purpose of Required, the deployment with the purpose of Required will be installed. Note A deployment to a user that is scheduled to be installed out of business hours is treated as a required deployment. Can I migrate my existing packages and programs from Configuration Manager 2007 to a System Center 2012 Configuration Manager hierarchy? Yes. You can see migrated packages and programs in the Packages node in the Software Library workspace. You can also use the Import Package from Definition Wizard to import Configuration Manager 2007 package definition files into your site. Does the term software include scripts and drivers? Yes. In System Center 2012 Configuration Manager, the term software includes software updates, applications, scripts, task sequences, device drivers, configuration items, and configuration baselines.

280

What does state-based deployment mean in reference to System Center 2012 Configuration Manager? Depending on the deployment purpose you have specified in the deployment type of an application, System Center 2012 Configuration Manager periodically checks that the state of the application is the same as its purpose. For example, if an applications dep loyment type is specified as Required, Configuration Manager reinstalls the application if it has been removed. Only one deployment type can be created per application and collection pair. Do I have to begin using System Center 2012 Configuration Manager applications immediately after migrating from Configuration Manager 2007? No, you can continue to deploy packages and programs that have been migrated from your Configuration Manager 2007 site. However, packages and programs cannot use some of the new features of System Center 2012 Configuration Manager such as requirement rules, dependencies and supersedence. If an application that has been deployed to a user is installed on multiple devices, how is the deployment summarized for the user? Deployments to users or devices are summarized based on the worst result. For example, if a deployment is successful on one device and the application requirements were not met on another device then the deployment for the user is summarized as Requirements Not Met. If none of the users devices has received the application, the deployment is summarized as Unknown. Is there a quick guide to installing the Application Catalog? If you dont require HTTPS connections (for example, users will not connect from the Intern et), you can use the following the quick guide instructions: 1. Make sure that you have all the prerequisites for the Application Catalog site roles. For more information, see Prerequisites for Application Management in Configuration Manager. 2. Install the following Application Catalog site system roles and select the default options: Application Catalog web service point Application Catalog website point

3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings: Default Application Catalog website point : Automatically detect Add default Application Catalog website to Internet Explorer trusted site zone: True Install Permissions: All users

For full instructions, see Configuring the Application Catalog and Software Center in Configuration Manager. Can I deploy applications by using task sequences? You can use a task sequence to deploy applications. However, when you configure an application deployment rather than use a task sequence, you benefit from the following: You have a richer monitoring and compliance experience.
281

You can supersede a previous version of the application and can uninstall or upgrade the previous version. You can deploy applications to users.

For more information about how to deploy applications, see Introduction to Application Management in Configuration Manager. How often are application deployments summarized? Although you can configure the application deployment summarization interval, by default, the following values apply: Deployments that were modified in the last 30 days 1 hour Deployments that were modified in the last 31 to 90 days 1 day Deployments that were modified over 90 days ago 1 week

You can modify the application deployment summarization intervals from the Status Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration workspace to open this dialog box. How does the processing of requirements differ between a deployment with the action of Install and a deployment with the action of Uninstall? In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if it is detected unless the client type is different. For example, if you deploy a mobile device application with an action of Uninstall to a desktop computer, the deployment will fail with a status of Requirements not met as it is impossible to enforce this uninstall. What happens if a simulated deployment and a standard deployment for the same application are deployed to a computer? Although you cannot deploy a simulated and a standard deployment of an application to the same collection, you can target a computer with both if you deploy them to different collections and the computer is a member of both collections. In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as In Progress and Error. Why do I see an error message about insufficient permissions from a Windows Embedded device when I try to install software from Software Center? You can install applications only when the write filter on the Windows Embedded device is disabled. If you try to install an application on a Windows Embedded device that has write filters enabled, you see an error message that you have insufficient permissions to install the application and the installation fails. Should I use collections or application requirements to control software deployments? In Configuration Manager 2007, you had to use collections to identify which devices should install software, such as applications, task sequences, and software updates. In System Center 2012 Configuration Manager, you must continue to use collections for task sequences, but for applications, you can now use requirement rules as a method to control which devices install the
282

software. For example, you could deploy an application to the All Desktop and Server Clients collection, but include a requirement rule that specifies that the application should be installed only on computers that run Windows 8. Software updates already have this requirements capability built in, so you do not need to configure this yourself. Although defining the requirements within the application deployment usually requires more work initially, it has longer term benefits because it reduces the administrative overhead of maintaining, using, and searching many collections. Additionally, requirements are evaluated by the client at deployment time, whereas query-based collections are evaluated periodically and often depend on the results of hardware inventory collection that might run only once a week. Another consideration when you have many collections with complex query rules is that the collection evaluation can result in noticeable CPU processing on the site server. In summary, we recommend that for most application deployments, you use requirement rules instead of collections. Continue to use collections for task sequences, package and programs, testing purposes, and one-off application deployments. Can I use update lists in System Center 2012 Configuration Manager? No. Software update groups are new in System Center 2012 Configuration Manager and replace update lists that were used in Configuration Manager 2007. What is an update group and why would I use one? Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software update group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed. Does System Center 2012 Configuration Manager have automatic approval rules like Windows Server Update Services (WSUS)? Yes. You can create automatic deployment rules to automatically approve and deploy software updates that meet specified search criteria. What changes have been made in System Center 2012 Configuration Manager to manage superseded software updates? In Configuration Manager 2007, superseded software updates are automatically expired during full software updates synchronization. In System Center 2012 Configuration Manager, you can choose to automatically expire superseded software updates during software updates synchronization just as it is in Configuration Manager 2007. Or, you can specify a number of months before a superseded software update is expired. This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment.

283

How are superseded and expired software updates removed in System Center 2012 Configuration Manager? System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios: Expired software updates that are not associated with a deployment are automatically removed up every 7 days by a site maintenance task. Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task. Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.

You can remove expired software updates from all software update groups and software update deployments so that they are automatically removed. To do this, search for expired software updates, select the returned results, choose edit membership, and remove the expired software updates from any software update group for which they are members. What do the software update group icons represent in Configuration Manager? The software update group icons are different in the following scenarios: When a software update group contains at least one expired software update, the icon for that software update group contains a black X. When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star. When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.

When you view the status of an application deployment in the Deployments node of the Monitoring workspace, how is the displayed Compliance % calculated? The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success added to the number of devices with a deployment state of Requirements Not Met and then dividing this total by the number of users or devices that the deployment was sent to. While monitoring the deployment of an application, the numbers displayed in the Completion Statistics do not match the numbers displayed in the View Status pane. What reasons might cause this? The following reasons might cause the numbers shown in Completions Statistics and the View Status pane to differ: The completion statistics are summarized and the View Status pane displays live data Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and after summarization completes, the updated completion statistics will display in the Configuration Manager console. An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application.
284

The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.

When I view the report named Distribution Point Usage Summary, why do I see a value for more clients than I expect to see in the column named Client Accessed (Unique)? When a pull-distribution point downloads content from a source distribution point, that access is counted as a client access for the purpose of this report. Why does the value for Bytes Sent (MB), in the Distribution Point Usage Summary report, not always reflect the actual volume of data I deploy? The report does not track the value of bytes sent over multicast. Can I deploy operating systems by using a DVD or a flash drive? Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating system image and to deploy an operating system. Deployment media includes bootable media, prestaged media, and stand-alone media. For more information, see Planning for Media Operating System Deployments in Configuration Manager. When I upgrade an operating system, can I retain the users information so that they have all their files, data, and preferences when they log on to the new operating system? Yes. When you deploy an operating system you can add steps to your task sequence that capture and restore the user state. The captured data can be stored on a state migration point or on the computer where the operating system is deployed. For more information, see How to Manage the User State in Configuration Manager. Can I deploy operating systems to computers that are not managed by Configuration Manager? Yes. These types of computers are referred to as unknown computers. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager. When I deploy an operating system to multiple computers, can I optimize how the operating system image is sent to the destination computers? Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information, see Planning a Multicast Strategy in Configuration Manager.

Endpoint Protection
The following frequently asked questions relate to Endpoint Protection in Configuration Manager.

285

Whats new for Endpoint Protection in System Center 2012 Configuration Manager? Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no longer requires a separate installation. In addition, there are a number of new features and enhancements in Endpoint Protection. For more information, see the Endpoint Protection section in the Whats New in System Center 2012 Configuration Manager topic. Can I deploy definitions by using Configuration Manager distribution points? Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software updates. For more information, see Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in the How to Configure Endpoint Protection in Configuration Manager topic. Are malware notifications faster in System Center 2012 Endpoint Protection than in Forefront Endpoint Protection 2010? Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly notify you when malware is detected on client computers. Which antimalware solutions can Endpoint Protection uninstall? For a list of the antimalware solutions that Configuration Manager can automatically uninstall when you install the Endpoint Protection client, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. For more information about how to configure Endpoint Protection to uninstall these antimalware solutions, see How to Configure Endpoint Protection in Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Accessibility Features of Configuration Manager

This topic provides information about features in Microsoft System Center 2012 Configuration Manager that make the product more accessible for people with disabilities. For general information about Microsoft accessibility products and services, visit the Microsoft Accessibility website.

Accessibility Features for the Configuration Manager Console

In addition to accessibility features and tools in Windows, the following features make Configuration Manager more accessible for people with disabilities: To access a workspace, use the following keyboard shortcuts:

286

Workspace

Keyboard shortcut

Assets and Compliance Software Library Monitoring Administration

Ctrl+1 Ctrl+2 Ctrl+3 Ctrl+4

To access a workspace menu, press the Tab key until the Expand/Collapse icon is in focus. Then, press the Down Arrow key to access the workspace menu. To navigate through a workspace menu, use the arrow keys. To access different areas in the workspace, use the Tab key and Shift+Tab keys. To navigate within an area of the workspace, such as the ribbon, use the arrow keys. To access the address bar when your focus is in the tree node, use the back tab 3 times. On a wizard or property page, you can move between the boxes with keyboard shortcuts. Press the Alt key plus the underlined character (Alt+_) to select a specific box. Note The information in this section may apply only to users who license Microsoft products in the United States. If you obtained this product outside of the United States, you can use the subsidiary information card that came with your software package or visit the Microsoft Accessibility website for a list of Microsoft support services telephone numbers and addresses. You can contact your subsidiary to find out whether the type of products and services described in this section are available in your area. Information about accessibility is available in other languages, including Japanese and French.

Accessibility Features for Configuration Manager Help

Configuration Manager Help includes features that make it accessible to a wider range of users, including those who have limited dexterity, low vision, or other disabilities.
To do this Use this keyboard shortcut

Display the Help window. Move the cursor between the Help topic pane and the navigation pane (the Contents, Search, and Index tabs). Change between tabs (for example, Contents, Search, and Index) while in the navigation pane. Select the next hidden text or hyperlink.

F1 F6

Alt + underlined letter of the tab

Tab

287

To do this

Use this keyboard shortcut

Select the previous hidden text or hyperlink. Perform the action for the selected Show All, Hide All, hidden text, or hyperlink. Display the Options menu to access any Help toolbar command. Hide or show the pane containing the Contents, Search, and Index tabs. Display the previously viewed topic. Display the next topic in a previously displayed sequence of topics. Return to the specified home page. Stop the Help window from opening a Help topic, such as to stop a webpage from downloading. Open the Internet Options dialog box for Windows Internet Explorer, where you can change accessibility settings. Refresh the topic, such as a linked webpage. Print all topics in a book or a selected topic only. Close the Help window.

Shift+Tab Enter Alt+O Alt+O, and then press T Alt+O, and then press B Alt+O, and then press F Alt+O, and then press H Alt+O, and then press S

Alt+O, and then press I

Alt+O, and then press R Alt+O, and then press P Alt+F4

To change the appearance of a Help topic 1. To prepare to customize the colors, font styles, and font sizes in Help, open the Help window. 2. Click Options, and then click Internet Options. 3. On the General tab, click Accessibility. Select Ignore colors specified on Web pages, Ignore font styles specified on Web pages, and Ignore font sizes specified on Web pages. You also can choose to use the settings specified in your own style sheet. To change the color of the background or text in Help 1. Open the Help window. 2. Click Options, and then click Internet Options. 3. On the General tab, click Accessibility. Then, select Ignore colors specified on Web
288

pages. You also can choose to use the settings specified in your own style sheet. 4. To customize the colors used in Help, on the General tab, click Colors. Clear the Use Windows Colors check box, and then select the font and background colors that you want to use. Note If you change the background color of the Help topics in the Help window, the change also affects the background color for webpages in Windows Internet Explorer. To change the font in Help 1. Open the Help window. 2. Click Options, and then click Internet Options. 3. On the General tab, click Accessibility. To use the same settings as those used in your instance of Windows Internet Explorer, select Ignore font styles specified on Web pages and Ignore font sizes specified on Web pages. You also can choose to use the settings specified in your own style sheet. 4. To customize the font style used in Help, on the General tab, click Fonts, and then click the font style that you want. Note If you change the font of the Help topics in the Help window, the change also affects the font for webpages in Windows Internet Explorer.

See Also
Getting Started with System Center 2012 Configuration Manager

Information and Support for Configuration Manager

Use the following resources for additional information about System Center 2012 Configuration Manager. To access the most current System Center 2012 Configuration Manager product documentation: To provide feedback about the documentation or ask a question about the documentation: To receive Twitter feeds from the documentation team (for example, notification of documentation updates): Use the TechNet Documentation Library for System Center 2012 Configuration Manager Email [email protected] See the Configuration Manager Documentation Team Twitter feed

The following sections provide additional information to support Configuration Manager:

289

Search the Configuration Manager Documentation Library The Configuration Manager Product Group Blog Support Options and Community Resources

Search the Configuration Manager Documentation Library

Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. This customized Bing search query scopes your search on TechNet so that you see results from the Documentation Library for System Center 2012 Configuration Manager only. For example, search results do not include topics from Configuration Manager 2007 or from community resources. It uses the placeholder search text Configuration Manager, which you can replace in the search bar with your own search string or strings, and choice of search operators, to help you narrow the search results. Example Searches Use the Find information online link and customize the search by using the following examples. Single search string: To search for topics that contain the search string Endpoint Protection, replace Configuration Manager with Endpoint Protection: ("Endpoint Protection") site:technet.microsoft.com/enus/library meta:search.MSCategory(gg682056) Combining search strings: To search for topics that contain the search strings Endpoint Protection and monitoring, use the AND operator: ("Endpoint Protection") AND ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Alternative search strings: To search for topics that contain the search string Endpoint Protection or monitoring, use the OR operator: ("Endpoint Protection" OR "monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Exclude search strings: To search for topics that contain the search string Endpoint Protection and exclude topics about monitoring, use the NOT operator: ("Endpoint Protection)" NOT ("monitoring") site:technet.microsoft.com/en-us/library meta:search.MSCategory(gg682056) Search Tips Use the following search tips to help you find the information that you need: Use search terms that match those that you see in the user interface (UI) and TechNet documentation, rather than unofficial terms or abbreviations that you might see in community content. For example, search for "management point" rather than "MP," "deployment type"
290

rather than "DT," and "software updates" rather than "SUM." You can use the Glossary for Microsoft System Center 2012 Configuration Manager to help identify terms that are specific to Configuration Manager. When you search on a page in TechNet or in the help file (for example, press Ctrl-F1, and enter search terms in the Find box), the results exclude text that is in collapsed sections. To search for text in collapsed sections, expand the sections before you search on the page. To do this, you can click the Expand All button at the top of the page, or double-click any collapsed section. When all sections are expanded, a search on the page can then search all sections on that page. To search a topic in the help file, press F1, and enter search terms in the Find dialog box. The help file does not support the Expand All option and you must manually expand individual sections that are collapsed before search on the page finds text in those sections. Whenever possible, use the TechNet online library rather than downloaded documentation. TechNet contains the most up-to-date information and the information that you are searching for might not be in the downloaded documentation or there might be corrections or additional information online. If you find it easier and faster to search documentation when it is stored locally, you can select multiple topics on TechNet and save them locally. For more information, see the following instructions on the TechNet wiki: How to Build Your Own Custom TechNet Documentation.

The Configuration Manager Product Group Blog

The Configuration Manager product group and partner teams use the System Center Configuration Manager Team Blog to provide you with technical information and other news about Configuration Manager and related technologies. Our blog posts supplement the product documentation and support information.

Support Options and Community Resources

The following links provide information about support options and community resources: System Center Configuration Manager Support Microsoft Help and Support System Center 2012 Configuration Manager Survival Guide Configuration Manager Community Page Configuration Manager Forums Page myITforum System Center Community Support

Note All information and content at myITforum.com is provided by the owner or the users of the website. Microsoft makes no warranties, express, implied or statutory, as to the information on this website.

291

In addition, visit the System Center 2012 TechCenter to find other supporting resources for System Center 2012 Configuration Manager.

See Also
Getting Started with System Center 2012 Configuration Manager

Site Administration for System Center 2012 Configuration Manager

The Site Administration for System Center 2012 Configuration Manager guide provides documentation to help you plan, install, configure, and maintain Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Site Administration Topics

Use the following topics to help you plan, configure, and maintain System Center 2012 Configuration Manager sites: Introduction to Site Administration in Configuration Manager Planning for Configuration Manager Sites and Hierarchy Configuring Sites and Hierarchies in Configuration Manager Operations and Maintenance for Site Administration in Configuration Manager Reporting in Configuration Manager Security and Privacy for Site Administration in Configuration Manager Technical Reference for Site Administration in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Site Administration in Configuration Manager

Site administration in System Center 2012 Configuration Manager refers to the planning, installation, management, and monitoring of a System Center 2012 Configuration Manager hierarchy of sites. A hierarchy of sites can be described by one of three basic configurations: A single stand-alone primary site that has no additional sites. A primary site that has one or more secondary sites. A central administration site as the top-level site that has one or more primary child sites. The primary sites can each support secondary sites.

Several configurations in Configuration Manager apply to objects at every site in the hierarchy. Other configurations are site-specific and require that you configure each site separately. For
292

example, you can configure most site system roles at a primary site, but some site system roles can only be installed at the top-level site of a hierarchy, which might be a primary site in one hierarchy and a central administration site in another hierarchy. Your available network infrastructure, the network and geographical locations of the resources that you manage, and the management features that you use can influence your hierarchy design and approach to administration. Use the following sections for more information about planning, configuring, and managing your Configuration Manager site or hierarchy: Plan and Deploy a Hierarchy of Sites Deploy Site Systems at Sites Configure Hierarchy-Wide and Site-Specific Options Monitor and Maintain the Hierarchy

Plan and Deploy a Hierarchy of Sites

Before you deploy your first site, review the planning information for Configuration Manager. The type of site that you first deploy can define the structure for your hierarchy. For example, if the first site that you install is a primary site because you do not expect to manage a complex or geographically dispersed environment, your hierarchy is initially limited to a single primary site. This primary site can support secondary sites and in the future can expand by adding a central administration site, when the primary site runs Configuration Manager SP1. However, if you deploy a central administration site as your first site, you have the option to add more primary sites as child sites to the central administration site in the future. This provides you with the flexibility to expand your hierarchy as your company grows and when management requirements change. For more information about sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager. When you plan your hierarchy, consider the external dependencies of Configuration Manager, such as a public key infrastructure (PKI) if you plan to use certificates, or your Active Directory domain structure. Determine whether you manage resources in untrusted forests or resources that are on the Internet, and determine how Configuration Manager will support these scenarios. These factors and other considerations can influence your hierarchy design and site and site system role placement. For more information, see PKI Certificate Requirements for Configuration Manager and Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy.

Deploy Site Systems at Sites

In each site that you install, you must install and configure site system roles to support management operations. If you plan to install more than a single primary site, review the site system roles and if you can deploy them at different sites. Some site system roles, which include the Endpoint Protection point, require that you install just one instance in the hierarchy to provide a service to all sites in the hierarchy. Other site system roles, which include the Application Catalog web service point, must be installed at each site where you require them to provide a
293

service to that site. Finally, some site system roles, which include the management point and distribution point, support the installation of multiple instances at a site. Refer to the site system role requirements to help you identify the best locations to place the site system roles at each site. For example: For central administration sites, you can deploy site system roles that are useful for hierarchy-wide monitoring, such as the reporting services point. You can also deploy site system roles that provide services to the whole hierarchy, such as the Endpoint Protection point. Some roles, such as the software update point, must be installed in the central administration site, but you can also install them in primary and secondary sites. In this scenario, the software update point in the central administration site provides the other software update points with a central location to synchronize software updates. For primary sites, you must have site system roles for client communication, such as management points and software update points. Review your network infrastructure and the locations of computers and users on your network to ensure that you put these client-facing site systems in the best locations to optimize network connectivity. For secondary sites, you can install a limited set of site system roles. Additionally, if content distribution to a remote network location is your main concern, you might decide to install distribution points from a primary site instead of installing a secondary site.

For more information about site systems, see Planning for Site Systems in Configuration Manager.

Configure Hierarchy-Wide and Site-Specific Options

After you deploy your first site, you can configure settings that apply across the hierarchy and settings that are specific to individual sites. Regardless of when you configure sites or hierarchywide settings, plan to periodically revisit these tasks to adjust configurations to meet changing business requirements. Hierarchy-wide and site-specific configurations affect how sites operate and how client management tasks in each site function. Some of the hierarchy-wide configurations that you can set include the following: Role-based administration, which includes the following: Identify administrative users who manage your Configuration Manager infrastructure and assign them security roles, security scopes, and collections to manage their permissions to objects, and the objects that they can interact with. Create custom security roles and security scopes that you require to help partition security and administrative user access to different objects.

Discovery to locate resources that you can manage. Boundaries and boundary groups to control client site assignment, and the site system servers from which clients can obtain content such as applications or operating system deployments. Client settings to specify how and when Configuration Manager clients perform various operations, which includes when to check for new applications or to submit hardware or software inventory data to their assigned site.

Some of the site-specific configurations that you can set include the following:
294

Communication settings for site system roles that control how clients communicate with the site system roles at that site. Settings to specify how sites summarize status message details that are collected from clients and site system servers. Site maintenance tasks and schedules to help maintain the local Configuration Manager database. Site component configurations that control how site system roles operate in a site.

For more information about how to configure sites and hierarchy-wide settings, see Configure Sites and the Hierarchy in Configuration Manager, and Operations and Maintenance for Site Administration in Configuration Manager.

Monitor and Maintain the Hierarchy

You must monitor and maintain the health of the hierarchy and individual site systems. Over time, conditions in your environment can change. These changes might include network issues that decrease the replication performance between sites, the number of clients that report to a site and that might affect site system role performance, and an increase in the amount of data that is stored in the Configuration Manager database that can decrease data processing and site performance. To keep your site systems, intersite data replication, and the database healthy, you must monitor your hierarchy for problems and take actions to maintain these systems to prevent critical problems. You can monitor the health of your hierarchy by using the Monitoring workspace in the Configuration Manager console. Additionally, you can configure site maintenance tasks at each site to help maintain the operational efficiency of the database, and to remove aged data that you no longer require. Periodically review the configurations and operational settings for site system roles to ensure that they continue to provide a service to your clients, and review the frequency and extent of the data that you collect from clients to ensure that you collect only the data that you really require. Configuration Manager provides built-in functionality that you can use to monitor and maintain your infrastructure. For example, you can do the following: Run reports that inform you about the success or failure of typical Configuration Manager tasks and that summarize the operational status of your sites and hierarchy. View status messages and receive alerts that can help you identify current or emerging problems, which include information about application deployments or site and hierarchy infrastructure problems. View the status of clients, which includes clients that are inactive, and view the status of Endpoint Protection clients. Configure more than 30 site maintenance tasks to help maintain the health of the Configuration Manager database.

295

For more information about monitoring, see Monitor Configuration Manager Sites and Hierarchy, and Reporting in Configuration Manager. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites.

See Also
Site Administration for System Center 2012 Configuration Manager

Planning for Configuration Manager Sites and Hierarchy

You can install Microsoft System Center 2012 Configuration Manager by using many different design configurations that range from a single site to multiple sites that span diverse geographical network locations. Even single site designs often use multiple Windows servers to provide services to users and devices on your network. When you install multiple System Center 2012 Configuration Manager sites, they form a hierarchy of sites that share information by using a distributed database. Sites communicate with each other and share information by using database replication that is based on SQL Server replication and file-based transfers. Sites in a hierarchy use parent-child relationships to define communication paths. Because the data that is transferred between computers within a site and between different Configuration Manager sites can significantly affect the efficiency of your network, plan your site or hierarchy before you install any Configuration Manager site.

Planning Topics
Use the following topics to help you plan for sites and hierarchies by gathering the information that you will need to plan the design of your System Center 2012 Configuration Manager deployment to best meet your business requirements and make efficient use of your network infrastructure. Supported Configurations for Configuration Manager Interoperability between Different Versions of Configuration Manager Planning for Hardware Configurations for Configuration Manager PKI Certificate Requirements for Configuration Manager Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager Determine Whether to Extend the Active Directory Schema for Configuration Manager Planning for Sites and Hierarchies in Configuration Manager Planning to Upgrade System Center 2012 Configuration Manager Planning for Publishing of Site Data to Active Directory Domain Services Planning for Discovery in Configuration Manager Planning for Client Settings in Configuration Manager
296

Planning for Site Systems in Configuration Manager Planning for Cloud Services in Configuration Manager Planning for Content Management in Configuration Manager Planning for Boundaries and Boundary Groups in Configuration Manager Planning to Use Extensions in Configuration Manager Planning for Security in Configuration Manager Planning for Communications in Configuration Manager Planning for Site Operations in Configuration Manager Planning for High Availability with Configuration Manager Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Supported Configurations for Configuration Manager

Note This topic appears in the Getting Started with System Center 2012 Configuration Manager guide and in the Site Administration for System Center 2012 Configuration Manager guide. This topic specifies the requirements to implement and maintain Microsoft System Center 2012 Configuration Manager in your environment. The following sections list products that are supported with System Center 2012 Configuration Manager. No extension of support for these products beyond their current product life-cycles is implied. Products that are beyond their current support life cycle are not supported for use with Configuration Manager. For more information about Microsoft Support Lifecycles, visit the Microsoft Support Lifecycle website at Microsoft Support Lifecycle. Warning Microsoft provides support for the current service pack and, in some cases, the immediately previous service pack. For more information about Microsoft support lifecycle policy, go to the Microsoft Support Lifecycle Support Policy FAQ website at Microsoft Support Lifecycle Policy FAQ. Products that are not listed in this document are not supported with System Center 2012 Configuration Manager unless they are announced on the System Center Configuration Manager Team Blog. Configuration Manager System Requirements Site and Site System Role Scalability Client Support Numbers for Sites and Hierarchies
297

Site System Requirements Prerequisites for Site System Roles Prerequisites for Site System Roles on Windows Server 2012 Minimum Hardware Requirements for Site Systems Operating System Requirements for Site Servers, Database Servers, and the SMS Provider Operating System Requirements for Typical Site System Roles Operating System Requirements for Function-Specific Site System Roles Computer Client Hardware Requirements Operating System Requirements for Configuration Manager Client Installation Embedded Operating System Requirements for Configuration Manager Clients Client Requirements for Mac Computers Client Requirements for Linux and UNIX Servers Mobile Devices Enrolled by Configuration Manager Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector Mobile Device Legacy Client

Computer Client Requirements

Mobile Device Requirements

Configuration Manager Console Requirements SQL Server Requirements Application Management Operating System Deployment Out of Band Management Remote Control Viewer Software Center and the Application Catalog Active Directory Schema Extensions Disjoint Namespaces Single Label Domains Support for Internet Protocol Version 6 Support for Specialized Storage Technology Support for Computers in Workgroups Support for Virtualization Environments Support for Network Address Translation
298

Configurations for the SQL Server Site Database Function-Specific Requirements

Support for Active Directory Domains

Windows Environment

DirectAccess Feature Support BranchCache Feature Support Fast User Switching Dual Boot Computers Upgrade Configuration Manager Infrastructure Upgrade for Configuration Manager SQL Server Upgrade for the Site Database Server

Supported Upgrade Paths for Configuration Manager

Configuration Manager System Requirements

The following sections specify the hardware and software requirements that you must have to implement and maintain Configuration Manager in your environment. Site and Site System Role Scalability The following table contains information about the support limits at each site type and for clientfacing site system role. This information is based on the recommended hardware for site systems. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. For information about the minimum required hardware to run a Configuration Manager site, see Minimum Hardware Requirements for Site Systems, in this topic. For information about the number of clients supported by each site or hierarchy, see Client Support Numbers for Sites and Hierarchies, in this topic.
Site or site system role More information

Central administration site Primary site

A central administration site can support up to 25 child primary sites. Each primary site can support up to 250 secondary sites. Note The number of secondary sites per primary site is based on continuously connected and reliable wide area network (WAN) connections. For locations that have fewer than 500 clients, consider a distribution point instead of a secondary site. For information about the numbers of clients and devices a primary site can support, see the Client Support Numbers for Sites and Hierarchies section in this topic.
299

Site or site system role

More information

Secondary site

For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. Management points per site: Each primary site can support up to 10 management points. Tip Do not position management points across a slow link from their primary site server or from the site database server. Each secondary site supports a single management point that must be installed on the secondary site server.

Management point

For information about the numbers of clients and devices a management point can support, see the Clients per Management Point section in this topic. Distribution point The number of distribution points that are supported by an individual site depends on the version of Configuration Manager that you use: System Center 2012 Configuration Manager with no service pack Each primary and secondary site supports up to 250 distribution points. Each distribution point supports connections from up to 4,000 clients.

System Center 2012 Configuration Manager with SP1 Each primary and secondary site supports up to 250 distribution points. Each distribution point supports connections from up to 4,000 clients. A pull-distribution point is considered to be a client when it accesses another distribution point to obtain content.

System Center 2012 R2 Configuration

300

Site or site system role

More information

Manager Each primary and secondary site supports up to 250 distribution points. Each primary and secondary site supports up to 2000 additional distribution points configured as pulldistribution points. For example, a single primary site supports 2250 distribution points when 2000 of those distribution points are configured as pull-distribution points. Each distribution point supports connections from up to 4,000 clients. A pull-distribution point is considered to be a client when it accesses another distribution point to obtain content.

Each primary site supports a combined total of up to 5,000 distribution points. This total includes all the distribution points at the primary site and all distribution points that belong to the primary sites child secondary sites. Each distribution point supports a combined total of up to 10,000 packages and applications. Note The number of clients that one distribution point can support depends on the speed of the network, and the hardware configuration of the distribution point computer. Software update point The number of software update points supported by each site depends on the version of Configuration Manager that you use: For Configuration Manager without service pack, each site supports one active software update point for use on the intranet, and optionally, one software update point for use on the Internet. You can configure each of these software update points as a Network Load Balancing (NLB) cluster. You can have up to four
301

Site or site system role

More information

software update points in the NLB cluster. Beginning with Configuration Manager SP1, each site supports multiple software update points for use on the intranet and on the Internet. By default, beginning with Configuration Manager SP1, the Configuration Manager console does not support configuring software update points as NLB clusters. However, you can use the Configuration Manager SDK to configure a software update point on a NLB cluster. A software update point that is installed on the site server can support up to 25,000 clients. A software update point that is installed on a computer that is remote from the site server can support up to 100,000 clients when the remote computer meets the WSUS requirements to support this number. Note For more information, see Planning for Software Updates in Configuration Manager. Fallback status point Application Catalog website point Each fallback status point can support up to 100,000 clients. You can install multiple instances of the Application Catalog website point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point
302

Site or site system role

More information

together on the same site system when they provide service to clients that are on the intranet. Application Catalog web service point You can install multiple instances of the Application Catalog web service point at primary sites. For improved performance, plan to support up to 50,000 clients per instance. Each instance of this site system role supports up to 400,000 clients, which provides service for the whole hierarchy. Tip As a best practice, install the Application Catalog website point and Application Catalog web service point together on the same site system when they provide service to clients that are on the intranet. System Health Validator point Each System Health Validator point can support up to 100,000 clients.

Client Support Numbers for Sites and Hierarchies Use the following information to determine how many clients (devices) are supported by Configuration Manager sites and hierarchies. The following table identifies logical groups that combine different types of supported devices into one of three client groups. These client groups are then referenced in this topic to identify how many devices are supported by each type of Configuration Manager site, and as a combined total of devices for a hierarchy of Configuration Manager sites.
Logical groups Details

Client group 1

This client group includes computers that run a client for Configuration Manager and includes Windows Server, Windows Client, and Windows Embedded operating systems. It also includes the Configuration Manager client for Linux and UNIX. For more information, see the following sections of this topic:
303

Logical groups

Details

Operating System Requirements for Configuration Manager Client Installation Client Requirements for Linux and UNIX Servers Embedded Operating System Requirements for Configuration Manager Clients

Client group 2

This client group includes devices that are managed using Windows Intune with Configuration Manager, and devices supported by using the Exchange Server connector. For more information, see the following sections of this topic: Mobile Devices Enrolled by Windows Intune Mobile Device Support by Using the Exchange Server Connector Note Prior to Configuration Manager SP1, only mobile devices supported by using the Exchange Server connector are supported by Configuration Manager.

Client group 3

This client group includes devices that are enrolled by Configuration Manager, devices supported by the mobile device legacy client, and computers that run the client for Mac. For more information, see the following sections of this topic: Mobile Devices Enrolled by Configuration Manager Mobile Device Legacy Client Client Requirements for Mac Computers

Clients per Hierarchy This section contains information about the number of clients (devices) that are supported by a Configuration Manager hierarchy. The following table lists the maximum number of devices supported by different hierarchy designs and configurations, and is followed by supplemental details about the different designs and the maximum number of devices each design supports:
304

Note Configuration Manager supports up to the listed number of devices from each client group for each listed hierarchy design when you use the default settings for all Configuration Manager features.
Hierarchy design Client group 1 Client group 2 Client group 3

Stand-alone primary site Central administration site with a site database created on a Datacenter or Enterprise edition of SQL Server Central administration site with a site database created on a Standard edition of SQL Server
1

100,000 400,000

50,000

25,000 25,000

300,000

50,000

300,000

25,000

When a stand-alone primary site supports only devices from client group 2, the site can support up to 100,000 devices. Stand-alone primary: For a hierarchy that has a stand-alone primary site as the top-level site, Configuration Manager supports up to 100,000 devices from client group 1. Additional devices from client group 2 and client group 3 are also supported. Unlike a central administration site, the edition of SQL Server that you use at a primary site does not affect the maximum number of clients that the hierarchy can support. Central administration site: For a hierarchy that has a central administration site as the toplevel site, the combined number of clients from client group 1 that the hierarchy can support depends on the edition of SQL Server that you use to host the site database at the central administration site. Regardless of the edition of SQL Server that you use, the number of devices from client group 2 and from client group 3 that a hierarchy supports does not change. If you expand a stand-alone primary site into a hierarchy by installing a new central administration site, the edition of SQL Server in use at the primary site does not place limits on the number of devices that the hierarchy can support. Instead, it is the edition of SQL Server in use at the new central administration site that determines the maximum number of devices that the new hierarchy can support. When you install a central administration site and use an Enterprise or Datacenter edition of SQL Server, the hierarchy can support a combined total of up to 400,000 devices from client group 1. Additional devices from client group 2 and client group 3 are also supported. In this configuration, the number of devices that each child primary site can support remains limited by the configuration of that primary site. For more information, see the Clients per Site section in this topic.
305

When you install a central administration site and use a Standard edition of SQL Server, the hierarchy can support a total of up to 50,000 devices from client group 1. This total of devices is combined from all child primary sites in the hierarchy. This limitation exists because of how the database is partitioned when its created by using a Standard edition of SQL Server at the central administration site. Additional devices from client group 2 and client group 3 are also supported. After you install a central administration site, if you then upgrade the edition of SQL Server at the central administration site from Standard to an Enterprise or Datacenter edition, the database does not repartition and the 50,000 device limitation remains in place.

Clients per Site The maximum number of clients (devices) that a site can support depends on the site type, and the version of Configuration Manager that you use. Although you can only assign a device to a primary site, secondary sites support communications from devices. To help identify the supported number of devices, devices are divided into three logical client groups. A site is not limited to supporting devices from a single client group. A primary site can support a separate number of devices from each of the three client groups. For example, a standalone primary site that runs Configuration Manager SP1 can support up to 100,000 devices from client group 1, up to 50,000 devices from client group 2, and up to 25,000 devices from client group 3; for a total of 175,000 devices. However, Configuration Manager does not support replacing any number of devices from one client group with devices from another client group. For example, you have a stand-alone primary site that has 100,000 assigned devices from client group 1 and you do not assign any devices from client group 2 or client group 3. In this scenario, the site cannot support additional devices from client group 1 even though it is not supporting additional clients from the additional client groups. The following table identifies the maximum number of devices per client group that are supported at primary and secondary sites: Tip The maximum number of clients that a primary or secondary site can support is not affected by the edition of SQL Server you use at that site. However, a child primary site that uses a local site database (installed on the site server) is limited to 50,000 clients from client group 1.
Site type Configuration Manager version Client group 1 Client group 2
4

Client group 3

Stand-alone primary site, with a local site database, or a remote site database

System Center 2012 Configuration Manager 1 with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2

100,000

50,000

25,000

100,000

50,000

25,000

100,000

50,000

25,000
306

Site type

Configuration Manager version

Client group 1

Client group 2

Client group 3

Configuration Manager Child primary site System Center 2012 with a local site Configuration Manager 1 database with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Child primary site System Center 2012 with a remote Configuration Manager 1 site database with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Secondary site
1

50,000

50,000

25,000

50,000

50,000

25,000

50,000

50,000 50,000

25,000 25,000

100,000

100,000

2, 3

50,000

25,000

100,000 5,000
5

2, 3

50,000

25,000

Any version

System Center 2012 Configuration Manager with no service pack does not support the cilent for Linux and UNIX (client group 1) and does not support the client for Mac (client group 3). Additioanlly, client group 2 includes only mobile devices supported by using the Exchange Server connector. Support for the additional device types in this client group is introduced with System Center 2012 Configuration Manager SP1.
2

Beginning with System Center 2012 Configuration Manager SP1, primary sites support Windows Embedded devices that have File-Based Write Filters (FBWF) enabled. When embedded devices do not have write filters enabled, a primary site can support a number of embedded devices up to the allowed number of devices for that site (50,000 or 100,000). Of the total number of devices that a primary site supports, a maximum of 10,000 of these can be Windows Embedded devices when those devices are configured for the exceptions listed in the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. A primary site supports only 3,000 Windows Embedded devices that have FBWF enabled and that are not configured for the exceptions.
3

In a hierarchy that has a central administration site that uses a Standard edition of SQL Server, child primary sites are limited to 50,000 devices from client group 1 because this is the maximum number of devices that are supported by that hierarchy configuration.
307

When a site supports only devices from client group 2, the site can support up to 100,000 devices. With this configuration, there is no change to the total number of devices that are supported in the hierarchy.
5

Each secondary site can support communications from up to 5,000 devices when you use a secondary site server that has the recommended hardware and a fast and reliable network connection to its primary parent site. This number includes a mix of devices from any of the three client groups. A secondary site could support communications from additional devices when its hardware configuration exceeds the recommended hardware configuration. For information about the recommended hardware for Configuration Manager sites, see Planning for Hardware Configurations for Configuration Manager. Clients per Management Point The number of devices that a management point supports depends on the type of site where the management point is located, and the type and numbers of clients that might use the management point. To help you understand the following details, you should be familiar with the three logical client groups which define different types of clients. For information about the client groups, see Client Support Numbers for Sites and Hierarchies, in this topic.
Site type Client group 1 Client group 2 Client group 3

Primary site: Each primary site supports up to 10 management points

Allocate at least one management point for every 25,000 clients

For example, if you have a stand-alone primary site that can support up to 100,000 clients from client group 1, and you have 100,000 active clients from client group 1, you must have at least four management points. It is a best practice to provide additional management points. Note When you use more than four management points in a primary site, you do not increase the number of clients that site can support beyond the

Not applicable. Clients in client group 2 do not require the use of a management point.

Allocate at least one management point that is enabled for mobile devices for every 25,000 devices that run the mobile device legacy client in addition to any management points you use to manage devices that run the client for Mac. Allocate at least one management point that is enabled for mobile devices for every 10,000
308

Site type

Client group 1

Client group 2

Client group 3

documented limits. Instead, any additional management points provide redundancy for communications from clients.

devices that run the client for Mac, in addition to any management points you use for devices that run the mobile device legacy client.

Secondary site: Each secondary site supports a single management point which must be installed on the site server computer.

The management point at a secondary site always supports communications from the same number of clients as supported by the secondary site server. For information about the number of clients supported by a secondary site, see, Clients per Site, in this topic.

For example, you have a site that supports the following devices: 35,000 clients that include a mix of Windows client and server operating systems, Linux, and Windows Embedded devices (group 1) 15,000 devices that run the client for Mac, (group 3) 10,000 devices that run the mobile device legacy client (group 3) Two management points to support the various devices from group 1 Two management points enabled for mobile devices to support the clients for Mac One additional management point enable for mobile devices to support the devices that run the mobile device legacy client Note In most scenarios you cannot control the specific management point that is used by a client that runs the mobile device legacy client or the Mac client. Therefore, it is a best practice to plan for extra capacity, providing additional management points per device. Site System Requirements Each System Center 2012 Configuration Manager site system server must use a 64-bit operating system. The only exception to this is the distribution point site system role which can be installed on limited 32-bit operating system versions.
309

To support this distribution of devices, you deploy five management points:

Limitations for site systems: Site systems are not supported on Server Core installations for the following operating systems: Windows Server 2008 or Windows Server 2008 R2. Windows Server 2008 Foundation or Windows Server 2008 R2 Foundation. Windows Server 2012 or Windows Server 2012 R2. An exception to this is that beginning with System Center 2012 R2 Configuration Manager, these operating systems support the distribution point site system role, without PXE or multicast support. Windows Server 2012 Foundation or Windows Server 2012 R2 Foundation.

It is not supported to change the domain membership or computer name of a Configuration Manager site system after it is installed. Site system roles are not supported on an instance of a Windows Server cluster. The only exception to this is the site database server.

The following sections list the hardware requirements and operating system requirements for System Center 2012 Configuration Manager sites, typical site system roles, and function-specific site system roles. Prerequisites for Site System Roles The following table identifies prerequisites that are required by Configuration Manager for each site system role on supported operating systems prior to Windows Server 2012. For information about prerequisites for site system roles on Windows Server 2012 and Windows Server 2012 R2, see Prerequisites for Site System Roles on Windows Server 2012. Important Except where specifically noted, prerequisites apply to all versions of System Center 2012 Configuration Manager. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role .NET Framework version
1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Site

Requires both Not

Not

Windows feature:
310

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

server

of the following: 3.5 SP1 4.0

applicabl e

applicable

Remote Differential Compression

The computer where you install a central administration site or a primary site must have the required version of Windows AIK or Windows ADK installed before you install Configuration Manager. Similarly, when you upgrade a Configuration Manager site, you must install the version of the Windows ADK that the new version of Configuration Manager requires before you can upgrade the site. For more information about this requirement, see Operating System Deployment in this topic. By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles.

Database Not server applicable

Not applicabl e

Not applicable

A version of SQL Server that Configuration Manager supports must be installed on this computer. During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express.

SMS Provider Server

Not applicable

Not applicabl e

Not applicable

The computer where you install an instance of the SMS Provider must have the required version of Windows AIK or Windows ADK installed before you install the SMS Provider. Similarly, when you upgrade a Configuration Manager site, on
311

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

each computer that runs an instance of the SMS Provider you must install the version of the Windows ADK that the new version of Configuration Manager requires. For more information about this requirement, see Operating System Deploymentin this topic. Applicatio n Catalog web service point Requires both Requires of the the following: following options 3.5 SP1 for WCF 4.0 activatio n: HTT P Activ ation NonHTT P Activ ation Requires the Not applicable default IIS configuratio n with the following additions: Appl ication Develop ment: ASP .NE T (and auto mati cally sele cted opti ons) IIS 6 Manage ment Compati bility:
312

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

IIS 6 Met aba se Co mpa tibilit y

Applicatio Requires the n Catalog following: website 4.0 point

Not applicabl e

Requires the Not applicable default IIS configuratio n with the following additions: Co mmon HTTP Feature s: Stati c Con tent Def ault Doc ume nt Appl ication
313

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Develop ment: ASP .NE T (and auto mati cally sele cted opti ons)
3

Sec urity: Win dow s Auth enti cati on IIS 6 Manage ment Compati bility: IIS 6 Met aba se
314

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Co mpa tibilit y Asset Requires the Intelligen following: ce 4.0 synchroni zation point Certificat e registrati on point Requires the following: 4.0 Not applicabl e Not applicable Not applicable

Requires the following options for WCF activatio n: HTT P Activ ation

Requires the Not applicable default IIS configuratio n with the following additions: IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y IIS 6 WMI Co mpa tibilit y
315

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Distributi 4 on point

Not applicable

Not applicabl e

You can use the default IIS configuratio n, or a custom configuratio n. To use a custom IIS configuratio n, you must enable the following options for IIS: Appl ication Develop ment: ISA PI Exte nsio ns Sec urity: Win dow s

Windows feature: Remote Differential Compression To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note For Windows Server 2008, Windows Server 2008 R2, WDS is installed and configured automatically when you configure a distribution point to support PXE or Multicast. For Windows Server 2003, you must install and configure WDS manually. For System Center 2012 Configuration Manager with no service pack, to support PXE on a distribution point that is on a computer remote from the site server, you should install the following: Microsoft Visual C++ 2008 Redistributable. Note You can run the Microsoft Visual C++ 2008 Redistributable Setup from the Configuration Manager installation at: <ConfigMgrInstallationFolder>\ Client\x64\vcredist_x64.exe For Configuration Manager SP1, vcredist_x64.exe is installed
316

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in IIS 6 Configuration Manager topic. Met aba Note se With System Center 2012 Co Configuration Manager, the mpa distribution point site system role tibilit does not require Background y Intelligent Transfer Service (BITS). IIS 6 When BITS is configured on the WMI distribution point computer, BITS Co on the distribution point computer mpa is not used to facilitate the tibilit download of content by clients that y use BITS When you IIS 6 Manage ment Compati bility: use a custom IIS configuratio n, you can remove options that are not required, such as the following: Co
317

Auth enti cati on

automatically when you configure a distribution point to support PXE.

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

mmon HTTP Feature s: HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Endpoint Protectio n point Enrollme nt point

Requires the following: 3.5 SP1

Not applicabl e

Not applicable

Requires the following:

Requires the following 3.5 SP1 options for System C for WCF enter 201 activatio 2 n: Configura tion Mana ger with HTT no P service Activ pack ation 4.0 for System C enter 201 NonHTT

Requires the Not applicable default IIS configuratio n with the following additions: Appl ication Develop ment: ASP .NE T
318

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

2 Configura tion Mana ger with SP1

P Activ ation

(and auto mati cally sele cted opti ons)

3

Enrollme nt proxy point

Requires the following:

Requires the following 3.5 SP1 options for System C for WCF enter 201 activatio 2 n: Configura tion Mana ger with HTT no P service Activ pack ation 4.0 for NonSystem C HTT enter 201 P 2 Activ Configura ation tion Mana ger with SP1

Requires the Not applicable default IIS configuratio n with the following additions: Appl ication Develop ment: ASP .NE T (and auto mati cally sele cted opti ons)
3

Fallback status

Not applicable

Not applicabl

Requires the Not applicable default IIS

319

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

point

configuratio n with the following additions: IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y Windows feature: BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options)

Manage ment point

System Cent er 2012 Configuration Manager with no service pack: Mana gement points that support mobile devices require the .NET Framewo rk 3.5 5 SP1

Not applicabl e

You can use the default IIS configuratio n, or a custom configuratio 5 n. To use a custom IIS configuratio n, you must enable the following options for IIS: Appl

320

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

System Cent er 2012 Configuration Manager with SP1: All managem ent points require the .NET Framewo rk 4

ication Develop ment: ISA PI Exte nsio ns Sec urity: Win dow s Auth enti cati on IIS 6 Manage ment Compati bility: IIS 6 Met aba se Co mpa tibilit y IIS 6 WMI
321

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

Co mpa tibilit y When you use a custom IIS configuratio n you can remove options that are not required, such as the following: Co mmon HTTP Feature s: HTT P Redi recti on IIS Manage ment Scripts and Tools Not applicable

Out of band

Requires the following:

Requires the

Not applicable

322

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

service point

4.0

following options for WCF activatio n: HTT P Activ ation NonHTT P Activ ation Not applicable SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center products do not have restrictions for sharing the instance of SQL Server. Windows Server Update Services (WSUS) 3.0 SP2 must be installed on this computer. For more information, see the Planning for Software Update Point Installation section in the Planning for Software Updates in Configuration Manager topic.

Reporting Requires the services following: point 4.0

Not applicabl e

Software update point

Requires both Not of the applicabl following: e 3.5 SP1 4.0

Requires the default IIS configuratio n

323

Site system role

.NET Framework version

1

Windows cation Foundati on (WCF) activatio n

2

Role the web server (IIS) role

Additional prerequisites

Communi services for

State migration point System Health Validator point Windows Intune connecto r
1

Not applicable

Not applicabl e Not applicabl e Not applicabl e

Requires the Not applicable default IIS configuratio n Not applicable This site system role is supported only on a NAP health policy server.

Not applicable

Requires the following: 4.0

Not applicable

Not applicable

Install the full version of the Microsoft.NET Framework before you install the site system roles. For example, see the Microsoft .NET Framework 4 (Stand-Alone Installer). Important The Microsoft .NET Framework 4 Client Profile is insufficient for this requirement.
2

You can configure WCF activation as part of the .NET Framework Windows feature on the site system server. For example, on Windows Server 2008 R2, run the Add Features Wizard to install additional features on the server. On the Select Features page, expand NET Framework 3.5.1 Features, then expand WCF Activation, and then select the check box for both HTTP Activation and Non-HTTP Activation to enable these options.
3

In some scenarios, such as when IIS is installed or reconfigured after the .NET Framework version 4.0 is installed, you must explicitly enable ASP.NET version 4.0. For example, on a 64-bit computer that runs the .NET Framework version 4.0.30319, run the following command: %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i -enable
4

You must manually install IIS on computers that run a supported version of Windows Server 2003. Additionally, to install IIS and configure the additional Windows features, the computer might require access to the Windows Server 2003 source media.
5

Each management point that you enable to support mobile devices requires the additional IIS configuration for ASP.NET (and its automatically selected options). With this requirement, review note 3 for applicability to your installation.
324

Prerequisites for Site System Roles on Windows Server 2012 For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The following table identifies prerequisites that are required by Configuration Manager site system roles you install on Windows Server 2012 or Windows Server 2012 R2. For information about prerequisites for site system roles on supported operating systems prior to Windows Server 2012, see Prerequisites for Site System Roles. Some prerequisites, such as SQL Server for the site database server, or Windows Server Update Services (WSUS) for the software update point, might require additional prerequisites that are not directly required by the site system role. For site system roles that require Internet Information Services (IIS), use a version of IIS that the computer supports that runs the site system role. For information, see the following sections, Operating System Requirements for Typical Site System Roles and Operating System Requirements for Function-Specific Site System Roles, in this topic.
Site system role Windows Server Roles and Features Additional prerequisites

Site server

Features: .NET Framework 3.5 .NET Framework 4.5 Remote Differential Compression

The computer where you install a central administration site or a primary site must have the required version of Windows AIK or Windows ADK installed before you install Configuration Manager. Similarly, when you upgrade a Configuration Manager site, you must install the version of the Windows ADK that the new version of Configuration Manager requires before you can upgrade the site. For more information about this requirement, see Operating System Deployment in this topic. By default, a secondary site installs a management point and a distribution point. Therefore secondary sites must meet the prerequisites for these site system roles.

Database server

Not applicable

A version of SQL Server that Configuration Manager supports must be installed on this computer.
325

Site system role

Windows Server Roles and Features

Additional prerequisites

During installation of the Configuration Manager site, the remote registry service must be enabled on the computer that hosts the site database. When you install SQL Server Express as part of a secondary site installation, the secondary site server computer must meet the requirements for SQL Server Express. SMS Provider Server Not applicable The computer where you install an instance of the SMS Provider must have the required version of Windows AIK or Windows ADK installed before you install the SMS Provider. Similarly, when you upgrade a Configuration Manager site, on each computer that runs an instance of the SMS Provider you must install the version of the Windows ADK that the new version of Configuration Manager requires. For more information about this requirement, see Operating System Deploymentin this topic. Not applicable

Application Catalog web service point

Features: .NET Framework 3.5 HTTP Activation (and automatically selected options) ASP.NET 4.5

.NET Framework 4.5

IIS Configuration: Common HTTP Features: Default Document IIS 6 Management Compatibility:
326

Site system role

Windows Server Roles and Features

Additional prerequisites

IIS 6 Metabase Compatibility ASP.NET 3.5 (and automatically selected options) .NET Extensibility 3.5 Not applicable

Application Development:

Application Catalog website point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options) .NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Application Development:

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Asset Intelligence synchronization point Certificate registration point

Features: .NET Framework 4.5

Features: .NET Framework 4.5 HTTP Activation

Not applicable

327

Site system role

Windows Server Roles and Features

Additional prerequisites

IIS Configuration: Application Development: ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options)

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

1

Distribution point

Features : Remote Differential Compression Application Development: ISAPI Extensions Windows Authentication Security:

To support PXE or multicast, install and configure the following Windows role: Windows Deployment Services (WDS) Note WDS installs and configures automatically when you configure a distribution point to support PXE or Multicast on Windows Server 2012. For Configuration Manager with SP1, to support PXE on a distribution point that is on a computer remote from the site server, install the following: Microsoft Visual C++ 2008 Redistributable. Note For Windows Server 2012, the vcredist_x64.exe is
328

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility

Site system role

Windows Server Roles and Features

Additional prerequisites

installed automatically when you configure a distribution point to support PXE. PowerShell 3.0 is required on Windows Server 2012 before you install the distribution point.

With Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. For more information, see the section Planning for Distribution Points for Windows Azure in the Planning for Content Management in Configuration Manager topic. Note With System Center 2012 Configuration Manager, the distribution point site system role does not require Background Intelligent Transfer Service (BITS). When BITS is configured on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS Endpoint Protection point Features: Enrollment point .NET Framework 3.5 SP1 Not applicable Not applicable

Features: .NET Framework 3.5 HTTP Activation ASP.NET 4.5 .NET Framework 4.5 Common HTTP Features:

329

Site system role

Windows Server Roles and Features

Additional prerequisites

Default Document ASP.NET 3.5 .NET Extensibility 3.5

Application Development:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Enrollment proxy point

Features: .NET Framework 3.5 .NET Framework 4.5 ASP.NET 4.5

IIS Configuration: Common HTTP Features: Default Document Static Content ASP.NET 3.5 (and automatically selected options) ASP.NET 4.5 (and automatically selected options) .NET Extensibility 3.5 .NET Extensibility 4.5 Windows Authentication

Application Development:

Security:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility Not applicable

Fallback status point

Requires the default IIS configuration with the following additions: IIS Configuration: IIS 6 Management

330

Site system role

Windows Server Roles and Features

Additional prerequisites

Compatibility: Management point IIS 6 Metabase Compatibility Not applicable

Features: .NET Framework 4.5 BITS Server Extensions (and automatically selected options), or Background Intelligent Transfer Services (BITS) (and automatically selected options) Application Development: ISAPI Extensions Windows Authentication Security:

IIS Configuration:

IIS 6 Management Compatibility: IIS 6 Metabase Compatibility IIS 6 WMI Compatibility Not applicable

Out of band service point

Features: .NET Framework 4.5 HTTP Activation Non-HTTP Activation

Reporting services point

Features: .NET Framework 4.5

SQL Server Reporting Services installed and configured to use at least one instance for the reporting services point. The instance you use for SQL Server Reporting Services can be the same instance you use for the site database. Additionally, the instance you use can be shared with other System Center products as long as the other System Center
331

Site system role

Windows Server Roles and Features

Additional prerequisites

products do not have restrictions for sharing the instance of SQL Server. Software update point Features: .NET Framework 3.5 SP1 .NET Framework 4.5 Windows server role: Windows Server Update Services

Requires the default IIS configuration

For more information, see the Planning for Software Update Point Installation section in the Planning for Software Updates in Configuration Manager topic. Not applicable This site system role is supported only on a NAP health policy server. Not applicable

State migration point System Health Validator point Windows Intune connector
1

Requires the default IIS configuration Not applicable Features: .NET Framework 4.5

With System Center 2012 Configuration Manager, distribution points do not require BITS. When BITS is configured on the distribution point computer, BITS on the distribution point computer is not used to facilitate the download of content by clients that use BITS. Minimum Hardware Requirements for Site Systems This section identifies the minimum required hardware requirements for Configuration Manager site systems. These requirements are sufficient to support all features of Configuration Manager in an environment with up to 100 clients. This information is suitable for testing environments. For guidance about the recommended hardware for Configuration Manager in full-scale production environments, see Planning for Hardware Configurations for Configuration Manager. The following minimum requirements apply to all site types (central administration site, primary site, secondary site) when you install all available site system roles on the site server computer.
Hardware component Requirement

Processor

Minimum: AMD Opteron, AMD Athlon 64, Intel Xeon with Intel EM64T support, Intel Pentium IV with EM64T support Minimum: 1.4 GHz Minimum: 2 GB Available: 10 GB
332

RAM Free disk space

Hardware component

Requirement

Total: 50 GB

Operating System Requirements for Site Servers, Database Servers, and the SMS Provider The following table specifies the operating systems that can support System Center 2012 Configuration Manager site servers, the database server, and the SMS Provider site system role. The table also specifies the Configuration Manager versions that support each operating system.
Operatin g system Syste m archite cture Central administratio n site Primary site Secondary site
1

Site database server

1, 2

SMS Provider

Windows Server 2 008 Stan dard Editi on (SP2 ) Enter prise Editi on (SP2 ) Data cent er Editi on (SP2 ) Windows Server 2

x64

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cent er 2012 Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager no with no service service pack pack System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center 2012 R2 Configura tion Manager System Center 2012 R2 Configur ation Manager

x64

System Cent er 2012

System Cent er 2012

System Cent er 2012

System Cente System Cent r 2012 er 2012

333

Operatin g system

Syste m archite cture

Central administratio n site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

008 R2 Stan dard Editi on with no servi ce pack, or with SP1) Enter prise Editi on (with no servi ce pack, or with SP1) Data cent er Editi on (with no servi ce pack,

Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

Configur ation Ma nager with no service pack System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager

Configura tion Mana ger with no service pack

Configur ation Ma nager with no service pack

System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center 2012 R2 Configura tion Manager System Center 2012 R2 Configur ation Manager

334

Operatin g system

Syste m archite cture

Central administratio n site

Primary site

Secondary site
1

Site database server

1, 2

SMS Provider

or with SP1) Windows Server 2 012 Stan dard Data cent er Windows Server 2 012 R2 Stan dard Data cent er x64 x64 System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cent er 2012 Configur ation Ma nager with SP1 System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager System Cente System Cent r 2012 er 2012 Configura Configur tion Mana ation Ma ger with nager SP1 with SP1 System Center 2012 R2 Configura tion Manager Syste m Center 2012 Configura tion Mana ger with 3 SP1 System Center 2012 R2 Configura tion Manager System Center 2012 R2 Configur ation Manager System Center 2012 R2 Configur ation Manager

Site database servers are not supported on a read-only domain controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Additionally, secondary site servers are not supported on any domain controller. 2 For more information about the versions of SQL Server that Configuration Manager supports, see Configurations for the SQL Server Site Database in this topic.
3

To support this operating system as a database server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012
335

Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. Note Windows Server 2012 R2 does not support the Windows Assessment and Deployment Kit 8.0 (Windows ADK). For Configuration Manager SP1, the Windows ADK is a prerequisite for a computer that is a site server or that hosts an instance of the SMS Provider. Therefore, Windows Server 2012 R2 remains unsupported for use as a site server or as a host for the SMS Provider for Configuration Manager SP1 even when cumulative update 3 is installed. Operating System Requirements for Typical Site System Roles The following table specifies the operating systems that can support multi-function site system roles, and the Configuration Manager versions that support each operating system.
Operatin g system Syste m archite cture Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Windows Vista Busi ness Editi on (SP1 ) Enter prise Editi on (SP1 ) Ultim ate Editi on (with

x64

System Cent Not er 2012 supported Configura tion Man ager with no service 1, 2 pack System Cent er 2012 Configura tion Man ager with 1, 2 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

336

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

no servi ce pack, or with SP1) Windows 7 Profe ssion al (with no servi ce pack, or with SP1) Enter prise Editi ons (with no servi ce pack, or with SP1) Ultim ate
337

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with no service 1, 2 pack System Cent er 2012 Configura tion Man ager with 1, 2 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Editi ons (with no servi ce pack, or with SP1) Windows 8 Enter prise Pro x86, x64 System Cent Not er 2012 supported Configura tion Man ager with 1, 2 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

Windows 8.1 Enter prise Pro

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with 2, 4, 7 SP1 System Center 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

Windows

x86,

System Cent

Not

Not

Not

Not
338

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Server 2 003 Standard Editi on (SP2 ) Enterpris e Editi on (SP2 ) Datacent er Editi on (SP2 ) Windows Server 2 003 Web Editi on (SP2 ) Stora ge Serv er Editi on (SP2 )

x64

er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2 Configura tion 2 Manager
,4

supported

supported

supported

x86

System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2

Not supported

Not supported

Not supported

339

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Configura tion 2 Manager

,4

Windows Server 2 003 R2 Stan dard Editi on Enter prise Editi on

x86, x64

System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 4 SP1 System Center 2012 R2 Configura tion 2 Manager
,4

Not supported

Not supported

Not supported

Windows Server 2 008 Stan dard Editi on (SP2 )

x86, x64

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with no no no no SP1 service service service service System 2, 4 pack pack pack pack Center System Cent System Cent System Cent System Cent 2012 R2 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion tion Man tion Man tion Man tion Man Manager
340

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Enter prise Editi on (SP2 ) Data cent er Editi on (SP2 ) Windows Server 2 008 R2 Stan dard Editi on (with no servi ce pack, or with SP1) Enter prise Editi on (with x64

ager with 2, 4 SP1

ager with SP1

ager with SP1

ager with SP1

System System System System Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura tion tion tion tion 2 Manager Manager Manager Manager
,4

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with no no no no SP1 service service service service System 4 pack pack pack pack Center System Cent System Cent System Cent System Cent 2012 R2 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion tion Man tion Man tion Man tion Man Manager ager with ager with ager with ager with 5 SP1 SP1 SP1 SP1 System System System System Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura tion tion tion tion 5 Manager Manager Manager Manager

341

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

no servi ce pack, or with SP1) Data cent er Editi on (SP1 ) Windows Storage Server 2 008 R2 Work grou p Stan dard Enter prise x64 System Cent Not er 2012 supported Configura tion Man ager with no service 2, 4 pack System Cent er 2012 Configura tion Man ager with 2, 5 SP1 System Center 2012 R2 Configura tion 2 Manager
,5

Not supported

Not supported

Not supported

Windows

x64

System Cent

System Cent

System Cent

System Cent

System Cent
342

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Server 2 012 Stan dard Data cent er The x64 Server Core installatio n of Windows Server 2 012 Windows Server 2 012 R2 Stan dard Data cent er The x64 Server C ore installatio n of Windows x64

er 2012 Configura tion Man ager with SP1

er 2012 Configura tion Man ager with SP1

er 2012 Configura tion Man ager with SP1

er 2012 Configura tion Man ager with SP1

er 2012 Configura tion Man ager with SP1

System System System System System Center Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura Configura tion tion tion tion tion 6 Manager Manager Manager Manager Manager System Not Center supported 2012 R2 Configura tion 1 Manager
,2

Not supported

Not supported

Not supported

System Cent System Cent System Cent System Cent System Cent er 2012 er 2012 er 2012 er 2012 er 2012 Configura Configura Configura Configura Configura tion Man tion Man tion Man tion Man tion Man ager with ager with ager with ager with ager with 7 7 7 7 7 SP1 SP1 SP1 SP1 SP1 System System System System System Center Center Center Center Center 2012 R2 2012 R2 2012 R2 2012 R2 2012 R2 Configura Configura Configura Configura Configura tion tion tion tion tion 6 Manager Manager Manager Manager Manager System Not Center supported 2012 R2 Configura tion 1 Manager Not supported Not supported Not supported

343

Operatin g system

Syste m archite cture

Distribution point
3

Enrollment point and enrollment proxy point

Fallback status point

Management point

Windows Intune connector

Server 2 012 R2
1 2 3

,2

Distribution points on this operating system are not supported for PXE. Distribution points on this operating system version do not support Multicast.

Unlike other site system roles, distribution points are supported on some 32-bit operating systems. Distribution points also support several different configurations that each have different requirements and in some cases support installation not only on servers, but on client operating systems. For more information about the options available for distribution points, see Prerequisites for Content Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
4

Distribution points on this operating system version are supported for PXE, but they do not support network booting of client computers in EFI mode. Client computers with BIOS or with EFI booting in legacy mode are supported.
5

Distribution points on this operating system version are supported for PXE boot of x64 UEFI computers but do not support PXE boot of IA32 UEFI computers.
6

Distribution points on this operating system version are supported for PXE boot of both x64 and IA32 UEFI computers.
7

To support this operating system as a site system server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. Operating System Requirements for Function-Specific Site System Roles The following table specifies the operating systems that are supported for use with each featurespecific Configuration Manager site system role, and the Configuration Manager versions that support each operating system.

344

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

Wind x64 ows Serv er 20 08 S t a n d a r d E d it i o n ( S P 2 ) E n t e

System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h no no ser ser vic vic e e pac pac k k System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma

Not sup port ed

System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er no er wit wit wit wit serv wit h h h h ice h no no no no pac no ser ser ser ser kSy ser vic vic vic vic ste vic e e e e mC e pac pac pac pac ente pac k k k k r 20 k 12 System System System System System Con Ce Ce Ce Ce Ce figur nte nte nte nte nte atio r2 r2 r2 r2 r2 n M 012 012 012 012 012 ana Co Co Co Co Co ger nfig nfig nfig nfig nfig with ura ura ura ura ura SP1 tion tion tion tion tion Syst Ma Ma Ma Ma Ma
345

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

r p ri s e E d it i o n ( S P 2 ) D a t a c e n t e r E d it i o

nag er wit h SP 1

nag er wit h SP 1

nag er wit h SP 1

nag er wit h SP 1

nag er wit h SP 1

nag er wit h SP 1

System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

System System System System Ce Ce Ce Ce nte nte nte nte r r r r 201 201 201 201 2 2 2 2 R2 R2 R2 R2 Co Co Co Co nfig nfig nfig nfig ura ura ura ura tion tion tion tion Ma Ma Ma Ma nag nag nag nag er er er er

em nag Cen er ter wit 201 h 2 SP R2 1 Con System figur Ce atio nte n r Man 201 ager 2 R2 Co nfig ura tion Ma nag er

346

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

n ( S P 2 ) Wind x64 ows Serv er 20 08 R 2 S t a n d a r d E d it i o n ( w it h System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h no no ser ser vic vic e e pac pac k k System Ce nte r2 System Ce nte r2 S y s t e m C e n t e r 2 0 1 2 R 2 C o System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er no er wit wit wit wit serv wit h h h h ice h no no no no pac no ser ser ser ser kSy ser vic vic vic vic ste vic e e e e mC e pac pac pac pac ente pac k k k k r 20 k 12 System System System System System Con Ce Ce Ce Ce Ce figur nte nte nte nte nte atio r2 r2 r2 r2 r2 nM
347

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

n o s e r v i c e p a c k , o r w it h S P 1 ) E n t e r p ri s

012 Co nfig ura tion Ma nag er wit h SP 1

012 Co nfig ura tion Ma nag er wit h SP 1

n f i g u r a t i o n

System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

M a System System System System n Ce Ce Ce Ce a nte nte nte nte g r r r r e 201 201 201 201 r 2 2 2 2 R2 R2 R2 R2 Co Co Co Co nfig nfig nfig nfig ura ura ura ura tion tion tion tion Ma Ma Ma Ma nag nag nag nag er er er er

012 Co nfig ura tion Ma nag er wit h SP 1

012 Co nfig ura tion Ma nag er wit h SP 1

012 Co nfig ura tion Ma nag er wit h SP 1

012 Co nfig ura tion Ma nag er wit h SP 1

ana 012 ger Co with nfig SP1 ura Syst tion em Ma Cen nag ter er 201 wit 2 h R2 SP Con 1 figur System atio Ce n nte Man r ager 201 2 R2 Co nfig ura tion Ma nag er

348

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

e E d it i o n ( w it h n o s e r v i c e p a c k , o r w it h S P 1
349

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

) D a t a c e n t e r E d it i o n ( S P 1 ) Wind x64 ows Serv er 20 12 S System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura S y s t e m System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura
350

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

t a n d a r d D a t a c e n t e r

tion Ma nag er wit h SP 1

tion Ma nag er wit h SP 1

C e n t e r

System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er

2 0 System System System System Ce Ce Ce Ce 1 2 nte nte nte nte r r r r R 201 201 201 201 2 2 2 2 2 R2 R2 R2 R2 C Co Co Co Co o nfig nfig nfig nfig n ura ura ura ura f tion tion tion tion i Ma Ma Ma Ma g nag nag nag nag u er er er er r a t i o n M a n

tion Ma nag er wit h SP 1

tion Ma nag er wit h SP 1

tion Ma nag er wit h SP 12

tion Ma nag er wit h SP 1

ana tion ger Ma with nag SP1 er Syst wit em h Cen SP ter 1 201 System 2 Ce R2 nte Con r figur 201 atio 2 n R2 Man Co ager nfig ura tion Ma nag er

351

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

a g e r Wind x64 ows Serv er 20 12 R 2 S t a n d a r d D a t a c e n t e System System Ce Ce nte nte r2 r2 012 012 Co Co nfig nfig ura ura tion tion Ma Ma nag nag er er wit wit h h SP SP 1 1 1 1 System System Ce Ce nte nte r r 201 201 2 2 R2 R2 Co Co nfig nfig ura ura S y s t e m C e n t e r 2 0 1 2 R 2 C o n f System System System System System System Ce Ce Ce Ce Cen Ce nte nte nte nte ter 2 nte r2 r2 r2 r2 012 r2 012 012 012 012 Con 012 Co Co Co Co figur Co nfig nfig nfig nfig atio nfig ura ura ura ura nM ura tion tion tion tion ana tion Ma Ma Ma Ma ger Ma nag nag nag nag with nag er er er er SP1 er 1 wit wit wit wit wit h h h h h System SP SP SP SP SP Cen 1 1 1 1 1 1 1 1 1 1 ter System System System System 201 System Ce Ce Ce Ce 2 Ce nte nte nte nte R2 nte r r r r Con r 201 201 201 201 figur 201 2 2 2 2 atio 2 R2 R2 R2 R2 n R2 Co Co Co Co Man Co nfig nfig nfig nfig ager nfig ura ura ura ura ura
352

Oper ating syste m

Sys tem arc hite ctur e

Applica tion Catalog web service point and Applica tion Catalog website point

Asset Intellige nce synchr onizatio n point

Cert ifica te regi strat ion poin t

Endpoi nt Protecti on point

Out of band service point

Reporti ng service s point

Softwar e update point

State migratio n point

System Health Validat or point

tion Ma nag er

tion Ma nag er

i g u r a t i o n M a n a g e r

tion Ma nag er

tion Ma nag er

tion Ma nag er

tion Ma nag er

tion Ma nag er

To support this operating system as a site system server for System Center 2012 Configuration Manager with SP1, you must install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. Computer Client Requirements The following sections describe the operating systems and hardware supported for System Center 2012 Configuration Manager computer client installation on Windows-based computers, Mac computers, and servers that run Linux or UNIX. Make sure that you also review Prerequisites for Windows Client Deployment in Configuration Manager for a list of dependencies for the installation of the Configuration Manager client on Windows-based computers and mobile devices. Computer Client Hardware Requirements
353

The following are minimum requirements for Windows-based computers that you manage with Configuration Manager.
Requirement Details

Processor and memory

Refer to the processor and RAM requirements for the computers operating system. Note An exception to this is Windows XP and Windows 2003, which both require a minimum of 256 MB of RAM.

Disk space

500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Less disk space is required if you use customized settings to install the Configuration Manager client: Use the CCMSetup command-line property /skippprereq to avoid installing files that the client does not require. For example, CCMSetup.exe /skipprereq:silverlight.exe if the client will not use the Application Catalog. Use the Client.msi property SMSCACHESIZE to set a cache file that is smaller than the default of 5120 MB. The minimum size is 1 MB. For example, CCMSetup.exe SMSCachesize=2 creates a cache that is 2 MB in size.

For more information about these client installation settings, see About Client Installation Properties in Configuration Manager. Tip Installing the client with minimal disk space is useful for Windows Embedded devices that typically have smaller disk sizes than standard Windows computers.

354

The following are additional hardware requirements for optional functionality in Configuration Manager.
Function Minimum hardware requirements

Operating system deployment Software Center

384 MB of RAM 500 MHz processor

Remote Control

Pentium 4 Hyper-Threaded 3 GHz (single core) or comparable CPU, with at least a 1 GB RAM for optimal experience. Desktop or portable computers must have the Intel vPro Technology or Intel Centrino Pro and a supported version of Intel AMT.

Out of Band Management

Operating System Requirements for Configuration Manager Client Installation The following table specifies the operating systems that are supported for Configuration Manager client installation, and the versions of Configuration Manager that support each operating system. For server platforms, client support is independent of any other service that runs on that server unless noted otherwise. For example, the client is supported on domain controllers and servers that run cluster services or terminal services.
Operating system System architecture Configuration Manager version

Windows XP Professional (SP3)

x86

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows XP Professional for 64-bit Systems (SP2)

x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager
355

Operating system

System architecture

Configuration Manager version

Windows XP Tablet PC (SP3)

x86

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Vista Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 7 Professional (with no service pack, or with SP1) Enterprise Editions (with no service pack, or with SP1) Ultimate Editions (with no service pack, or with SP1)

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8 Pro Enterprise

x86, x64

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8.1 Pro Enterprise

x86, x64

System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2 Configuration Manager

Windows Server 2003 Web Edition (SP2)

x86

System Center 2012 Configuration Manager with

356

Operating system

System architecture

Configuration Manager version

no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows Server 2003 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2003 R2 SP2 Standard Edition Enterprise Edition Datacenter Edition
1

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Storage Server 2003 R2 SP2

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)
1

x86, x64

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2
357

Operating system

System architecture

Configuration Manager version

Configuration Manager The Server Core installation of Windows Server 2008 (SP2) x86, x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 Windows Storage Server 2008 R2 Workgroup Standard Enterprise x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows Server 2008 R2 Standard Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no 1 service pack, or with SP1) x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager x64 System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager Windows Server 2012 Standard Datacenter
1

The Server Core installation of Windows Server 2008 R2 (with no service pack, or with SP1)

x64

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of

x64

System Center 2012

358

Operating system

System architecture
2

Configuration Manager version

Windows Server 2012

Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 R2 Standard Datacenter

1

x64

System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2 Configuration Manager

Windows Storage Server 2012 R2

x64

System Center 2012 Configuration Manager with 3 SP1 System Center 2012 R2 Configuration Manager

The Server Core installation of 2 Windows Server 2012 R2

1

x64

System Center 2012 R2 Configuration Manager

Datacenter releases are supported but not certified for System Center 2012 Configuration Manager. Hotfix support is not offered for issues specific to Windows Server Datacenter Edition.
2

To support client push installation, the computer that runs this operating system version must run the File Server role service for the File and Storage Services server role.
3

To support this operating system as a client with System Center 2012 Configuration Manager with SP1, you must first install cumulative update 3 for System Center 2012 Configuration Manager SP1. For more information see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack 1. For more information about installing Windows features on a Server Core computer, see Install Server Roles and Features on a Server Core Server in the Windows Server 2012 TechNet library. Embedded Operating System Requirements for Configuration Manager Clients System Center 2012 Configuration Manager and System Center 2012 Endpoint Protection support clients for integration with Windows Embedded. Support limitations for Windows Embedded: All client features are supported natively on supported Windows Embedded systems that do not have write filters enabled. For System Center 2012 Configuration Manager with no service pack, Windows Embedded systems that have write filters enabled must use task sequences to deploy to embedded devices, and the task sequences must include steps to disable and then restore the write filters.
359

Beginning with System Center 2012 Configuration Manager SP1, clients that use Enhanced Write Filters (EWF) RAM or File Based Write Filters (FBWF) are natively supported for all features except power management. Beginning with System Center 2012 R2 Configuration Manager, clients that use Unified Write Filters (UWF) are natively supported for all features except power management. The Application Catalog is not supported for any Windows Embedded device. Windows Embedded operating systems based on Windows XP are only supported for Endpoint Protection in Configuration Manager SP1. Before you can monitor detected malware on Windows Embedded devices based on Windows XP, you must install the Microsoft Windows WMI scripting package on the embedded device. Use Windows Embedded Target Designer to install this package. The files WBEMDISP.DLL and WBEMDISP.TLB must exist and be registered in the folder %windir%\System32\WBEM on the embedded device to ensure that detected malware is reported. Note Beginning with Configuration Manager SP1, new options are added to control the behavior of Windows Embedded write filters when you install the Endpoint Protection client. For more information, see Introduction to Endpoint Protection in Configuration Manager.

The following table specifies the Windows Embedded versions that are supported with Configuration Manager and Endpoint Protection, and the versions of Configuration Manager and Endpoint Protection that support each Windows Embedded version.
Windows Embedded operating system Base operating system System architectur e Configuration Manager version System Center 2012 Endpoint Protectio n version

Windows Embedded Standard 2009

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with SP1

Windows XP Embedded SP3

Windows X P SP3

x86

System Center 2012 Configuration Man ager with no service pack System Center 2012

System Center 2012 Endpoint Prote ction with SP1

360

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Fundamental s for Legacy PCs (WinFLP) Windows X P SP3 x86 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Embedded POSReady 2009 Windows X P SP3 x86 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager WEPOS 1.1 with SP3 Windows X P SP3 x86 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager Windows Embedded Windows 7 x86, x64 System Center 2012 System
361

System Center 2012 Endpoint Prote ction with SP1

System Center 2012 Endpoint Prote ction with SP1

System Center 2012 Endpoint Prote ction with SP1

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

Standard 7 with SP1

Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

Windows Embedded POSReady 7

Windows 7

x86, x64

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

Windows Thin PC

Windows 7

x86, x64

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with no service pack System Center 2012 Endpoint Prote ction with SP1

Windows Embedded 8 Pro

Windows 8

x86, x64

System Center 2012 Configuration Man 1 ager with SP1 System Center 2012 R2 Configuration Manager

System Center 2012 Endpoint Prote ction with SP1

Windows Embedded 8

Windows 8

x86, x64

System Center 2012

System
362

Windows Embedded operating system

Base operating system

System architectur e

Configuration Manager version

System Center 2012 Endpoint Protectio n version

Standard

Configuration Man 1 ager with SP1 Windows 8 x86, x64 System Center 2012 Configuration Man 1 ager with SP1 System Center 2012 R2 Configuration Manager

Center 2012 Endpoint Prote ction with SP1 System Center 2012 Endpoint Prote ction with SP1

Windows Embedded 8 Industry

Windows Embedded 8.1 Industry

Windows 8. 1

x86, x64

System Center 2012 R2 Configuration Manager

System Center 2012 R2 Endpoint Protection

The Unified Write Filter (UWF) that is included with this version of Windows Embedded is not supported by System Center 2012 Configuration Manager SP1. Therefore, with System Center 2012 Configuration Manager SP1, the built-in features for write filter management will not work with UWF. Client Requirements for Mac Computers Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The client for Mac is supported only on Mac computers that use an Intel 64-bit chipset. The following operating systems are supported for the Configuration Manager client for Mac computers:
Operating system Configuration Manager version

Mac OS X 10.6 (Snow Leopard)

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012
363

Mac OS X 10.7 (Lion)

Mac OS X 10.8 (Mountain Lion)

Operating system

Configuration Manager version

Configuration Manager with SP1 cumulative update 1 System Center 2012 R2 Configuration Manager

For more information about computers that run Mac OS X, see How to Install Clients on Mac Computers in Configuration Manager. Client Requirements for Linux and UNIX Servers Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use the information in the following sections to identify the supported distributions of Linux and UNIX and the hardware requirements to run a Configuration Manager client for Linux and UNIX. For information about the operating system file dependencies for the client for Linux and UNIX, see Prerequisites for Client Deployment to Linux and UNIX Servers in the Planning for Client Deployment for Linux and UNIX Servers topic. For an overview of the management capabilities supported for computers that run Linux or UNIX, see the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic. Supported Distributions of Linux and UNIX The following table lists the different releases of the client for Linux and UNIX that you can use with each version of Configuration Manager:
Configuration Manager version Version of the client for Linux and UNIX

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1

Not supported System Center 2012 Configuration Manager SP1 Client for Linux and UNIX Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

System Center 2012 R2 Configuration Manager

The following table identifies the operating systems, platforms, and client installation packages that are supported for each release of the client for Linux and UNIX: Important
364

Only the most recent update for the System Center 2012 Configuration Manager SP1 Client for Linux and UNIX or the System Center 2012 R2 Configuration Manager Agent for Linux and UNIX is available for download. You can download clients for additional operating systems, and view the Release History including the client build versions online at the Microsoft Download Center: System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX
System Center 2012 Configuration Manager SP1 Client for Linux and UNIX Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Operating Versio system n

Red Hat Enterpris e Linux (RHEL)

Versio n4 x86 Versio n4 x64 Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64

ccmccmRHEL4x86.<build>.ta RHEL4x86.<build>.tar r ccmccmRHEL4x64.<build>.ta RHEL4x64.<build>.tar r ccmccmRHEL5x86.<build>.ta Universalx86.<build>.tar r ccmccmRHEL5x64.<build>.ta Universalx64.<build>.tar r ccmccmRHEL6x86.<build>.ta Universalx86.<build>.tar r ccmccmRHEL6x64.<build>.ta Universalx64.<build>.tar r ccmSol9sparc.<build>.tar ccmSol9sparc.<build>.tar

ccmRHEL4x86.<build>.tar ccmRHEL4x64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmSol9sparc.<build>.tar

Solaris

Versio n9 SPAR C Versio n 10 x86

ccmSol10x86.<build>.tar

ccmSol10x86.<build>.tar

ccmSol10x86.<build>.tar

365

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Versio n 10 SPAR C Versio n 11 x86 Versio n 11 SPAR C SUSE Linux Enterpris e Server (SLES) Versio n9 x86 Versio n 10 SP1 x86 Versio n 10 SP1 x64 Versio n 11 SP1 x86 Versio n 11 SP1 x64 CentOS Versio n5 x86

ccmSol10sparc.<build>.t ar No support

ccmSol10sparc.<build>.tar

ccmSol10sparc.<build>.tar

ccmSol11x86.<build>.tar ccmSol11sparc.<build>.tar

ccmSol11x86.<build>.tar ccmSol11sparc.<build>.tar

No support

ccmSLES9x86.<build>.ta r ccmSLES10x86.<build>.t ar ccmSLES10x64.<build>.t ar ccmSLES11x86.<build>.t ar ccmSLES11x64.<build>.t ar No support

ccmSLES9x86.<build>.tar ccmUniversalx86.<build>.tar

ccmSLES9x86.<build>.tar ccmUniversalx86.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

366

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

Versio n5 x64 Versio n6 x86 Versio n6 x64 Debian Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64 Versio n7 x86

No support

ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar No support

ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar

No support

No support

No support

No support

No support

No support

No support

Versio n7 x64

No support

No support

ccmUniversalx64.<build>.tar

Ubuntu

Versio n 10.4 LTS

No support

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

367

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

x86 Versio n 10.4 LTS x64 Versio n 12.4 LTS x86 Versio n 12.4 LTS x64 Oracle Linux Versio n5 x86 Versio n5 x64 Versio n6 x86 Versio n6 x64 HP-UX No support ccmUniversalx64.<build>.tar ccmUniversalx64.<build>.tar

No support

ccmUniversalx86.<build>.tar

ccmUniversalx86.<build>.tar

No support

ccmUniversalx64.<build>.tar

ccmUniversalx64.<build>.tar

No support

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar

ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar ccmUniversalx86.<build>.tar ccmUniversalx64.<build>.tar

No support

No support

No support

Versio No support n 11iv2 IA64 Versio No support n 11iv2 PARISC Versio No support

ccmccmHpuxB.11.23i64.<build>.t HpuxB.11.23i64.<build>.t ar ar ccmccmHpuxB.11.23PA.<build>.t HpuxB.11.23PA.<build>.t ar ar ccmccm368

Operating Versio system n

System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

Cumulative Update 1 for System Center 2012 Configuration Manager SP1 Client for Linux and UNIX

System Center 2012 R2 Configuration Manager Agent for Linux and UNIX

n 11iv3 IA64 Versio No support n 11iv3 PARISC AIX Versio No support n 5.3 (Power ) Versio No support n 6.1 (Power ) Versio No support n 7.1 (Power )

HpuxB.11.31i64.<build>.t HpuxB.11.31i64.<build>.t ar ar ccmccmHpuxB.11.31PA.<build>.t HpuxB.11.31PA.<build>.t ar ar ccm-Aix53ppc.<build>.tar ccm-Aix53ppc.<build>.tar

ccm-Aix61ppc.<build>.tar ccm-Aix61ppc.<build>.tar

ccm-Aix71ppc.<build>.tar ccm-Aix71ppc.<build>.tar

Note For the clients for Linux and UNIX, the listed version includes all subsequent minor versions. For example, where the table indicates support for CentOS version 6, this also includes any subsequent minor version of CentOS 6, such as CentOS 6.3. Similarly, where the table indicates support for an operating system that uses service packs, such as SUSE Linux Enterprise Server 11 SP1, support includes subsequent service packs for that operating system. For information about client installation packages and the Universal Agent, see How to Install Clients on Linux and UNIX Computers in Configuration Manager. Hardware and Disk Space Requirements The following are minimum hardware requirements for computers that you manage with the Configuration Manager client for Linux and UNIX.

369

Requirement

Details

Processor and memory Disk space

Refer to the processor and RAM requirements for the computers operating system. 500 MB available disk space, with 5 GB recommended for the Configuration Manager client cache. Configuration Manager client computers must have network connectivity to Configuration Manager site systems to enable management.

Network connectivity

Mobile Device Requirements The following sections describe the hardware and operating systems that are supported for managing mobile devices in System Center 2012 Configuration Manager. Note The following mobile device clients are not supported in the Configuration Manager hierarchy: Device management clients from System Management Server 2003 and Configuration Manager 2007 Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection

Mobile Devices Enrolled by Configuration Manager The following table lists the platforms and languages that support Configuration Manager enrollment and the versions of Configuration Manager that support each platform.
Operating system Configuration Manager version Supported languages

Windows Mobile 6.1

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

370

Operating system

Configuration Manager version

Supported languages

Windows Mobile 6.5

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Arabic Basque (Basque) Bulgarian Catalan Chinese (Hong Kong SAR) Chinese (Simplified) Chinese (Traditional) Croatian Czech Danish Dutch English (UK) English (US) Estonian Farsi Finnish French (Canada) French (France) Galician German Greek Hebrew Hungarian Icelandic
371

Nokia Symbian Belle

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Operating system

Configuration Manager version

Supported languages

Mobile Devices Enrolled by Windows Intune

Indonesian Italian Kazakh Korean Latvian Lithuanian Malay Norwegian Polish Portuguese (Brazil) Portuguese (Portugal) Romanian Russian Serbian (Latin/Cyrillic) Slovak Slovenian Spanish (Latin America) Spanish (Spain) Swedish Tagalog (Filipino) Thai Turkish Ukrainian Urdu Vietnamese

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The following table lists the platforms and languages that are supported for mobile devices that are enrolled by Windows Intune and you use the Windows Intune connector in Configuration Manager. Important You must have a subscription to Windows Intune to manage the following operating systems.

372

Operating system

Operating system version

Configuration Manager version

Company portal supported languages

Windows Phone 8

Not applicable

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) Czech Danish Dutch English (US) Finnish French (France) German Greek Hungarian Italian Japanese Korean Norwegian Polish Portuguese (Brazil) Romanian Russian Spanish (Spain) Swedish Turkish

Windows 8 RT Not applicable

Windows 8.1 RT Windows 8.1 iOS x86 x64 5.0 6.0 Android
1

Not applicable Not applicable

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

7.0 2.3 and later

Support for devices that run Android begins with Android 2.3, and includes all subsequent releases of Android. However, when you use System Center 2012 Configuration Manager SP1, or when you use System Center 2012 R2 Configuration Manager with a version of Android that is prior to 4.0, a limited set of functionality is available. Beginning with System Center 2012 R2 Configuration Manager, when you use the Company Portal app, Configuration Manager supports additional capabilities for devices that run Android 4.0 or later. For more information, see the How to Manage Mobile Devices by Using Configuration Manager and Windows Intune topic in the Deploying Clients for System Center 2012 Configuration Manager guide.
373

Mobile Device Support by Using the Exchange Server Connector System Center 2012 Configuration Manager offers limited management for mobile devices when you use the Exchange Server connector for Exchange Active Sync (EAS) capable devices that connect to a server running Exchange Server or Exchange Online. For more information about which management functions Configuration Manager supports for mobile devices that the Exchange Server connector manages, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the platforms that support the Exchange Server connector and which versions of Configuration Manager support each platform.
Version of Exchange Server Configuration Manager version

Exchange Server 2010 SP1

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Server 2010 SP2

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Server 2013

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Exchange Online (Office 365)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Includes Business Productivity Online Standard Suite.

Mobile Device Legacy Client The following sections list the hardware and operating systems that are supported for the mobile device legacy client in System Center 2012 Configuration Manager. Mobile Device Legacy Client Hardware Requirements
374

The mobile device client requires 0.78 MB of storage space to install. In addition, logging on the mobile device can require up to 256 KB of storage space. Mobile Device Legacy Client Operating System Requirements System Center 2012 Configuration Manager supports management for Windows Phone, Windows Mobile, and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type. For more information about which management functions Configuration Manager supports for the mobile device legacy client, see Determine How to Manage Mobile Devices in Configuration Manager. The following table lists the mobile device platforms that are supported with the mobile device legacy client for Configuration Manager, and the versions of Configuration Manager that support each platform.
Operating system Configuration Manager version Supported languages

Windows CE 5.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US)
375

Windows CE 6.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows CE 7.0 (Arm and x86 processors)

System Center 2012 Configuration Manager with no service pack

Operating system

Configuration Manager version

Supported languages

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain) Chinese (Simplified) Chinese (Traditional) English (US) French (France) German Italian Japanese Korean Portuguese (Brazil) Russian Spanish (Spain)

Windows Mobile 6.0

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Configuration Manager Console Requirements The following table lists the operating systems that are supported to run the Configuration Manager console, the minimum version of the Microsoft .NET Framework they require, and the versions of the Configuration Manager console that support each operating system.
Operating system System architecture Minimum .NET Framework version
1

Configuration Manager version

Windows XP Professional (SP3)

x86

.NET Framework 4

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Vista

x86, x64

.NET Framework 4

System Center 2012

376

Operating system

System architecture

Minimum .NET Framework version

Configuration Manager version

Business Edition (SP2) Enterprise Edition (SP2) Ultimate Edition (SP2)

Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager x86, x64 .NET Framework 4
1

Windows 7 Professional Edition (with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Ultimate Edition (with no service pack, or with SP1)

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8 Pro Enterprise

x86, x64

.NET Framework 4.5

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows 8.1 Pro Enterprise

x86, x64

.NET Framework 4.5

System Center 2012 R2 Configuration Manager

Windows Server 2008 Standard Edition (SP2) Enterprise Edition (SP2) Datacenter Edition (SP2)

x86, x64

.NET Framework 4

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2008 R2 Standard Edition

x64

.NET Framework 4

System Center 2012 Configuration Manager with no service pack

377

Operating system

System architecture

Minimum .NET Framework version

Configuration Manager version

(with no service pack, or with SP1) Enterprise Edition (with no service pack, or with SP1) Datacenter Edition (with no service pack, or with SP1) x64 .NET Framework 4.5

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 Standard Edition Datacenter Edition

System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Windows Server 2012 R2 Standard Edition Datacenter Edition

x64

.NET Framework 4.5

System Center 2012 R2 Configuration Manager

The Configuration Manager console requires the full version of the .NET Framework 4 and is not supported with the .NET Framework Client Profile. The requirements in the following table apply to each computer that runs Configuration Manager console.
Minimum hardware configuration Screen resolution

1 x Pentium 4 Hyper-Threaded 3 GHz (Intel Pentium 4 HT 630 or comparable CPU) 2 GB of RAM 2 GB of disk space.

DPI setting 96 / 100% 120 /125% 144 / 150% 196 / 200%

Minimum resolution 1024x768 1280x960 1600x1200 2500x1600

378

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Beginning with Configuration Manager SP1, the Configuration Manager console supports PowerShell. When you install support for PowerShell on a computer that runs the Configuration Manager console, you can run PowerShell cmdlets on that computer to manage Configuration Manager. You can install a supported version of PowerShell before or after the Configuration Manager console installs. The following table lists the minimum required version of PowerShell for each version of Configuration Manager.
PowerShell version System architecture Configuration Manager version

PowerShell 3.0

x86

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

For information about using a Configuration Manager console in an environment with multiple versions of Configuration Manager, see the Interoperability for the Configuration Manager Console section in the Interoperability between Different Versions of Configuration Manager topic.

Configurations for the SQL Server Site Database

Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. In a hierarchy with multiple sites, each site can use a different version of SQL Server to host the site database so long as that version of SQL Server is supported by the version of Configuration Manager that you use. For example, if your hierarchy runs Configuration Manager SP1, it is supported to use SQL Server 2008 R2 with SP1 and cumulative update 6 at the central administration site, and to use SQL Server 2012 with no service pack and cumulative update 2 at a child primary site, or vice versa. When you use a remote SQL Server, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in a single instance cluster, or a multiple instance configuration. SQL Server cluster configurations that have multiple active nodes are supported for hosting the site database. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. Note A SQL Server cluster in a Network Load Balancing (NLB) cluster configuration is not supported. Additionally, SQL Server database mirroring technology and peer-to-peer replication are not supported.

379

When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server Express. Whichever option that you choose, SQL Server must be located on the secondary site server. The version of SQL Server Express that Setup installs depends on the version of Configuration Manager that you use: System Center 2012 Configuration Manager without a service pack: SQL Server 2008 Express System Center 2012 Configuration Manager with SP1: SQL Server 2012 Express

The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.
SQL Server version SQL Server service pack Minimum required SQL Server cumulative update Configuration Manager version Configuration Manager site type

SQL Server 2008 Standard

1

SP2

Enterprise Datacenter

Minimum of cumulative update 9

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site

SP3

Minimum of cumulative update 4

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site

SQL Server 2008 R2 Standard

1

SP1

Minimum of cumulative update 6

Enterprise Datacenter

System Center 2012 Configuration Manag er with no service pack System Center 2012

Central administration site Primary site Secondary site

380

SQL Server version

SQL Server service pack

Minimum required SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SP2 No minimum cumulative update System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SQL Server 2012 Standard
1

Central administration site Primary site Secondary site

No service pack

Enterprise

Minimum of cumulative update 2

System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

Central administration site Primary site Secondary site Central administration site Primary site Secondary site Secondary site

SP1

No minimum cumulative update

System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager

SQL Server Express 2008 R2

SP1

Minimum of cumulative update 6

System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1

381

SQL Server version

SQL Server service pack

Minimum required SQL Server cumulative update

Configuration Manager version

Configuration Manager site type

System Center 2012 R2 Configuration Manager SP2 No minimum cumulative update System Center 2012 Configuration Manag er with no service pack System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SQL Server 2012 Express No service pack Minimum of cumulative update 2 System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager SP1 No minimum cumulative update System Center 2012 Configuration Manag er with SP1 System Center 2012 R2 Configuration Manager
1

Secondary site

Secondary site

Secondary site

When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.

SQL Server Requirements The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for

382

secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.
Configuration More information

SQL Server version Database collation

Configuration Manager requires a 64-bit version of SQL Server to host the site database. At each site, both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS. Note Configuration Manager supports two exceptions to this collation to meet standards that are defined in GB18030 for use in China. For more information, see Technical Reference for International Support in Configuration Manager.

SQL Server features

Only the Database Engine Services feature is required for each site server. Note Configuration Manager database replication does not require the SQL Server replication feature.

Windows Authentication

Configuration Manager requires Windows authentication to validate connections to the database. You must use a dedicated instance of SQL Server for each site. When you use a database server that is colocated with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory. Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of
383

SQL Server instance SQL Server memory

Configuration

More information

memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Optional SQL Server Configurations The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.
Configuration More information

SQL Server service

On each database server, you can configure the SQL Server service to run by using a domain local account or the local system account of the computer that is running SQL Server. Use a domain user account as a SQL Server best practice. This kind of account can be more secure than the local system account but might require you to manually register the Service Principle Name (SPN) for the account. Use the local system account of the computer that is running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Be aware that using the local system account for the SQL Server service is not a SQL Server best practice.

For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN
384

Configuration

More information

configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account that is used by the SQL Service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager). SQL Server Reporting Services SQL Server ports Required to install a reporting services point that lets you run reports. For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports: Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022. Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles by default use port TCP 1433. The following site system roles communicate directly with the SQL Server database: Management point SMS Provider computer Reporting Services point Site server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured to use a unique set of ports. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port
385

Configuration

More information

that you want to use for intrasite communication. If you have a firewall enabled on the computer that is running SQL Server, make sure that it is configured to allow the ports that are being used by your deployment and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Function-Specific Requirements
The following sections identify function-specific requirements for Configuration Manager. Application Management For devices that run the Windows Mobile operating system, Configuration Manager only supports the Uninstall action for applications on Windows Mobile 6.1.4 or later versions. Operating System Deployment Configuration Manager requires several prerequisites to support deploying operating systems. The following prerequisites are required on the site server of each central administration site or primary site before you can install the site or upgrade the site to a new version of Configuration Manager. This requirement applies even when you do not plan to use operating system deployments: For System Center 2012 Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For System Center 2012 Configuration Manager with service pack 1: Windows Assessment and Deployment Kit 8.0 (Windows ADK) For System Center 2012 R2 Configuration Manager: Windows Assessment and Deployment Kit 8.1

For more information about prerequisites for operating system deployment, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

386

Out of Band Management System Center 2012 Configuration Manager supports out of band management for computers that have the following Intel vPro chip sets and Intel Active Management Technology (Intel AMT) firmware versions: Intel AMT version 3.2 with a minimum revision of 3.2.1 Intel AMT version 4.0, version 4.1, and version 4.2 Intel AMT version 5.0 and version 5.2 with a minimum revision of 5.2.10 Intel AMT version 6.0 and version 6.1 AMT provisioning is not supported on AMT-based computers that are running any version of Windows Server, Windows XP with SP2, or Windows XP Tablet PC Edition. Out of band communication is not supported to an AMT-based computer that is running the Routing and Remote Access service in the client operating system. This service runs when Internet Connection Sharing is enabled, and the service might be enabled by line of business applications. The out of band management console is not supported on workstations running Windows XP on versions earlier than Service Pack 3.

The following limitations apply:

For more information about out of band management in Configuration Manager, see Introduction to Out of Band Management in Configuration Manager. Remote Control Viewer The Configuration Manager remote control viewer is not supported on Windows Server 2003 or Windows Server 2008 operating systems. Software Center and the Application Catalog The minimal screen resolution supported for client computers to run Software Center and the Application Catalog is 1024 by 768. The following web browsers are supported for use with the Software Center and Application Catalog: Internet Explorer 7 Internet Explorer 8 Internet Explorer 9 Internet Explorer 10 Firefox 15 Note The Software Center and Application Catalog do not support web browsers that connect from computers that run Windows Server Core 2008.

387

Support for Active Directory Domains

All System Center 2012 Configuration Manager site systems must be members of a Windows Active Directory domain. The following table identifies the Windows Active directory domain functional level that is supported with each version of System Center 2012 Configuration Manager:
Active Directory domain functional level Configuration Manager version

Windows 2000

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration
388

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012 Windows Server 2012 R2

Active Directory domain functional level

Configuration Manager version

Manager

Note If you configure discovery to filter and remove stale computer records, the Active Directory domain functional level must be a minimum of Windows Server 2003. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). The following are limitations for site systems: Configuration Manager does not support the change of domain membership, domain name, or computer name of a Configuration Manager site system after the site system is installed.

Configuration Manager client computers can be domain members, or workgroup members. The following sections contain additional information about domain structures and requirements for Configuration Manager. Active Directory Schema Extensions Configuration Manager Active Directory schema extensions provide benefits for Configuration Manager sites. However, they are not required for all Configuration Manager functions. For more information about Active Directory schema extension considerations, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. If you have extended your Active Directory schema for Configuration Manager 2007, you do not have to update your schema for System Center 2012 Configuration Manager. You can update the Active Directory schema before or after you install Configuration Manager. Schema updates do not interfere with an existing Configuration Manager 2007 sites or clients. For more information about how to extend the Active Directory schema for System Center 2012 Configuration Manager, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic. Disjoint Namespaces Except for out of band management, Configuration Manager supports installing site systems and clients in a domain that has a disjoint namespace. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager. A disjoint namespace scenario is one in which the primary Domain Name System (DNS) suffix of a computer does not match the Active Directory DNS domain name where that computer resides. The computer that uses the primary DNS suffix that does not match is said to be disjoint. Another disjoint namespace scenario occurs if the NetBIOS domain name of a domain controller does not match the Active Directory DNS domain name.
389

The following table identifies the supported scenarios for a disjoint namespace.
Scenario More information

Scenario 1:

In this scenario, the primary DNS suffix of the The primary DNS suffix of the domain controller domain controller differs from the Active Directory DNS domain name. The domain differs from the Active Directory DNS domain controller is disjoint in this scenario. Computers name. Computers that are members of the that are members of the domain, such as site domain can be either disjoint or not disjoint. servers and computers, can have a primary DNS suffix that either matches the primary DNS suffix of the domain controller or matches the Active Directory DNS domain name. Scenario 2: A member computer in an Active Directory domain is disjoint, even though the domain controller is not disjoint. In this scenario, the primary DNS suffix of a member computer on which a site system is installed differs from the Active Directory DNS domain name, even though the primary DNS suffix of the domain controller is the same as the Active Directory DNS domain name. In this scenario, you have a domain controller that is not disjoint and a member computer that is disjoint. Member computers that are running the Configuration Manager client can have a primary DNS suffix that either matches the primary DNS suffix of the disjoint site system server or matches the Active Directory DNS domain name.

To allow a computer to access domain controllers that are disjoint, you must change the msDSAllowedDNSSuffixes Active Directory attribute on the domain object container. You must add both of the DNS suffixes to the attribute. In addition, to make sure that the DNS suffix search list contains all DNS namespaces that are deployed within the organization, you must configure the search list for each computer in the domain that is disjoint. Include in the list of namespaces the primary DNS suffix of the domain controller, the DNS domain name, and any additional namespaces for other servers with which Configuration Manager might interoperate. You can use the Group Policy Management console to configure the Domain Name System (DNS) suffix search list. Important When you reference a computer in Configuration Manager, enter the computer by using its Primary DNS suffix. This suffix should match the Fully Qualified Domain Name registered as the dnsHostName attribute in the Active Directory domain and the Service Principal Name associated with the system.
390

Single Label Domains Except for out of band management, Configuration Manager supports site systems and clients in a single label domain when the following criteria are met: The single label domain in Active Directory Domain Services must be configured with a disjoint DNS namespace that has a valid top level domain. For example: The single label domain of Contoso is configured to have a disjoint namespace in DNS of contoso.com. Therefore, when you specify the DNS suffix in Configuration Manager for a computer in the Contoso domain, you specify Contoso.com and not Contoso. DCOM connections between site servers in the system context must be successful by using Kerberos authentication. Note For more information about namespace limitations for when you manage AMT-based computers out of band, see Prerequisites for Out of Band Management in Configuration Manager.

Windows Environment
The following sections contain general support configuration information for System Center 2012 Configuration Manager. Support for Internet Protocol Version 6 Configuration Manager supports Internet Protocol version 6 (IPv6) in addition to Internet Protocol version 4 (IPv4). The following table lists the exceptions.
Function Exception to IPv6 support

Cloud-based distribution points Mobile devices that are enrolled by Windows Intune and the Windows Intune connector Network Discovery Operating system deployment Out of band management Wake-up proxy communication Windows CE

IPv4 is required to support Windows Azure and cloud-based distribution points. IPv4 is required to support mobile devices that are enrolled by Windows Intune and the Windows Intune connector. IPv4 is required when you configure a DHCP server to search in Network Discovery. IPv4 is required to support operating system deployment. IPv4 is required to support out of band management. IPv4 is required to support the client wake-up proxy packets. IPv4 is required to support the Configuration
391

Function

Exception to IPv6 support

Manager client on Windows CE devices.

Support for Specialized Storage Technology Configuration Manager works with any hardware that is certified on the Windows Hardware Compatibility List for the version of the operating system that the Configuration Manager component is installed on. Site Server roles require NTFS file systems so that directory and file permissions can be set. Because Configuration Manager assumes that it has complete ownership of a logical drive, site systems that run on separate computers cannot share a logical partition on any storage technology. However, each computer can use a separate logical partition on the same physical partition of a shared storage device. Support considerations for the listed storage technologies: Storage Area Network: A Storage Area Network (SAN) is supported when a supported Windows-based server is attached directly to the volume that is hosted by the SAN. Single Instance Storage: Configuration Manager does not support configuration of distribution point package and signature folders on a Single Instance Storage (SIS)-enabled volume. Additionally, the cache of a Configuration Manager client is not supported on a SIS-enabled volume. Note Single Instance Storage (SIS) is a feature of the Windows Storage Server 2003 R2 operating system. Removable Disk Drive: Configuration Manager does not support install of Configuration Manager site system or clients on a removable disk drive.

Support for Computers in Workgroups System Center 2012 Configuration Manager provides support for clients in workgroups. Configuration Manager supports moving a client from a workgroup to a domain or from a domain to a workgroup. For more information, see How to Install Configuration Manager Clients on Workgroup Computers All System Center 2012 Configuration Manager site systems must be members of a supported Active Directory domain. This requirement includes site systems that support Internet-based client management in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet). Support for Virtualization Environments Configuration Manager supports installing the client and site system roles on supported operating systems that run as a virtual machine in the following virtualization environments. This support exists even when the virtual machine host (virtualization environment) is not supported as a client or site server. For example, if you use Microsoft Hyper-V Server 2012 to host a virtual machine
392

that runs Windows Server 2012, you can install the client or site system roles on the virtual machine (Windows Server 2012), but not on the host, (Microsoft Hyper-V Server 2012).
Virtualization environment Configuration Manager version

Windows Server 2008

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service
393

Microsoft Hyper-V Server 2008

Windows Server 2008 R2

Microsoft Hyper-V Server 2008 R2

Windows Server 2008

Microsoft Hyper-V Server 2008

Virtualization environment

Configuration Manager version

pack Windows Server 2012 Microsoft Hyper-V Server 2012 Windows Server 2012 R2 System Center 2012 Configuration Manager with SP1 System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

Each virtual computer that you use must meet or exceed the same hardware and software configuration that you would use for a physical Configuration Manager computer. You can validate that your virtualization environment is supported for Configuration Manager by using the Server Virtualization Validation Program and its online Virtualization Program Support Policy Wizard. For more information about the Server Virtualization Validation Program, see Windows Server Virtualization Validation Program. Note Configuration Manager does not support Virtual PC or Virtual Server guest operating systems that run on a Mac. Configuration Manager cannot manage virtual machines unless they are online. An offline virtual machine image cannot be updated nor can inventory be collected by using the Configuration Manager client on the host computer. No special consideration is given to virtual machines. For example, Configuration Manager might not determine whether an update has to be re-applied to a virtual machine image if the virtual machine is stopped and restarted without saving the state of the virtual machine to which the update was applied. Support for Network Address Translation Network Address Translation (NAT) is not supported in Configuration Manager, unless the site supports clients that are on the Internet and the client detects that it is connected to the Internet. For more information about Internet-based client management, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic.

394

DirectAccess Feature Support Configuration Manager supports the DirectAccess feature in Windows Server 2008 R2 for communication between site system servers and clients. When all the requirements for DirectAccess are met, by using this feature, Configuration Manager clients on the Internet can communicate with their assigned site as if they were on the intranet. For server-initiated actions, such as remote control and client push installation, the initiating computer (such as the site server) must be running IPv6, and this protocol must be supported on all intervening networking devices. Configuration Manager does not support the following over DirectAccess: Deploying operating systems Communication between Configuration Manager sites Communication between Configuration Manager site system servers within a site

BranchCache Feature Support Windows BranchCache is integrated in System Center 2012 Configuration Manager. You can configure the BranchCache settings on a deployment type for applications, on the deployment for a package, and for task sequences. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is configured as a BranchCache server, the client computer downloads and caches the content. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this manner, successive clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. To support BranchCache with Configuration Manager, add the Windows BranchCache feature to the site system server that is configured as a distribution point. System Center 2012 Configuration Manager distribution points on servers configured to support BranchCache require no additional configuration. Note With Configuration Manager SP1, cloud-based distribution points support the download of content by clients that are configured for Windows BranchCache. To use BranchCache, the clients that can support BranchCache must be configured for BranchCache distributed mode, and the operating system setting for BITS client settings must be enabled to support BranchCache. The following table lists the Configuration Manager client operating systems that are supported with Windows BranchCache and identifies for each operating system if BranchCache distributed mode is supported natively by the operating system, or if the operating system requires the addition of the BITS 4.0 release.

395

Operating system

Support details
1

Windows Vista with SP2 Windows 7 with SP1 Windows 8 Windows 8.1

Requires BITS 4.0 Supported by default Supported by default Supported by default

1

Windows Server 2008 with SP2

Requires BITS 4.0 Supported by default Supported by default Supported by default

Windows Server 2008 R2 with no service pack, with SP1, or with SP2 Windows Server 2012 Windows Server 2012 R2
1

On this operating system, the BranchCache client functionality is not supported for software distribution that is run from the network or for SMB file transfers. Additionally, this operating system cannot use BranchCache functionality with cloud-based distribution points. You can install the BITS 4.0 release on Configuration Manager clients by using software updates or software distribution. For more information about the BITS 4.0 release, see Windows Management Framework. For more information about BranchCache, see BranchCache for Windows in the Windows Server documentation. Fast User Switching Fast User Switching, available in Windows XP in workgroup computers, is not supported in System Center 2012 Configuration Manager. Fast User Switching is supported for computers that are running Windows Vista or later versions. Dual Boot Computers System Center 2012 Configuration Manager cannot manage more than one operating system on a single computer. If there is more than one operating system on a computer that must be managed, adjust the discovery and installation methods that are used to ensure that the Configuration Manager client is installed only on the operating system that has to be managed.

Supported Upgrade Paths for Configuration Manager

The following sections identify the upgrade options for System Center 2012 Configuration Manager, the operating system version of site servers and clients, and the SQL Server version of database servers.

396

Upgrade Configuration Manager The following table lists the versions of System Center 2012 Configuration Manager, and the supported upgrade paths between versions.
Configuration Manager version Release options Supported Upgrade Paths More information

System Center 2012 Configuration Manage r

An evaluation release that expires 180 days after installation. A complete release, to perform a new installation.

System Cente r 2012 Configuration Man ager evaluation release

You can install System Center 2012 Configuration Manager as either a full installation, or as a trial installation. If you install Configuration Manager as a trial installation, after 180 days, you can only connect a read-only Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager supports migration of your Configuration Manager 2007 infrastructure but does not support an in place upgrade of sites from Configuration Manager 2007. However, migration supports the upgrade of a Configuration Manager 2007 distribution point, or
397

Configuration Manager version

Release options

Supported Upgrade Paths

More information

secondary site that is co-located with a distribution point, to a System Center 2012 Configuration Manager distribution point. System Center 2012 Configuration Manage r SP1 An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 20 12 Configuration Man ager. System Cente r 2012 Configuration Man ager SP1 evaluation release System Cente r 2012 Configuration Man ager with no service pack You can install System Center 2012 Configuration Manager SP1 as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager with no service pack. However, an upgrade from Configuration Manager 2007 to System Center 2012 Configuration Manager SP1 is not supported. If you install Configuration Manager as a trial installation, after 180 days you can only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 Configuration Manager
398

Configuration Manager version

Release options

Supported Upgrade Paths

More information

SP1 supports migration from Configuration Manager 2007. System Center 2012 R2 Configuration Manager An evaluation release that expires 180 days after installation. A complete release, to perform a new installation. An upgrade from System Center 20 12 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager evaluation release System Cente r 2012 Configuration Man ager SP1 You can install System Center 2012 R2 Configuration Manager as a trial installation, a full install, or as an upgrade to existing infrastructure that runs System Center 2012 Configuration Manager SP1. However, an upgrade from Configuration Manager 2007 or from System Center 2012 Configuration Manager with no service pack to System Center 2012 R2 Configuration Manager is not supported. If you use System Center 2012 Configuration Manager with no service pack, you must first upgrade your hierarchy to System Center 2012 Configuration Manager with SP1, and then you can upgrade to System Center 2012 R2 Configuration Manager. If you install Configuration Manager as a trial installation, after 180 days you can
399

Configuration Manager version

Release options

Supported Upgrade Paths

More information

only connect a readonly Configuration Manager console and Configuration Manager functionality is limited. At any time before or after the 180 day period, you have the option to upgrade the trial installation to a full installation. System Center 2012 R2 Configuration Manager supports migration from Configuration Manager 2007. For information about how to upgrade an evaluation release of Configuration Manager to a full installation, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about migration, see Migrating Hierarchies in System Center 2012 Configuration Manager. Infrastructure Upgrade for Configuration Manager In addition to upgrading the version of System Center 2012 Configuration Manager you use for sites, Configuration Manager clients and Configuration Manager consoles, you can upgrade the operating systems that run Configuration Manager site servers, database servers, site system servers, and clients. The information in the following sections can help you upgrade the infrastructure for Configuration Manager. Upgrade of the Site Server Operating System Configuration Manager supports an in-place upgrade of the operating system of the site server in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager. In-place upgrade from Windows Server 2012 to Windows Server 2012 R2. Any version of Windows Server 2008 to any version of Windows Server 2008 R2 or later. Any version of Windows Server 2008 to any version of Windows Server 2012 or later.
400

Configuration Manager does not support the following Windows Server upgrade scenarios.

Any version of Windows Server 2008 R2 to any version of Windows Server 2012 or later.

When a direct operating system upgrade is not supported, perform one of the following procedures after you have installed the new operating system: Install System Center 2012 Configuration Manager with the service pack level that you want, and configure the site according to your requirements. Install System Center 2012 Configuration Manager with the service pack level that you want and perform a site recovery. This scenario requires you to have a site backup that was created by using the Backup Site Server maintenance task on the original Configuration Manager site, and that you use the same installation settings for the new System Center 2012 Configuration Manager site.

Client Operating System Upgrade Configuration Manager supports an in-place upgrade of the operating system for Configuration Manager clients in the following situations: In-place upgrade to a higher Windows Server service pack as long as the resulting service pack level remains supported by Configuration Manager.

SQL Server Upgrade for the Site Database Server Configuration Manager supports an in-place upgrade of SQL Server from a supported version of SQL on the site database server. The following sections provide information about the different upgrade scenarios supported by Configuration Manager and any requirements for each scenario. Upgrade of the Service Pack Version of SQL Server Configuration Manager supports the in-place upgrade of SQL Server to a higher service pack as long as the resulting SQL Server service pack level remains supported by Configuration Manager. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different service pack version of SQL Server, and there is no limitation to the order in which sites upgrade the service pack version of SQL Server that is used for the site database. SQL Server 2008 to SQL Server 2008 R2 Configuration Manager supports the in-place upgrade of SQL Server from SQL Server 2008 to SQL Server 2008 R2. When you have multiple Configuration Manager sites in a hierarchy, each site can run a different version of SQL Server, and there is no limitation to the order in which sites upgrade the version of SQL Server in use for the site database. SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: System Center 2012 Configuration Manager with SP1 supports the in-place upgrade of SQL Server 2008 or SQL Server 2008 R2 to SQL Server 2012 with the following limitations: Each Configuration Manager site must run service pack 1 before you can upgrade the version of SQL Server to SQL Server 2012 at any site.

401

When you upgrade the version of SQL Server that hosts the site database at each site to SQL Server 2012, you must upgrade the SQL Server version that is used at sites in the following order: Upgrade SQL Server at the central administration site first. Upgrade secondary sites before you upgrade a secondary sites parent primary site. Upgrade parent primary sites last. This includes both child primary sites that report to a central administration site, and stand-alone primary sites that are the top-level site of a hierarchy. Important Although you upgrade the service pack version of a Configuration Manager site by upgrading the top-tier site first and then upgrading down the hierarchy, when you upgrade SQL Server to SQL Server 2012, you must use the previous sequence, upgrading the primary sites last. This does not apply to upgrades of SQL Server 2008 to SQL Server 2008 R2.

To upgrade SQL Server on the site database server 1. Stop all Configuration Manager services at the site. 2. Upgrade SQL Server to a supported version. 3. Restart the Configuration Manager services. Note When you change the SQL Server edition in use at the central administration site from a Standard edition to either a Datacenter or Enterprise edition, the database partition that limits the number of clients the hierarchy supports does not change.

See Also
Planning for Configuration Manager Sites and Hierarchy

Interoperability between Different Versions of Configuration Manager

It is supported to install and operate multiple, independent hierarchies of System Center 2012 Configuration Manager on the same network. However, because different hierarchies of Configuration Manager do not interoperate outside of migration, each hierarchy requires configurations to prevent conflicts between them. Additionally, you can make certain configurations to help resources that you manage to interact with the site systems from the correct hierarchy. The following sections provide information about using different versions of Configuration Manager on the same network:

402

Interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007 Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager Interoperability for the Configuration Manager Console

Interoperability between System Center 2012 Configuration Manager and Configuration Manager 2007
A System Center 2012 Configuration Manager site or hierarchy cannot interoperate with a Configuration Manager 2007 site or hierarchy. A Configuration Manager 2007 site cannot report to a System Center 2012 Configuration Manager parent site, and you cannot upgrade a Configuration Manager 2007 site to a System Center 2012 Configuration Manager site. Instead of an in-place upgrade, you use System Center 2012 Configuration Manager migration to migrate your Configuration Manager 2007 SP2 objects and data to System Center 2012 Configuration Manager. For information about migrating from Configuration Manager 2007 SP2 to System Center 2012 Configuration Manager, see Migrating Hierarchies in System Center 2012 Configuration Manager. Because you can deploy a System Center 2012 Configuration Manager site or hierarchy side-byside with a Configuration Manager 2007 site or hierarchy, take action to prevent clients from either version from trying to join a site from the other Configuration Manager version. For example, if your Configuration Manager hierarchies have overlapping boundaries, including the same network locations, you might assign each new client to a specific site instead of using automatic site assignment. For information about automatic site assignment in System Center 2012 Configuration Manager, see How to Assign Clients to a Site in Configuration Manager. Additionally, it is not supported to install a client from Configuration Manager 2007 on a computer that hosts a site system role from System Center 2012 Configuration Manager, nor to install a System Center 2012 Configuration Manager client on a computer that hosts a site system role from Configuration Manager 2007. System Center 2012 Configuration Manager supports only System Center 2012 Configuration Manager device and mobile device clients. The following clients and the following Virtual Private Network (VPN) connection are not supported: Any Configuration Manager 2007 or earlier computer client version Any Configuration Manager 2007 or earlier device management client Windows CE Platform Builder device management client (any version) System Center Mobile Device Manager VPN connection

Client Site Assignment Considerations

System Center 2012 Configuration Manager clients can be assigned to only one site. When automatic site assignment is used to assign clients to a site during client installation, and more
403

than one boundary group includes the same boundary, and the boundary groups have different assigned sites, the actual site assignment of a client cannot be predicted. If boundaries overlap across multiple System Center 2012 Configuration Manager and Configuration Manager 2007 site hierarchies, clients might not get assigned to the correct site hierarchy or might not get assigned to a site at all. System Center 2012 Configuration Manager clients check the version of the Configuration Manager site before they complete site assignment and cannot assign to a Configuration Manager 2007 site if boundaries overlap. However, Configuration Manager 2007 clients do not check for the site version and can incorrectly be assigned to a System Center 2012 Configuration Manager site. To prevent Configuration Manager 2007 clients from unintentionally being assigned to a System Center 2012 Configuration Manager site when the two hierarchies have overlapping boundaries, configure Configuration Manager 2007 client installation parameters to assign clients to a specific site.

Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager
System Center 2012 Configuration Manager requires that each site in a hierarchy be of the same service pack level. However, while you are actively upgrading a hierarchy to a new service pack (including an upgrade to System Center 2012 R2 Configuration Manager), different sites in the hierarchy upgrade at different times. Therefore, to support the upgrade process, Configuration Manager supports limited interactions between different service pack versions in a single hierarchy.

Limitations to Configuration Manager Capabilities in a MixedVersion Hierarchy

When different sites in a single hierarchy use different service pack versions, some Configuration Manager functionality is not available. This can affect how you manage Configuration Manager objects in the Configuration Manager console, and what functionality is available to clients. Typically, functionality from the newer version of Configuration Manager is not accessible at sites or to clients that run a lower service pack version. The following sections list the objects and functionality that are affected when you have sites in a hierarchy with different service pack versions, and provide details about the limitations for those objects.

Limitations when upgrading to System Center 2012 Configuration Manager SP1

404

Object

Details

Endpoint Protection and anti-malware policies

The following are limitations for using Endpoint Protection and anti-malware policies in a hierarchy with sites that use different service pack versions: Anti-malware polices that you create when you use a Configuration Manager console that connects to a Configuration Manager SP1 site apply only to clients that run Configuration Manager SP1. Clients that run Configuration Manager with no service pack do not receive these new policies until they upgrade to SP1. Anti-malware policies that are created on a site that runs Configuration Manager SP1 cannot be viewed on a Configuration Manager console that connects to a Configuration Manager site with no service pack unless the user who runs the console is associated with the All security scope. If the user is not associated with this security scope, grant the user the necessary security scope or manage anti-malware policies from the central administration site until all sites in the hierarchy update to Configuration Manager SP1. To initiate a malware scan on a Configuration Manager SP1 client, you must use a Configuration Manager console that connects to a Configuration Manager SP1 site. You cannot add new alerts for Endpoint Protection until all sites in the hierarchy have been upgraded to Configuration Manager SP1.

New deployment types in Configuration Manager SP1

Due to the global data replication, new deployment types that are available with Configuration Manager cannot be created nor used until all sites in the hierarchy run Configuration Manager SP1. These deployment types include the following: Mac OS X Microsoft Application Virtualization (App-V)
405

Object

Details

5 Windows app package Windows app package (in the Windows Store) Windows Phone 8 Windows Phone 8 deep link iOS (all) Android (all)

For information about deployment types, see How to Create Deployment Types in Configuration Manager. App-V virtual environments You cannot configure, nor use App-V virtual environments until all sites in the hierarchy run Configuration Manager SP1. For more information about App-V virtual environments, see the Using App-V Virtual Applications with Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. Boot images for operating system deployment The default boot images are automatically updated to Windows ADK-based boot images, which use Windows PE 4, when the top-level site is upgraded to Configuration Manager SP1. Use these boot images only for deployments to clients at Configuration Manager SP1 sites. For more information, see Planning for Operating System Deployment Interoperability. A Configuration Manager client that communicates with a management point from a site that runs a lower service pack version than the client can only use functionality that the down-level version of Configuration Manager supports. For example, if you deploy content from a Configuration Manager SP1 site to a Configuration Manager SP1 client that communicates with a management point that is installed at a secondary site that has not yet upgraded to SP1, that client cannot use new functionality from SP1. This includes receiving
406

Client to down-level management point communications

Object

Details

new deployment types that are available in SP1, or receiving a cloud-based distribution point as a content location. Client to up-level Application Catalog website point Configuration Manager clients require Microsoft Silverlight 5 to use an Application Catalog website point from a Configuration Manager SP1 site. When a computer that runs the Configuration Manager client with no service pack and that does not have Silverlight 5 installed connects to an Application Catalog website point from a Configuration Manager SP1 site, the client is prompted to install Silverlight 5. When a computer that runs the Configuration Manager SP1 client connects to an Application Catalog website point from a Configuration Manager site with no service pack, the end user can view the application list, but cannot request or install applications. Additionally, the end user cannot configure the setting I regularly use this computer to do my work on the My Devices tab.

Client to down-level Application Catalog website point

Limitations when Upgrading to System Center 2012 R2 Configuration Manager

Object Details

Network access account

When you use a Configuration Manager console connected to a System Center 2012 R2 Configuration Manager central administration site to view the network access account details, the console does not display details for accounts that are configured at primary sites that run Configuration Manager SP1. After the site upgrades to System Center 2012 R2 Configuration Manager, the account details will be visible in the console. Beginning with System Center 2012 R2
407

Object

Details

Configuration Manager you can create multiple network access accounts for use at each primary site. To accommodate this change, Configuration Manager stores the information about the accounts in a new location in the site database than was used by previous versions of Configuration Manager. Configuration Manager SP1 clients that talk to a System Center 2012 R2 Configuration Manager site only use the first Network Access Account from the list of available accounts at that site. Boot images for operating system deployment The default boot images are automatically updated to Windows ADK 8.1-based boot images, which use Windows PE 4, when the top-level site is upgraded to System Center 2012 R2 Configuration Manager. Use these boot images only for deployments to clients at System Center 2012 R2 Configuration Manager sites. For more information, see Planning for Operating System Deployment Interoperability. A Configuration Manager client that communicates with a management point from a site that runs a lower service pack version than the client can only use functionality that the down-level version of Configuration Manager supports. For example, if you deploy content from a System Center 2012 R2 Configuration Manager site to a System Center 2012 R2 Configuration Manager client that communicates with a management point that is installed at a secondary site that has not yet upgraded to System Center 2012 R2 Configuration Manager, that client cannot use new functionality from System Center 2012 R2 Configuration Manager. After you update a central administration site from Configuration Manager SP1 to System Center 2012 R2 Configuration Manager, VPN, Wi-Fi and Certificate Profiles might not replicate to child primary sites that have not yet
408

Client to down-level management point communications

VPN, Wi-Fi and Certificate profiles do not replicate to primary sites

Object

Details

upgraded to System Center 2012 R2 Configuration Manager. After you upgrade the child primary sites, normal replication resumes.

Interoperability for the Configuration Manager Console

The following table contains information about the use of the Configuration Manager console in an environment that has a mix of Configuration Manager versions.
Interoperability environment More information

An environment with both Configuration Manager 2007 and System Center 2012 Configuration Manager

To manage a Configuration Manager site, both the console and the site the console connects to must run the same version of Configuration Manager. For example, you cannot use a System Center 2012 Configuration Manager console to manage a Configuration Manager 2007 site, or vice versa. It is supported to install both the System Center 2012 Configuration Manager console and the Configuration Manager 2007 console on the same computer. You can use this configuration to manage sites or hierarchies of each product from a single computer.

An environment with multiple versions of System Center 2012 Configuration Manager

System Center 2012 Configuration Manager does not support using a console from one version of System Center 2012 Configuration Manager to connect to a site that runs a different version of System Center 2012 Configuration Manager. For example, you cannot use console from Configuration Manager with SP1 to directly connect to a site that runs System Center 2012 R2 Configuration Manager. To connect a console, both the site and the console that connects to the site must be of the same version. System Center 2012 Configuration Manager does not support installing more than a single
409

Interoperability environment

More information

Configuration Manager console on a computer. To use multiple consoles that are specific to different versions of System Center 2012 Configuration Manager, you must install the different consoles on separate computers. During the process of upgrading sites in a hierarchy, you can connect a console to a site and view information about other sites in that hierarchy, even when those sites run a different version of System Center 2012 Configuration Manager. However, in this scenario some features that are available in the latest product version are not available in the console until all sites in the hierarchy upgrade to the latest product version.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Hardware Configurations for Configuration Manager

This topic identifies recommended hardware configurations for System Center 2012 Configuration Manager site system servers, clients, and the Configuration Manager console. Use these recommendations as guidelines when you plan to scale your Configuration Manager environment to support more than a very basic deployment of sites, site systems, and clients. Use the information in this topic as a guide for the hardware to use when you run Configuration Manager at scale. For information about supported configurations for Configuration Manager, see Supported Configurations for Configuration Manager. These recommendations are not intended to cover each possible site and hierarchy configuration. Instead, use this information as a guide to help you plan for hardware that can meet the processing loads for clients and sites that use the available Configuration Manager features with the default configurations. Configuration Manager Site Systems Site Servers Disk Space Configurations Remote Site System Servers
410

Configuration Manager Site Systems

This section identifies recommended hardware configurations for Configuration Manager site systems. In general, the key factors that limit performance of the overall system include the following, in order: 1. Disk I/O performance 2. Available memory 3. CPU For best performance, use RAID 10 configurations for all data drives and 1Gbps Ethernet network connectivity between site system servers, including the database server.

Site Servers
Use the following recommendations for each Configuration Manager site server. For information about the disk space requirements, see Disk Space Configurations.
Site details Suggested minimum configuration

Central administration site with the Standard edition of SQL Server SQL Server is located on the site server computer. This configuration supports a hierarchy with up to 50,000 clients Note Database replication represents the largest processing load on the central administration site. Central administration site with the Enterprise or Datacenter edition of SQL Server SQL Server is located on the site server computer This configuration supports a hierarchy with up to 400,000 clients Note Database replication represents the largest processing load on the central administration site. Stand-alone primary site Up to 100,000 clients SQL Server is installed on the site server

8 cores (Intel Xeon 5504 or comparable CPU) 32 GB of RAM 300 GB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

16 cores (Intel Xeon L5520 or comparable CPU) 64 GB of RAM 1.5 TB of disk space for the operating system, Configuration Manager, SQL Server, and all database files.

8 cores (Intel Xeon E5504 or comparable CPU) 32 GB of RAM

411

Site details

Suggested minimum configuration

computer Primary site in a hierarchy Up to 50,000 clients SQL Server is installed on the site server computer

550 GB hard disk space for the operating system, SQL Server, and all database files 4 cores (Intel Xeon 5140 or comparable CPU) 16 GB of RAM 300 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Primary site in a hierarchy Up to 100,000 clients SQL Server is remote from the site server computer

Site Server: 4 cores (Intel Xeon 5140 or comparable CPU) 8GB of RAM 200 GB of disk space for the operating system and Configuration Manager. 8 cores (Intel Xeon E5504 or comparable CPU) 32 GB of RAM 550 GB of hard disk space for the operating system, SQL Server, and all database files. 4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 100 GB of hard disk space for the operating system, Configuration Manager, SQL Server, and all database files.

Remote SQL Server: Secondary site Communications from up to 5,000 clients SQL Server must be installed on the site server computer

Disk Space Configurations

Because disk allocation and configuration contributes to the performance of System Center 2012 Configuration Manager, disk space requirements can be greater than for previous product versions. Use the following information as guidelines when you determine the amount of disk space Configuration Manager requires. Because each Configuration Manager environment is different, these values can vary from the following guidance. For the best performance, place each object on a separate, dedicated RAID volume. For all data volumes (Configuration Manager and its database files), use RAID 10 for the best performance.

412

Data usage

Minimum disk space

25,000 clients

50,000 clients

100,000 clients

Operating system

See guidance for See guidance for See guidance for See guidance for the operating the operating the operating the operating system. system. system. system. 25 GB 50 GB 100 GB 200 GB

Configuration Manager Application and Log Files Site database .mdf file Site database .ldf file

75 GB for every 25,000 clients 25 GB for every 25,000 clients

75 GB 25 GB As needed

150 GB 50 GB As needed
1

300 GB 100 GB As needed

1

Temp database files As needed (.mdf and .ldf) Content (distribution point shares)
1

As needed

As needed

As needed

As needed

The disk space guidance does not include the space required for content that is located in the content library on the site server or distribution points. For information about planning for the content library, see the Plan for Content Libraries section in the Planning for Content Management in Configuration Manager topic. In addition to the preceding guidance, consider the following general guidelines when you plan for disk space requirements: Each client requires approximately 3 MB of space in the database When planning for the size of the Temp database for a primary site, plan for a size that is 25% to 30% of the site database .mdf file. The actual size can be significantly smaller, or larger, and depends on the performance of the site server and the volume of incoming data over both short and long periods of time. The Temp database size for a central administration site is typically much smaller than that for a primary site. The secondary site database is limited in size to the following: SQL Server 2008 Express: 4 GB SQL Server 2008 R2 Express: 10 GB

Remote Site System Servers

Use the following as recommended hardware configurations for computers that run the following site system roles. These recommendations are for computers that hold a single site system role
413

and you should make adjustments when you install multiple site system roles on the same computer. For more information about the disk space requirements, see Disk Space Configurations in this topic.
Site system role Suggested minimum configuration

Management point

4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 50 GB of disk space for the operating system and Configuration Manager. Note Management point performance relies most on memory and processor capacity.

Distribution point

2 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM Disk space as required for the operating system and content you deploy to the distribution point. Note Distribution point performance relies most on network I/O and disk I/O.

Application Catalog, with the web service and website on the site system computer

4 cores (Intel Xeon 5140 or comparable CPU) 16 GB of RAM 50 GB of disk space for the operating system and Configuration Manager. 4 cores (Intel Xeon 5140 or comparable CPU) 8 GB of RAM 50 GB of disk space for the operating system and Configuration Manager.

All other site system roles

See Also
Planning for Configuration Manager Sites and Hierarchy

414

PKI Certificate Requirements for Configuration Manager

The public key infrastructure (PKI) certificates that you might require for System Center 2012 Configuration Manager are listed in the following tables. This information assumes basic knowledge of PKI certificates. For step-by-step guidance for an example deployment of these certificates, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority. For more information about Active Directory Certificate Services, see the following documentation: For Windows Server 2012: Active Directory Certificate Services Overview For Windows Server 2008: Active Directory Certificate Services in Windows Server 2008

With the exception of the client certificates that Configuration Manager enrolls on mobile devices and Mac computers, the certificates that Windows Intune automatically creates for managing mobile devices, and the certificates that Configuration Manager installs on AMT-based computers, you can use any PKI to create, deploy, and manage the following certificates. However, when you use Active Directory Certificate Services and certificate templates, this Microsoft PKI solution can ease the management of the certificates. Use the Microsoft certificate template to use column in the following tables to identify the certificate template that most closely matches the certificate requirements. Template-based certificates can be issued only by an enterprise certification authority running on the Enterprise Edition or Datacenter Edition of the server operating system, such as Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. Important When you use an enterprise certification authority and certificate templates, do not use the version 3 templates. These certificate templates create certificates that are incompatible with Configuration Manager. Instead, use version 2 templates by using the following instructions: For a CA on Windows Server 2012: On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option. For a CA on Windows Server 2008: When you duplicate a certificate template, keep the default selection of Windows Server 2003 Enterprise when you are prompted by the Duplicate Template popup dialog box. Do not select Windows Server 2008, Enterprise Edition.

Use the following sections to view the certificate requirements.

PKI Certificates for Servers

415

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections : Man agemen t point Dist ribution point Soft ware update point State migratio n point Enr ollment point Enr ollment proxy point

Server authentica tion

Web Server

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). If the site system accepts connections from the Internet, the Subject Name or Subject Alternative Name must contain the Internet fully qualified domain name (FQDN). If the site system accepts connections from the intranet, the Subject Name or Subject Alternative Name must contain either the intranet FQDN (recommended) or the computer's name, depending on how the site system is configured. If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer name) must be specified by using the ampersand (&) symbol delimiter between the two names. Important When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN. SHA-1 and SHA-2 hash

This certificate must reside in the Personal store in the Computer certificate store. This web server certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL).

416

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

App lication Catalog web service point App lication Catalog website point Cloudbased distribution point Server authentica tion Web Server

algorithms are supported. Configuration Manager does not specify a maximum supported key length for this certificate. Consult your PKI and IIS documentation for any key-size related issues for this certificate.

Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain a customer-defined service name and domain name in an FQDN format as the Common Name for the specific instance of the cloud-based distribution point. The private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Supported key lengths: 2048 bits.

For System Center 2012 Configuration Manag er SP1 and System Center 2012 R2 Configuration Manag er only: This service certificate is used to authenticate the cloud-based distribution point service to Configuration Manager clients and to encrypt all data transferred between them by using Secure Sockets Layer (SSL). This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the
417

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

password must be known so that it can be imported when you create a cloudbased distribution point. Note This certificate is used in conjunction with the Windows Azure management certificate. For more information about this certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library.
418

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Network Server Load authentica Balancing tion (NLB) cluster for a software update point

Web server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). 1. The FQDN of the NLB cluster in the Subject Name field, or Subject Alternative Name field: For network load balancing servers that support Internet-based client management, use the Internet NLB FQDN. For network load balancing servers that support intranet clients, use the intranet NLB FQDN.

For System Center 2012 Configuration Manag er with no service pack: This certificate is used to authenticate the network load balancing software update point to the client, and to encrypt all data transferred between the client and these servers by using SSL. Note This certificate is applicable to Configuration Manager with no service pack only because NLB software update points are not supported in Configuration Manager SP 1.

2. The computer name of the site system in the NLB cluster in the Subject Name field or Subject Alternative Name field. This server name must be specified after the NLB cluster name and the ampersand (&) symbol delimiter: For site systems on the intranet, use the intranet FQDN if you specify them (recommended) or the computer NetBIOS name. For site systems supporting Internetbased client management, use the Internet FQDN.

SHA-1 and SHA-2 hash

419

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

algorithms are supported. Site system servers that run Microsoft SQL Server Server authentica tion Web server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the intranet fully qualified domain name (FQDN). SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. This certificate must reside in the Personal store in the Computer certificate store and Configuration Manager automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server. These certificates are used for serverto-server authentication. SQL Server cluster: Site system servers that run Microsoft SQL Server Server authentica tion Web server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the intranet fully qualified domain name (FQDN) of the cluster. The private key must be exportable. The certificate must have a validity period of at least two years when you configure Configuration Manager to use the SQL Server cluster. SHA-1 and SHA-2 hash After you have requested and installed this certificate on one node in the cluster, export the certificate and import it to each additional node in the SQL Server cluster. This certificate must reside in the Personal store in the Computer certificate store and Configuration Manager
420

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

algorithms are supported. Maximum supported key length is 2048 bits.

automatically copies it to the Trusted People Store for servers in the Configuration Manager hierarchy that might have to establish trust with the server. These certificates are used for serverto-server authentication.

Site system monitoring for the following site system roles: Man agemen t point State migratio n point

Client authentica tion

Workstatio n Authentica tion

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). Computers must have a unique value in the Subject Name field or in the Subject Alternative Name field. Note If you are using multiple values for the Subject Alternative Name, only the first value is used. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits.

This certificate is required on the listed site system servers, even if the System Center 2012 Configuration Manag er client is not installed, so that the health of these site system roles can be monitored and reported to the site. The certificate for these site systems must reside in the Personal store of the Computer certificate store. The information in this topic applies only to System Center 2012 R2 Configuration Manager.
421

Servers running the Configuratio n Manager Policy Module with

Client authentica tion

Workstation Authenticati on

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). There are no specific requirements for the certificate

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

the Network Device Enrollment Service role service.

Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple servers running the Network Device Enrollment Service.

This certificate authenticates the Configuration Manager Policy Module to the SHA-1, SHA-2, and SHA-3 hash certificate registration point site system algorithms are supported. server so that Supported key lengths: 1024 Configuration bits and 2048 bits. Manager can enroll certificates for users and devices. Client authentica tion Workstatio n Authentica tion Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). There are no specific requirements for the certificate Subject or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points. The private key must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. This certificate has two purposes: It authenticates the distribution point to an HTTPS-enabled management point before the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that so that if task sequences in the operating system deployment process include client actions such as client policy retrieval or
422

Site systems that have a distribution point installed

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

sending inventory information, the client computers can connect to a HTTPS-enabled management point during the deployment of the operating system. This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every operating system deployment if you do not want to use multiple client certificates. This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the distribution point properties.
423

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Note The requirements for this certificate are the same as the client certificate for boot images for deploying operating systems. Because the requirements are the same, you can use the same certificate file. Out of band service point AMT Provisioni ng Web Server (modified) Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) and the following object identifier: 2.16.840.1.113741.1.2.3. The subject name field must contain the FQDN of the server that is hosting the out of band service point. Note If you request an AMT provisioning certificate from an external CA instead of from your own internal CA, and it does not support the This certificate resides in the Personal store in the Computer certificate store of the out of band service point site system server. This AMT provisioning certificate is used to prepare computers for out of band management. You must request this certificate from a CA that supplies AMT provisioning
424

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

AMT provisioning object identifier of 2.16.840.1.113741.1.2. 3, you can alternatively specify the following text string as an organizational unit (OU) attribute in the certificate subject name: Intel(R) Client Setup C ertificate. This exact text string in English must be used, in the same case, without a trailing period, and in addition to the FQDN of the server that is hosting the out of band service point. SHA-1 is the only supported hash algorithm. Supported key lengths: 1024 and 2048. For AMT 6.0 and later versions, the key length of 4096 bits is also supported.

certificates, and the BIOS extension for the Intel AMT-based computers must be configured to use the root certificate thumbprint (also referred to as the certificate hash) for this provisioning certificate. VeriSign is a typical example of an external CA that provides AMT provisioning certificates, but you can also use your own internal CA. Install the certificate on the server that hosts the out of band service point, which must be able to chain successfully to the certificate's root CA. (By default, the root CA certificate and intermediate CA certificate for VeriSign are installed when Windows installs.) This certificate is automatically requested and installed to the Configuration
425

Site system Client server that authentica runs the tion Windows Int une

Not applicable: Windows Intune automaticall

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2). 3 custom extensions uniquely

Configuratio n Manager component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

connector

y creates this certificate.

identify the customer Windows Intune subscription. The key size is 2048 bits and uses the SHA-1 hash algorithm. Note You cannot change these settings: This information is provided for informational purposes only.

Manager database when you subscribe to Windows Intune. When you install the Windows Intune connector, this certificate is then installed on the site system server that runs the Windows Intune connector. It is installed into the Computer certificate store. This certificate is used to authenticate the Configuration Manager hierarchy to Windows Intune by using the Windows Intune connector. All data that is transferred between them uses Secure Sockets Layer (SSL).

Proxy Web Servers for Internet-Based Client Management

If the site supports Internet-based client management, and you are using a proxy web server by using SSL termination (bridging) for incoming Internet connections, the proxy web server has the certificate requirements listed in the following table. Note If you are using a proxy web server without SSL termination (tunneling), no additional certificates are required on the proxy web server.

426

Network infrastructure component

Certificate purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Proxy web server accepting client connections over the Internet

Server authentication and client authentication

1. Web Server 2. Workstation Authenticati on

Internet FQDN in the Subject Name field or in the Subject Alternative Name field (if you are using Microsoft certificate templates, the Subject Alternative Name is available with the workstation template only). SHA-1 and SHA-2 hash algorithms are supported.

This certificate is used to authenticate the following servers to Internet clients and to encrypt all data transferred between the client and this server by using SSL: Internet-based management point Internet-based distribution point Internet-based software update point

The client authentication is used to bridge client connections between the System Center 2012 Configuration Manager clients and the Internetbased site systems.

PKI Certificates for Clients

Configuratio Certificate n Manager component purpose Microsoft certificate template to use Specific information in the certificate How the certificate is used in Configuration Manager

Windows client computers

Client authenticati on

Workstation Authentication

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). Client computers must have a

By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
427

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

unique value in the Subject Name field or in the Subject Alternative Name field. Note If you are using multiple values for the Subject Alternativ e Name, only the first value is used. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits. Mobile device clients Client authenticati on Authenticated Session Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). SHA-1 is the only supported hash algorithm. Maximum supported key length is 2048 bits.

With the exception of the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are configured to use HTTPS.

This certificate authenticates the mobile device client to the site system servers that it communicates with, such as management points and distribution points.

428

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

Important These certificate s must be in Distinguis hed Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported . Boot images for deploying operating systems Client authenticati on Workstation Authentication Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). There are no specific requirements for the certificate Subject Name field or Subject Alternative Name (SAN), and you can use the same certificate for all boot mages. The private key The certificate is used if task sequences in the operating system deployment process include client actions such as client policy retrieval or sending inventory information. This certificate is used for the duration of the operating system deployment process only and is not installed on the client. Because of this temporary use, the same certificate can be used for every
429

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

must be exportable. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048 bits.

operating system deployment if you do not want to use multiple client certificates. This certificate must be exported in a Public Key Certificate Standard (PKCS #12) format, and the password must be known so that it can be imported into the Configuration Manager boot images. Note The requirements for this certificate are the same as the server certificate for site systems that have a distribution point installed. Because the requirements are the same, you can use the same certificate file.

Mac client computers

Client authenticati on

For Configuration Manager enrollment:Authentic ated Session For certificate installation

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). For Configuration

For System Center 2012 Configuration Manager SP1 and System Center 2012 R 2
430

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

independent from Configuration Manager: Workstation Authentication

Manager that creates a User certificate, the certificate Subject value is automatically populated with the user name of the person who enrolls the Mac computer. For certificate installation that does not use Configuration Manager enrollment but deploys a Computer certificate independently from Configuration Manager, the certificate Subject value must be unique. For example, specify the FQDN of the computer. The Subject Alternative Name field is not supported. SHA-1 and SHA-2 hash algorithms are supported. Maximum supported key length is 2048

Configuration Manager only: This certificate authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.

431

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

bits. Linux and UNIX client computers Client authenticati on Workstation Authentication Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). The Subject Alternative Name field is not supported. The private key must be exportable. SHA-1 hash algorithm is supported. SHA-2 hash algorithm is supported if the operating system of the client supports SHA-2. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA256 section in the Planning for Client Deployment for Linux and UNIX Servers topic. Supported key lengths: 2048 bits. Important
432

For System Center 2012 Configuration Manager SP1 and System Center 2012 R 2 Configuration Manager only: This certificate authenticates the client for Linux and UNIX to the site system servers that it communicates with, such as management points and distribution points. This certificate must be exported in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate. For additional information, see the Planning for Security and Certificates for Linux and UNIX Servers section in Planning for Client Deployment for Linux and UNIX Servers topic.

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

These certificate s must be in Distinguis hed Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported . Root certification authority (CA) certificates for the following scenarios: Op erating system deploy ment Mobile device enrollm ent Certificate chain to a trusted source Not applicable. Standard root CA certificate. The root CA certificate must be provided when clients have to chain the certificates of the communicating server to a trusted source. This applies in the following scenarios: When you deploy an operating system, and task sequences run that connect the client computer to a management point that is configured to use HTTPS. When you enroll a mobile device to be managed by
433

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

RA DIUS server authent ication for Intel AMTbased comput ers Client certifica te authent ication

System Center 201 2 Configuration Mana ger. When you use 802.1X authentication for AMT-based computers, and you want to specify a file for the RADIUS servers root certificate.

In addition, the root CA certificate for clients must be provided if the client certificates are issued by a different CA hierarchy than the CA hierarchy that issued the management point certificate. Server authenticati on. Web Server (modified) You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject name format. You must grant Read and Enroll permissions to the universal security group that you specify in the out of band Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1). The Subject Name must contain the FQDN of the AMT-based computer, which is supplied automatically from Active Directory Domain Services. SHA-1 is the only supported hash This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface. Each Intel AMT-based computer requests this certificate during AMT provisioning and for subsequent updates. If you remove AMT provisioning information
434

Intel AMTbased computers

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

management algorithm. component properties. Maximum supported key length: 2048 bits.

from these computers, they revoke this certificate. When this certificate is installed on Intel AMTbased computers, the certificate chain to the root CA is also installed. AMT-based computers cannot support CA certificates with a key length larger than 2048 bits. After the certificate is installed on Intel AMTbased computers, this certificate authenticates the AMT-based computers to the out of band service point site system server and to computers that are run the out of band management console, and encrypts all data transferred between them by using Transport Layer Security (TLS).

Intel AMT 802.1X client certificate

Client authenticati on

Workstation Authentication You must configure the Subject Name for Build from this Active Directory information, and then select Common name for the Subject

Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2). The subject name field must contain the FQDN of the AMT-based

This certificate resides in the nonvolatile random access memory of the management controller in the computer and is not viewable in the Windows user interface.

435

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

name format, clear the DNS name and select the User principal name (UPN) for the alternative subject name. You must grant the universal security group that you specify in the out of band management component properties Read and Enroll permissions to this certificate template.

computer and the subject alternative name must contain the UPN. Maximum supported key length: 2048 bits.

Each Intel AMT-based computer can request this certificate during AMT provisioning but they do not revoke this certificate when their AMT provisioning information is removed. After the certificate is installed on AMT-based computers, this certificate authenticates the AMT-based computers to the RADIUS server so that it can then be authorized for network access.

Mobile Client devices that authenticati are enrolled on by Windows Intune

Not applicable: Windows Intune automatically creates this certificate.

Enhanced Key Usage value contains Client Authentication (1.3.6.1.5.5.7.3.2). 3 custom extensions uniquely identify the customer Windows Intune subscription. Users can supply the certificate Subject value during enrollment. However, this value is not used by Windows Intune to identify the device.

This certificate is automatically requested and installed when authenticated users enroll their mobiles devices by using Windows Intune. The resulting certificate on the device resides in the Computer store and authenticates the enrolled mobile device to Windows Intune, so that it can then be managed. Because of the custom extensions in the certificate, authentication is restricted to the Windows Intune
436

Configuratio Certificate n Manager component purpose

Microsoft certificate template to use

Specific information in the certificate

How the certificate is used in Configuration Manager

The key size is 2048 bits and uses the SHA-1 hash algorithm. Note You cannot change these settings: This informatio n is provided for informatio nal purposes only.

subscription that has been established for the organization.

See Also
Planning for Configuration Manager Sites and Hierarchy

Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy
Before you install a System Center 2012 Configuration Manager hierarchy of sites, or a single site, you must understand your network structure, organizational requirements, and the resources that are available to use with Configuration Manager. You can then combine this information with the requirements for Configuration Manager to make decisions about your hierarchy and site designs, and site system server placement. Use the information in the following sections when you plan your Configuration Manager hierarchy:
437

Collect Data about Available Resources Understand Your Organization Understand Your Physical Networks Use Your Active Directory Information Use Collected Information to Plan for Discovery Use Collected Information to Plan for Boundaries and Boundary Groups Use Collected Information to Plan for Site and Hierarchy Design Use Collected Information to Plan for Site Systems

Use the Data That You Collected to Plan Configuration Manager Sites

Collect Data about Available Resources

Before you design your System Center 2012 Configuration Manager deployment, you must understand the available network infrastructure and your companys IT organization and requirements.

Understand Your Organization

It is important that you know the structure of your organization because this information can influence how you deploy, use, and support Configuration Manager. It is also useful to know your organizations long-term plans. Changes such as mergers and acquisitions can have a significant effect on IT infrastructure. External factors that require changes and internal projects (either planned or in progress) can affect how you design and deploy Configuration Manager. Use the following guidelines to help you collect data about your organization.
Considerations Details

Departmental organization

Include the following information: High-level organization charts to help determine the divisional structure of your organization, the design of your Configuration Manager hierarchy, and your method of communicating Configuration Manager implementation updates to different departments Reporting hierarchy Communications methods Service level agreements (SLAs)

IT organization and administrative policies

Consider the following factors: The structure and technical level of local and remote IT divisions, their reporting hierarchies, and local and global IT
438

Considerations

Details

administrative policies Long-term business direction Organizational structure Reporting hierarchy Local administrative policies and SLAs Global IT administrative policies and SLAs

Any major business changes planned for the future, such as mergers, acquisitions, major physical moves, or network migrations

Geographic Profile
To deploy an efficient hierarchy of Configuration Manager sites, and to place individual sites in optimal locations, you must understand the geographic profile of your organization. Many organizations have centrally located headquarters with branch offices located in other regions as remote sites. Organizations that have locations in different cities must consider how to manage resources at those locations. This requires evaluation of the available network bandwidth between locations and an understanding of date and time zone differences that can affect how and when you distribute software to different locations. Use the following guidelines to collect geographic information.
Geographic information Details

Date and time zone information

List the time zone for each location, and list any date and time difference between the remote site and headquarters. Time zone. Date and time differences.

Operating systems and international operating system versions

List the operating systems that are in use and their locations.

Active Directory Structure

When you plan your Configuration Manager hierarchy, consider the layout of your Active Directory structure (hierarchical forest arrangement and domain structure) and its physical structure (Active Directory site topology). An Active Directory site typically includes one or more well connected TCP/IP subnets. A well connected TCP/IP subnet has a fast, reliable network connection. Document your physical Active Directory structure and domain structure before you start the planning phase. Later, when you plan your Configuration Manager deployment, pay attention to
439

the more detailed information of the logical structure, such as the organizational units, because these can help determine how you organize collections, distribute software, and perform queries in Configuration Manager. Use the following guidelines to collect Active Directory information.
Active Directory structure Details

Logical structure

The logical structure of your organization as represented by the following Active Directory components: organizational units, domains, trees, and forests. Information that you collect about domains and forests must include information about trusted and untrusted domains and forests that contain resources that you will use or manage with Configuration Manager. This includes information about existing domains and trusts across forests.

Physical structure

The physical structure of your organization as represented by the following Active Directory components: Active Directory sites (physical subnets) and domain controllers.

Information Technology Organization

It is important to determine your personnel resource requirements and to assign project roles when you plan your Configuration Manager deployment. To do this, you first must have an understanding of your current IT organization. You require this information during your Configuration Manager planning and deployment phases, and also for post-deployment operational tasks. Understand the structure of the IT staff in your organization. For example, you might have one central IT group with members in close communication. Or you might have many decentralized groups where communication is not optimal. There might be a central headquarters with IT responsibility, or many separate administrative units with widely varying goals and philosophies. Use the following guidelines to collect IT organization information.
Details

Collect information about your IT organization. Also create an organization chart that maps your IT organization to your geographic profile.
440

Details

IT reporting hierarchy. IT departmental divisions that produce an overlap in Configuration Manager tasks (for example, a department separate from the Configuration Manager team manages all database servers, including computers that are running Microsoft SQL Server). Locations where management control or policy issues exist. Level of technical sophistication and security clearance of IT staff members who are working with Configuration Manager before, during, or after deployment. Auditing policies. Service level agreements for departments, end users, and IT groups. Operating systems in use on the network. Sensitivity to security risks. Change control policy.

Security Environment
Use the following guidelines to collect security policy information.
Details

Collect information about your organizations security policies, such as the following: Account password policies Account reuse policies Account rights policies Client and server lockdown policies (restrictions on disks and registry, services that are stopped, whether services use Domain Administrator accounts, and hidden shared folders that are removed) Auditing policies
441

Details

Separation of or delegation of duties between IT divisions within the enterprise. The degree to which users must retain control of client devices, and any exceptions to such policies (such as servers, or computers in use by programmers). Collect information about how security-related issues will be handled and supported, such as the following information: Sensitivity to security risks Importance of ease of administration Special requirements for secure data access and transmission Service level agreements (SLAs) for applying security updates

Operating System Languages

Identify the client and server operating system languages that devices use that you will manage with Configuration Manager. By default, the Configuration Manager console and client-facing user interface displays information in English. However, each site can install support for multiple supported languages that can display information in the operating systems language. This information can help you plan for the languages you require at each site to provide your administrative users and endusers with the language support that they require.

Understand Your Physical Networks

It is important that you know the structure of your available networks, the network topology, available bandwidth, the location of servers, and the location of computers that might be installed as Configuration Manager clients. This information can influence your decisions about where and what type of sites your Configuration Manager design requires. Use the following sections to assist you when you collect data about your organization.

Network Topology
Create high-level diagrams of your network topology that include any available information that is listed in the following table. Later, after you make decisions about your Configuration Manager hierarchy structure and site system hardware requirements, you can determine whether any

442

equipment upgrades or additions are required before you begin your Configuration Manager deployment. Network diagrams are also helpful for when you create a representative test environment for a test network or pilot project. Ensure that your network diagram is detailed and specific. If your network is large or complex, consider creating a similar but separate diagram for your domain structure and server topology. Use the following guidelines to collect network topology information.
Network topology Details

High-level wide area network (WAN)/LAN architecture Network size Network bandwidth Network usage and traffic patterns

Links, gateways, firewalls, extranets, virtual private networks, and perimeter networks Number of servers and clients at each location Link speeds and available bandwidth, including any known bandwidth issues Categorize the amount of traffic, and identify the times of day when the network usage is heaviest (peak times) and the times that are scheduled for backup and maintenance (nonpeak times) Windows and non-Microsoft network operating systems TCP/IP, IPv4, IPv6, AppleTalk, and so on, and name resolution methods such as DNS and WINS The Internet Protocol (IP) subnets on your network by subnet ID Active Directory organizational units, site names, trees, and forests

Network types Network protocols

IP subnet structure Active Directory site structure

Server Environment
Configuration Manager uses typical network infrastructure, which includes Active Directory Domain Services, DNS, or WINS for name resolution, and Internet Information Services (IIS) for client communications with Configuration Manager site system servers. Use the following guidelines to assist in gathering server data.

443

Server data

Details

Location and function

Document the location and function of the computers that run the core services of your network, such as global catalog servers, domain controllers, DNS and WINS servers, IIS servers, certification authority (CA) servers, computers that run Microsoft SQL Server or Terminal Services, servers running Microsoft Exchange Server, print servers, and file servers. Document current naming conventions for products that you use with Configuration Manager, such as computers that run Windows Server 2008 and SQL Server. This helps you establish and document naming conventions for your Configuration Manager hierarchy elements. These elements include sites, site codes, servers, and the objects that are used by or created in the Configuration Manager console. Because the site code is used to identify each Configuration Manager site, it is important that these are centrally assigned and tracked.

Naming conventions

Hardware, software, and network information

Document hardware, software, and network information for each server to use as a site system role in your Configuration Manager hierarchy. For example, document the following information for each server that will be part of your Configuration Manager hierarchy: Processor type and speed Amount of random access memory (RAM) Disk and array controller configuration and characteristics, including size, cache size, and the drive models and types. Platform operating system, version, and language Whether the Windows Cluster service or Windows Network Load Balancing Service is enabled
444

Server data

Details

Relevant software applications located on servers, which includes firewall and antivirus software

Device Environment
Where applicable, identify information about devices in your network diagram. This type of information can help you determine whether you must upgrade operating systems before you deploy Configuration Manager, the scope of your client deployment for devices, and which discovery and Configuration Manager client installation methods you will employ. It is important to gather this information so that you can prepare for interoperability and connectivity issues that might prevent the Configuration Manager client from installing. For example, suppose that all members of the Contoso Pharmaceuticals sales group use portable computers: Some laptops run Windows XP Professional SP2 (which is not supported as a System Center 2012 Configuration Manager client), and others run Windows 7. Additionally, members of the sales team travel frequently from one location to another and use a custom remote access application to access the sales database located at headquarters. The Contoso Pharmaceuticals marketing group, however, uses desktop computers that run Windows Vista. Although they do not travel, the marketing members have home computers that they use to remotely connect to the corporate network over a virtual private network (VPN).

The information about operating systems, travel, and custom applications can help you prepare to manage the computer operating systems that are in use and plan for operating system upgrades before you deploy Configuration Manager. This information also helps you plan for the deployment of site systems servers for clients on the intranet and on the Internet, and make further plans to manage the custom applications that you use. Use the following guidelines to help you gather data about the devices to manage.
Device considerations Details

Number of devices to manage

Total number of devices in use on your network, and their physical and logical groupings. Number and types (operating systems) of devices on each IP subnet, which includes the projected number of managed devices in the next year. Whether users use logon scripts, and if those
445

IP subnet size

Logon scripts

Device considerations

Details

scripts are customized to users or groups. Note the file name and location of each script, and users and groups that are associated with each script. Security rights Operating systems Desktop security rights that are granted to end users. Windows operating systems (include the language version) in use on each IP subnet, and the locations of any computers running operating systems other than Windows. Computers that are shared by multiple users, laptops that travel from one location to another, mobile devices, all home-based computers that have remote access to the network, and any other device environments. A database or spreadsheet of all major applications that are in use in the enterprise, categorized by organizational division or by IP subnet. Divisions or departments that use Windows Terminal Services to run applications, or that use other special applications, such as internally manufactured or obsolete applications. The types of connectivity that different organizational groups use, which includes remote connection speeds (dependent on the remote access method in use, such as wireless, dial-up, the Internet, or others).

Device mobility

Software

Special applications

Connectivity

Use the Data That You Collected to Plan Configuration Manager Sites
After you collect relevant information about your networks and organization, you can combine this information with Configuration Manager options and requirements to plan a site or hierarchy that makes efficient use of your available resources and also meets your organizational goals. Use the following sections to help you use this data when you plan a site or hierarchy.
446

Use Your Active Directory Information

Combine the information about your Active Directory environment with the information in the following table to identify how you can use your existing Active Directory investment with Configuration Manager.
Active Directory planning Details

Add your Active Directory sites to Configuration Manager as boundaries

Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see About Active Directory Forest Discovery.

Extend the Active Directory schema to simplify the management of client communication to sites in Configuration Manager sites

The preferred, but optional, method for clients to find information about Configuration Manager sites and the Configuration Manager services that are available is from Active Directory Domain Services. When you extend the Active Directory schema and enable sites to publish data to Active Directory, clients can automatically discover resources from this trusted source, and make efficient use of the network, based on their current location. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager.

Use Configuration Manager to manage sites that span multiple Active Directory forests

Configurations across forests within a site or between two sites require a full two-way forest trust so that Kerberos can be used for authentication. You can manage computers that are not members of a trusted Active Directory domain; however, you must implement additional configurations to support these computers. For more information, see Planning for Communications in Configuration Manager.

447

Use Collected Information to Plan for Discovery

Combine the information about your Active Directory structure, your network, and device resources, with the information in the following table to help you plan for discovery, which finds resources for Configuration Manager to manage.
Discovery planning Details

Use the Active Directory discovery methods to find computers, users, and groups that you can manage with Configuration Manager

To query Active Directory Domain Services for resources, you must understand your Active Directory container and location structure (local domain, local forest). Also understand how to construct custom lightweight Directory Access Protocol (LDAP) or Global Catalog queries so that you can search specific areas of Active Directory Domain Services to conserve network bandwidth for when you run the Active Directory Discovery method. For more information about which discovery method to use to discover different resources, see the Decide Which Discovery Methods to Use section in the Planning for Discovery in Configuration Manager topic.

Use Network Discovery to discover details of your network topology and computer resources that you can manage with Configuration Manager

To query your network with Network Discovery, understand your DHCP server infrastructure, available SNMP-enabled devices, or Active Directory domains. This information can help you configure a Network Discovery search to conserve network bandwidth for when you run Network Discovery. For more information about Network Discovery, see the About Network Discovery section in the Planning for Discovery in Configuration Manager topic.

Use Active Directory Forest Discovery to search your local forest, and any additional forests that you configure for Active Directory sites and subnets

Consider using Active Directory Forest Discovery to first identify Active Directory sites and subnets, and then add them as Configuration Manager boundaries. For more information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.
448

Use Collected Information to Plan for Boundaries and Boundary Groups

System Center 2012 Configuration Manager clients use boundary groups during client installation for site assignment, and after installation to locate resources for content deployment. You assign boundaries to boundary groups, and can also assign content servers to boundary groups. Each boundary group can support two distinct configurations; site assignment, and content location. When you configure two or more boundary groups to include the same boundary, directly or indirectly, they are considered to be overlapping. For example, you might add an IP subnet boundary of 5.5.5.5 directly to a boundary group. Next, you add an Active Directory site that includes that same IP Subnet to a second boundary group. These two boundary groups now overlap because each includes the 5.5.5.5 subnet. Configuration Manager supports overlapping boundaries for content location. This type of configuration can help to provide additional options for clients when they search for available content. However, Configuration Manager does not support overlapping boundaries for site assignments as the client cannot identify which site to join. For more information, see Planning for Boundaries and Boundary Groups in Configuration Manager. Combine the information about your network topology, available bandwidth, computer resources, and organization requirements, with the information in the following table to help you plan for boundaries and boundary groups.
Options to consider Details

Create separate boundary for site assignment and for content location

Although boundary groups support configurations for site assignment and content location, consider creating a distinct set of boundary groups for each purpose. Configure boundary groups for client site assignment without overlapping boundaries. If you assign a boundary to a boundary group, do not assign it to another boundary group that specifies a different site. You can configure boundary groups for content location with overlapping boundaries. Each boundary that you assign to a boundary group will be associated with each content location server that you associate to the same boundary group. Overlapping boundary configurations for content locations can provide flexibility for clients that request content.

For more information see, Planning for Boundaries and Boundary Groups in
449

Options to consider

Details

Configuration Manager. Content location Add specific network locations as boundaries to the boundary group, and then add distribution points that are on fast network connections to those network locations. Clients that are on the specified boundaries receive those servers as content locations during content requests. Note State migration points are also considered content location servers when you configure boundary groups. For more information about content location, see Planning for Content Management in Configuration Manager. Site assignment Add specific network locations as boundaries to the boundary group and then specify a site to the boundary group. Avoid assigning the same boundary, directly or indirectly, to more than one boundary group that you use for site assignment. For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager. Fallback site assignment Consider configuring the hierarchy with a fallback site assignment. The fallback site is assigned to a new client computer that automatically discovers its site when that client is on a network boundary that is not associated with any boundary group that is configured for site assignment. For more information, see the Configure a Fallback Site for Automatic Site Assignment section in the Configuring Settings for Client Management in Configuration Manager topic.

450

Use Collected Information to Plan for Site and Hierarchy Design

Combine the information about your network topology, available bandwidth, server and computer resources, and organization requirements, with the information in the following table to help you plan where to locate sites and site system roles in your hierarchy and how to manage communications between sites, site systems, and clients.
Considerations Details

Consider installing a Configuration Manager site only in a well connected network. Usually well connected networks correspond to geographic locations. For planning purposes, start with the assumption that each well connected network is one Configuration Manager site. Modify this number as you collect more information about your organization.

Identify the number and location of well connected networks that you have in your network. Within a site, clients expect communication with site system servers to be on a well connected network. When you use a boundary group that is configured for content location, you can manage which distribution points and state migration points a client can access. For more information, see Planning for Communications in Configuration Manager.

Remote subnets might be too small to justify their own Configuration Manager site.

If you have remote subnets that are too small to justify their own Configuration Manager site, list those IP subnets and their closest well connected network. From the nearest site, consider placing a distribution point that is enabled for bandwidth control on these subnets to help manage content deployment to clients at those locations. For more information, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager.

In a hierarchy that has multiple primary sites, the central administration site replicates data with each primary site.

Balance the location of the central administration site between a location that benefits the most administrative users, and a location that has a well connected network to your largest primary sites. Configuration Manager consoles that connect to a primary site cannot see or manage some data from other primary sites. Database replication occurs regularly between primary sites and the central administration
451

Considerations

Details

site, and a well connected network can help prevent replication delays of the Configuration Manager database. For more information about intersite replication, see the Planning for Inter-Site Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Each Configuration Manager primary site can manage up to 100,000 clients, with up to 400,000 clients in a single hierarchy. However, the practical number of clients that a primary site can manage also depends on the hardware configuration and performance constraints of the site server and site system servers. Although each primary site supports up to 100,000 clients, site system roles have lower limits. If you configure too few site system servers for critical roles at a site, you can create a performance and communication bottleneck that adversely affects the management of your environment. For example, management points support up to 25,000 clients. Therefore, in a site with 100,000 clients, you can expect to install at least four management points to provide adequate service to your clients. However, the addition of more management points can provide redundancy and can improve overall client-tosite communications, and compensate for any unexpected performance issues on those management point servers. For more information about site system server requirements and capacity, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Plan your hierarchy infrastructure by using the fewest number of sites necessary to reduced administrative overhead. Tip In a System Center 2012 Configuration Manager hierarchy, you can reduce the number of sites required to manage the same infrastructure than was required in Configuration Manager 2007. Configuration Manager can manage multiple instances of the following options at the same site: Note In previous product versions, the comparable configurations each required a separate site to manage different instances of the option. To partition administrative access to resources throughout the hierarchy, you
452

Considerations

Details

can use role-based administration. For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. Use collections to assign custom settings to different groups of users or devices in the hierarchy. For more information, see Planning for Client Settings in Configuration Manager. To manage the display language of Configuration Manager consoles and the clients user-facing interface, plan to add support for the server and client operating system languages that you will require at each site. For more information about languages, see the Planning for Operating System Languages section in the Planning for Sites and Hierarchies in Configuration Manager topic. Additionally, when you distribute content to network locations that are not well connected and content distribution is your primary network bandwidth concern, you can use the site system role of a distribution point that is enabled for bandwidth control to replace a secondary site. For more information about how to use distribution points instead of secondary sites, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager. Choose the type of site to use for a given network or geographic location. Consider the following when you decide the type of site to deploy at a network or geographical location: Primary and central administration sites require an instance of SQL Server, and that instance must be installed on a well connected network.
453

Considerations

Details

You deploy primary sites to manage clients. Although you can deploy a secondary site to manage the client information from clients at remote locations, the clients must still assign to a primary site. It is from the primary site that clients obtain their policy. Secondary sites extend a primary site to a remote network location. You can deploy a distribution point that is enabled for bandwidth control from the primary site when content deployment to the network location is your primary concern and you are not concerned about the network bandwidth that is used when computers send their client information to the site. Configuration Manager consoles can only connect to a primary site or the central administration site.

For more information about site type options, see the About Site Types in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. As a security best practice, use a public key infrastructure (PKI) to deploy and manage the certificates that are required for communication in Configuration Manager. If you use a PKI, document how the certificates will be configured, deployed, and managed for site systems that require them, client computers, and mobile devices. For more information about the certificate requirements in Configuration Manager, see the Planning for Certificates (Self-Signed and PKI) section in the Planning for Security in Configuration Manager topic. Prepare Active Directory Domain Services to support client communications, or configure alternatives, which includes DNS or WINS. For information to help you decide whether to extend the Active Directory schema to support Configuration Manager, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. For information about client communication, see the Planning for Client Communication in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
454

Use Collected Information to Plan for Site Systems

Depending on the hardware configuration of your site system servers, the numbers of clients that will use each site system server and the security requirements for your organization, you might decide that one server can perform one or more site system roles. It is also possible that you will have to separate specific site system roles, such as those that use Internet Information Services (IIS) to communicate with Configuration Manager clients, from other site system roles such as the site database server. The following sections contain lists of typical planning considerations and questions for you to review when you plan for site systems that are typically used in Configuration Manager. Your organization might require additional considerations.

Database Servers
The database server stores information from clients and the configurations that you use to manage your environment. Each site uses database replication to share the information in its database with other sites in the hierarchy. You can install a database server on the site server or on another server that is on a well connected network location. This site system role requires Microsoft SQL Server, and when you have multiple sites in a hierarchy, the database at each site must use the same SQL Server database collation to enable the data to replicate between them. Use the following planning considerations to help you plan for database servers.
Planning considerations Details

Is this a central administration site, a primary site, or secondary site?

Central administration sites and primary sites must have access to a full installation of SQL Server to host the site database. Secondary sites can use a full installation of SQL Server, or SQL Server Express. For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.

Are you planning to locate the Configuration Manager site database on the site server?

You can install the site database on an instance of SQL Server on the site server or on another server. If you install the site database by using an instance of SQL Server on another server, or move it to another instance of SQL Server after site installation, Configuration Manager supports moving the site database back to the
455

Planning considerations

Details

site server at a later time. Note Secondary sites do not support SQL Server on another server. For more information, see the Planning for Database Servers in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. Decide whether to install more than a single SMS Provider at a site. A site server uses the SMS Provider to communicate with the site database. Configuration Manager supports installing multiple instances of the SMS Provider, but only one SMS Provider instance can be installed on each computer. Each SMS Provider can be installed on the site server, another server running SQL Server, or on another server. Multiple instances of the SMS Provider are supported at central administration sites and primary sites. Note Secondary sites do not support installation of the SMS Provider on another computer. For more information, see the Planning for the SMS Provider in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. For a hierarchy, do you have servers that run SQL Server with compatible configurations that will be available for each planned site? Each server running SQL Server that you use as a database server must meet specific configurations. For example, because sites replicate data directly with other sites, the SQL Server collation of each database server must match that of each other site in the hierarchy. For more information, see the SQL Server Configurations for Database Servers section in the Planning for Site Systems in Configuration
456

Planning considerations

Details

Manager topic.

Distribution Points
You can install one or more distribution points at each primary and secondary site.
Planning considerations Details

Will you deploy content to clients at this site?

Consider the number and size of the applications and packages that you expect to store on the distribution points at this site. This will help you understand the disk space requirements that you require for distribution point servers. For more information see, Planning for Content Management in Configuration Manager.

How many clients will access the distribution points at this site?

Plan for sufficient distribution points to service the number of clients that request content at the site. For more information, see the Determine the Distribution Point Infrastructure section in the Planning for Content Management in Configuration Manager topic.

Will you use distribution point groups to streamline the administration of content deployments?

Identify how you plan to group your distribution points. For more information, see the Plan for Distribution Point Groups section in the Planning for Content Management in Configuration Manager topic. For example, distribution points require Remote Differential Compression and Internet Information Services (IIS). For more information about the prerequisites for distribution points, see the Distribution Point Configurations section in the Planning for Content Management in Configuration Manager topic.

Do your distribution point servers have all the prerequisites installed?

Do you have distribution points in sites that are located on network locations that are not well

If so, configure those distribution points for

457

Planning considerations

Details

connected?

network bandwidth control. For more information, see the Network Bandwidth Considerations for Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Management Points
A management point is the primary point of contact between Configuration Manager clients and the site server. A primary or secondary site can have multiple management points for clients on the intranet, and primary sites can support multiple Internet-based management points for mobile devices and client computers that are on the Internet. Use the following planning considerations to help you plan for management points.
Planning considerations Details

Consider the maximum number of clients that you will manage at this site.

If there will be more than 25,000 clients at a site, you must install more than one management point. Even when you have fewer than 25,000 clients, consider installing additional management points for redundancy and to compensate for less than optimal hardware or server operating conditions. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Consider how often the clients that are assigned to this site will retrieve new policy information.

Clients download client policy on a schedule that you configure as a client setting. Consider the frequency of this download when you plan for the number of management points to deploy at each site. For more information, see How to Manage Clients in Configuration Manager.

If you will collect hardware or software inventory from clients at this site, consider the inventory configurations and schedules.

Clients collect and send inventory data to a management point on a schedule that you configure as a client setting. Consider the information about the frequency of these actions and the data you will collect from clients when you plan for the number of management points to deploy at each site.
458

Planning considerations

Details

For more information, see How to Configure Hardware Inventory in Configuration Manager. If you will use software metering for clients at this site, consider the schedule for sending the metering data. Clients collect and send metering data to a management point on a schedule that you configure as a client setting. Consider the frequency of this schedule when you plan the number of management points to deploy at each site. For more information, see Planning for Software Metering in Configuration Manager.

Reporting Services Points

A reporting services point is a site server that hosts a site's Reporting website. A reporting point obtains report information from the database server of its Configuration Manager site.
Planning consideration Details

Will this site require a reporting services point?

You can install a reporting services point at a central administration site or a primary site. However, only the reporting services point at the top-level site of your hierarchy can provide reports with information from all sites in your hierarchy. For more information, see Introduction to Reporting in Configuration Manager.

Software Update Points

A software update point is a site system server you install on a site system that already has Windows Server Update Services (WSUS) installed on it. The central administration site and all primary child sites must have an active software update point to deploy software updates. You must determine on which sites to install an Internet-based software update point, when to configure the active software update point as a Windows network load balancing (NLB) cluster, and when to create an active software update point at a secondary site.
Planning considerations Details

What is the maximum number of clients you will

Each software update point can support up to

459

Planning considerations

Details

manage at this site?

25,000 clients. If there are more than 25,000 client computers assigned to the site, consider creating a Network Load Balancing (NLB) cluster for a group of WSUS servers, and then use the NLB cluster as the active software update point on the site. For more information, see Planning for Software Updates in Configuration Manager.

Is a supported version of WSUS installed on an existing site system? What is the computer name of the site system?

A supported version of WSUS must be installed on the site system computer before you add the software update point site role to the site system. For information about supported WSUS configurations, see Prerequisites for Software Updates in Configuration Manager.

Does this site support clients that are on the Internet?

The Internet-based software update point accepts communication from devices on the Internet. You can only create the Internetbased software update point when the active software update point is not configured to accept communication from devices on the Internet. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic.

See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Migrate Configuration Manager 2007 Data to System Center 2012 Configuration Manager
In System Center 2012 Configuration Manager, the built-in migration functionality replaces inplace upgrades of existing Configuration Manager infrastructure by providing a process that
460

transfers data from active Configuration Manager 2007 sites. Migration can transfer most data from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects that migration does not migrate, you must re-create non-migrated objects in the new Configuration Manager hierarchy. Because of the design changes introduced in System Center 2012 Configuration Manager, you cannot upgrade existing Configuration Manager 2007 infrastructure with one exception. Migration does support the upgrade of qualifying Configuration Manager 2007 distribution points to System Center 2012 Configuration Manager distribution points. This includes the upgrade of a Configuration Manager 2007 secondary site that is co-located with a distribution point. If you upgrade a distribution point, the content on the distribution point computer is retained, and converted to the new System Center 2012 Configuration Manager format. Then the site system role is removed from the Configuration Manager 2007 hierarchy and the distribution point and site system server are added as a distribution point to the System Center 2012 Configuration Manager primary or secondary site of your choice. When a distribution point on a Configuration Manager 2007 secondary site upgrades, the secondary site is uninstalled and removed from the Configuration Manager 2007 hierarchy. The result is a System Center 2012 Configuration Manager distribution point with all migrated content converted to the single instance store. For more information about migrating from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Migrating Hierarchies in System Center 2012 Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Determine Whether to Extend the Active Directory Schema for Configuration Manager
When you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish site information to Active Directory Domain Services. Extending the Active Directory schema is optional for Configuration Manager. However, by extending the schema you can use all Configuration Manager features and functionality with the least amount of administrative overhead. If you decide to extend the Active Directory schema, you can do so before or after you run Configuration Manager Setup.
461

Considerations for Extending the Active Directory Schema for Configuration Manager
The Active Directory schema extensions for System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, and System Center 2012 R2 Configuration Manager, are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not have to extend the schema again for System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, or System Center 2012 R2 Configuration Manager. Similarly, if you extended the schema for one version of System Center 2012 Configuration Manager, you do not have to extend the schema again for a later version of Configuration Manager. Extending the Active Directory schema is a forest-wide action and can only be done one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after setup. Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources: Extend the Active Directory schema. Create the System Management container. Set security permissions on the System Management container. Enable Active Directory publishing for the Configuration Manager site.

For information about how to extend the schema, create the System Management container, and configure setting security permissions on the container, see Prepare Active Directory for Configuration Manager in the Prepare the Windows Environment for Configuration Manager topic. For information about how to enable publishing for Configuration Manager sites, see Planning for Publishing of Site Data to Active Directory Domain Services. Mobile devices that are managed by the Exchange Server connector and the following clients do not use Active Directory schema extensions for Configuration Manager: The client for Mac computers The client for Linux and UNIX servers Mobile devices that are enrolled by Configuration Manager Mobile devices that are enrolled by Windows Intune Mobile device legacy clients Windows clients that are configured for Internet-only client management Windows clients that are detected by Configuration Manager to be on the Internet

The following table identifies Configuration Manager functions that use an Active Directory schema that is extended for Configuration Manager, and if there are workarounds that you can use if you cannot extend the schema.
462

Functionality

Active Directory

Details

Client computer installation and site assignment

Optional

When a new Configuration Manager Windows client installs, the client can search Active Directory Domain Services for installation properties. If you do not extend the schema, you must use one of the following workarounds to provide configuration details that computers require to install: Use client push installation. Before you use client installation method, make sure that all prerequisites are met. For more information, see the section Installation Method Dependencies in Prerequisites for Computer Clients. Install clients manually and provide client installation properties by using CCMSetup installation command-line properties. This must include the following: Specify a management point or source path from which the computer can download the installation files by using the CCMSetup property /mp:=<management point name computer name> or /source:<path to client source files> on the CCMSetup command line during client installation. Specify a list of initial management points for the client to use so that it can assign to the site and then download client policy and site settings. Use the CCMSetup Client.msi property SMSMP to do
463

Functionality

Active Directory

Details

this. Publish the management point in DNS or WINS and configure clients to use this service location method.

Port configuration for client-toserver communication

Optional

When a client installs, it is configured with port information. If you later change the client-toserver communication port for a site, a client can obtain this new port setting from Active Directory Domain Services. If you do not extend the schema, you must use one of the following workarounds to provide this new port configuration to existing clients: Reinstall clients and configure them to use the new port information. Deploy a script to clients to update the port information. If clients cannot communicate with a site because of the port change, you must deploy this script externally to Configuration Manager. For example, you could use Group Policy.

Network Access Protection

Required

Configuration Manager publishes health state references to Active Directory Domain Services so that the System Health Validator point can validate a clients statement of health. When you create content at one site and then deploy that content to another site in the hierarchy, the receiving site must be able to verify the signature of the signed content data. This requires access to the public key of the source site where
464

Content deployment scenarios Optional

Functionality

Active Directory

Details

you create this data. When you extend the Active Directory schema for Configuration Manager, a sites public key is made available to all sites in the hierarchy. If you do not extend the Active Directory schema, you can use the hierarchy maintenance tool, preinst.exe, to exchange the secure key information between sites. For example, if you plan to create content at a primary site and deploy that content to a secondary site below a different primary site, you must either extend the Active Directory schema to enable the secondary site to obtain the source primary sites public key, or use preinst.exe to share keys between the two sites directly.

Attributes and Classes Added by the Configuration Manager Schema Extensions

When you extend the schema for Configuration Manager, several classes and attributes are added that any Configuration Manager site in the Active Directory forest can use. Because the global catalog is replicated throughout the forest, consider the network traffic that might be generated. In Windows 2000 forests, extending the schema causes a full synchronization of the whole global catalog. Beginning with Windows 2003 forests, only the newly added attributes are replicated. Plan to extend the schema during a time when the replication traffic does not adversely affect other network-dependent processes. When you extend the Active Directory schema for System Center 2012 Configuration Manager, the following attributes and classes are added to Active Directory Domain Services: Attributes: cn=mS-SMS-Assignment-Site-Code cn=mS-SMS-Capabilities cn=MS-SMS-Default-MP cn=mS-SMS-Device-Management-Point
465

cn=mS-SMS-Health-State cn=MS-SMS-MP-Address cn=MS-SMS-MP-Name cn=MS-SMS-Ranged-IP-High cn=MS-SMS-Ranged-IP-Low cn=MS-SMS-Roaming-Boundaries cn=MS-SMS-Site-Boundaries cn=MS-SMS-Site-Code cn=mS-SMS-Source-Forest cn=mS-SMS-Version cn=MS-SMS-Management-Point cn=MS-SMS-Roaming-Boundary-Range cn=MS-SMS-Server-Locator-Point cn=MS-SMS-Site

Classes:

Note The Active Directory schema extensions might include attributes and classes that are carried forward from previous versions of the product but not used by Microsoft System Center 2012 Configuration Manager. For example: Attribute: cn=MS-SMS-Site-Boundaries Class: cn=MS-SMS-Server-Locator-Point

To ensure that these lists are current for your version of System Center 2012 Configuration Manager, review the ConfigMgr_ad_schema.LDF file that is located in the\SMSSETUP\BIN\x64 folder of the System Center 2012 Configuration Manager installation media.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Sites and Hierarchies in Configuration Manager

Before you deploy System Center 2012 Configuration Manager in a production environment, plan the design of your sites and site hierarchy. During the planning phase, identify the number and type of sites, and the location where you plan to deploy them. Plan for each site and identify where to install site system roles at each site. Tip
466

Ensure that your plan considers future server hardware changes in addition to current hardware requirements. You can deploy Configuration Manager as a single stand-alone primary site, or as multiple sites in a hierarchy. When you plan your initial deployment, consider a design that can expand for the future growth that your organization might require. Planning for expansion is an important step because the changes in System Center 2012 Configuration Manager from previous versions of the product mean that Configuration Manager can now support more clients with fewer sites. Important Configuration Manager does not support moving a site server between domains. If you must move a site server, you must uninstall Configuration Manager from the server, move the server to the new domain, and then install a new Configuration Manager site. You cannot successfully restore the original site to a server that has been moved to a new domain. Use the following sections in this topic to help you to implement a hierarchy design: Planning a Hierarchy in Configuration Manager About Site Types in Configuration Manager Determine Whether to Install a Central Administration Site Determine Whether to Install a Primary Site Determine Whether to Install a Secondary Site Determine Whether to Install a Site or Use Content Management Options

Planning to Expand a Stand-Alone Primary Site About Language Packs Planning for Server Language Packs Planning for Client Language Packs Best Practices for Managing Language Packs About the Read-Only Console

Planning for Client and Server Operating System Languages in Configuration Manager

Planning for the Configuration Manager Console Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager About Multiple Edits to Global Data in Configuration Manager About Data Access From the Configuration Manager Console

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

467

System Center 2012 Configuration Manager introduces the central administration site and some changes to primary and secondary sites. The following tables summaries these sites and how they compare to sites in Configuration Manager 2007.
Site Purpose Change from Configuration Manager 2007

Central administration site

The central administration site coordinates intersite data replication across the hierarchy by using Configuration Manager database replication. It also enables the administration of hierarchy-wide configurations for client agents, discovery, and other operations. Use this site for all administration and reporting for the hierarchy.

Although this is the site at the top of the hierarchy in System Center 2012 Configuration Manager, it has the following differences from a central site in Configuration Manager 2007: Does not process data submitted by clients, except for the Heartbeat Discovery data record. Does not accept client assignments. Does not support all site system roles. Participates in database replication

Primary site

Manages clients in well connected networks.

Primary sites in System Center 2012 Configuration Manager have the following differences from primary sites in Configuration Manager 2007: Additional primary sites allow the hierarchy to support more clients. Cannot be tiered below other primary sites. No longer used as a boundary for client agent settings or security. Participates in database replication.

Secondary site

Controls content distribution Secondary sites in for clients in remote locations System Center 2012
468

Site

Purpose

Change from Configuration Manager 2007

across links that have limited network bandwidth.

Configuration Manager have the following differences from secondary sites in Configuration Manager 2007: SQL Server is required and SQL Server Express will be installed during site installation if required. A management point and distribution point are automatically deployed during the site installation. Secondary sites can send content distribution to other secondary sites. Participates in database replication.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. With Configuration Manager SP1 you can expand a stand-alone primary site into a hierarchy that includes a new central administration site. After you install the new central administration site, you can install additional primary sites. For more information, see Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site.

Planning a Hierarchy in Configuration Manager

When you plan for a Configuration Manager hierarchy, consider your network and computing environment and identify your business requirements. You can then plan to implement Configuration Manager by using the minimal number of servers and the least amount of administration overhead to meet your organizations goals. If you have an existing investment in Configuration Manager 2007, System Center 2012 Configuration Manager provides an in-box solution for automated migration from Configuration Manager 2007. However, it does not support in-place upgrades from earlier versions of Configuration Manager or interoperability with Configuration Manager 2007 with the following two exceptions. The first exception is that during the time that you are actively migrating from
469

Configuration Manager 2007 to System Center 2012 Configuration Manager, you can share Configuration Manager 2007 distribution points with System Center 2012 Configuration Manager making the content on these distribution points accessible to System Center 2012 Configuration Manager clients. The second exception is that you can upgrade Configuration Manager 2007 secondary sites to be System Center 2012 Configuration Manager distribution points. Therefore, to maintain the investment in your current Configuration Manager 2007 infrastructure, you must install System Center 2012 Configuration Manager as a new hierarchy, and then migrate Configuration Manager 2007 data and clients to System Center 2012 Configuration Manager. This side-by-side implementation provides an opportunity to redesign and simplify your hierarchy by using fewer site servers. Before you install the first site of a new System Center 2012 Configuration Manager hierarchy, consider your business and network environment requirements and review how new capabilities in Configuration Manager can help you meet these with a reduced amount of infrastructure. When possible, plan to only install a stand-alone primary site for your hierarchy, unless a single site cannot support the number of clients and devices that you manage. The stand-alone primary site hierarchy design avoids the overhead of managing additional sites, and the overhead of database replication between sites. If you must manage more devices than a single site supports, you will need to install a central administration site as your first site, and then install one or more primary child sites. For information about the number of clients a site supports, see the Clients per Site section in the Supported Configurations for Configuration Manager topic. Some of the capabilities that support a decision to install a single primary site in place of multiple primary sites are new in System Center 2012 Configuration Manager. With System Center 2012 Configuration Manager you can manage the use of network bandwidth to transfer content to remote distribution points in a site, similar to how you manage the bandwidth between sites in a hierarchy. This functionality can replace the need to install additional sites to manage content transfers across slower networks, as seen in past versions of Configuration Manager. Additional changes include the use of Client Settings and role-based administration, which remove the need to maintain separate sites for custom client settings or separate sites for security based partitions of access or responsibilities. When all of the changes in System Center 2012 Configuration Manager are understood and considered, the remaining decision point for installing multiple primary sites is often the number of devices and clients your hierarchy must support; not the location of those clients and devices. Prior to System Center 2012 Configuration Manager SP1, the initial hierarchy design you selected was permanent. Specifically, when you use System Center 2012 Configuration Manager with no service pack, there are no options to convert a stand-alone primary site into a child primary site that reports to a central administration site. Therefore, to change the configuration you would have to uninstall the stand-alone primary site and then install the site again as a child primary site below a central administration site. However, beginning with Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy that includes a central administration site, and then you can install additional child primary sites. This ability to expand a stand-alone primary site into a larger hierarchy is available to both new sites installed with
470

Configuration Manager SP1 and to sites you upgrade from System Center 2012 Configuration Manager with no service pack. However, Configuration Manager does not support converting a hierarchy that includes a central administration site into a stand-alone primary site. For information about expanding a stand-alone primary site, see the section Planning to Expand a Stand-Alone Primary Site later in this topic. The capability to expand a stand-alone primary site enables you to deploy Configuration Manager using the minimum server infrastructure, a single stand-alone primary site, with the capability to expand your hierarchy to support more devices at a later date. Additionally, beginning with Configuration Manager SP1, you can migrate data from one System Center 2012 Configuration Manager hierarchy to another Configuration Manager hierarchy when both hierarchies run the same service pack. For example, you could migrate data from one Configuration Manager SP1 site or hierarchy to a different Configuration Manager SP1 site or hierarchy. This means you can migrate data from a test environment to your production environment or migrate data from an acquisition, and then manage the combined environment of users and devices from a single System Center 2012 Configuration Manager hierarchy. For information about Migration, Migrating Hierarchies in System Center 2012 Configuration Manager.

About Site Types in Configuration Manager

Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A standalone site also consists of one or more site system servers. The following diagrams show some example site designs.

471

Site system servers within a site extend the functionality of Configuration Manager. For example, you might install a site system in a site to support software deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, ensure that you review the information about each site type and the alternatives to sites offered by site systems you use for content deployment. Use the following table to help you plan the type of sites that you might require in your hierarchy.
Server Purpose More information

Central administration site

The recommended location for all administration and reporting for the hierarchy.

SQL Server is required. Does not process client data. Does not support client assignment. Not all site system roles are available.
472

Server

Purpose

More information

Primary site A required site that manages clients in well connected networks. All clients are assigned to a primary site.

Participates in database replication. SQL Server is required. Additional primary sites provide support for a higher number of clients. Cannot be tiered below other primary sites. Participates in database replication. SQL Server Express or a full instance of SQL Server is required. If neither is installed when the site is installed, SQL Server Express is automatically installed. A management point and distribution point are automatically deployed when the site is installed. Secondary sites must be direct child sites below a primary site, but can be configured to send content to other secondary sites. Participates in database replication.

Secondary site Manages clients in remote locations where network bandwidth control is required.

When you plan a Configuration Manager hierarchy, consider the following: You can schedule and throttle network traffic when you distribute deployment content to distribution points. Therefore, you can use a distribution point instead of a site for some remote network locations. Discovery data records (DDRs) for unknown resources transfer by using file-based replication from a primary site to the central administration site for processing. Because discovery can create a large number of DDRs, plan where to place your central administration site and consider at which sites discovery operations will run to minimize the transfer of DDRs across low-bandwidth networks. DDRs for known resources are processed at the first primary site to receive them and do not transfer by using file-based replication to the central administration site. Instead, after being processed at the primary site, the discovery information replicates to other sites by using database replication.
473

Role-based administration provides a central administrative security model for the hierarchy, and you do not have to install sites to provide a security boundary. Instead, use security scopes, security roles, and collections to define what administrative users can see and manage in the hierarchy. Alerts in the Configuration Manager console provide state-based information for operations throughout the hierarchy.

Use the following sections to help you determine whether to install Configuration Manager sites and site systems.

Determine Whether to Install a Central Administration Site

Install a central administration site if you require multiple primary sites. However, unless you support more clients and devices than a single primary site can support, you can install a standalone primary site and reduce your administrative overhead and avoid unnecessary database replication between a primary site and a central administration site. In a stand-alone hierarchy design, a stand-alone primary site provides the same functionality as a central administration site. Prior to Configuration Manager SP1, this was a permanent decision. Beginning with Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy with a central administration site, and then add additional primary sites. However, System Center 2012 Configuration Manager does not supported the removal of a central administration site from a hierarchy to convert a hierarchy to a stand-alone hierarchy design. Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. This site type does not manage clients directly but it does coordinate inter-site data replication, which includes the configuration of sites and clients throughout the hierarchy. Use the following information to help you plan for a central administration site: The central administration site is the top-level site in a hierarchy. When you configure a hierarchy that has more than one primary site, you must install a central administration site, and it must be the first site that you install. The central administration site supports only primary sites as child sites. The central administration site cannot have clients assigned to it. The central administration site does not support all site system roles. For more information, see Planning Where to Install Sites System Roles in the Hierarchy. You can manage all clients in the hierarchy and perform site management tasks for any primary site when you use a Configuration Manager console that is connected to the central administration site. When you use a central administration site, the central administration site is the only place where you can see site data from all sites. This data includes information such as inventory data and status messages. You can configure discovery operations throughout the hierarchy from the central administration site by assigning discovery methods to run at individual sites.
474

You can manage security throughout the hierarchy by assigning different security roles, security scopes, and collections to different administrative users. These configurations apply at each site in the hierarchy. You can configure file replication and database replication to control communication between sites in the hierarchy. This includes scheduling database replication for site data, and managing the bandwidth for the transfer of file-based data between sites.

Determine Whether to Install a Primary Site

Use primary sites to manage clients. You can install a primary site as a child primary site below a central administration site in a larger hierarchy, or as the first site of a new hierarchy. A primary site that installs as the first site of a hierarchy creates a stand-alone primary site. Both child primary sites and stand-alone primary sites support secondary sites as child sites of the primary site. Consider installing a primary site for any of the following reasons: To manage clients directly. To increase the number of clients and devices you can manage with a single hierarchy. For information about the number of clients and devices each primary site supports, see the Clients per Site section in the Supported Configurations for Configuration Manager topic. To provide a local point of connectivity for administration. To meet organizational management requirements. For example, you might install a primary site at a remote location to manage the transfer of deployment content across a lowbandwidth network. However, with System Center 2012 Configuration Manager you can use options to throttle the network bandwidth use when transferring data to a distribution point and this capability can replace the need to install additional sites. A primary site can be a stand-alone primary site or a child primary site in a larger hierarchy. When a primary site is a member of a hierarchy with a central administration site, the sites use database replication to replicate data between the sites. Unless you need to support more clients and devices than a single primary site can support, consider installing a standalone primary site. Beginning with Configuration Manager SP1, you can convert a standalone primary site into a larger hierarchy when your deployment exceeds the capacity of a single primary site. A primary site supports only a central administration site as a parent site. A primary site supports only secondary sites as child sites and can support one or more secondary child sites. When you use Configuration Manager with no service pack, a primary site cannot change its parent site relationship after installation. However, beginning with Configuration Manager SP1, you can install a new central administration site as a parent site of an existing stand-alone primary site. Primary sites are responsible for processing all client data from their assigned clients. When a primary site installs, it automatically configures database replication with its designated central administration site.
475

Use the following information to help you plan for primary sites:

Primary sites use database replication to communicate directly to their central administration site. You can install typically used site system roles when you install a primary site. For a list of site system roles that are supported on primary sites, see Planning Where to Install Sites System Roles in the Hierarchy.

Determine Whether to Install a Secondary Site

Use secondary sites to manage the transfer of deployment content and client data across lowbandwidth networks. You manage a secondary site from a central administration site or the secondary sites parent primary site. Secondary sites must be attached to a primary site, and you cannot move them to a different parent site without uninstalling them, and then re-installing them as a child site below the new primary site. You can route content between peer secondary sites to help manage the filebased replication of deployment content. To transfer client data to a primary site, the secondary site uses file-based replication. However, a secondary site also uses database replication to communicate with its parent primary site. Consider installing a secondary site if any of the following conditions apply: You do not require a local administrative user for the site. You have to manage the transfer of deployment content to sites lower in the hierarchy. You have to manage client information that is sent to sites higher in the hierarchy.

If you do not want to install a secondary site and you have clients in remote locations, consider using Windows BranchCache or distribution points that are enabled for bandwidth control and scheduling. You can use these content management options with or without secondary sites, and they can help you to reduce the number of sites and servers that you have to install. For information about content management options in Configuration Manager, see Determine Whether to Install a Site or Use Content Management Options. Use the following details to help you plan for secondary sites: Secondary sites automatically install SQL Server Express during site installation if a local instance of SQL Server is not available. Secondary site installation is initiated from the Configuration Manager console when it is connected to the central administration site or a primary site. When a secondary site is installed, it automatically configures database replication with its parent primary site. Secondary sites use database replication to communicate directly to their parent primary site and to obtain a subset of the shared Configuration Manager database. Secondary sites support the routing of file-based content to other secondary sites that have a common parent primary site. Secondary site installations automatically deploy a management point and distribution point that are located on the secondary site server.

476

Determine Whether to Install a Site or Use Content Management Options

If you have clients in remote network locations, consider using one or more content management options instead of a primary or secondary site. You can often remove the requirement for another site when you use Windows BranchCache, configure distribution points for bandwidth control, or manually copy content to distribution points (prestage content). Consider deploying a distribution point instead of installing another site if any of the following conditions apply: Your network bandwidth is sufficient for client computers at the remote location to communicate with a management point to download client policy, and send inventory, reporting status, and discovery information. Background Intelligent Transfer Service (BITS) does not provide sufficient bandwidth control for your network requirements.

For more information about content management options in Configuration Manager, see Introduction to Content Management in Configuration Manager.

Planning to Expand a Stand-Alone Primary Site

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Beginning with System Center 2012 Configuration Manager SP1, you can install a new central administration site as a parent site of an existing stand-alone primary site. This expands your stand-alone primary site into a larger hierarchy that supports the install of additional new primary sites. You can expand only one pre-existing primary site into the new hierarchy because the database of the new central administration site is based on the database of your stand-alone primary site. After this new central administration site installs, you cannot join or expand additional pre-existing primary sites to this same hierarchy. However, you can install new primary sites as child sites below the central administration site. To expand a stand-alone primary site into a larger hierarchy, run Configuration Manager Setup from the media for Configuration Manager SP1 (or a later version of Configuration Manager), and install a new central administration site on a new server. During setup you can install the new central administration site as the first site in a new hierarchy or expand an existing stand-alone primary site into a hierarchy. When you expand an existing stand-alone primary site, you must specify the stand-alone primary site server you want to expand. After Setup contacts the site server of the stand-alone primary site, Setup continues normally. After Setup completes, the primary site becomes a child primary site in a hierarchy with a central administration site, and is no longer a stand-alone primary site. After you expand a stand-alone primary site into a hierarchy, you cannot then detach the primary site from the hierarchy to restore it to operation as a stand-alone primary site. To remove the primary site from the hierarchy, you must uninstall the primary site.

477

Prerequisites for Expanding a Stand-Alone Primary Site

A stand-alone primary site must meet the following prerequisites before you can expand it into a hierarchy with a central administration site:
Prerequisite Details

The stand-alone primary site and new central administration site must run the same version of Configuration Manager The stand-alone primary site cannot be configured to migrate data from another Configuration Manager hierarchy

For example, if you use Setup for SP1 to install a central administration site and expand a stand-alone primary site, that stand-alone primary site must also be at SP1. You must stop active migration to the standalone primary site, from other Configuration Manager hierarchies, and remove all configurations for migration This includes migration jobs that have not completed, and the configuration of the active source hierarchy. This is because migration operations are performed by the top-tier site of the hierarchy, and the configurations for migration do not transfer to the central administration site when you expand a stand-alone primary site. After you expand the stand-alone primary site, if you reconfigure migration at the primary site, it will be the central administration site that performs the migration related operations. For more information about how to configure migration, see Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager.

The computer account of the computer that will host the new central administration site must be a member of the Administrators group on the stand-alone primary site

To successfully expand the stand-alone primary site, the computer account of the new central administration site must be a member of the stand-alone primary sites Administrators group. This is required only during site expansion and the account can be removed from the group on the primary site after site expansion completes. To install a central administration site as part of a site expansion scenario, the user account that runs setup to install the central
478

The user account that runs setup to install the new central administration site must be granted role-based administration permissions at the

Prerequisite

Details

stand-alone primary site

administration site must be defined in rolebased administration at the stand-alone primary site as either a Full Administrator or an Infrastructure Administrator. These site system roles are supported only at the top-tier site of the hierarchy. Therefore, you must uninstall these site system roles before you expand the site stand-alone primary site. After you expand the site, you can reinstall these site system roles at the central administration site. All other site system roles can remain installed at the primary site.

You must uninstall the following site system roles from the stand-alone primary site before you can expand the site: Asset Intelligence synchronization point Endpoint Protection point Windows Intune connector

The port for the SQL Server Service Broker must be open between the stand-alone primary site and the computer that will install the central administration site

To successfully replicate data between a central administration site and a primary site, Configuration Manager requires that a port for use by the SQL Server Service Broker is open between the two sites. When you install a central administration and expand a standalone primary site, the prerequisite check does not establish that the port you specify for the SQL Server Service Broker is open on the primary site. If you use migration to migrate data from another Configuration Manager hierarchy, you must stop all active Data Gathering before you expand the site. After the site expansion completes, you can reconfigure Data Gathering. For more information about stopping and reconfiguring data gathering for migration, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic.

When the stand-alone primary site is configured for migration, you must stop all active Data Gathering before you expand the site

479

Considerations when Expanding a Stand-Alone Primary Site

When you expand a stand-alone primary site, objects and configurations that exist in the primary site database are shared with the new central administration site. With the following exceptions, there are no special considerations when you expand a stand-alone primary site:
Considerations Details

Software update points

Prior to expanding a stand-alone primary site, you do not need to make configuration changes for software update points at the site. However, when you expand a stand-alone primary site, software update points at the primary site automatically reconfigure to synchronize with a software update point at the new central administration site. Therefore, after the new central administration site install completes, plan to install a software update point at that site as soon as possible, and configure it to synchronize with Windows Server Update Services (WSUS). Until you configure a software update point at the central administration site, software update points at the primary site will be unable to synchronize new software updates. Immediately after you expand a stand-alone primary site, expect a high level of data processing at the central administration site as that site synchronizes software update information from the primary site. The central administration site automatically creates new objects for software update management. The objects at the central administration site are authoritative for the hierarchy. Pre-existing configurations at the primary site automatically apply at the central administration site. These configurations include synchronization schedules, supersedence configurations, and additional related settings.

Packages for software deployment

Packages that were created at the stand-alone primary site before your expand the site, continue to be managed by the primary site. However, these packages replicate as global
480

Considerations

Details

data to all sites in the hierarchy, and you can manage these packages from the central administration site. The only exception to this is the client installation package. Client installation package When you expand a stand-alone primary site, ownership of the client installation package transfers to the central administration site. However the package ID for this package remains unchanged. Because the top tier site of a hierarchy manages this package, and modifies the package to support only the client operating system languages that are selected at that site, ensure that the central administration site supports the same client languages that are selected at your primary site. For more information, see Planning for Client Language Packs section in Planning for Sites and Hierarchies in Configuration Manager topic. Client settings After you expand a primary site, you must restart the SMS_POLICY_PROVIDER component on the primary site. Until you restart the policy provider, the primary site does not provide new or updated client settings to clients, and continues to provide the client settings that were configured at the primary site before the primary site was expanded. To restart the policy provider, use the Configuration Manager Service Manager. To use the Configuration Manager Service Manager to manage a component, select the component in the Component Status node under System Status in the Monitoring workspace of the Configuration Manager console. After you select the component, click Start in the Component group on the Home tab, and then select Configuration Manager Service Manager. In Configuration Manager Service Manager, locate the component you want to manage, and then click Component.
481

Considerations

Details

Next, click Query, and after you query the status of the component you can manage the status of that component. The policy provider also restarts when the SMS_EXECUTIVE service restarts on the site server, or after the site server computer reboots. Support for client languages When you expand a stand-alone primary site and install the central administration, plan to add support at the central administration site for the same client languages that the stand-alone primary site supports. Adding support for the same client languages is not a requirement; this is a best practice to ensure that new Configuration Manager clients you install support the client languages you expect. For more information about how to manage languages in Configuration Manager, see Planning for Client and Server Operating System Languages in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. Default Boot WIM The central administration site creates and deploys a new default boot WIM. This WIM becomes the new default WIM for use in the hierarchy. The boot WIM from the stand-alone primary site remains unmodified, and objects for operating system deployment that are based on this WIM continue to function.

Planning for Client and Server Operating System Languages in Configuration Manager
System Center 2012 Configuration Manager supports the display of information in multiple languages. By default, the Configuration Manager user interface displays in English although objects that an administrative user creates display in the Configuration Manager console and on the client in the language that is used to create them. In addition, you can install server and client
482

language packs to enable the user interface to display in a language that matches the preferences of the user. Use the information in the following sections to help you plan for language support by installing language packs. For information about how to manage language packs, see the Manage Language Packs at Configuration Manager Sites section in the Manage Site and Hierarchy Configurations topic.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for language support since Configuration Manager 2007: You no longer install site servers by using source files designed for a specific language. Additionally, you no longer install International Client Packs to support different languages on the client. Instead, you can choose to install only the server and client languages that you want to support. Available client and server language packs are included with the Configuration Manager installation media in the LanguagePack folder, and updates are available to download with the prerequisite files. You can add client and server language packs to a site when you install the site, and you can modify the language packs in use after the site installs.

You can install multiple languages at each site, and only need to install the languages that you use: Each site supports multiple languages for Configuration Manager consoles. At each site you can install individual client language packs, adding support for only the client languages that you want to support.

When you install support for a language that matches the display language of a computer, Configuration Manager consoles and the client user interface that run on that computer display information in that language. When you install support for a language that matches the language preference that is in use by the web browser of a computer, connections to web-based information, including the Application Catalog or SQL Server Reporting Services, display in that language.

About Language Packs

You add support for server and client language packs at the central administration site and at primary sites to enable Configuration Manager to display built-in text in a language that matches the users preference. Secondary sites automatically support the same client languages as their parent primary sites. For a list of supported languages, see the Supported Operating System Languages section in the Technical Reference for Language Packs in Configuration Manager topic.
483

Use server language packs for the Configuration Manager console and for site system roles such as the reporting services point. Use client language packs for Configuration Manager clients and the Application Catalog. The display language of a computer applies to the Configuration Manager console, client notifications, and Software Center. The display preference within a web browser applies to viewing reports and the Application Catalog. Note Even when language packs are installed, data created by an administrative user is not affected by using language packs.

Language packs use the following language preferences to display information:

When you run Setup, Configuration Manager copies the available languages from the LanguagePack folder on the Configuration Manager source media to the location that you specify for prerequisite downloads. If the source media is not accessible, Configuration Manager downloads language packs as part of the prerequisite files download. Additionally, any files that are missing or that have updates are also downloaded with the prerequisite files. Then, during Setup, you can select to add one or more of the available server and client language packs to the site. If you do not install language packs when you install a site server, you can add them later by running Setup on the site server. You must run Setup from the Start menu or by opening Setup.exe from the installation path, and then choose to modify the sites configuration. When you change the supported languages for a site Configuration Manager takes the following actions:
Language pack type Action

Server language pack

The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. The language files are copied to the ConsoleSetup folder. The site runs a site reset and reinstalls all site system roles at the site. For information about a site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. When you modify client languages at the top-tier site (central administration site or stand-alone primary site), the site modifies the client installation package, and updates
484

Client language pack

Language pack type

Action

this package on each distribution point in the hierarchy. When you modify client languages at a primary site, the site updates the Client folder on the site server and on management points in that site. The site copies updated files to each Application Catalog website point and management point, and if you modify support for mobile device clients, it also updates the files on the enrollment proxy point.

Planning for Server Language Packs

Add support for a server language to a site to enable Configuration Manager consoles and reporting services points to display information in the supported language. You can install multiple server language packs at each site in your hierarchy. Each server language pack that a site supports is added to the Configuration Manager console installation source files on that site server. Before a Configuration Manager console can display information in a supported language, you must add the language pack to the site and install the Configuration Manager console from source files that include that language. Reporting services points automatically update to support the display of information in the language packs that you install at a site.

Planning for Client Language Packs

Configuration Manager supports client languages for device clients and mobile device clients: When a Configuration Manager client installs on a device, it adds support for each client language packs that is included with the client installation files. When a Configuration Manager client installs on a mobile device, it adds support for all languages at the same time.

You can add support for client languages when you install a site, or by rerunning Setup on the site server computer after a site installs. Before a client can display information in a supported language, you must add support for the language to the clients site, and install the client from source files that include that language. You must add support for the client language packs before you install the client. When a site adds support for a client language pack, it updates the client installation files. The set of client installation files that the site updates depends on the sites location in the hierarchy:

485

The top-tier site of a hierarchy manages the client installation package. This package is automatically distributed to each distribution point in the hierarchy. By default, when a client installs, it uses this package for the client installation source files. Note The top-tier site can be a central administration site, or a stand-alone primary site.

Primary sites manage the client upgrade package and update the supported languages in the Client folder on the site server and on management points in that site. Clients use the installation source files from their primary site when the client installation process cannot access the client installation package on a distribution point, or when the client installation command-line property /source is used to specify the these files. Tip When you use a central administration site, ensure that a client installs the client language packs you expect by adding support for each language pack to the central administration site and to each primary site.

When you change the supported client languages at a top-tier site, allow time for the client installation package to replicate to distribution points in your hierarchy. You can monitor the redistribution of the package to distribution points by using the Content Status node in the Monitoring workspace of the Configuration Manager console. For more information, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Alternately, you can monitor progress by viewing status messages for the redistribution of the package: The client installation package name is Configuration Manager Client Package. Distribution points generate a status message with Message ID 2330 when the package successfully updates on that distribution point.

After a new site server installs with support for client language packs, or after an existing site server updates the distribution points with the language pack changes, you can install new clients or reinstall existing clients on computers to add support for supported client language packs. Important Configuration Manager does not support reinstalling the mobile device client without first wiping the mobile device. Therefore, if you plan to support non-English mobile devices, enable support for mobile device client languages before you install the Configuration Manager mobile device client. When the Configuration Manager client installs on a new computer, CCMSetup modifies the Windows Installer command line to add support for each language pack that is included with the client installation source files. To update an existing client with new language packs, you must upgrade or reinstall the client. For example, you can modify the languages supported on a computer when you redeploy the client software by using client push installation or software deployment.

486

The following table lists the client upgrade and installation methods that are not supported for managing the language pack support for a previously installed client.
Method Details

Repairing

A Windows Installer repair action reuses the Windows Installer command line last used to install the client, as stored in the registry of the client computer. This command line will not reference new client language packs. This type of upgrade fails because automatic upgrades are based on a change of client version. New language packs do not change the client version. Software update points rely on a change of client version to install the client. New language packs do not change the client version.

Automatic client upgrade

Software update-based client installation

For information about how clients access source files for installation, see How to Install Clients on Windows-Based Computers in Configuration Manager. For information about client installation properties, see About Client Installation Properties in Configuration Manager

Best Practices for Managing Language Packs

Use the following best practices information to help you use language packs in System Center 2012 Configuration Manager.

Install languages at the time you install a site

When you modify the language packs that are supported at the top-tier site of a hierarchy, the site initiates an update of the client installation package on each distribution point in the hierarchy, reinstalls applicable site system roles, and performs a site reset. Additionally, you must reinstall clients before they can use new language packs that you add to their site.

When you add support for client language packs to your central administration site, also add these client language packs to each primary site
When you modify the client language packs at a site, the client installation files that update depend on the sites location in the hierarchy. When a client installs, it might use the client installation package that is managed by the top-tier site of the hierarchy, or it can fall back to using source files from the management point in the clients assigned s ite when it cannot access the client installation package on a distribution point.
487

Planning for the Configuration Manager Console

Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central administration site, or a primary site. After the initial connection is made, the Configuration Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site. To connect to a different site when you use the Configuration Manager console, on the Application Menu, select Connect to a New Site, and then specify the name of the site server. You can also specify a connection to a specific site when you open a new instance of the Configuration Manager console. To do so, you must specify the site server name as part of the command line to open the Configuration Manager console. For example, to connect to a site that runs on Server1, at the command prompt, type %path%\microsoft.configurationmanagement.exe Server1. Configuration Manager does not limit the number of simultaneous Configuration Manager console connections to a primary site or central administration site. When you connect to the central administration site, you can view and configure data for all sites in the hierarchy. If you have a central administration site but connect the Configuration Manager console directly to a primary site, you can view and manage Configuration Manager data from this connection, but you cannot see data from other primary sites or from the secondary sites of other primary sites. However, if you do not have a central administration site because your hierarchy has a stand-alone primary site, you can use the Configuration Manager console to access all the data in your hierarchy. Important When you manage objects or clients by using a Configuration Manager console that is connected to a child primary site in a hierarchy with other primary sites, the changes you make replicate throughout the hierarchy to other primary sites, even though you cannot see data from those other primary sites. Note When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. After the evaluation period ends, the Configuration Manager console connects as a read-only console.

About the Read-Only Console

When you connect a Configuration Manager console to a primary site, there are certain conditions that result in the Configuration Manager console connecting as a read-only console. The read-only console lets you view objects and configuration settings but prevents you from making any changes that could be lost when the primary site completes initialization or is synchronized with the central administration site after replication issues are resolved.
488

Read-only consoles are established for the following reasons: You connect to a primary site before it completes the Configuration Manager site installation. You connect to a primary site that has intersite replication problems. You connect to a primary site during a site restoration of that site. You connect to a primary site when that site is initializing global data.

After the primary site is fully initialized, or replication issues between that site and the central administration site are resolved, you must close, and then reconnect the Configuration Manager console to establish a normal session where you can manage objects and configurations. Note A Configuration Manager console that connects to an evaluation installation of Configuration Manager after the evaluation period of 180 days ends will connect as a read-only console.

Planning for Multiple Administrative Users and Global Data Replication in Configuration Manager
Use the following sections to help you plan for multiple administrative users who access objects and configuration settings that are shared between sites. This data is referred to as global data, and it is available throughout the hierarchy.

About Multiple Edits to Global Data in Configuration Manager

Because different administrative users at one or more sites can attempt to manage the same object at the same time, Configuration Manager prevents one administrative user from editing an object if another administrative user in the hierarchy is currently editing the same object. When an object you want to manage is already in use, you have the option to view the object as a readonly instance, or to retry to obtain ownership of the object. If you retry to obtain ownership and the object is no longer in use by another administrative user, you are granted ownership and can edit the object. Do not confuse the read-only status for an object you want to manage with the readonly Configuration Manager console. Unlike the read-only console, this is an object-specific condition that is temporary and based on the individual objects current availability. This condition is not related to the status of the site to which your Configuration Manager console connects. Configuration Manager also resolves edits to an object when those edits are made at different sites when one of the sites is unable to replicate data. This scenario might occur if a network link is disconnected. In this scenario, the first edit to an object that replicates to the central administration site takes precedence over a later edit from the primary site that was unable to replicate the data.

489

About Data Access From the Configuration Manager Console

Use role-based administration to define the objects in the hierarchy that administrative users can see in the Configuration Manager console and the permissions that they have for those objects. Use a combination of security roles, security scopes, and collections to help manage access to data throughout the hierarchy for each administrative user. For more information, see Planning for Security in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning to Upgrade System Center 2012 Configuration Manager

System Center 2012 Configuration Manager supports the upgrade of the version of a Configuration Manager site by installing a service pack or upgrading System Center 2012 Configuration Manager SP1 to System Center 2012 R2 Configuration Manager. When you upgrade Configuration Manager, plan for the changes that are required to install the new version, and the changes that the new version introduces. Changes in a new product version might require you to modify pre-upgrade configurations to support the upgrade, such as new prerequisites for site system roles. Also plan to modify post-upgrade configurations, which include the reconfiguration of some settings and the upgrade of Configuration Manager clients and Configuration Manager consoles. Note System Center 2012 Configuration Manager does not support an upgrade from Configuration Manager 2007 or earlier product versions. Additionally, you cannot share a site system server or site system role between a Configuration Manager 2007 site and a System Center 2012 Configuration Manager site. Before you install a System Center 2012 Configuration Manager site system role on a computer, you must uninstall all site system roles from the Configuration Manager 2007 site. The only exceptions are distribution points that you share between hierarchies during migration. For more information, see the Share Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. Tip In a hierarchy, before you can upgrade a child site, the parent site of that site must complete its upgrade to the new version. Use the information in the following sections to plan for upgrading Configuration Manager sites to a new version.
490

Planning to Upgrade to Configuration Manager SP1 Configuration Manager SP1 Upgrade Checklist Considerations for Upgrading to Configuration Manager SP1 System Center 2012 R2 Configuration Manager Upgrade Checklist Considerations for Upgrading to System Center 2012 R2 Configuration Manager

Planning to Upgrade to System Center 2012 R2 Configuration Manager

Support for Uninstalling a Service Pack

Planning to Upgrade to Configuration Manager SP1

Configuration Manager supports installing System Center 2012 Configuration Manager Service Pack 1 (SP1) to upgrade a site that runs System Center 2012 Configuration Manager with no service pack. You can run the service pack upgrade on the site servers of central administration sites and primary sites. After a primary site upgrades to System Center 2012 Configuration Manager SP1, you can then use the Configuration Manager console to upgrade secondary sites to Configuration Manager SP1. Use the information in the following sections to help you plan for the upgrade to Configuration Manager SP1.

What's New in Configuration Manager SP1

The following items are new or have changed for installing Configuration Manager SP1: You can install a new System Center 2012 Configuration Manager SP1 site, or upgrade an existing site that runs Configuration Manager with no service pack. You can expand a stand-alone primary site that runs Configuration Manager SP1. When you expand a primary site, you install a new central administration site that becomes the parent site of the existing primary site.

Configuration Manager SP1 Upgrade Checklist

Use the information in the following check list to help you identify and plan for pre-upgrade configuration modifications and additional actions that are related to upgrading your sites and hierarchy to Configuration Manager SP1.
Step More information

Ensure that your computing environment meets the supported configurations that are required for upgrading to System Center 2012 Configuration Manager SP1.

Before you upgrade to Configuration Manager SP1, install the required prerequisites on each computer that hosts a site system role. Several site system roles require new or upgraded prerequisites.
491

Step

More information

For example, to deploy an operating system, Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK). Before you run Setup, you must download and install Windows ADK on the site server and on each computer that runs an instance of the SMS Provider. For general information about supported platforms and prerequisite configurations, see Supported Configurations for Configuration Manager. For information about how to use the Windows ADK with Configuration Manager, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Review the site and hierarchy status and verify that there are no unresolved issues. Before you upgrade a site, resolve all operational issues for the site server, the site database server, and site system roles that are installed on remote computers. A site upgrade can fail due to existing operational problems. For information about the status of sites and site system roles, see Monitor Configuration Manager Sites and Hierarchy. Install all applicable critical updates for operating systems on computers that host the site, the site database server, and remote site system roles. Before you upgrade a site, install any critical updates for each applicable site system. If an update that you install requires a restart, restart the applicable computers before you start the service pack update. For more information, see Windows Update. Disable database replicas for management points at primary sites. Configuration Manager cannot successfully upgrade a primary site that has a database replica for management points enabled. Disable database replication before you create the backup of the site database to test the database upgrade, and before you upgrade the production site to Configuration Manager SP1.
492

Step

More information

For more information, see Configure Database Replicas for Management Points. Reconfigure software update points that use NLBs. Configuration Manager cannot upgrade a site that uses a Network Load Balancing (NLB) cluster to host software update points. For more information, see the Upgrading from Configuration Manager with No Service Pack to Configuration Manager SP1 section in the Planning for Software Updates in Configuration Manager topic. Before you upgrade a site, back up the site database to ensure that you have a successful backup to use for disaster recovery. For more information, see Backup and Recovery in Configuration Manager. Disable all site maintenance tasks at each site for the duration of that sites upgrade. Before you upgrade the version of a Configuration Manager site, disable any site maintenance task that might run at that site during the time the upgrade process is active. This includes but is not limited to the following: Backup Site Server Delete Aged Client Operations Delete Aged Discovery Data

Back up the site database at the central administration site and primary sites.

When a site database maintenance task runs during the upgrade process, the site upgrade can fail. Before you disable a task, record the schedule of the task so you can restore its configuration after the site upgrade completes. For more information about site maintenance tasks, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic Create a copy of each built-in collection that you have modified. When you upgrade to Configuration Manager SP1, the built-in collections are overwritten in the site database. If you have customized a built-in collection, create a copy
493

Step

More information

of that collection before you upgrade. In Configuration Manager SP1, the built-in collections are read-only and cannot be modified. Run Setup Prerequisite Checker. Configuration Manager SP1 introduces new prerequisite checks. Before you upgrade a site, you can run the Prerequisite Checker independently from Setup to validate that your site meets the prerequisites. When you upgrade the site, Prerequisite Checker runs again. For more information, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For information about prerequisite checks, see Technical Reference for the Prerequisite Checker in Configuration Manager. Download prerequisite files and redistributable files for Configuration Manager SP1. Use Setup Downloader from the Configuration Manager SP1 source media to download prerequisite redistributable files, Configuration Manager SP1 language packs, and the latest product updates for the service pack upgrade. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Plan to manage server and client languages when you upgrade a site. Configuration Manager SP1 supports the same server and client languages as Configuration Manager with no service pack, and it also supports additional languages that are introduced with Configuration Manager SP1. However, when you upgrade to Configuration Manager SP1, the site upgrade installs new versions of each language pack. When you run Setup, Setup reviews the current language configuration of your site, and then identifies the language packs that are available in the folder where you store previously downloaded prerequisite files. You can then
494

Step

More information

affirm the selection of the current server and client language packs, or change the selections to add or remove support for languages. Only those language packs are available that are available with the prerequisite files that you download. Important Server and client language packs are service pack version-specific. You cannot use the language packs from Configuration Manager with no service pack to enable languages for a Configuration Manager SP1 site. If you have previously installed a language pack for servers or clients at a site, and a Configuration Manager SP1 version of that language pack is not available with the prerequisite files, that language cannot be selected. Support for that language is removed from the site when it upgrades. For more information about language packs, see the Planning for Client and Server Operating System Languages in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Plan for new site system role prerequisites. Important Prerequisite Checker for Configuration Manager does not verify the prerequisites for site system roles on the site server or on remote computers. Several site system roles have new prerequisites for Configuration Manager SP1. Before you upgrade a site, verify that each computer that hosts a site system role meets any new prerequisites for Configuration Manager SP1. During a site upgrade, Configuration Manager automatically upgrades site system roles at the site by reinstalling each site system role. When prerequisites are not met, the site system role might not reinstall or might reinstall, but might
495

Step

More information

fail to operate correctly. For information about prerequisites for site system roles, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Review the list of considerations for site upgrades. When you upgrade a site, some features and configurations reset to a default configuration. To help you plan for these and related changes in Configuration Manager SP1, review the information in the Considerations for Upgrading to Configuration Manager SP1 section in this topic. Before you upgrade a Configuration Manager central administration site or primary site to a new service pack, plan to test the site database upgrade process on a copy of the site database. You should test the site database upgrade process, because when you upgrade a site, the site database might be modified and although a test database upgrade is not required, it can identify problems for the upgrade before your production database is affected. A failed site database upgrade can render your site database inoperable and might require a site recovery to restore functionality. Note Configuration Manager supports neither the backup of secondary sites nor the test upgrade of a secondary site database. Although the site database is shared between sites in a hierarchy, plan to test the database at each applicable site before you upgrade that site. If you use database replicas for management points at a primary site, disable replication before you create the backup of the site database. Important It is not supported to run a test
496

Test the database upgrade process on a copy of the most recent site database backup.

Step

More information

database upgrade on the production site database. Doing so upgrades the site database and could render your site inoperable. For more information, see the Test the Configuration Manager Site Database for the Upgrade section in the Upgrade Configuration Manager to a New Service Pack topic. Restart the site server and each computer that Internal process that is company-specific. hosts a site system role to ensure that there are no pending actions from a recent installation of updates or from prerequisites. Install the service pack. Starting at the top-level site in the hierarchy, run Setup.exe from the Configuration Manager SP1 source media. After the top-level site completes the upgrade to Service Pack 1, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy upgrade to the same service pack version, your hierarchy operates in a mixed service pack version mode. For information about how to run the service pack installation, see the Upgrade a Configuration Manager Site section in the Upgrade Configuration Manager to a New Service Pack topic. For information about operating a Configuration Manager hierarchy in mixed mode, see the Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager section in the Interoperability between Different Versions of Configuration Manager topic. Upgrade stand-alone Configuration Manager consoles. By default, when you upgrade a central administration site or primary site, the installation also upgrades a Configuration Manager console that is installed on the site server. However, you must manually upgrade
497

Step

More information

each Configuration Manager console that is installed on a computer other than the site server. Tip When you use a Configuration Manager console that is of a lower service pack version than the site that you connect to, the console cannot display or create some objects and information that are available in the new service pack version. When you use a Configuration Manager console that is of a higher service pack version than the site that you connect to, the connection is blocked. When you upgrade a Configuration Manager console, the installation process uninstalls the existing Configuration Manager console, and then installs the new version of the software. Therefore, to upgrade a Configuration Manager console on computers other than site servers, you can use any method that Configuration Manager supports to install the Configuration Manager console. These supported methods can include a manual installation or a deployment that installs the console. Important Close an open Configuration Manager console before you start the upgrade. The installation process cannot upgrade an open console. For more information about how to install the Configuration Manager console, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Reconfigure database replicas for management If you use database replicas for management points at primary sites. points at primary sites, you must uninstall the database replicas before you upgrade the site.
498

Step

More information

After you upgrade a primary site, reconfigure the database replica for management points. For more information, see the Configurations for Using a Database Replica section in the Configure Database Replicas for Management Points topic. Reconfigure any database maintenance tasks you disabled prior to the upgrade. If you disabled database maintenance tasks at a site prior to the upgrade, reconfigure those tasks at the site using the same settings that were in place prior to the upgrade. After you upgrade a primary site, plan to upgrade clients that are assigned to that site. Although a Configuration Manager primary site or secondary site can support communication from clients that have a lower service pack version, this communication should be a temporary configuration. Clients that run a previous service pack version of Configuration Manager cannot use the new functionality that is available with the new service pack version of Configuration Manager. When you upgrade a client, the current client software is uninstalled and the new client software version is installed. To upgrade clients, you can use any method that Configuration Manager supports. Tip When you upgrade the top-level site of a hierarchy to a new service pack, the client installation package on each distribution point in the hierarchy is also updated. When you upgrade a primary site, the client upgrade package that is available from that primary site is updated. For information about how to upgrade existing clients and how to install new clients, see How to Install Clients on Windows-Based Computers in Configuration Manager.
499

Upgrade clients.

Considerations for Upgrading to Configuration Manager SP1

Use the following information to help you prepare for changes to sites and the hierarchy when you upgrade to Configuration Manager SP1. Automatic actions: When you upgrade a Configuration Manager site to a new service pack, the following actions occur automatically: The site performs a site reset, which includes a reinstallation of all site system roles. If the site is the top-level site of a hierarchy, it updates the client installation package on each distribution point in the hierarchy. If the site is a primary site, it updates the client upgrade package for that site.

Manual actions for the administrative user after an upgrade: After you upgrade a Configuration Manager site to a new service pack, ensure that the following actions are performed: Ensure that clients that are assigned to each primary site upgrade and install the client software for the new service pack. Upgrade each Configuration Manager console that connects to the site and that runs on a computer that is remote from the site server. At primary sites where you use database replicas for management points, reconfigure the database replicas for Configuration Manager SP1.

Actions that affect configurations and settings: When a site upgrades to Configuration Manager SP1, some configurations and settings do not persist after the upgrade or are set to a new default configuration. The following table includes configurations and settings that do not persist or that change, and provides details to help you plan for them during a site upgrade.
Configuration or setting Details

Software Center

When you upgrade to Configuration Manager SP1, the following Software Center items are reset to their default values Work information is reset to business hours from 5.00am to 10.00pm Monday to Friday. The value for Computer maintenance is set to Suspend Software Center activities when my computer is in presentation mode. The value for Remote control is set to the value in the client settings that are assigned to the computer.

Software update summarization schedules

When you upgrade to Configuration Manager SP1, custom summarization

500

Configuration or setting

Details

schedules for software updates or software update groups are reset to the default value of 1 hour. After the upgrade finishes, reset custom summarization values to the required frequency.

Planning to Upgrade to System Center 2012 R2 Configuration Manager

Configuration Manager supports installing System Center 2012 R2 Configuration Manager to upgrade a site that runs Configuration Manager SP1. You can run the upgrade on the site servers of central administration sites and primary sites. After a primary site upgrades, you can then use the Configuration Manager console to upgrade secondary sites to System Center 2012 R2 Configuration Manager. It is not supported to upgrade a site that runs System Center 2012 Configuration Manager with no service pack to System Center 2012 R2 Configuration Manager. Instead, you must first upgrade to System Center 2012 Configuration Manager with SP1, and then upgrade to System Center 2012 R2 Configuration Manager. Use the information in the following sections to help you plan for the upgrade to System Center 2012 R2 Configuration Manager.

Whats New in System Center 2012 R2 Configuration Manager

The following items are new or have changed for installing System Center 2012 R2 Configuration Manager: You can install a new System Center 2012 R2 Configuration Manager site, or upgrade an existing site that runs Configuration Manager with SP1. When you run Setup to install a new primary site or central administration site, you can select non-default locations for the site database files. The option to specify non-default file locations is not available when you specify a SQL Server cluster.

System Center 2012 R2 Configuration Manager Upgrade Checklist

Use the information in the following check list to help you identify and plan for pre-upgrade configuration modifications and additional actions that are related to upgrading your sites and hierarchy to System Center 2012 R2 Configuration Manager.
Step More information

Ensure all sites in the hierarchy run System Center 2012 Configuration Manager with SP1.

You cannot upgrade a site to System Center 2012 R2 Configuration Manager until all sites in the hierarchy run System Center 2012 Configuration Manager with SP1. The version
501

Step

More information

of cumulative updates for Configuration Manager that are installed at sites is not evaluated and you can upgrade a System Center 2012 Configuration Manager SP1 site regardless of the cumulative update version that is installed, or even when no cumulative update is installed. Ensure that your computing environment meets the supported configurations that are required for upgrading to System Center 2012 R2 Configuration Manager. Before you upgrade to System Center 2012 R2 Configuration Manager, install the required prerequisites on each computer that hosts a site system role. Several site system roles require new or upgraded prerequisites. For example, to deploy an operating system, System Center 2012 R2 Configuration Manager uses Windows Assessment and Deployment Kit 8.1 instead of Windows Assessment and Deployment Kit 8.0. Before you run Setup, on the site server and on each computer that runs an instance of the SMS Provider you must uninstall the Windows Assessment and Deployment Kit 8.0, and then download and install Windows Assessment and Deployment Kit 8.1. For general information about supported platforms and prerequisite configurations, see Supported Configurations for Configuration Manager. For information about how to use the Windows Assessment and Deployment Kit 8.1 with Configuration Manager, see the Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Review the site and hierarchy status and verify that there are no unresolved issues. Before you upgrade a site, you must resolve all operational issues for the site server, the site database server, and site system roles that are installed on remote computers. A site upgrade can fail due to existing operational problems. For information about the status of sites and
502

Step

More information

site system roles, see Monitor Configuration Manager Sites and Hierarchy. Install all applicable critical updates for operating systems on computers that host the site, the site database server, and remote site system roles. Before you upgrade a site, install any critical updates for each applicable site system. If an update that you install requires a restart, restart the applicable computers before you start the upgrade. For more information, see Windows Update. Review requirements for any add-ins or extensions for Configuration Manager that you use. Before you upgrade a site, review available details for product add-ins and extensions that you use with Configuration Manager to ensure compatibility or potential issues during or after the upgrade of the Configuration Manager site. Configuration Manager cannot successfully upgrade a primary site that has a database replica for management points enabled. Disable database replication before you create the backup of the site database to test the database upgrade, and before you upgrade the production site to System Center 2012 R2 Configuration Manager. For more information, see Configure Database Replicas for Management Points. Reconfigure software update points that use NLBs. Configuration Manager cannot upgrade a site that uses a Network Load Balancing (NLB) cluster to host software update points. If you use NLB clusters for software update points, use PowerShell to remove the NLB cluster. (Beginning with Configuration Manager SP1, there is no option in the Configuration Manager console to configure an NLB cluster. For more information, see section in the Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1 section in the Planning for Software Updates in Configuration Manager topic. Back up the site database at the central administration site and primary sites. Before you upgrade a site, back up the site database to ensure that you have a successful
503

Disable database replicas for management points at primary sites.

Step

More information

backup to use for disaster recovery. For more information, see Backup and Recovery in Configuration Manager. Disable all site maintenance tasks at each site for the duration of that sites upgrade. Before you upgrade the version of a Configuration Manager site, disable any site maintenance task that might run at that site during the time the upgrade process is active. This includes but is not limited to the following: Backup Site Server Delete Aged Client Operations Delete Aged Discovery Data

When a site database maintenance task runs during the upgrade process, the site upgrade can fail. Before you disable a task, record the schedule of the task so you can restore its configuration after the site upgrade completes. For more information about site maintenance tasks, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic. Run Setup Prerequisite Checker. System Center 2012 R2 Configuration Manager introduces new prerequisite checks. Before you upgrade a site, you can run the Prerequisite Checker independently from Setup to validate that your site meets the prerequisites. When you upgrade the site, Prerequisite Checker runs again. For more information, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For information about prerequisite checks, see Technical Reference for the Prerequisite Checker in Configuration Manager. Download prerequisite files and redistributable files for System Center 2012 R2 Configuration Manager. Use Setup Downloader from the System Center 2012 R2 Configuration Manager source media to download prerequisite redistributable files,
504

Step

More information

language packs, and the latest product updates for the product version upgrade. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Prepare to upgrade secondary sites With System Center 2012 R2 Configuration Manager, when you plan to upgrade an existing secondary site that uses SQL Server 2012 Express with no service pack, or retry a failed secondary site installation, you must first apply cumulative update 2 to the SQL Server 2012 Express installation on the secondary site server. This is because, when System Center 2012 R2 Configuration Manager installs SQL Server Express as part of a new secondary site installation, it installs SQL Server 2012 Express with no service pack and is unable to install the required cumulative update 2 as part of the installation. When you direct Configuration Manager to install SQL Server Express as part of a new site, the prerequisite check does not detect an existing installation of SQL Server Express, and then installs SQL Server Express as part of the site installation. During an upgrade or retry, if an existing version of SQL Server Express is detected that does not meet the minimum version requirement for System Center 2012 R2 Configuration Manager of SQL Server 2012 Express with no service pack and cumulative update 2, the upgrade or retry will fail. System Center 2012 R2 Configuration Manager supports the same server and client languages as prior versions. However, when you upgrade the site, the upgrade process installs new versions of each language pack. When you run Setup, Setup reviews the current language configuration of your site, and then identifies the language packs that are available
505

Plan to manage server and client languages when you upgrade a site.

Step

More information

in the folder where you store previously downloaded prerequisite files. You can then affirm the selection of the current server and client language packs, or change the selections to add or remove support for languages. Only those language packs are available that are available with the prerequisite files that you download. Important Server and client language packs are service pack version-specific. You cannot use the language packs from Configuration Manager SP1 to enable languages for a System Center 2012 R2 Configuration Manager site. If you have previously installed a language pack for servers or clients at a site, and a version of that language pack is not available with the prerequisite files of the upgrade files, that language cannot be selected. Support for that language is removed from the site when it upgrades. For more information about language packs, see the Planning for Client and Server Operating System Languages in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Plan for prerequisites for new site system roles, and ensure site system servers still meet prerequisite for installed site system roles. Important Prerequisite Checker for Configuration Manager does not verify the prerequisites for site system roles on the site server or on remote computers. During a site upgrade, Configuration Manager automatically upgrades site system roles at the site by reinstalling each site system role. When prerequisites are not met, the site system role might not reinstall or might reinstall, but might fail to operate correctly. For information about prerequisites for site system roles, see the Site System Requirements section in the Supported
506

Step

More information

Configurations for Configuration Manager topic. Review the list of considerations for site upgrades. When you upgrade a site, some features and configurations reset to a default configuration. To help you plan for these and related changes in System Center 2012 R2 Configuration Manager, review the information in the Considerations for Upgrading to System Center 2012 R2 Configuration Manager section in this topic. Before you upgrade a Configuration Manager central administration site or primary site, plan to test the site database upgrade process on a copy of the site database. You should test the site database upgrade process, because when you upgrade a site, the site database might be modified and although a test database upgrade is not required, it can identify problems for the upgrade before your production database is affected. A failed site database upgrade can render your site database inoperable and might require a site recovery to restore functionality. Note Configuration Manager supports neither the backup of secondary sites nor the test upgrade of a secondary site database. Although the site database is shared between sites in a hierarchy, plan to test the database at each applicable site before you upgrade that site. If you use database replicas for management points at a primary site, disable replication before you create the backup of the site database. Important It is not supported to run a test database upgrade on the production site database. Doing so upgrades the site database and could render your site inoperable. Also, do not restore the
507

Test the database upgrade process on a copy of the most recent site database backup.

Step

More information

copy of the database that you use to test he database upgrade to the same SQL Server that hosts the production database. This is because the same SQL Server Service Broker endpoints can be used by each copy of the database, and messages sent to the copy during the upgrade test can be picked up by the production database, and vice versa. For more information, see the Test the Configuration Manager Site Database for the Upgrade section in the Upgrade Configuration Manager to a New Service Pack topic. Restart the site server and each computer that Internal process that is company-specific. hosts a site system role to ensure that there are no pending actions from a recent installation of updates or from prerequisites. Install System Center 2012 R2 Configuration Manager. Starting at the top-level site in the hierarchy, run Setup.exe from the System Center 2012 R2 Configuration Manager source media. After the top-level site completes the upgrade and replication is Active, you can begin the upgrade of each child site. Complete the upgrade of each site before you begin to upgrade the next site. Until all sites in your hierarchy upgrade to the new product version, your hierarchy operates in a mixed version mode. For information about how to run the upgrade installation, see the Upgrade a Configuration Manager Site section in the Upgrade Configuration Manager to a New Service Pack topic. For information about operating a Configuration Manager hierarchy in mixed mode, see the Interoperability between Sites with Different Service Pack Versions in System Center 2012 Configuration Manager section in the Interoperability between Different Versions of
508

Step

More information

Configuration Manager topic. Upgrade stand-alone Configuration Manager consoles. By default, when you upgrade a central administration site or primary site, the installation also upgrades a Configuration Manager console that is installed on the site server. However, you must manually upgrade each Configuration Manager console that is installed on a computer other than the site server. When you upgrade a Configuration Manager console, the installation process uninstalls the existing Configuration Manager console, and then installs the new version of the software. Therefore, to upgrade a console on computers other than site servers, you can use any method that Configuration Manager supports to install the Configuration Manager console. These supported methods can include a manual installation or a deployment that installs the console. Important Close an open Configuration Manager console before you start the upgrade. The installation process cannot upgrade an open console. For more information about how to install the Configuration Manager console, see the Install a Configuration Manager Console section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Reconfigure database replicas for management If you use database replicas for management points at primary sites. points at primary sites, you must uninstall the database replicas before you upgrade the site. After you upgrade a primary site, reconfigure the database replica for management points. For more information, see the Configurations for Using a Database Replica section in the Configure Database Replicas for Management Points topic.
509

Step

More information

Reconfigure any database maintenance tasks you disabled prior to the upgrade.

If you disabled database maintenance tasks at a site prior to the upgrade, reconfigure those tasks at the site using the same settings that were in place prior to the upgrade. After you upgrade a primary site, plan to upgrade clients that are assigned to that site. Although a Configuration Manager primary site or secondary site can support communication from clients that have a lower service pack version (including clients that run Configuration Manager SP1 talking to a site that runs System Center 2012 R2 Configuration Manager), this communication should be a temporary configuration. Clients that run a previous service pack version of Configuration Manager cannot use the new functionality that is available with the new version of Configuration Manager. When you upgrade a client, the current client software is uninstalled and the new client software version is installed. To upgrade clients, you can use any method that Configuration Manager supports. Tip When you upgrade the top-level site of a hierarchy to a new service pack, the client installation package on each distribution point in the hierarchy is also updated. When you upgrade a primary site, the client upgrade package that is available from that primary site is updated. For information about how to upgrade existing clients and how to install new clients, see How to Install Clients on Windows-Based Computers in Configuration Manager.

Upgrade clients.

510

Considerations for Upgrading to System Center 2012 R2 Configuration Manager

Use the following information to help you prepare for changes to sites and the hierarchy when you upgrade to System Center 2012 R2 Configuration Manager. Automatic actions: When you upgrade a Configuration Manager site to a new version, the following actions occur automatically: The site performs a site reset, which includes a reinstallation of all site system roles. If the site is the top-level site of a hierarchy, it updates the client installation package on each distribution point in the hierarchy. The site also updates the default boot images to use the new Windows PE version that is included with the Windows Assessment and Deployment Kit 8.1 and System Center 2012 R2 Configuration Manager. If the site is a primary site, it updates the client upgrade package for that site.

Manual actions for the administrative user after an upgrade: After you upgrade a Configuration Manager site to a new version, ensure that the following actions are performed: Ensure that clients that are assigned to each primary site upgrade and install the client software for the new version. Upgrade each Configuration Manager console that connects to the site and that runs on a computer that is remote from the site server. At primary sites where you use database replicas for management points, reconfigure the database replicas for System Center 2012 R2 Configuration Manager.

Actions that affect configurations and settings: When a site upgrades to System Center 2012 R2 Configuration Manager, some configurations and settings do not persist after the upgrade or are set to a new default configuration. The following table includes configurations and settings that do not persist or that change, and provides details to help you plan for them during a site upgrade.
Configuration or setting Details

Software Center

When you upgrade to System Center 2012 R2 Configuration Manager, the following Software Center items are reset to their default values Work information is reset to business hours from 5.00am to 10.00pm Monday to Friday. The value for Computer maintenance is set to Suspend Software Center activities when my computer is in presentation mode. The value for Remote control is set to the value in the client settings that are assigned to the computer.

Software update summarization schedules

When you upgrade to System Center 2012 R2

511

Configuration or setting

Details

Configuration Manager, custom summarization schedules for software updates or software update groups are reset to the default value of 1 hour. After the upgrade finishes, reset custom summarization values to the required frequency.

Support for Uninstalling a Service Pack

Configuration Manager does not support uninstalling service packs, and does not support uninstalling System Center 2012 R2 Configuration Manager to restore System Center 2012 Configuration Manager with SP1. However, Configuration Manager does provide limited support for uninstalling updates from clients. Updates are installed when you deploy updates from a cumulative update to a Configuration Manager client. For more information about updates, see Update System Center 2012 Configuration Manager. Use the information in the following sections to help restore Configuration Manager to an earlier service pack version.

Downgrading Configuration Manager Sites

Configuration Manager does not support the removal of a service pack to restore a site to a previous version. Instead, uninstall all site system roles and uninstall the Configuration Manager site. After the site is uninstalled, you can then reinstall a site with the version of Configuration Manager that you require. However, because sites in a Configuration Manager hierarchy share a common database, you cannot uninstall a site without first uninstalling its child sites. Additionally, when you reinstall sites, you cannot install a site that uses a lower service pack version than its parent site.

Downgrading Configuration Manager Clients

Configuration Manager does not support the removal of a service pack version from a Configuration Manager client. Instead, uninstall the client, and then reinstall the client software from the appropriate Configuration Manager version.

Downgrading Configuration Manager Consoles

Configuration Manager does not support downgrading a Configuration Manager console to a console of a previous version or service pack. Instead, uninstall the Configuration Manager console, and then reinstall the Configuration Manager console for the version that you require.

512

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Publishing of Site Data to Active Directory Domain Services

If you extend the Active Directory schema for System Center 2012 Configuration Manager, you can publish Configuration Manager sites to Active Directory Domain Services so that Active Directory computers can securely retrieve site information from a trusted source. Although publishing site information to Active Directory Domain Services is not required for basic Configuration Manager functionality, this configuration can reduce administrative overhead.

When you extend the Active Directory schema for Configuration Manager and a site is configured to publish to Active Directory Domain Services, Configuration Manager clients can automatically find management points through Active Directory publishing using an LDAP query to a global catalog server. If you do not extend the Active Directory schema for Configuration Manager, management points cannot be published to Active Directory Domain Services and clients must have an alternative mechanism to locate their default management point. For information about service location by clients, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. The following are prerequisites you must configure before a Configuration Manager site can publish site data to Active Directory Domain Services: You must extend the Active Directory schema in each forest where you will publish site data. For more information, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. You must configure Active Directory Forests for use with Configuration Manager, and enable publishing to the forests you want to use. For information, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic. You must enable publishing at each site that will publish its data to Active Directory Domain Services. For information, see Configuring Sites to Publish to Active Directory Domain Services.

See Also
Planning for Configuration Manager Sites and Hierarchy

513

Planning for Discovery in Configuration Manager

System Center 2012 Configuration Manager discovery identifies computer and user resources that you can manage by using Configuration Manager. It can also discover the network infrastructure in your environment. Discovery creates a discovery data record (DDR) for each discovered object and stores this information in the Configuration Manager database. When discovery of a resource is successful, discovery puts information about the resource in a file that is referred to as a discovery data record (DDR). DDRs are in turn processed by site servers and entered into the Configuration Manager database where they are then replicated by database-replication with all sites. The replication makes discovery data available at each site in the hierarchy, regardless of where it was discovered or processed. You can use discovery information to create custom queries and collections that logically group resources for management tasks such as the assignment of custom client settings and software deployments. Computers must be discovered before you can use client push installation to install the Configuration Manager client on devices. Use the following sections to help you plan for discovery in Configuration Manager: Discovery Methods in Configuration Manager Decide Which Discovery Methods to Use About Active Directory System, User, and Group Discovery Methods Shared Discovery Options Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery

About Active Directory Forest Discovery About Delta Discovery About Heartbeat Discovery About Network Discovery About Discovery Data Records Decide Where to Run Discovery Best Practices for Discovery

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager introduces the following changes for discovery:
514

Each discovery data record is processed and entered into the database one time only, at a primary site or central administration site, and then the discovery data record is deleted without additional processing. Discovery information entered into the database at one site is shared to each site in the hierarchy by using Configuration Manager database replication. Active Directory Forest Discovery is a new discovery method that can discover subnets and Active Directory sites, and can add them as boundaries for your hierarchy. Active Directory System Group Discovery has been removed. Active Directory Security Group Discovery is renamed to Active Directory Group Discovery and discovers the group memberships of resources. Active Directory System Discovery and Active Directory Group Discovery support options to filter out stale computer records from discovery. Active Directory System, User, and Group Discovery support Active Directory Delta Discovery. Delta Discovery is improved from Configuration Manager 2007 R3 and can now detect when computers or users are added or removed from a group.

Discovery Methods in Configuration Manager

Before you enable discovery methods for Configuration Manager, ensure you understand what each method can discover. Because discovery can generate a large volume of network traffic, and the resultant DDRs can result in a significant use of CPU resources during processing, plan to use only those discovery methods that you require to meet your goals. You could use only one or two discovery methods to be successful, and you can always enable additional methods in a controlled manner to extend the level of discovery in your environment. Use the following table to help you plan for each of the six configurable discovery methods.
Discovery method Enabled by default Accounts that run discovery More information

Active Directory Forest Discovery

No

Active Directory Forest Discovery Account, or the computer account of the site server

Can discover Active Directory sites and subnets, and then create Configuration Manager boundaries for each site and subnet from the forests that you have configured for discovery. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory
515

Discovery method

Enabled by default

Accounts that run discovery

More information

site, Configuration Manager converts the supernet into an IP address range boundary. Supports a userdefined account to discover resources for each forest. Can publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified account has permissions to that forest. Discovers computers from the specified locations in Active Directory Domain Services. Discovers user accounts from the specified locations in Active Directory Domain Services. Discovers local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups
516

Active Directory System Discovery

No

Active Directory System Discovery Account, or the computer account of the site server Active Directory User Discovery Account, or the computer account of the site server

Active Directory User Discovery

No

Active Directory Group Discovery

No

Active Directory Group Discovery Account, or the computer account of the site server

Discovery method

Enabled by default

Accounts that run discovery

More information

are not discovered as group resources. Heartbeat Discovery Yes Computer account of the client Used by active Configuration Manager clients to update their discovery records in the database. Heartbeat Discovery can force discovery of a computer as a new resource record, or can repopulate the database record of a computer that was deleted from the database. Searches your network infrastructure for network devices that have an IP address. Can discover devices that might not be found by other discovery methods. This includes printers, routers, and bridges.

Network Discovery

No

Computer account of the site server

All configurable discovery methods support a schedule for when discovery runs. With the exception of Heartbeat Discovery, you can configure each method to search specific locations for resources to add to the Configuration Manager database. After discovery runs, you can change the locations that a discovery method searches. These new locations are searched during the next discovery run. However, the next run of the discovery method is not limited to the new locations and always attempts to discover information from all current configured locations. Heartbeat Discovery is the only discovery method that is enabled by default. To help maintain the database record of Configuration Manager clients, do not disable Heartbeat Discovery. In addition to these discovery methods, Configuration Manager also uses a process named Server Discovery (SMS_WINNT_SERVER_DISCOVERY_AGENT). This discovery method
517

creates resource records for computers that are site systems, such as a computer that is configured as a management point. This method of discovery runs daily and is not configurable.

Decide Which Discovery Methods to Use

To discover potential Configuration Manager client computers or user resources, you must enable the appropriate discovery methods. You can use different combinations of discovery methods to locate different resources and to discover additional information about those resources. The discovery methods that you use determine the type of resources that are discovered and which Configuration Manager services and agents are used in the discovery process. They also determine the type of information about resources that you can discover. Discover Computers When you want to discover computers, you can use Active Directory System Discovery or Network Discovery. As an example, if you want to discover resources that can install the Configuration Manager client before you use client push installation, you might run Active Directory System Discovery. Alternately you could run Network Discovery and use its options to discover the operating system of resources (required to later use client push installation). However, by using Active Directory System Discovery, you not only discover the resource, but discover basic information and can discover extended information about it from Active Directory Domain Services. This information might be useful in building complex queries and collections to use for the assignment of client settings or content deployment. Network Discovery, on the other hand, provides you with information about your network topology that you are not able to acquire with other discovery methods, but Network Discovery does not provide you any information about your Active Directory environment. It is also possible to use only Heartbeat Discovery to force the discovery of clients that you installed by methods other than client push installation. However, unlike other discovery methods, Heartbeat Discovery cannot discover computers that do not have an active Configuration Manager client, and returns a limited set of information. It is intended to maintain an existing database record and not to be the basis of that record. Information submitted by Heartbeat Discovery might not be sufficient to build complex queries or collections. If you use Active Directory Group Discovery to discover the membership of a specified group, you can discover limited system or computer information. This does not replace a full discovery of computers but can provide basic information. This basic information is insufficient for client push installation. Discover Users When you want to discover information about users, you can use Active Directory User Discovery. Similar to Active Directory System Discovery, this method discovers users from Active Directory and includes basic information in addition to extended Active Directory information. You can use this information to build complex queries and collections similar to those for computers.

518

Discover Group Information When you want to discover information about groups and group memberships, use Active Directory Group Discovery. This discovery method creates resource records for security groups. You can use this method to search a specific Active Directory group to identify the members of that group in addition to any nested groups within that group. You can also use this method to search an Active Directory location for groups, and recursively search each child container of that location in Active Directory Domain Services. This discovery method can also search the membership of distribution groups. This can identify the group relationships of both users and computers. When you discover a group, you can also discover limited information about its members. This does not replace Active Directory System or User Discovery and is usually insufficient to build complex queries and collections or serve as the bases of a client push installation. Discover Infrastructure There are two methods that you can use to discover network infrastructure, Active Directory Forest Discovery and Network Discovery. You can use Active Directory Forest Discovery to search an Active Directory forest for information about subnets and Active Directory site configurations. These configurations can then be automatically entered into Configuration Manager as boundary locations. When you want to discover your network topology, use Network Discovery. While other discovery methods return information related to Active Directory Domain Services and can identify the current network location of a client, they do not provide infrastructure information based on the subnets and router topology of your network.

About Active Directory System, User, and Group Discovery Methods

This section contains information about the following discovery methods: Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery Note The information in this section does not apply to Active Directory Forest Discovery. These three discovery methods are similar in configuration and operation, and can discover computers, users, and information about group memberships of resources that are stored in Active Directory Domain Services. The discovery process is managed by a discovery agent that runs on the site server at each site where discovery is configured to run. You can configure each of these discovery methods to search one or more Active Directory locations as location instances in the local forest or remote forests. When discovery searches an untrusted forest for resources, the discovery agent must be able to resolve the following to be successful:
519

To discover a computer resource with Active Directory System Discovery, the discovery agent must be able to resolve the FQDN of the resource. If it cannot resolve the FQDN, it will then attempt to resolve the resource by its NetBIOS name. To discovery user or group resource with Active Directory User Discovery or Active Directory Group Discovery, the discovery agent must be able to resolve the FQDN of the domain controller name you specify for the Active Directory location.

For each location instance that you specify, you can configure individual search options such as enabling a recursive search of the locations Active Directory child containers. You can also configure a unique account to use when it searches that location instance. This provides flexibility in configuring a discovery method at one site to search multiple Active Directory locations across multiple forests, without having to configure a single account that has permissions to all locations. When each of these three discovery methods run at a specific site, the Configuration Manager site server at that site contacts the nearest domain controller in the specified Active Directory forest to locate Active Directory resources. The domain and forest can be in any supported Active Directory mode, and the account that you assign to each location instance must have Read access permission to the specified Active Directory locations. Discovery searches the specified locations for objects and then attempts to collect information about those objects. A DDR is created when sufficient information about a resource can be identified. The required information varies depending on the discovery method that is being used. If you configure the same discovery method to run at different Configuration Manager sites to take advantage of querying local Active Directory servers, you can configure each site with a unique set of discovery options. Because discovery data is shared with each site in the hierarchy, avoid overlap between these configurations to efficiently discover each resource one time. For smaller environments, you might consider running each discovery method at only one single site in your hierarchy to reduce administrative overhead and the potential for multiple discovery actions to rediscover the same resources. When you minimize the number of sites that run discovery you can reduce the overall network bandwidth that is being used by discovery, and reduce the overall number of DDRs that are created and must be processed by your site servers. Many of the discovery method configurations are self-explanatory. Use the following sections for more information about the discovery options that might require additional information before you configure them.

Shared Discovery Options

The following table identifies configuration options that are available on multiple Active Directory Discovery methods. Key: = Supported = Unsupported

520

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

Delta Discovery

Delta Discovery is an option available for each Active Directory discovery method except Active Directory Forest Discovery. Configuration Manager can use Delta Discovery to search Active Directory Domain Services (AD DS) for specific attributes that have changed after the last full discovery cycle of the discovery method. You can configure a short interval for Delta Discovery to search for new resources because discovering only new resources does not affect the performance of the site server as much as a full discovery cycle does. Delta Discovery can detect the following new resource types: Computer objects User objects Security group objects System group objects

Delta Discovery cannot detect when a resource has been deleted from AD DS. You must run a full discovery cycle to detect this change. DDRs for objects that
521

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle. You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method. Filter stale computer records by domain logon You can configure discovery to exclude discovery of stale computer records based on the last domain logon of the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies. Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered. Use of this option requires the following: Computers must be configured to update the lastLogonTimeStam p attribute in AD DS. The Active Directory domain functional level is set to Windows Server 2003 or later.

When configuring the time after the last logon,

522

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

consider the interval for replication between domain controllers. You configure filtering on the Option tab in both Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have logged on to a domain in a given period of time. Warning When you configure both of the stale record filters on the same discovery method, computers that meet the criteria of either filter are excluded from discovery. Filter stale records by computer password You can configure discovery to exclude discovery of stale computer records based on the last computer account password update by the computer. When this option is enabled, Active Directory System Discovery evaluates each computer it identifies.
523

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

Active Directory Group Discovery evaluates each computer that is a member of a group that is discovered. Use of this option requires the following: Computers must be configured to update the pwdLastSet attribute in AD DS.

When configuring this option, consider the interval for updates to this attribute in addition to the replication interval between domain controllers. You configure filtering on the Option tab in both Active Directory System Discovery Properties and Active Directory Group Discovery Properties dialog boxes by selecting the option Only discover computers that have updated their computer account password in a given period of time. Warning When you configure both of the stale record filters on the same discovery method,
524

Discovery option

Active Directory System Discovery

Active Directory User Discovery

Active Directory Group Discovery

Details

computers that meet the criteria of either filter are excluded from discovery. Search customized Active Directory attributes Each discovery method supports a unique list of attributes that can be discovered. You configure Active Directory customized attributes on the Active Directory Attributes tab in both the Active Directory System Discovery Properties and Active Directory User Discovery Properties dialog boxes.

Active Directory System Discovery

Use Configuration Manager Active Directory System Discovery to search the specified Active Directory Domain Services (AD DS) locations for computer resources that can be used to create collections and queries. You can then install the client to discovered computers by using client push installation. To successfully create a discovery data record (DDR) for a computer, Active Directory System Discovery must be able to identify the computer account and then successfully resolve the computer name to an IP address. By default, Active Directory System Discovery discovers basic information about the computer including the following: Computer name Operating system and version Active Directory container name IP address Active Directory site Last Logon Timestamp
525

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services. You can view the default list of object attributes returned by Active Directory System Discovery, and configure additional attributes to be discovered in the Active Directory System Discovery Properties dialog box on the Active Directory Attributes tab. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory System Discovery actions are recorded in the file adsysdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory User Discovery

Use Configuration Manager Active Directory User Discovery to search Active Directory Domain Services (AD DS) to identify user accounts and associated attributes. You can view the default list of object attributes returned by Active Directory User Discovery, and configure additional attributes to be discovered in the Active Directory User Discovery Properties dialog box on the Active Directory Attributes tab. By default, Active Directory User Discovery discovers basic information about the user account including the following: User name Unique user name (includes domain name) Domain Active Directory container names

In addition to the basic information, you can configure the discovery of extended attributes from Active Directory Domain Services. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory User Discovery actions are recorded in the file adusrdis.log in the <InstallationPath>\LOGS folder on the site server.

Active Directory Group Discovery

Use Configuration Manager Active Directory Group Discovery to search Active Directory Domain Services (AD DS) to identify the group memberships of computers and users. This discovery method searches a discovery scope that you configure, and then identifies the group memberships of resources in that discovery scope. By default, only security groups are discovered. However, you can discover the membership of distribution groups when you select the checkbox for the option Discover the membership of distribution groups on the Option tab in the Active Directory Group Discovery Properties dialog box. Use Active Directory Group Discovery to discover the following information: Groups
526

Membership of Groups Limited information about a groups member computers and users, even when those computers and users have not previously been discovered by another discovery method

This discovery method is intended to identify groups and the group relationships of members of groups. This method of discovery does not support the extended Active Directory attributes that can be identified by using Active Directory System Discovery or Active Directory User Discovery. Because this discovery method is not optimized to discover computer and user resources, consider running this discovery method after you have run Active Directory System Discovery and Active Directory User Discovery. This is because this discovery method creates a full DDR for groups, but only a limited DDR for computers and users that are members of groups. You can configure the following discovery scopes that control how Active Directory Group Discovery searches for information: Location: Use a location if you want to search one or more Active Directory containers. This scope option supports a recursive search of the specified Active Directory containers that also searches each child container under the container you specify. This process continues until no more child containers are found. Groups: Use groups if you want to search one or more specific Active Directory groups. You can configure the Active Directory Domain to use the default domain and forest, or limit the search to an individual domain controller. Additionally, you can specify one or more groups to search. If you do not specify at least one group, all groups found in the specified Active Directory Domain location are searched. Caution When you configure a discovery scope, select only the groups that you must discover. This is because Active Directory Group Discovery attempts to discover each member of each group in the discovery scope. Discovery of large groups can require extensive use of bandwidth and Active Directory resources. Note You have to run either Active Directory System Discovery or Active Directory User Discovery to create collections that are based on extended Active Directory attributes and to ensure accurate discovery results for computers and users. For more information about how to configure this discovery method, see Configure Active Directory Discovery in Configuration Manager. Active Directory Group Discovery actions are recorded in the file adsgdis.log in the <InstallationPath>\LOGS folder on the site server.

About Active Directory Forest Discovery

Use Configuration Manager Active Directory Forest Discovery to discover IP subnets and Active Directory sites and to add them to Configuration Manager as boundaries.

527

Unlike other discovery methods, Active Directory Forest Discovery does not discover resources that you can manage. Instead, this method discovers Active Directory network locations and can convert those locations into boundaries for use throughout your hierarchy. Use Active Directory Forest Discovery to do the following: Discover IP subnets in an Active Directory forest Discover Active Directory sites in an Active Directory forest Add the IP subnets and Active Directory sites that are discovered as boundaries in Configuration Manager Publish to the Active Directory Domain Services of a forest when publishing to that forest is enabled, and the specified Active Directory Forest Account has permissions to that forest

Manage Active Directory Forest Discovery in the Configuration Manager console from the following nodes under Hierarchy Configuration in the Administration workspace: Discovery Methods: Here you can enable Active Directory Forest Discovery to run at the top-level site of your hierarchy. You can also specify a simple schedule to run discovery, and configure it to automatically create boundaries from the IP subnets and Active Directory sites that it discovers. Active Directory Forest Discovery cannot be run at a child primary site or at a secondary site. Note This discovery method does not support Delta Discovery. Active Directory Forests: Here you configure the additional Active Directory forests that you want to discover, specify the account to use as the Active Directory Forest Account for each forest, and configure publishing to each forest. Additionally, you can monitor the discovery process and add IP subnets and Active Directory sites to Configuration Manager as boundaries and members of boundary groups.

When publishing is enabled for a forest and that forests schema is extended for Configuration Manager, the following information is published for each site that is enabled to publish to that Active Directory forest: SMS-Site-<site code> SMS-MP-<site code>-<site system server name> SMS-SLP-<site code>-<site system server name> SMS-<site code>-<Active Directory site name or subnet> Note Secondary sites always use the secondary site server computer account to publish to Active Directory. If you want secondary sites to publish to Active Directory, ensure the secondary site server computer account has permissions to publish to Active Directory. A secondary site cannot publish data to an untrusted forest. Tip To configure publishing for Active Directory forests for each site in your hierarchy, connect your Configuration Manager console to the top-level site of your hierarchy. The
528

Publishing tab in an Active Directory site Properties dialog box can only display the current site, and its child sites. Caution When you clear the option to publish a site to an Active Directory forest, all previously published information for that site, including available site system roles, is removed from the Active Directory of that forest. Active Directory Forest Discovery runs on the local Active Directory forest, each trusted forest, and each additional forest that you configure in the Active Directory Forests node of the Configuration Manager console. Active Directory Forest Discovery actions are recorded in the following logs: All actions, with the exception actions related to publishing, are recorded in the ADForestDisc.Log file in the <InstallationPath>\Logs folder on the site server. Active Directory Forest Discovery publishing actions are recorded in the hman.log and sitecomp.log in the <InstallationPath>\Logs folder on the site server.

About Delta Discovery

Delta Discovery is not a full discovery method in Configuration Manager, but an option available for the Active Directory System, User, and Group discovery methods. Delta Discovery can identify most changes to a previously discovered resource in Active Directory and use fewer resources than a full discovery cycle. When you enable Delta Discovery for a discovery method, the discovery method searches Active Directory Domain Services (AD DS) for specific attributes that have changed after the discovery methods last full discovery cycle. These changes are submitted to the Configuration Manager database to update the resources discovery record. By default, Delta Discovery runs on a five minute cycle. This is because it uses fewer resources during discovery than a full discovery cycle, and does not affect the performance of the site server as much as a full discovery cycle would. When you use Delta Discovery, consider reducing the frequency of the full discovery cycle for that discovery method. Delta Discovery can detect changes on Active Directory objects. The following are the most common changes that Delta Discovery detects: New computers or users added to Active Directory Changes to basic computer and user information New computers or users that are added to a group Computers or users that are removed from a group Changes to System group objects

Although Delta Discovery can detect new resources, and changes to group membership, it cannot detect when a resource has been deleted from AD DS. DDRs for objects that Delta Discovery discovers are processed similarly to the DDRs that are created by a full discovery cycle.
529

You configure Delta Discovery on the Polling Schedule tab in the properties for each discovery method.

About Heartbeat Discovery

Heartbeat Discovery differs from other Configuration Manager discovery methods. It is enabled by default and runs on each computer client to create a discovery data record (DDR). For mobile device clients, this DDR is created by the management point that is being used by the mobile device client. Heartbeat Discovery runs either on a schedule configured for all clients in the hierarchy, or if manually invoked, on a specific client by running the Discovery Data Collection Cycle on the Action tab in a clients Configuration Manager program. When Heartbeat Discovery runs, it creates a discovery data record (DDR) that contains the clients current information including network location, NetBIOS name, and operational status details. It is a small file, about 1KB, which is copied to a management point, and then processed by a primary site. The submission of a Heartbeat Discovery DDR can maintain an active clients record in the database, and also force discovery of an active client that might have been removed from the database, or that has been manually installed and not discovered by another discovery method. Heartbeat Discovery is the only discovery method that provides details about the client installation status by updating a system resource client attribute that has the value Yes. To send the Heartbeat Discovery record, the client computer must be able to contact a management point. Note With Configuration Manager SP1, the Heartbeat discovery data record also includes the version of the client agent. The default schedule for Heartbeat Discovery is set to every 7 days. If you change the heartbeat discovery interval, ensure that it runs more frequently than the site maintenance task Delete Aged Discovery Data, which deletes inactive client records from the site database. You can configure the Delete Aged Discovery Data task only for primary sites. Note Even when Heartbeat Discovery is disabled, DDRs are still created and submitted for active mobile device clients. This ensures that the Delete Aged Discovery Data task does not affect active mobile devices. When the Delete Aged Discovery Data task deletes a database record for a mobile device, it also revokes the device certificate and blocks the mobile device from connecting to management points. Heartbeat Discovery actions are logged in the following locations: For computer clients ,Heartbeat Discovery actions are recorded on the client in the InventoryAgent.log in the %Windir%\CCM\Logs folder. For mobile device clients, Heartbeat Discovery actions are recorded in the DMPRP.log in the %Program Files%\CCM\Logs folder of the management point that the mobile device client uses.

530

About Network Discovery

Use Configuration Manager Network Discovery to discover the topology of your network and devices on your network. Network Discovery searches your network for IP-enabled resources by querying servers that run a Microsoft implementation of DHCP, Address Resolution Protocol (ARP) caches in routers, SNMP-enabled devices and Active Directory domains. To successfully discover a resource, Network Discovery must identify the IP address and the subnet mask of the resource. Because different types of devices can connect to the network, Network Discovery can discover resources that cannot support the Configuration Manager client software. For example, devices that can be discovered but not managed include printers and routers. Network Discovery can return several attributes as part of the discovery record it creates. This includes the following: NetBIOS name IP addresses Resource domain System roles SNMP community name MAC addresses

To use Network Discovery, you must specify the level of discovery to run. You also configure one or more discovery mechanisms that enable Network Discovery to query for network segments or devices. You can also configure settings that help control discovery actions on the network. Finally, you define one or more schedules for when Network Discovery runs. Note Complex networks and low bandwidth connections can cause Network Discovery to run slowly and generate significant network traffic. As a best practice, run Network Discovery only when the other discovery methods cannot find the resources that you have to discover. For example, use Network Discovery if you must discover workgroup computers. Workgroup computers are not discovered by other discovery methods. When discovery identifies an IP-addressable object and can determine the objects subnet mask, it creates a discovery data record (DDR) for that object. Network Discovery activity is recorded in the Netdisc.log in <InstallationPath>\Logs on the site server that runs discovery.

Levels of Network Discovery

When you configure Network Discovery, you specify one of three levels of discovery:

531

Level of discovery

Details

Topology Topology and client

This level discovers routers and subnets but does not identify a subnet mask for objects. In addition to topology, this level discovers potential clients such as computers, and resources such as printers and routers. This level of discovery attempts to identify the subnet mask of objects it finds. In addition to topology and potential clients, this level attempts to discover the computer operating system name and version. This level uses Windows Browser and Windows Networking calls.

Topology, client, and client operating system

With each incremental level, Network Discovery increases its activity and network bandwidth usage. Consider the network traffic that can be generated before you enable all aspects of Network Discovery. For example, when you first use Network Discovery, you might start with only the topology level to identify your network infrastructure. Then, you could reconfigure Network Discovery to discover objects and their device operating systems. You could also configure settings that limit Network Discovery to a specific range of network segments to discover objects in network locations that you require and avoid unnecessary network traffic and discovery of objects from edge routers or from outside your network.

Network Discovery Options

To enable Network Discovery to search for IP-addressable devices, you must configure one or more options that specify how to query for devices. The options are listed in the following table.
Option Details Requirements

Domains

Specify each domain that you want Network Discovery to query. Network Discovery can discover any computer that you can view from your site server when you browse the network. Network Discovery retrieves the IP address and then uses an Internet Control Message Protocol echo request to ping each device that it finds. The

The site server that runs discovery must have permissions to read the domain controllers in each specified domain. Note To discover computers form the local domain, you must enable the Computer Browser
532

Option

Details

Requirements

ping command helps determine which computers are currently active.

service on at least one computer that is located on the same subnet as the site server that runs Network Discovery. To query a device, you must specify the IP Address or NetBIOS name of the device. You must configure Network Discovery to use the community name of the device, or the device rejects the SNMP-based query.

SNMP Devices

Specify each SNMP device that you want Network Discovery to query. Network Discovery retrieves the ipNetToMediaTable value from any SNMP device that responds to the query. This value returns arrays of IP addresses that are client computers or other resources such as printers, routers, or other IP-addressable devices.

DHCP

Specify each DHCP server that you want Network Discovery to query.

For Network Discovery to successfully query a DHCP server, the computer account of Network Discovery can query both the server that runs discovery 32-bit and 64-bit DHCP servers for must be a member of the a list of devices that are registered DHCP Users group on the DHCP server. with each server. Network Discovery retrieves information by using remote procedure calls to the database on the DHCP server. For example, this level of access exists when one of the following is true: The specified DHCP server is the DHCP server of the server that runs discovery. The computer that runs discovery and the DHCP server are in the same domain. A two-way trust exists between the computer that runs discovery and the DHCP server. The site server is a member of the DHCP users group.

When Network Discovery enumerates a DHCP server, it does not always discover static IP addresses. Network Discovery does not find IP addresses that are part of an excluded range of IP addresses on the DHCP server, and does not discover IP addresses that are reserved for manual assignment. Note Network Discovery

533

Option

Details

Requirements

supports only DHCP servers that run the Microsoft implementation of DHCP. Important To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

Note Network Discovery runs in the context of the computer account of the site server that runs discovery. If the computer account does not have permissions to an untrusted domain, both the Domain and DHCP server configurations can fail to discover resources.

Limiting Network Discovery

When Network Discovery queries an SNMP device on the edge of you network, it can identify information about subnets and SNMP devices that are outside your immediate network. You can limit Network Discovery by configuring the SNMP devices that discovery can communicate with, and by specifying the network segments to query. Use the following configurations to limit the scope of Network Discovery:
Configuration Details

Subnets

Configure the subnets that Network Discovery queries when it uses the SNMP and DHCP options. Only the enabled subnets are searched by these two options. For example, a DHCP request can return devices from locations across your whole network. If you want to only discover devices on a specific subnet, specify and enable that specific subnet on the Subnets tab in the Network Discovery Properties dialog box. When you specify and enable subnets, you limit future DHCP and SNMP discovery operations to those subnets. Note
534

Configuration

Details

Subnet configurations do not limit the objects that the Domains discovery option discovers. SNMP Community names To enable Network Discovery to successfully query a SNMP device, configure Network Discovery with the community name of the device. Maximum hops If Network Discovery is not configured by using the community name of the SNMP device, the device rejects the query.

When you configure the maximum number of router hops, you limit the number of network segments and routers that Network Discovery can query by using SNMP. The number of hops that you configure limits the number of additional devices and network segments that Network Discovery can query.

For example, a topology-only discovery with 0 (zero) router hops discovers the subnet on which the originating server resides, and includes any routers on that subnet. The following diagram shows what a topology-only Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1.

The following diagram shows what a topology and client Network Discovery finds when it runs on Server 1 with 0 router hops specified: subnet D and Router 1, and all potential clients on subnet D.

To get a better idea of how additional router hops can increase the
535

Configuration

Details

amount of network resources that are discovered, consider the following network:

Running a topology-only Network Discovery from Server 1 with one router hop discovers the following: Router 1 and subnet 10.1.10.0 (found with zero hops). Subnets 10.1.20.0 and 10.1.30.0, subnet A, and Router 2 (found on the first hop). Warning Each increase to the number of router hops can significantly increase the number of discoverable resources and increase the network bandwidth that Network Discovery uses.

Discovery Data Records Created by Network Discovery

When Network Discovery discovers an object, it creates a discovery data record (DDR) for that object. For Network Discovery to discover an object, it must identify the object IP address and then identify its subnet mask. If Network Discovery cannot determine the subnet mask of an object, it does not create a DDR. Network Discovery uses the following methods to identify the subnet mask of an object:
Method Details Limitation

Router ARP cache

Network Discovery queries the ARP cache of a router to find subnet information.

Typically, data in a router ARP cache has a short time-to-live. When Network Discovery queries the ARP cache, the ARP cache might no longer contain
536

Method

Details

Limitation

information about the requested object. DHCP Network Discovery queries each DHCP server that you specify to discover the devices for which the DHCP server has provided a lease. Network Discovery can directly query a SNMP device. Network Discovery supports only DHCP servers that run the Microsoft implementation of DHCP. For Network Discovery to query a device, the device must have a local SNMP agent installed. You must also configure Network Discovery to use the community name that is being used by the SNMP agent.

SNMP Device

Configuration Manager processes DDRs that are created by Network Discovery just as it processes DDRs that are created by other discovery methods.

About Discovery Data Records

Discovery data records (DDRs) are files created by a discovery method that contain information about a resource you can manage in Configuration Manager. DDRs contain information about computers, users and in some cases, network infrastructure. They are processed at primary sites or at central administration sites. After the resource information in the DDR is entered into the database, the DDR is deleted and the information replicates as global data to all sites in the hierarchy. The site at which a DDR is processed depends on the information it contains: DDRs for newly discovered resources that are not in the database are processed at the toplevel site of the hierarchy. The top-level site creates a new resource record in the database and assigns it a unique identifier. DDRs transfer by file-based replication until they reach the top-level site. DDRs for previously discovered objects are processed at primary sites. Child primary sites do not transfer DDRs to the central administration site when the DDR contains information about a resource that is already in the database. Secondary site do not process discovery data records and always transfer them by file-based replication to their parent primary site.

DDR files are identified by the .ddr extension, and have a typical size of about 1 KB.

537

Decide Where to Run Discovery

When you plan to use discovery in Configuration Manager, you must consider where to run each discovery method. After Configuration Manager adds discovery data to a database, it is quickly shared between all sites in the hierarchy. Because there is no benefit to discovering the same information at multiple sites in your hierarchy, consider configuring a single instance of each discovery method that you use to run at a single site instead of running multiple instances of a single method at different sites. However, periodically it might help assign the same discovery method to run at multiple sites, each with a separate configuration and schedule. This is because at each site, all configurations for a single discovery method are evaluated every time that discovery method runs. If you do configure multiple instances of a single discovery method to run at different sites, plan the configuration of each carefully to avoid having two or more discovery processes discover the same resources. Discovering the same locations and resources at multiple sites can consume additional network bandwidth and create duplicate DDRs for resources that add no value and must still be processed by your site servers. The following table identifies at which sites you can configure the different discovery methods.
Discovery method Supported locations

Active Directory Forest Discovery Active Directory Group Discovery Active Directory System Discovery Active Directory User Discovery Heartbeat Discovery Network Discovery
1

Central administration site Primary Site Primary site Primary site Primary site Primary site Primary site Secondary site

Secondary sites cannot configure Heartbeat Discovery but can receive the Heartbeat DDR from a client. When secondary sites run Network Discovery, or receive Heartbeat Discovery DDRs, they transfer the DDR by file-based replication to their parent primary site. This is because only primary sites and central administration sites can process discovery data records (DDRs). For more information about how DDRs are processed, see About Discovery Data Records in this topic. Consider the following when you plan where to run discovery: When you use an Active Directory Discovery method for systems, users, or groups: Run discovery at a site that has a fast network connection to your domain controllers.
538

Consider the Active Directory replication topology to ensure discovery can access the latest information. Consider the scope of the discovery configuration and limit discovery to only those Active Directory locations and groups that you have to discover. Use a limited initial configuration to identify your network topography. After you identify your network topography, configure Network Discovery to run at specific sites that are central to the network areas that you want to more fully discover.

If you use Network Discovery:

Because Heartbeat Discovery does not run at a specific site, you do not have to consider it in general planning for where to run discovery. Because each site server and network environment is different, limit your initial discovery configurations and closely monitor each site server for its ability to process the discovery data that is generated.

Best Practices for Discovery

Use the following best practices information to help you use discovery in System Center 2012 Configuration Manager.

Run Active Directory System Discovery and Active Directory User Discovery before you run Active Directory Group Discovery
When Active Directory Group Discovery identifies a previously undiscovered user or computer as a member of a group, it attempts to discover basic details for the user or computer. Because Active Directory Group Discovery is not optimized for this type of discovery, this process can cause Active Directory Group Discovery to run slow. Additionally, Active Directory Group Discovery identifies only the basic details about users and computers is discovers, and does not create a complete user or computer discovery record. When you run Active Directory System Discovery and Active Directory User Discovery, the additional Active Directory attributes for each object type are available, and as a result, Active Directory Group Discovery runs more efficiently.

When you configure Active Directory Group Discovery, only specify groups that you use with Configuration Manager
To help control the use of resources by Active Directory Group Discovery, specify only those groups that you use with Configuration Manager. This is because Active Directory Group Discovery recursively searches each group it discovers for users, computers, and nested groups. The search of each nested group can expand the scope of Active Directory Group Discovery and reduce performance. Additionally, when you configure delta discovery for Active Directory Group Discovery, the discovery method monitors each group for changes. This further reduces performance when the method must search unnecessary groups.

539

Configure discovery methods with a longer interval between full discovery, and a more frequent period of delta discovery
Because delta discovery uses fewer resources than a full discovery cycle, and can identify new or modified resources in Active Directory, when you use delta discovery you can reduce the frequency of full discovery cycles to run one per week or less. Delta discovery for Active Directory System Discovery, Active Directory User Discovery and Active Directory Group Discovery identifies almost all the changes of Active Directory objects and can maintain accurate discovery data for resources.

Run Active Directory Discovery methods at primary site that has a network location that is closest to your Active Directory domain controller
To improve the performance of Active Directory discovery, it is recommended to run discover at a primary site that has a fast network connection to your domain controllers. If you run the same Active Directory discovery method at multiple sites, it is recommended to configure each discovery method to avoid overlap. Unlike past versions of Configuration Manager, discovery data is shared between sites. Therefore, it is not necessary to discovery the same information at multiple sites. For more information, see Decide Where to Run Discovery.

Run Active Directory Forest Discovery at a only one site when you plan to automatically create boundaries from the discovery data
If you run Active Directory Forest Discovery at more than one site in a hierarchy, it is recommended to only enable options to automatically create boundaries at a single site. This is because when Active Directory Forest Discovery runs at each site and creates boundaries, Configuration Manager cannot merge those boundaries into a single boundary object. When you configure Active Directory Forest Discovery to automatically create boundaries at multiple sites, the result can be duplicated boundary objects in the Configuration Manager console.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Client Settings in Configuration Manager

Use client settings in System Center 2012 Configuration Manager to configure user and device settings for the hierarchy. Client settings include configuration options such as the hardware inventory and schedule, and the polling schedule for client policy.
540

All Configuration Manager clients in the hierarchy use the Default Client Settings that are automatically created when you install Configuration Manager. However, you can modify the default client settings and you can create custom client settings to override the default client settings for specific users or devices. When you create a set of custom client settings, you must assign it to one or more collections for the settings to be applied to the collection members. If you apply multiple sets of custom client settings to the same user or device, you can control the order in which these settings are applied according to the order that you specify. Custom device or user settings with an Order value of 1 are always processed last and will override any other configurations. The Default Client Settings has a permanent order of 10,000, which ensures it is always applied before any custom settings are applied. When there is a conflict of settings, the client setting that was applied last (with the lower order value) overrides any previous settings. You can create custom client settings at the central administration site or from any primary site in the hierarchy. Custom settings replicate to all sites in the hierarchy. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For information about client settings for clients that run Linux and UNIX in Configuration Manager SP1, see the Client Settings for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. In Configuration Manager 2007, client agent settings are configured on a per-site basis and you cannot configure these settings for the whole hierarchy. In System Center 2012 Configuration Manager, client agent settings and other client settings are grouped into centrally configurable client settings objects that are applied at the hierarchy. To view and configure these, modify the default client settings. If you need additional flexibility for groups of users or computers, configure custom client settings and assign them to collections. For example, you can configure remote control to be available only on specified collections of computers.

See Also
Planning for Configuration Manager Sites and Hierarchy

541

Planning for Site Systems in Configuration Manager

System Center 2012 Configuration Manager uses site system roles to support operations at each site. Computers that host the Configuration Manager site are named site servers, and computers that host the other site system roles are named site system servers. The site server is also a site system server. Site system servers within the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on the site configuration selections that you make. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install site system servers and configure the site system roles. At each site, you can install available site system roles on the site server or install one or more site system roles on another site system server. Configuration Manager does not limit the number of site system roles that you can run on a single site system server. However, Configuration Manager does not support site system roles from different sites on the same site system server. Additionally, Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. Configuration Manager uses the Site System Installation Account to install site system roles. You specify this account when you run the applicable wizard to create a new site system server or add site system roles to an existing site system server. By default, this account is the local system account of the site server computer, but you can specify a domain user account for use as the Site System Installation Account. For more information about this account, see the Site System Installation Account in the Technical Reference for Accounts Used in Configuration Manager topic. Use the following sections to help you plan for site systems: Site System Roles in Configuration Manager Planning for Proxy Servers Configurations for Site System Roles Planning Where to Install Sites System Roles in the Hierarchy Planning for Database Servers in Configuration Manager Planning for the SMS Provider in Configuration Manager Planning for Custom Websites with Configuration Manager

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide.

542

With Configuration Manager SP1, you can configure a proxy server on each site system server for use by all site system roles installed on that computer. This is not a new site system role, but a configuration for site system server computers.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following are new for site system roles in System Center 2012 R2 Configuration Manager: There is a new site system role, the certificate registration point. This new site system role requires IIS and works in conjunction with a policy module plugin for the Network Device Enrollment Service server role for Active Directory Domain Services that runs on Windows Server 2012 R2. This solution provides certificate enrollment for devices that Configuration Manager manages. For more information, see Introduction to Certificate Profiles in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.

Site System Roles in Configuration Manager

When you install a site, several site system roles automatically are installed on the servers that you specify during Setup. After a site is installed, you can install additional site system roles on those servers or on additional computers that you decide to use as site system servers. The following sections identify the default site system roles and the optional site system roles that are available in Configuration Manager.

Default Site System Roles

When you install a Configuration Manager site, several default site system roles are automatically installed for the site. These site system roles are required for the core operation of each site and although some default site system roles can be moved to other servers, they cannot be removed from the site. Additionally, some default site system roles are installed on additional site system servers when you install optional site system roles. The default site system roles are described in the following table.
Site system role Description

Configuration Manager site server

The site server role is automatically installed on the server from which you run Configuration Manager Setup when you install a central administration site or primary site. When you
543

Site system role

Description

install a secondary site, the site server role is installed on the server that you specify as the secondary site server. Configuration Manager site system Site systems are computers that provide Configuration Manager functionality to a site. Each site system hosts one or more site system roles. Most site system roles are optional, and you install them only if you have to use them for specific management tasks. Other site system roles are automatically installed on a site system and cannot be configured. This role is assigned during Configuration Manager site installation or when you add an optional site system role to another server. Configuration Manager component site system role Any site system that runs the SMS Executive service also installs the component site system role. This role is required to support other roles, such as a management point, and it is installed and removed with the other site system roles. This role is always assigned to the site server when you install Configuration Manager. Configuration Manager site database server The site database server is a computer that runs a supported version of Microsoft SQL Server, and it stores information for Configuration Manager sites, such as discovery data, hardware and software inventory data, and configuration and status information. Each site in the Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. You can install SQL Server on the site server, or you can reduce the CPU usage of the site server when you install SQL Server on a computer other than the site server. Secondary sites can use SQL Server Express instead of a full SQL Server installation. The site database can be installed on the default instance of SQL Server or on a named
544

Site system role

Description

instance on a single computer that is running SQL Server. It can be installed on a named instance on a SQL Server cluster. Typically, a site system server supports site systems roles from a single Configuration Manager site only; however, you can use different instances of SQL Server on clustered or non-clustered servers running SQL Server to host the database for different Configuration Manager sites. For this configuration, you must configure each instance of SQL Server to use different ports. This role is installed when you install Configuration Manager. SMS Provider The SMS Provider is the interface between the Configuration Manager console and the site database. This role is installed when you install a central administration site or primary site. Secondary sites do not install the SMS Provider. You can install the SMS Provider on the site server, the site database server (unless the site database is hosted on a clustered instance of SQL Server), or on another computer. You can also move the SMS Provider to another computer after the site is installed, or install multiple SMS Providers on additional computers. To move or install additional SMS Providers for a site, run Configuration Manager Setup, select the option Perform site maintenance or reset the Site, click Next , and then on the Site Maintenance page, select the option Modify SMS Provider configuration. Note The SMS Provider is only supported on computers that are in the same domain as the site server.

545

Optional Site System Roles

Optional site system roles are site system roles that are not required for the core operation of a Configuration Manager site. However, by default, the management point and distribution point, which are optional site system roles, are installed on the site server when you install a primary or secondary site. Although these two site system roles are not required for the core operation of the site, you must have at least one management point to support clients at those locations. After you install a site, you can move the default location of the management point or distribution point to another server, install additional instances of each site system role, and install other optional site system roles to meet your business requirements. The optional site system roles are described in the following table.
Site system role Description

Application Catalog web service point

A site system role that provides software information to the Application Catalog website from the Software Library.

Application Catalog website point

A site system role that provides users with a list of available software from the Application Catalog.

Asset Intelligence synchronization point

A site system role that connects to Microsoft to download Asset Intelligence catalog information and upload uncategorized titles so that they can be considered for future inclusion in the catalog. This site system role can only be installed on the central administration site or a stand-alone primary site. For more information about planning for Asset Intelligence, see Prerequisites for Asset Intelligence in Configuration Manager. A site system role that communicates with a server that runs the Network Device Enrollment Service to manage device certificate requests that use the Simple Certificate Enrollment Protocol (SCEP). Important The certificate registration point must not be installed on the same server that runs the Network Device Enrollment
546

Certificate registration point

Site system role

Description

Service. Distribution point A site system role that contains source files for clients to download, such as application content, software packages, software updates, operating system images, and boot images. You can control content distribution by using bandwidth, throttling, and scheduling options. For more information, see Planning for Content Management in Configuration Manager. A site system role that helps you monitor client installation and identify the clients that are unmanaged because they cannot communicate with their management point. A site system role that provides policy and service location information to clients and receives configuration data from clients. You must install at least one management point at each primary site that manages clients, and at each secondary site where you want to provide a local point of contact for clients to obtain computer and user polices. Endpoint Protection point A site system role that Configuration Manager uses to accept the Endpoint Protection license terms and to configure the default membership for Microsoft Active Protection Service. A site system role that uses PKI certificates for Configuration Manager to enroll mobile devices and Mac computers, and to provision Intel AMT-based computers

Fallback status point

Management point

Enrollment point

Enrollment proxy point

A site system role that manages Configuration Manager enrollment requests from mobile devices and Mac computers.

Out of band service point

A site system role that provisions and configures Intel AMT-based computers for out of band management.
547

Site system role

Description

Reporting services point

A site system role that integrates with SQL Server Reporting Services to create and manage reports for Configuration Manager. For more information, see Planning for Reporting in Configuration Manager. A site system role that integrates with Windows Server Update Services (WSUS) to provide software updates to Configuration Manager clients. For more information, see Planning for Software Updates in Configuration Manager. A site system role that stores user state data when a computer is migrated to a new operating system. For more information about storing user state when you deploy an operating system, see How to Manage the User State in Configuration Manager. A site system role that validates Configuration Manager Network Access Protection (NAP) policies. It must be installed on a NAP health policy server.

Software update point

State migration point

System Health Validator point

Windows Intune connector

A site system role that was introduced in Configuration Manager SP1 that uses Windows Intune to manage mobile devices in the Configuration Manager console.

Planning for Proxy Servers Configurations for Site System Roles

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: During normal operation, several Configuration Manager site system roles require connections to the Internet. Typically, this connection is made in the system context of the computer where the site system role is installed and cannot use a proxy configuration for typical user accounts. When a proxy server is required to complete a connection to the Internet, you must configure the
548

computer to use a proxy server. For Configuration Manager with no service pack, you must manually configure the proxy server for the system context outside of Configuration Manager. Beginning with Configuration Manager SP1, you can use the Configuration Manager console to configure each site system server to use a proxy server. This proxy server configuration is used by each applicable site system role that is installed on that computer. For example, a software update point might connect to Microsoft to download updates, and with Configuration Manager SP1 when you use a cloud-based distribution point, the primary site server that manages the cloud-based distribution point must connect to Windows Azure. The following table identifies the site system roles that can use a proxy server:
Site system role Configuration Manager version Details

Asset Intelligence synchronization point

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Cloud-based distribution point

This site system role connects to Microsoft and will use a proxy server configuration on the computer that hosts the Asset Intelligence synchronization point. When you use a cloud-based distribution point, the primary site that manages the cloudbased distribution point must be able to connect to Windows Azure to provision, monitor, and distribute content to the distribution point. If a proxy server is required for this connection, you must configure the proxy server on the primary site server. You cannot configure a proxy server on the cloud-baseddistribution point in Windows Azure. For more information see the Configure Proxy Settings for Primary Sites that Manage Cloud Services section in the Install and Configure Site
549

Site system role

Configuration Manager version

Details

System Roles for Configuration Manager topic. Exchange Server connector System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager This site system role can require connections to Microsoft Update to download patches and synchronize information about updates. With Configuration Manager with no service pack you can configure proxy server settings for the active software update point. With Configuration Manager SP1, proxy server options are only available for the software update point when there is already a proxy configured for the site system server. For more information about proxy servers for software update points, see the Proxy Server Settings section in the Configuring Software Updates in Configuration Manager topic. Windows Intune connector System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager This site system role connects to Windows Intune and will use a proxy server configuration on the computer that hosts the Windows Intune connector.
550

This site system role connects to an Exchange Server and will use a proxy server configuration on the computer that hosts the Exchange Server connector.

Software updates point

Beginning with Configuration Manager SP1 you can configure the proxy server for a site system server when you install a site system role by using the Add Site System Roles Wizard or the Create Site System Server Wizard. After you have installed a site system server, you can configure a proxy server by editing the properties for the site system server. Each site system server supports only a single proxy server configuration. If you configure a new proxy server when you install site system role or edit the site system server properties, the new proxy server configuration replaces the previously configured proxy server for that site system server. The proxy server configuration is shared by all site system roles that run on a computer. There is no support for individual site system roles that run on the same computer to use different proxy server configurations. If you require different site system roles to use different proxy servers, you must install the site system roles on different site system server computers. Typically, when you configure the proxy server, each site system role on that computer that supports using the proxy server will use the proxy server with no additional configuration required. An exception to this is the software update point. By default, a software update point does not use an available proxy server unless you also enable the following options when you configure the software update point: Use a proxy server when synchronizing software updates Use a proxy server when downloading content by using automatic deployment rules Tip A proxy server must be configured on the site system server that hosts the software update point before you can select either option. The proxy server is only used for the specific options you select. Because each site system server supports a single proxy server configuration, if you add a new site system role to a computer and specify a different proxy server configuration than is already configured, the new replaces the previous proxy server configuration. Similarly, after you configure a proxy server for a site system server, if you edit the properties of the site system and change the proxy server configuration, this new configuration replaces the previous proxy server configuration. For procedures about configuring the proxy server for site system roles, see the Install and Configure Site System Roles for Configuration Manager topic.

Planning Where to Install Sites System Roles in the Hierarchy

Before you install site system roles, identify the site types that can or cannot support specific site system roles, and how many instances of each site system role you can install at a site or across a hierarchy. You can install some site system roles at only the top-level site in a hierarchy. A top-level site can be a central administration site of a multi-primary site hierarchy or a stand-alone primary site if your hierarchy consists of a single primary site with one or more secondary child sites.
551

Additionally, some site system roles support only a single instance per hierarchy. However, most site system roles support multiple instances across the hierarchy and at individual sites.

Site System Role Placement in the Hierarchy

Use the following table to identify the site system roles that you can install at each type of site in a System Center 2012 Configuration Manager hierarchy, and whether the site system role provides functionality for its site only, or for the entire hierarchy. You can install any supported site system role on the site server computer or on a remote site system server at a central administration site or primary site. At a secondary site, only the distribution point is supported on a remote site system server.
Site system role Central administration site Child primary site Stand-alone Secondary primary site site Site-specific or hierarchywide option

Application Catalog web service point Application Catalog website point Asset Intelligence synchronization 1 point Certificate registration point Distribution 2, 5 point Fallback status point Management 2, 3, 5 point Endpoint Protection point Enrollment point Enrollment proxy point Out of band

No

Yes

Yes

No

Hierarchy

No

Yes

Yes

No

Hierarchy

Yes

No

Yes

No

Hierarchy

Yes No No No Yes No No No

Yes Yes Yes Yes No Yes Yes Yes

Yes Yes Yes Yes Yes Yes Yes Yes

No Yes No Yes No No No No

Hierarchy Site Hierarchy Site Hierarchy Site Site Site

552

Site system role

Central administration site

Child primary site

Stand-alone Secondary primary site site

Site-specific or hierarchywide option

service point Reporting services point Software update 4, 5 point State migration 5 point System Health Validator point Windows Intune connector
1 2

Yes Yes No Yes Yes

Yes Yes Yes Yes No

Yes Yes Yes Yes Yes

No Yes Yes No No

Hierarchy Site Site Hierarchy Hierarchy

Configuration Manager supports only a single instance of this site system role in a hierarchy.

By default, when you install a secondary site, a management point and a distribution point are installed on the secondary site server.
3

This role is required to support clients in Configuration Manager. Secondary sites do not support more than one management point and this management point cannot support mobile devices that are enrolled by Configuration Manager. For more information about the site system roles that support clients in Configuration Manager, see Determine the Site System Roles for Client Deployment in Configuration Manager.
4

When your hierarchy contains a central administration site, install a software update point at this site that synchronizes with Windows Server Update Services (WSUS) before you install a software update point at any child primary site. When you install software update points at a child primary site, configure it to synchronize with the software update point at the central administration site.
5

Prior to System Center 2012 R2 Configuration Manager, all site system roles at a secondary site must be located on the site server computer. The only exception is the distribution point. Secondary sites support installing distribution points on the site server computer and on remote computers. Beginning with System Center 2012 R2 Configuration Manager, the state migration point can also be installed on the site server computer or on a remote computer, and can be colocated with a distribution point.

Considerations for Placement of Site System Roles

Use the following table to help you decide where to install the site system roles.

553

Site system role

Considerations

Application Catalog website point

When the Application Catalog supports client computers on the Internet, as a security best practice, install the Application Catalog website point in a perimeter network and the Application Catalog web service point on the intranet. Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. Configuration Manager supports multiple instances of this site system role at each primary site or central administration site. In this scenario, clients are non-deterministically assigned to one of the certificate registration points, to help load balance certificate requests. However, a single certificate registration point can provide functionality to an entire hierarchy. Important The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service. Each certificate registration point requires access to a separate instance of a Network Device Enrollment Service. You cannot configure two or more certificate registration points to use the same Network Device Enrollment Service.

Asset Intelligence synchronization point

Certificate registration point

Endpoint Protection point

Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy. If a user enrolls mobile devices by using Configuration Manager and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an enrollment point in the users forest so that the user can be authenticated. When you support mobile devices on the Internet, as a security best practice, install the
554

Enrollment point

Enrollment proxy point

Site system role

Considerations

enrollment proxy point in a perimeter network and the enrollment point on the intranet. Fallback status point Although you can install more than one fallback status point in a primary site, clients can be assigned to only one fallback status point and this assignment occurs during client installation: If you install clients by using client push installation, the first fallback status point that is installed for the site is automatically assigned to clients. If you have two fallback status points in the site so that one fallback status point accepts client connections from the Internet (for example, it is in a perimeter network), and the other fallback status point accepts client connections on the intranet only, assign the Internet-based clients to the Internet-based fallback status point.

Management point

You cannot install a System Center 2012 Configuration Manager management point on a server that has a Configuration Manager 2007 client installed. You must first uninstall the Configuration Manager 2007 client. Install this site system to support out of band management for Intel AMT-based computers. In Configuration Manager, this site system must be installed in a primary site that also contains the enrollment point. The out of band service point cannot provision AMT-based computers in a different forest.

Out of band service point

Software update point

Install this site system in the central administration site to synchronize with Windows Server Update Services and in all primary sites that use the Software Updates feature. Also consider installing a software update point in secondary sites when data transfer across the network is slow. Install this site system role in either a primary site or a secondary site. Consider installing a
555

State migration point

Site system role

Considerations

state migration point in secondary sites when data transfer across the network is slow. Reporting services point Install this site system role in the central administration site and at any primary site. Note A reporting services point installed in a primary site rather than a central administration site can display data from that primary site only. Distribution point Install this site system role in primary sites and secondary sites to distribute software to clients by using Background Intelligent Transfer Service (BITS), Windows BranchCache, multicast for operating system deployment, and streaming for application virtualization. Note When the distribution point is offline or in sleep mode from a power management policy, for example, software deployments might fail. Windows Intune connector Configuration Manager supports a single instance of this site system role in a hierarchy and only at the top-level site in the hierarchy.

Planning for Database Servers in Configuration Manager

The site database server is a computer that runs a supported version of Microsoft SQL Server that stores information for Configuration Manager sites. Each site in a System Center 2012 Configuration Manager hierarchy contains a site database and a server that is assigned the site database server role. For central administration sites and primary sites, you can install SQL Server on the site server, or you can install SQL Server on a computer other than the site server. For secondary sites, you can use SQL Server Express instead of a full SQL Server installation; however, the database server must be co-located with the site server.

556

You can install the site database on the default instance of SQL Server, a named instance on a single computer running SQL Server, or on a named instance on a clustered instance of SQL Server. Typically, a site system server supports site system roles from only a single Configuration Manager site; however, you can use different instances of SQL Server, on clustered or nonclustered servers running SQL Server, to host a database from different Configuration Manager sites. To support databases from different sites, you must configure each instance of SQL Server to use unique ports for communication.

SQL Server Configurations for Database Servers

To successfully configure a SQL Server installation for use as a Configuration Manager site database server, ensure that the following required SQL Server configurations are specified. Also, be familiar with the optional configurations and planning for service principal names (SPNs), database server location planning, and how to modify the database configuration after a site has completed installation.

Prerequisites for Database Servers

Before you specify a computer to host the site database for any site, ensure that it meets the prerequisites for database servers. Before installing SQL Server, you must be familiar with the Configurations for the SQL Server Site Database section of the Supported Configurations for Configuration Manager topic.

Database Server Locations

At a central administration site and at primary sites, you can co-locate the database server on the site server, or place it on a remote server. At secondary sites, the database server is always colocated on the secondary site server. If you use a remote database server computer, ensure the intervening network connection is a high-availability, high-bandwidth network connection. This is because the site server and some site system roles must constantly communicate with the SQL Server that is hosting the site database. Consider the following when you select a remote database server location: The amount of bandwidth required for communications to the database server depends upon a combination of many different site and client configurations; therefore, the actual bandwidth required cannot be adequately predicted. Each computer that runs the SMS Provider and that connects to the site database increases network bandwidth requirements. The computer that runs SQL Server must be located in a domain that has a two-way trust with the site server and all computers running the SMS Provider. You cannot use a clustered SQL Server for the site database server when the site database is co-located with the site server.
557

SQL Server Service Principal Names

A Service Principal Name (SPN) for the Configuration Manager site database server must be registered in Active Directory Domain Services for the SQL Server service account. The registered SPN lets SQL clients identify and authenticate the service by using Kerberos authentication. When you configure SQL Server to use the local system account to run SQL Server services, the SPN is automatically created in Active Directory Domain Services. When a local domain user account is in use, you must manually register the SPN for the account. Without registering the SPN for the SQL Server service account, SQL clients and other site systems are not able to perform Kerberos authentication, and communication to the database might fail. Important Running the SQL Server service by using the local system account of the computer running SQL Server is not a SQL Server best practice. For the most secure operation of SQL Server site database servers, configure a low-rights domain user account to run the SQL Server service. For information about how to register the SPN when you use a domain user account, see How to Manage the SPN for SQL Server Site Database Servers in this documentation library.

About Modifying the Database Configuration

After you install a site, you can manage the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to manage the database configuration for a secondary site. For more information about modifying the site database configuration, see Modify the Site Database Configuration in this documentation library.

About Modifying the Database Server Alert Threshold

By default, Configuration Manager generates alerts when free disk space on a site database server is low. The defaults are set to generate a warning when there is 10 GB or less of free disk space, and a critical alert when there is 5 GB or less of free disk space. You can modify these values or disable alerts for each site. To change these settings: 1. In the Administration workspace, expand Site Configuration, and then click Sites. 2. Select the site that you want to configure and open that sites Properties. 3. In the sites Properties dialog box, select the Alert tab, and then edit the settings. 4. Click OK to close the site properties dialog box.

558

Planning for the SMS Provider in Configuration Manager

The SMS Provider is a Windows Management Instrumentation (WMI) provider that assigns read and write access to the Configuration Manager database at a site. The SMS Admins group provides access to the SMS Provider and Configuration Manager automatically creates this security group on the site server and on each SMS Provider computer. You must have at least one SMS Provider in each central administration site and primary site. These sites also support the installation of additional SMS Providers. Secondary sites do not install the SMS Provider. The Configuration Manager console, Resource Explorer, tools, and custom scripts use the SMS Provider so that Configuration Manager administrative users can access information that is stored in the database. The SMS Provider does not interact with Configuration Manager clients. When a Configuration Manager console connects to a site, the Configuration Manager console queries WMI on the site server to locate an instance of the SMS Provider to use. The SMS Provider helps enforce Configuration Manager security. It returns only the information that the administrative user who is running the Configuration Manager console is authorized to view. Important When each computer that holds an SMS Provider for a site is offline, Configuration Manager consoles cannot connect to that sites database. Use the following sections in this topic to plan for the SMS Provider. For information about how to manage the SMS Provider, see Manage the SMS Provider Configuration for a Site.

SMS Provider Prerequisites

Before you install the SMS Provider on a computer, ensure that the computer meets the following prerequisites: The computer must be in a domain that has a two-way trust with the site server and the site database site systems. The computer cannot have a site system role from a different site. The computer cannot have an SMS Provider from any site. The computer must run an operating system that is supported for a site server. The computer must have at least 650 MB of free disk space to support the Windows Automated Installation Kit (Windows AIK) components that are installed with the SMS Provider. For more information about Windows AIK and the SMS Provider, see the Operating System Deployment Requirements for the SMS Provider section in this topic. Note Beginning with Configuration Manager SP1, the Windows ADK replaces the Windows AIK. For more information, see Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.
559

About SMS Provider Locations

When you install a site, the installation automatically installs the first SMS Provider for the site. You can specify any of the following supported locations for the SMS Provider: The site server computer The site database computer A server-class computer that does not hold an SMS Provider, or a site system role from a different site

Each SMS Provider supports simultaneous connections from multiple requests. The only limitations on these connections are the number of server connections that are available on the SMS Provider computer, and the available resources on the SMS Provider computer to service the connection requests. After a site is installed, you can run Setup on the site server again to change the location of an existing SMS Provider, or to install additional SMS Providers at that site. You can install only one SMS Provider on a computer, and a computer cannot install an SMS Provider from more than one site. Use the following table to identify the advantages and disadvantages of installing an SMS Provider on each supported location.
Location Advantages Disadvantages

Configuration Manager site server

The SMS Provider does not use the system resources of the site database computer. This location can provide better performance than an SMS Provider located on a computer other than the site server or site database computer. The SMS Provider does not use site system resources on the site server. This location can provide the best performance of the three locations, if sufficient server resources are available.

The SMS Provider uses system and network resources that could be dedicated to site server operations.

SQL Server that is hosting the site database

The SMS Provider uses system and network resources that could be dedicated to site database operations. This location is not an option when the site database is hosted on a clustered instance of SQL Server. The SMS Provider performance might be
560

Computer other than the site server or site database

SMS Provider does not use site server or site database

Location

Advantages

Disadvantages

computer

computer resources. This type of location lets you deploy additional SMS Providers to provide high availability for connections.

reduced due to the additional network traffic that is required to coordinate with the site server and the site database computer. This server must be always accessible to the site database computer and all computers with the Configuration Manager console installed. This location can use system resources that would otherwise be dedicated to other services.

To view the locations of each SMS Provider that is installed at a site, view the General tab of the site Properties dialog box.

About SMS Provider Languages

The SMS Provider operates independently of the display language of the computer where it is installed. When an administrative user or Configuration Manager process requests data by using the SMS Provider, the SMS Provider attempts to return that data in a format that matches the operating system language of the requesting computer. The SMS Provider does not translate information from one language to another. Instead, when data is returned for display in the Configuration Manager console, the display language of the data depends on the source of the object and type of storage. When data for an object is stored in the database, the languages that will be available depend on the following: Objects that Configuration Manager creates are stored in the database by using support for multiple languages. The object is stored by using the languages that are configured at the site where the object is created when you run Setup. These objects are displayed in the Configuration Manager console in the display language of the requesting computer, when that language is available for the object. If the object cannot be displayed in the display language of the requesting computer, it is displayed in the default language, which is English. Objects that an administrative user creates are stored in the database by using the language that was used to create the object. These objects display in the Configuration Manager

561

console in this same language. They cannot be translated by the SMS Provider and do not have multiple language options.

About Multiple SMS Providers

After a site completes installation, you can install additional SMS Providers for the site. To install additional SMS Providers, run Configuration Manager Setup on the site server. Consider installing additional SMS Providers when any of the following is true: You will have a large number of administrative users that run a Configuration Manager console and connect to a site at the same time. You will use the Configuration Manager SDK, or other products, that might introduce frequent calls to the SMS Provider. You want to ensure high availability for the SMS Provider.

When multiple SMS Providers are installed at a site and a connection request is made, the site non-deterministically assigns each new connection request to use an installed SMS Provider. You cannot specify the SMS Provider location to use with a specific connection session. Note Consider the advantages and disadvantages of each SMS Provider location and balance these considerations with the information that you cannot control which SMS Provider will be used for each new connection. For example, when you first connect a Configuration Manager console to a site, the connection queries WMI on the site server to non-deterministically identify an instance of the SMS Provider that the console will use. This specific instance of the SMS Provider remains in use by the Configuration Manager console until the Configuration Manager console session ends. If the session ends because the SMS Provider computer becomes unavailable on the network, when you reconnect the Configuration Manager console the site will non-deterministically assign an SMS Provider computer to the new connection session. It is possible to be assigned to same SMS Provider computer that is not available. If this occurs, you can attempt to reconnect the Configuration Manager console until an available SMS Provider computer is assigned.

About the SMS Admins Group

You use the SMS Admins group to provide administrative users access to the SMS Provider. The group is automatically created on the site server when the site installs, and on each computer that installs an SMS Provider. Additional information about the SMS Admins group: When the computer is a member server, the SMS Admins group is created as a local group. When the computer is a domain controller, the SMS Admins group is created as a domain local group. When the SMS Provider is uninstalled from a computer, the SMS Admins group is not removed from the computer.

Before a user can make a successful connection to an SMS Provider, their user account must be a member of the SMS Admins group. Each administrative user that you configure in the
562

Configuration Manager console is automatically added to the SMS Admins group on each site server and to each SMS Provider computer in the hierarchy. When you delete an administrative user from the Configuration Manager console, that user is removed from the SMS Admins group on each site server and on each SMS Provider computer in the hierarchy. After a user makes a successful connection to the SMS Provider, role-based administration determines what Configuration Manager resources that user can access or manage. You can view and configure SMS Admins group rights and permissions by using the WMI Control MMC snap-in. By default, Everyone has Execute Methods, Provider Write, and Enable Account permissions. After a user connects to the SMS Provider, that user is granted access to data in the site database based on their role-based administrative security rights as defined in the Configuration Manager console. The SMS Admins group is explicitly granted Enable Account and Remote Enable on the Root\SMS namespace. Note Each administrative user who uses a remote Configuration Manager console requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. Although you can grant these rights to any user or group, as best practice, grant them to the SMS Admins group to simplify administration. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.

About the SMS Provider Namespace

The structure of the SMS Provider is defined by the WMI schema. Schema namespaces describe the location of Configuration Manager data within the SMS Provider schema. The following table contains some of the common namespaces that are used by the SMS Provider.
Namespace Description

Root\SMS\site_<site code>

The SMS Provider, which is extensively used by the Configuration Manager console, Resource Explorer, Configuration Manager tools, and scripts. Provides the location of the SMS Provider computers for a site. Location inventoried for WMI namespace information during hardware and software inventory. Configuration Manager client configuration policies and client data. Location of inventory reporting classes that are collected by the inventory client agent. These
563

Root\SMS\SMS_ProviderLocation Root\CIMv2

Root\CCM root\CIMv2\SMS

Namespace

Description

settings are compiled by clients during computer policy evaluation and are based on the client settings configuration for the computer.

Operating System Deployment Requirements for the SMS Provider

The SMS Provider requires the following external dependency be installed on the computer that runs the SMS Provider to enable you to use operating system deployment task functions by using the Configuration Manager console: For Configuration Manager with no service pack: Automated Installation Kit (Windows AIK) For Configuration Manager SP1: Windows Assessment and Deployment Kit 8.0 (Windows ADK) For System Center 2012 R2 Configuration Manager: Windows Assessment and Deployment Kit 8.1

For Configuration Manager with no service pack, the Windows AIK installs as a component of the SMS Provider. Beginning with Configuration Manager with SP1, you must manually install the Windows ADK on a computer before you can install the SMS Provider. When you manage operating system deployments, the Windows AIK or Windows ADK allows the SMS Provider to complete various tasks, which include the following: View WIM file details Add driver files to existing boot images Create boot .ISO files

The Windows AIK or Windows ADK installation can require up to 650 MB of free disk space on each computer that installs the SMS Provider. This high disk space requirement is necessary for Configuration Manager to install the Windows PE boot images. Note Beginning with Configuration Manager SP1, the Windows ADK replaces the Windows AIK. For more information, see Prerequisites For Deploying Operating Systems in Configuration Manager topic in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Planning for Custom Websites with Configuration Manager

Configuration Manager site system roles that require Microsoft Internet Information Services (IIS) also require a website to host the site system services. By default, site systems use the IIS
564

website named Default Web Site on a site system server. However, you can use a custom website that has the name of SMSWEB. This option might be appropriate if you must run other web applications on the same server and their settings are either incompatible with Configuration Manager, or you want the additional resilience of using a separate website. In this scenario, these other applications continue to use the default IIS website, and Configuration Manager operations use the custom website. Important When you run other applications on a Configuration Manager site system, you increase the attack surface on that site system. As a security best practice, dedicate a server for the Configuration Manager site systems that require IIS. You can use custom websites on all primary sites. When you use a custom website at a site, all client communications within the site are directed to use the custom website named SMSWEB on each site system instead of the default website on IIS. Additionally, site system roles that use IIS but do not accept client connections, such as the reporting services point, also use the SMSWEB website instead of the default website. For more information about which site systems require IIS, see Supported Configurations for Configuration Manager. Before you configure a Configuration Manager site to use a custom website, you must manually create the custom website in IIS on each site system server that requires Internet Information Services (IIS) at that site. Because secondary sites are automatically configured to use a custom website when you enable this option on the parent site, you must also create a custom website in IIS on each secondary site system server that requires IIS. If you enable custom websites for one site, consider using custom websites for all sites in your hierarchy to ensure that clients can successfully roam within the hierarchy. Note When you select or clear the check box to use a custom website for a site, the following site system roles that are installed on each site system server in the site are automatically uninstall and reinstalled: Management point Distribution point Software update point Fallback status point State migration point

Site System Roles That Can Use Custom Websites

The following Configuration Manager site system roles require IIS and use the default or custom website on the site system server: Application Catalog web service point Application Catalog website point Distribution point
565

Enrollment point Enrollment proxy point Fallback status point Management point Software update point State migration point

Custom Website Ports

When you create a custom website, you must assign port numbers to the custom website that differ from the port numbers that the default website uses. The default website and the custom website cannot run at the same time if both sites are configured to use the same TCP/IP ports. After the site system roles are reinstalled, verify that the TCP/IP ports configured in IIS for the custom website match the client request ports for the site. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.

Switching Between Default Websites and Custom Websites

Although you can select or clear the check box to use a custom website at any time, if possible, configure this option as soon as the site is installed to minimize any disruptions to service continuity. When you make this site configuration change, plan for the site system roles that are automatically uninstalled and reinstalled with the new website and port configuration. You must also plan to manually uninstall and reinstall any site system roles that are not automatically reinstalled to use the new website and port configuration. When you change from using the default website to use a custom website, Configuration Manager does not automatically remove the old virtual directories. If you want to remove the files that Configuration Manager used, you must manually delete the virtual directories that were created under the default website. If you change the site option to use a custom website, clients that are assigned to the site must be configured to use the client request port that matches the new website port. For information about how to configure ports for client communication, see How to Configure Client Communication Port Numbers in Configuration Manager.

How to Create the Custom Website in Internet Information Services (IIS)

To use a custom website for a site, you must perform the following actions before you enable the option to use a custom website in Configuration Manager: Create the custom web site in IIS for each site system server that requires IIS in the primary site and any child secondary sites. Name the custom website SMSWEB.
566

Configure the custom website to respond to the same port that you configure for Configuration Manager client communication. Important When you change from using the default website and use a custom website, Configuration Manager adds the client request ports that are configured on the default website to the custom website. Configuration Manager does not remove these ports from the default website, and the ports are listed for both the default and custom website. IIS cannot start both websites when they are configured to operate on the same TCP/IP ports, and clients cannot contact the management point.

Use the information in the following procedures to help you configure the custom websites in IIS. Note The following procedures are for Internet Information Services (IIS) 7.0 on Windows Server 2008 R2. If you cannot use these procedures because your server has a different operating system version, refer to the IIS documentation for your operating system version. To create a custom website in Internet Information Services (IIS) 1. On the computer that runs the Configuration Manager site system, click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In the Internet Information Services (IIS) Manager console, in the Connections pane, right-click the Sites node to select Add Web Site. 3. In the Add Web Site dialog box, enter SMSWEB in the Site name box. Important SMSWEB is the required name for Configuration Manager custom websites. 4. In the Physical path box, specify the physical path to use for the website folder. 5. Specify the protocol and custom port for this website. After you create the website, you can edit it to add additional website bindings for additional protocols. When you configure the HTTPS protocol, you must specify a SSL certificate before you can save the configuration.

6. Click OK to create the custom website. Remove the custom website ports from the default website in Internet Information Services (IIS) 1. In the Internet Information Services (IIS) Manager, edit the Bindings of the IIS website that has the duplicate ports (Default Web Site). Remove the ports that match the ports that are assigned to the custom website ( SMSWEB). 2. Start the website (SMSWEB). 3. Restart the SMS_SITE_COMPONENT_MANAGER service on the site server.
567

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Cloud Services in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Beginning with System Center 2012 Configuration Manager SP1, you can use cloud services to help you manage resources and to reduce the number of remote distribution points that you deploy in a hierarchy. Use the information in the following sections to help you plan for using a cloud-based infrastructure, such as site system roles by using Windows Azure.

About Cloud Services for Site System Roles

Beginning with Configuration Manager SP1, you can use a cloud service in Windows Azure to host the following site system roles: Distribution point - For information about how to use cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Site system roles that Windows Azure hosts are named site system cloud services. These cloud services are in contrast to site system servers, which refer to on-premises computers that you manage in your network environment. Before you can use a cloud service to host a site system role, you must have a subscription to Windows Azure, and configure Windows Azure to support the site system roles. To use Windows Azure for site system roles, you must obtain a management certificate that you upload to Windows Azure. The management certificate enables Configuration Manager to communicate with the cloud service. For additional requirements, see the planning topic that is specific to the site system role that you install as a cloud service. When you use a cloud service to host a site system role, you do not have to plan for the hardware that the site system role is installed on. The cloud service in Windows Azure replaces the hardware. For example, for a distribution point, you define the amount of storage that you want the distribution point to use, and specify when Configuration Manager generates alerts that are based on data transfer thresholds. You also specify the Windows Azure region that each cloudbased distribution point serves. For example, you might deploy one cloud-based distribution point to the North America region, and a second distribution point to Asia. Typically, the primary concern for a site system role that is installed as a cloud service is cost management for the Windows Azure account that hosts the cloud service. Therefore, plan to
568

monitor each cloud service that you use for ongoing costs that are associated with the storage of data in the cloud, and for data transfers from site system cloud services that you use with Configuration Manager. For more information, see Costs of Using a Cloud Service with Configuration Manager, and review the details for your Windows Azure subscription.

Costs of Using a Cloud Service with Configuration Manager

When you use a cloud service, plan for the cost of data storage and transfers that Configuration Manager clients perform. System Center 2012 Configuration Manager does not control charges for using a cloud service, nor does Configuration Manager add additional costs to access a cloud service. Instead, your Windows Azure account and subscription details, and the volume of data that you store and allow clients to download determine all costs. For more information about Windows Azure, see Windows Azure in the MSDN Library.

Security and Cloud Services with Configuration Manager

Configuration Manager uses certificates to provision and access your content in Windows Azure, and to manage the services that you use. Configuration Manager encrypts the data that you store in Windows Azure, but does not introduce additional security or data controls beyond those that Windows Azure provides. For more information about Windows Azure security, see the documentation for Windows Azure. The following topics on the TechNet website can help you understand security in Windows Azure: Windows Azure: Understanding Security Account Management in Windows Azure Windows Azure Security Overview Get Past the Security Crossroads in Your Cloud Migration Data Security in Azure Part 1 of 2

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Configuration Manager uses distribution points to store files that are required for software to run on client computers. These distribution points function as distribution centers for
569

the content files and let users download and run the software. Clients must have access to at least one distribution point from which they can download the files. Use the following sections in this topic to help you plan how to manage content in your Configuration Manager hierarchy: Plan for Distribution Points Distribution Point Configurations Planning for Preferred Distribution Points and Fallback Content Source Location Network Connection Speed to the Content Source Location On-Demand Content Distribution Content Source Location Scenarios

Planning for BranchCache Support Network Bandwidth Considerations for Distribution Points Planning for Scheduling and Throttling Determine Whether To Prestage Content

Planning for Pull-Distribution Points Planning for Cloud-Based Distribution Points Prerequisites for Cloud-Based Distribution Points Plan for the Cost of Using Cloud-Based Distribution About Subscriptions and Certificates for Cloud-Based Distribution Points Site Server to Cloud-Based Distribution Point Communication Client to Cloud-Based Distribution Point Communication

Determine the Distribution Point Infrastructure

Plan for Distribution Point Groups Plan for Distribution Point Priority Plan for Content Libraries Plan for Binary Differential Replication About the Package Transfer Manager Note For information about the dependencies and supported configurations for content management, see Prerequisites for Content Management in Configuration Manager.

Plan for Distribution Points

When you plan for distribution points in your hierarchy, determine what distribution point attributes you must have in your environment, how to distribute the network and system load on the distribution point, and how to determine the distribution point infrastructure.

570

Distribution Point Configurations

Distribution points can have a number of different configurations. The following table describes the possible configurations.
Distribution point configuration Descriptions

Preferred distribution point

You assign boundary groups to distribution points. The distribution points are preferred for clients that are within the boundary group for the distribution point. The client uses preferred distribution points as the source location for content. When the content is not available on a preferred distribution point, the client uses another distribution point for the content source location. You can configure a distribution point to let clients that are not in the boundary group use it as a fallback location for content. Enable the PXE option on a distribution point to enable operating system deployment for Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests that Configuration Manager clients on the network make and must then interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take. Important You can enable PXE only on a server that has Windows Deployment Services installed. When you enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed.

PXE

Multicast

Enable the Multicast option on a distribution point to use multicast when you distribute operating systems. Important You can enable multicast only on a server that has Windows Deployment Services installed. When you enable
571

Distribution point configuration

Descriptions

multicast, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed. Pull For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Enable the pull-distribution point option on a distribution point to change the behavior of how that computer obtains the content that you distribute to the distribution point. When you configure a distribution point to be a pulldistribution point, you must specify one or more source distribution points from which the pulldistribution point obtains the content. Important Although a pull-distribution point supports communications over HTTP and HTTPS, when you use the Configuration Manager console, you can only specify source distribution points that are configured for HTTP. You can use the Configuration Manager SDK to specify a source distribution point that is configured for HTTPS. Support for mobile devices You must configure the distribution point to accept HTTPS communications to support mobile devices. You must configure the distribution point to accept HTTPS communications to support Internet-based clients. Although there are no configuration requirements for the distribution point to enable streaming of virtual applications to clients, there are application management prerequisites that you must fulfill. For more information, see Prerequisites for Application Management in
572

Support for Internet-based clients

Application Virtualization

Distribution point configuration

Descriptions

Configuration Manager.

Planning for Preferred Distribution Points and Fallback

When you create a distribution point, you have the option to assign boundary groups to the distribution point. The distribution points are preferred for clients that are in a boundary group that is assigned to the distribution point.

Content Source Location

When you deploy software to a client, the client sends a content request to a management point, the management point sends a list of the preferred distribution points to the client, and the client uses one of the preferred distribution points on the list as the source location for content. When the content is not available on a preferred distribution point, the management point sends a list to the client with distribution points that have the content available. The client uses one of the distribution points for the content source location. In the distribution point properties and in the properties for a deployment type or package, you can configure whether to enable clients to use a fallback source location for content. When a preferred distribution point does not have the content and the fallback settings are not enabled, the client fails to download the content, and the software deployment fails.

Network Connection Speed to the Content Source Location

You can configure the network connection speed of each distribution point in an assigned boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. When the client uses a distribution point that is not preferred, the connection to the distribution point is automatically considered as slow. The network connection speed helps determine whether a client can download content from a distribution point. You can configure the deployment behavior for each network connection speed in the deployment properties for the specific software that you deploy. You can choose to never install software when the network connection is considered slow download and install the software, and so on.

On-Demand Content Distribution

You can select the Distribute the content for this package to preferred distribution points property for an application or package to enable on-demand content distribution to preferred distribution points. The enabled management point creates a trigger for the Distribution Manager to distribute the content to all preferred distribution points in the list when a client requests the content for the package and the content is not available on any preferred distribution points. Depending on the scenario, the client might wait for the content to be available on a preferred

573

distribution point, or it might download the content from a distribution point that is configured to enable a fallback location for content source.

Content Source Location Scenarios

When you deploy software to clients, the content source location that the client uses depends on the following settings: Allow fallback source location for content: This distribution point property enables clients to fall back and use the distribution point as the source location for content when the content is not available on a preferred distribution point. Deployment properties for network connection speed: The deployment properties for network speed are configured as a property for deployed objects, such as application deployment types, software updates, and task sequence deployments. Different deployment objects have different settings, but the properties can configure whether to download and install the software content when the network connection speed is configured as slow. Distribute the content for this package to preferred distribution points : When you select this application deployment type or package property, you enable on-demand content distribution to preferred distribution points.

The following table provides scenarios for different content location and fallback scenarios.
Scenario Scenario 1 Scenario 2 Scenario 3

Fallback configuration and deployment behavior for slow network:

Allow Fallback Not enabled.

Allow Fallback Enabled.

Deployment Fallback option Enabled. Deployment behavior for slow network Download and install content. The client sends a content request to the management point. The client includes a flag with the request to indicate that fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution
574

Deployment behavior Deployment for slow network behavior for slow network Any configuration. Do not download content.

Distribution points are online and meet the following criteria: Content is available on a preferred distribution point. Content is available on a fallback distribution point. The package configuration for

The client sends a content request to the management point.

A content location list is returned to the client from the management point with the preferred distribution points that A content location list is returned to the client contain the content. from the management point with the The client downloads preferred distribution

The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed.

Scenario

Scenario 1

Scenario 2

Scenario 3

on-demand package distribution is not relevant in this scenario.

the content from a preferred distribution point on the list.

points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list. The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are enabled. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client uses a fallback distribution point is set to Download and install the content.
575

Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is not configured for on-demand package distribution.

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a A content location list is returned to the client flag with the request from the management that indicates fallback point with the preferred distribution points are distribution points that allowed. have the content. A content location list There are no preferred is returned to the client distribution points in from the management the list. point with the The client fails with the preferred distribution points and fallback message Content is distribution points that not available and have the content. goes into retry mode. A new content request There are no preferred distribution points that is started every hour. have the content, but at least one fallback distribution point has the content. The content is not downloaded because the deployment property for when the client uses a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode.

Scenario

Scenario 1

Scenario 2

Scenario 3

The client makes a new content request every hour. Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is configured for ondemand package distribution. The client sends a content request to the management point. The client sends a content request to the management point. The client includes a A content location list is returned to the client flag with the request from the management that indicates fallback point with the preferred distribution points are distribution points that allowed. have the content. A content location list There are no preferred is returned to the client distribution points that from the management have the content. point with the The client fails with the preferred distribution points and fallback message Content is distribution points that not available and have the content. goes into retry mode. A new content request There are no preferred distribution points that is made every hour. have the content, but The management at least one fallback point creates a trigger distribution point that for Distribution has the content. Manager to distribute The content is not the content to all downloaded because preferred distribution the deployment points for the client that made the content property for when the client uses a fallback request. distribution point is set Distribution Manager to Do not download. distributes the content The client fails with the to all preferred message Content is distribution points. not available and A content request is goes into retry mode. initiated by the client to The client makes a the management point new content request every hour. every hour. A content location list The management is returned to the client The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client uses a fallback distribution point is set to Download and install the content. The management point creates a trigger for Distribution Manager to distribute
576

Scenario

Scenario 1

Scenario 2

Scenario 3

from the management point with the preferred distribution points that have the content. In most cases, the content is distributed to the preferred distribution points within the hour. The client downloads the content from a preferred distribution point on the list.

point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points. A content request is initiated by the client to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content. Typically, the content is distributed to the preferred distribution points within the hour. The client downloads the content from a preferred distribution point on the list.

the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

Planning for BranchCache Support

Windows BranchCache has been integrated in Configuration Manager. You can configure the BranchCache settings on software deployments. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and
577

caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. For more information about BranchCache support in Configuration Manager, see the BranchCache Feature Support section in the Supported Configurations for Configuration Manager topic.

Network Bandwidth Considerations for Distribution Points

To help you plan for the distribution point infrastructure in your hierarchy, consider the network bandwidth that is used for the content management process and ways to reduce the network bandwidth that is used. When you create a package, change the source path for the content or update content on the distribution point, the files are copied from the source path to the content library on the site server. Then, the content is copied from the content library on the site server to the content library on the distribution points. When content source files are updated, and the source files have already been distributed, Configuration Manager retrieves only the new or updated files, and then sends them to the distribution point. Scheduling and throttling controls can be configured for siteto-site communication and for communication between a site server and a remote distribution point. When network bandwidth between the site server and remote distribution point is limited even after you configure the schedule and throttling settings, you might consider prestaging the content on the distribution point.

Planning for Scheduling and Throttling

In Configuration Manager, you can configure a schedule and set specific throttling settings on remote distribution points that determine when and how content distribution is performed. Each remote distribution point can have different configurations that help address network bandwidth limitations from the site server to the remote distribution point. The controls for scheduling and throttling to the remote distribution point are similar to the settings for a standard sender address, but in this case, the settings are used by a new component called Package Transfer Manager. Package Transfer Manager distributes content from a site server, as a primary site or secondary site, to a distribution point that is installed on a site system. The throttling settings are configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule tab for a distribution point that is not on a site server. Warning The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on a site server. For more information about configuring scheduling and throttling settings for a remote distribution point, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

578

Determine Whether To Prestage Content

Consider prestaging content for applications and packages in the following scenarios: Limited network bandwidth from the site server to distribution point: When scheduling and throttling do not satisfy your concerns about distributing content over the network to a remote distribution point, consider prestaging the content on the distribution point. Each distribution point has the Enable this distribution point for prestaged content setting that you can configure in the distribution point properties. When you enable this option, the distribution point is identified as a prestaged distribution point, and you can choose how to manage the content on a per-package basis. The following settings are available in the properties for an application, package, driver package, boot image, operating system installer, and image, and let you configure how content distribution is managed on remote distribution points that are identified as prestaged: Automatically download content when packages are assigned to distribution points: Use this option when you have smaller packages where the scheduling and throttling settings provide enough control for content distribution. Download only content changes to the distribution point : Use this option when you have an initial package that is possibly large, but you expect future updates to the content in the package to be generally smaller. For example, you might prestage Microsoft Office 2010 because the initial package size is over 700 MB and is too large to send over the network. However, content updates to this package might be less than 10 MB and are acceptable to distribute over the network. Another example might be driver packages where the initial package size is large, but incremental driver additions to the package might be small. Manually copy the content in this package to the distribution point : Use this option for when you have large packages, with content such as an operating system, and you never want to use the network to distribute the content to the distribution point. When you select this option, you must prestage the content on the distribution point. Warning The preceding options are applicable on a per-package basis and are only used when a distribution point is identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings. In this case, content always is distributed over the network from the site server to the distribution points. Restore the content library on a site server: When a site server fails, information about packages and applications that is contained in the content library is restored to the site database as part of the restore process, but the content library files are not restored as part of the process. If you do not have a file system backup to restore the content library, you can create a prestaged content file from another site that contains the packages and applications that you have to have, and then extract the prestaged content file on the recovered site server. For more information about site server backup and recovery, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic.

For more information about prestaging content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.
579

Planning for Pull-Distribution Points

Beginning with Configuration Manager SP1, you can configure a distribution point that is not on a site server to be a pull-distribution point. When you deploy content to a large number of distribution points at a site, pull-distribution points can help reduce the processing load on the site server and can help to speed the transfer of the content to each distribution point. This efficiency is achieved by offloading the process of transferring the content to each distribution point from the distribution manager process on the site server. Instead, each pull-distribution point individually manages the transfer of content by downloading content from another distribution point that already has a copy of the content. A pull-distribution point can only obtain content from a distribution point that is specified as a source distribution point. Pull-distribution points support the same configurations and functionality as typical Configuration Manager distribution points. For example, a distribution point that is configured as a pulldistribution point supports the use of multicast and PXE configurations, content validation, and on-demand content distribution. A pull-distribution point supports HTTP or HTTPS communications from clients, supports the same certificates options as other distribution points, and can be managed individually or as a member of a distribution point group. However, the following configurations are exceptions to support for the pull-distribution point: A cloud-based distribution point cannot be configured as a pull-distribution point. Similarly, a cloud-based distribution point cannot be used as a source distribution point. A distribution point on a site server cannot be configured as a pull-distribution point. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content waits for the content. It does not pull content from source distribution point, and, like a standard distribution point that has the prestage content configuration, does not receive content from the site server. A distribution point that is configured as a pull-distribution point does not use configurations for rate limits when it transfers content. If you configure a previously installed distribution point to be a pull-distribution point, configurations for rate limits are saved, but not used. If, at a later time, you remove the pull-distribution point configuration, the rate limit configurations are implemented as previously configured. Note When a distribution point is configured as a pull-distribution point, the Rate Limits tab is not visible in the properties of the distribution point. For more information, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic. A distribution point that is configured as a pull-distribution point does not use the Retry settings for content distribution. Retry Settings can be configured as part of the Software Distribution Component Properties for each site. To view or configure these properties, in the Administration workspace of the Configuration Manager console, expand Site Configuration, and then select Sites. Next, in the results pane, select a site, and then on the Home tab, select Configure Site Components, and then select Software Distribution. The following sequence of events occurs when you distribute software to a pull-distribution point:
580

As soon as content is distributed to a pull-distribution point, the Package Transfer Manager on the site server checks the site database to confirm if the content is available on a source distribution point. If it cannot confirm that the content is on a source distribution point for the pull-distribution point, it repeats the check every 20 minutes until the content is available. When the Package Transfer Manager confirms that the content is available, it notifies the pull-distribution point to download the content. When the pull-distribution point receives this notification, it attempts to download the content from its source distribution points. After the pull-distribution point completes the download of content, it submits this status to a management point. However, if after 60 minutes, this status is not received, the Package Transfer Manager wakes up and checks with the pull-distribution point to confirm if the pull-distribution point has downloaded the content. If the content download is in progress, the Package Transfer Manager sleeps for 60 minutes before it checks with the pull-distribution point again. This cycle continues until the pull-distribution point completes the content transfer.

To transfer content from a source distribution point in a remote forest, the computer that hosts the pull-distribution point must have a Configuration Manager client installed. A Network Access Account that can access the source distribution point must be configured for use.

You can configure a pull-distribution point when you install the distribution point or after it is installed by editing the properties of the distribution point site system role. A distribution point that you configure as a pull-distribution point can transfer content to clients by HTTP or HTTPS. When you configure the pull-distribution point, you must specify one or more source distribution points. Only distribution points that qualify to be source distribution points are displayed. Only distribution points that support HTTP can be specified as a source distribution points when you use the Configuration Manager console. However, you can use the Configuration Manager SDK to specify a source distribution point that is configured for HTTPS. To use a source distribution point that is configured for HTTPS, the pull-distribution point must be co-located on a computer that runs the Configuration Manager client. A pull-distribution point can be specified as a source distribution point for another pull-distribution point. When you distribute content to the pull-distribution point, the Package Transfer Manager notifies the distribution point about the content but does not transfer the content to the distribution point computer. Instead, after the pull-distribution point is notified, the pull-distribution point attempts to download the content from the first source distribution point on its list of source distribution points. If the content is not available, the pull-distribution point attempts to download the content from the next distribution point on the list, continuing until either the content is successfully downloaded or the content is not accessed from any source distribution point. If the content cannot be downloaded from any source distribution point, the pull-distribution point sleeps for 30 minutes and then begins the process again. Beginning with System Center 2012 R2 Configuration Manager, you can configure each source distribution point on the list with a priority. You can assign a separate priority to each source distribution point, or assign multiple source distribution points to the same priority. The priority determines in which order the pull-distribution point requests content from its source distribution
581

points. Pull-distribution points initially contact a source distribution point with the lowest value for priority. If there are multiple source distribution points with the same priority, the pull-distribution point nondeterministically selects one of the source distribution points that share that priority. If the content is not available, the pull-distribution point then attempts to download the content from another distribution point with that same priority. If none of the distribution points with a given priority has the content, the pull-distribution point attempts to download the content from a distribution point that has an assigned priority with the next larger value, until the content is either located or the pull-distribution point sleeps for 30 minutes before it begins the process again. To manage the transfer of content, pull-distribution points use the CCMFramework component of the Configuration Manager client software. This framework is installed by the Pulldp.msi when you configure the distribution point to be a pull-distribution point and does not require that the Configuration Manager client be installed. After the pull-distribution point is installed, the CCMExec service on the distribution point computer must be operational for the pull-distribution point to function. When the pull-distribution point transfers content, it transfers content by using Background Intelligent Transfer Service (BITS) and logs its operation in the datatransferservice.log and the pulldp.log on the distribution point computer. Note On a computer that is configured as a pull-distribution point and that runs a Configuration Manager client, the version of the Configuration Manager client must be the same as the Configuration Manager site that installs the pull-distribution point. This is a requirement for the pull-distribution point to use the CCMFramework that is common to both the pulldistribution point and the Configuration Manager client. Tip When a pull-distribution point downloads content from a source distribution point, that pull-distribution point is counted as a client in the Client Accessed (Unique) column of the Distribution point usage summary report. This report first appears in System Center 2012 R2 Configuration Manager. By default, a pull-distribution point uses its computer account to transfer content from a source distribution point. However, when the pull-distribution point transfers content from a source distribution point that is in a remote forest, the pull-distribution point always uses the Network Access Account. This process requires that the computer has the Configuration Manager client installed and that a Network Access Account is configured for use and has access to the source distribution point. For information about the Network Access Account, see the "Network Access Account" section in the Technical Reference for Accounts Used in Configuration Manager topic. For information about configuring the Network Access Account, see Configure the Network Access Account in the Configuring Content Management in Configuration Manager topic. You can remove the configuration to be a pull-distribution point by editing the properties of the distribution point. When you remove the pull-distribution point configuration, the distribution point returns to normal operation, and the site server manages future content transfers to the distribution point.

582

Note Beginning with System Center 2012 R2 Configuration Manager, the Configuration Manager console displays information that identifies a pull-distribution point. With System Center 2012 Configuration Manager SP1, you must review the properties of the distribution point to identify if it is configured as a pull-distribution point.

Planning for Cloud-Based Distribution Points

Beginning with Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. When you use a cloud-based distribution, you configure client settings to enable users and devices to access the content, and specify a primary site to manage the transfer of content to the distribution point. Additionally, you specify thresholds for the amount of content that you want to store on the distribution point and the amount of content that you want to enable clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content that you have stored on the distribution point is near the specified storage amount, or when transfers of data by clients are close to the thresholds that you defined. Cloud-based distribution points support the following features that are also supported with onpremises distribution points: You manage cloud-based distribution points individually, or as members of distribution point groups. You can use a cloud-based distribution point for fallback content location. You receive support for both intranet and Internet-based clients. Content that is sent to the cloud-based distribution point is encrypted by Configuration Manager before Configuration Manager sends it to Windows Azure. In Windows Azure, you can manually scale the cloud service to meet changing demands for content request by clients, without the requirement to install and provision additional distribution points. The cloud-based distribution point supports the download of content by clients that are configured for Windows BranchCache. You cannot use a cloud-based distribution point to host software update packages. You cannot use a cloud-based distribution point for PXE or multi-cast enabled deployments. Clients are not offered a cloud-based distribution point as a content location for a task sequence that is deployed by using the deployment option Download content locally when needed by running task sequence. However, task sequences that are deployed by using the deployment option of Download all content locally before starting task sequence can use a cloud-based distribution point as a valid content location. A cloud-based distribution point does not support packages that run from the distribution point. All content must be downloaded by the client, and then run locally.
583

A cloud-based distribution point provides the following additional benefits:

A cloud-based distribution point has the following limitations:

A cloud-based distribution point does not support streaming applications by using Application Virtualization or similar programs. A cloud-based distribution point does not support prestaged content. The Distribution Manager of the primary site that manages the distribution point transfers all content to the distribution point. A cloud-based distribution point cannot be configured as pull-distribution points.

Prerequisites for Cloud-Based Distribution Points

A cloud-based distribution point requires the following prerequisites for its use: A subscription to Windows Azure. A self-signed or PKI management certificate for communication from a Configuration Manager primary site server to the cloud service in Windows Azure. A service certificate (PKI) that Configuration Manager clients use to connect to cloud-based distribution points and download content from them by using HTTPS. A device or user must receive the client setting for Cloud Services of Allow access to cloud distribution points set to Yes, before a device or user can access content from a cloud-based distribution point. By default, this value is set to No. A client must be able to resolve the name of the cloud service, which requires a Domain Name System (DNS) alias, CNAME record, in your DNS namespace. A client must be able to access the Internet to use the cloud-based distribution point.

Plan for the Cost of Using Cloud-Based Distribution

To help control costs that are associated with data transfers to and from a cloud-based distribution point, Configuration Manager includes options to control and monitor data access. You can control and monitor the amount of content that you store in a cloud service, and you can configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. Use these alerts to proactively manage data charges when you use a cloud-based distribution point. For more information, see the section Controlling the Cost of Cloud-Based Distribution Points in the topic Manage Cloud Services for Configuration Manager.

About Subscriptions and Certificates for Cloud-Based Distribution Points

Cloud-based distribution points require certificates to enable Configuration Manager to manage the cloud service that hosts the distribution point, and for clients to access content from the distribution point. The following table provides overview information about these certificates. For more detailed information, see PKI Certificate Requirements for Configuration Manager.
Certificate Details

Management certificate for site server to distribution point communication

The management certificate establishes trust between the Windows Azure management API
584

Certificate

Details

and Configuration Manager. This authentication enables Configuration Manager to call on the Windows Azure API when you perform tasks such as deploying content or starting and stopping the cloud service. By using Windows Azure, customers can create their own management certificates, which can be either a self-signed certificate or a certificate that is issued by a certification authority (CA): Provide the .cer file of the management certificate to Windows Azure when you configure Windows Azure for Configuration Manager. The .cer file contains the public key for the management certificate. You must upload this certificate to Windows Azure before you install a cloud-based distribution point. This certificate enables Configuration Manager to access the Windows Azure API. Provide the .pfx file of the management certificate to Configuration Manager when you install the cloud-based distribution point. The .pfx file contains the private key for the management certificate. Configuration Manager stores this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into the Configuration Manager database.

If you create a self-signed certificate, you must first export the certificate as a .cer file, and then export it again as a .pfx file. Optionally, you can specify a version 1 .publishsettings file from the Windows Azure SDK 1.7. For information about .publishsettings files, refer to the Windows Azure documentation. For more information, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform
585

Certificate

Details

section of the MSDN Library. Service certificate for client communication to the distribution point The Configuration Manager cloud-based distribution point service certificate establishes trust between the Configuration Manager clients and the cloud-based distribution point and secures the data that clients download from it by using Secure Socket Layer (SSL) over HTTPS. Important The common name in the certificate subject box of the service certificate must be unique in your domain and not match any domain-joined device. For an example deployment of this certificate, see the Deploying the Service Certificate for Cloud-Based Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Site Server to Cloud-Based Distribution Point Communication

When you install a cloud-based distribution point, you must assign one primary site to manage the transfer of content to the cloud service. This action is equivalent to installing the distribution point site system role on a specific site.

Client to Cloud-Based Distribution Point Communication

When a device or user of a device is configured with the client setting that enables the use of a cloud-based distribution point, the device can receive the cloud-based distribution point as a valid content location. A cloud-based distribution point is considered a remote distribution point when a client evaluates available content locations. Clients on the intranet only use cloud-based distribution points as a fallback option if on-premises distribution points are not available. Even though you install cloud-based distribution points in specific regions of Windows Azure, clients that use cloud-based distribution points are not aware of the Windows Azure regions, and non-deterministically select a cloud-based-distribution point. This means if you install cloud-based distribution points in multiple regions, and a client receives multiple cloud-based distribution points as content locations, the client might not use a cloud-based distribution point from the same Windows Azure region as the client.
586

Clients that can use cloud-based distribution points use the following sequence when they perform a content location request: 1. A client that is configured to use cloud-based distribution points always attempts to obtain content from a preferred distribution point first. For information about preferred distribution points, see the Preferred Distribution Points section in the Introduction to Content Management in Configuration Manager topic. 2. When a preferred distribution point is not available, the client uses a remote distribution point, if the deployment supports this option, and if a remote distribution point is available. 3. When a preferred distribution point or remote distribution point is not available, the client can then fall back to obtain the content from a cloud-based distribution point. Note Clients on the Internet that receive both an Internet-based distribution point and a cloud-based distribution point as content locations for a deployment, only attempt to retrieve content from the Internet-based distribution point. If the client on the Internet fails to retrieve content from the Internet-based distribution point, the client does not then attempt to access the cloud-based distribution point. When a client uses a cloud-based distribution point as a content location, the client authenticates itself to the cloud-based distribution point by using a Configuration Manager access token. If the client trusts the Configuration Manager cloud-based distribution point certificate, the client can then download the requested content.

Determine the Distribution Point Infrastructure

At least one distribution point is required at each site in the Configuration Manager hierarchy. By default, a primary site server is configured as a distribution point. However, assign this role to a remote site system and remove it from the site server if possible. This role assignment reduces the resource requirements and improves performance on the site server, and also assists in load balancing. The distribution point site system role is automatically configured on the secondary site server when it is installed. However, the distribution point site system role is not required at secondary sites. Clients connect to distribution points at the parent primary site if one is not available at the secondary site. As you configure your distribution points with assigned boundary groups, consider the physical location and network connection speed between the distribution point and site server Consider the following to help you determine the appropriate number of distribution points to install at a site: The number of clients that might access the distribution point The configuration of the distribution point, such as PXE and multicast The network bandwidth that is available between clients and distribution points The size of the content that clients retrieve from the distribution point The setting for BranchCache that when it is enabled, lets clients at remote locations obtain content from local clients
587

For more information about creating and configuring distribution points, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. If you add a distribution point to the distribution point group after an initial content distribution, the content automatically distributes to the new distribution point member. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group, to manage and monitor content from a central location for distribution points that span multiple sites. You can also add a collection to distribution point groups, which creates an association, and then distribute content to the collection. When you distribute content to a collection, the content is assigned to all distribution point groups that are associated with the collection. The content is then distributed to all distribution points that are members of those distribution point groups. There are no restrictions on the number of distribution point groups that can be associated with a collection or the number of collections that can be associated with a distribution point group. If you add a collection to a distribution point group, the distribution point group does not automatically receive content previously distributed to the associated collection. However, the distribution point group receives all new content that is distributed to the collection. Note After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. For more information about creating and configuring distribution point groups, see the Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Priority

Beginning with System Center 2012 R2 Configuration Manager, Configuration Manager determines a priority for each distribution point that is based on the time it took the last content deployment to that distribution point to transfer across the network. When you distribute content to multiple distributions points at the same time or to a distribution point group, Configuration Manager sends the content to the distribution point with the highest priority before it sends that same content to a distribution point with a lower priority. This process is self-tuning and helps Configuration Manager successfully distribute content to more distribution points in a shorter period of time than in previous versions. By default, all new distribution points share the same priority.
588

The priority of a distribution point does not replace a packages distribution priority. The distribution priority, which is high, medium, or low, remains the deciding factor in the sequence of when different distributions are transferred. For example, if you distribute content that has a high distribution priority to a distribution point that has a low distribution point priority, this high distribution priority package always transfers before a package that has a lower distribution priority. The distribution priority applies even if packages that have a lower distribution priority are distributed to distribution points that have higher distribution point priorities. The high distribution priority of the package ensures that Configuration Manager distributes that content to its applicable distribution points before any packages with a lower distribution priority are sent. The priority of distribution points is determined and managed by Configuration Manager automatically. There are no options in the Configuration Manager console to adjust or view this priority. However, you can use the Configuration Manager SDK to manually manage the priority of distribution points. Note Pull-distribution points use a concept of priority to order the sequence of their source distribution points. The distribution point priority for content transfers to the distribution point is distinct from the priority that pull-distribution points use when they search for content from a source distribution point. For more information about pull-distribution points, see Planning for Pull-Distribution Points in this topic.

Plan for Content Libraries

Configuration Manager creates a content library on each site server and on each distribution point. The content library stores all content files for software updates, applications, and operating system deployment. An exception to this process is on the central administration site. On the central administration site, the content library only stores content that is created at the central administration site, and content that you migrate from another site and assign to be managed by the central administration site. When you plan for content management, ensure there is enough free disk space for use by the content library on each distribution point that you deploy, and on each site server that manages content that you create or that you migrate from another Configuration Manager site. For information about the content library, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Important For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

589

Plan for Binary Differential Replication

System Center 2012 Configuration Manager uses binary differential replication, sometimes known as delta replication, to update the copy of applications and packages on remote sites and on distribution points. This process minimizes the network bandwidth that is used to send updates for distributed content by resending only the new or changed content instead of sending the entire set of content source files each time a change to those files is made. When binary differential replication is used, Configuration Manager identifies the changes that occur to source files for each set of content that has previously been distributed. When files in the source content change, Configuration Manager creates a new incremental version of the content set and replicates only the changed files to destination sites and distribution points. A file is considered to be changed if it renamed, moved, or the contents of the file change. For example, if you replace a single driver file for an operating system deployment package that you previously distributed to several sites, only the changed driver file is replicated to those destination sites. Configuration Manager supports up to five incremental versions of a content set before it resends the entire content set. After the fifth update, the next change to the content set causes Configuration Manager to create a new version of the content set. Configuration Manager then distributes the new version of the content set to replace the previous set and any of its incremental versions. After the new content set is distributed, subsequent incremental changes to the source files are again replicated by binary differential replication. Binary replication is supported between each parent and child site in a hierarchy. Within a site, binary replication is supported between the site server and its distribution points. Beginning with Configuration Manager Service Pack 1, this support includes pull-distribution points but does not include cloud-based distribution points. Cloud-based distribution points do not support binary differential replication to transfer content. Applications always use binary differential replication. For packages, binary differential replication is optional and is not enabled by default. To use binary differential replication for packages, you must enable this functionality for each package. To do so, select the option Enable binary differential replication when you create a new package or when you edit the Data Source tab of the package properties.

About the Package Transfer Manager

In a System Center 2012 Configuration Manager site, the Package Transfer Manager is a new component of the SMS_Executive that manages the transfer of content from a site server computer to remote distribution points in a site. When you distribute content to one or more remote distribution points at a site, Distribution Manager creates a content transfer job and then notifies the Package Transfer Manager on primary and secondary site servers to transfer the content to the remote distribution points. Note In previous versions of Configuration Manager, the Distribution Manager manages the transfer of content to a remote distribution point. Distribution Manager also manages the
590

transfer of content between sites. With System Center 2012 Configuration Manager, Distribution Manager continues to manage the transfer of content between two sites. However, the Package Transfer Manager allows Configuration Manager to offload from Distribution Manager the operations required to transfer content to large numbers of distribution points. Compared to previous product versions, this helps to increase the overall performance of content deployment both between sites and to distribution points within a site. To transfer content to a standard distribution point, Package Transfer Manager operates the same as the Distribution Manager operates in previous versions of Configuration Manager. That is, it actively manages the transfer of files to each remote distribution point. However, to distribute content to a pull-distribution point, the Package Transfer Manager notifies the pull-distribution point that content is available, and then hands the process of transferring that content over to the pull-distribution point. Use the following information to help you understand how Package Transfer Manager manages the transfer of content to standard distribution points and to distribution points configured as pulldistribution points:
Action Standard distribution point Pull-distribution point

Administrative user deploys content to one or more distribution points at a site Distribution Manager runs preliminary checks

Distribution Manager creates a content transfer job for that content. Distribution Manager runs a basic check to confirm that each distribution point is ready to receive the content. After this check, Distribution Manager notifies Package Transfer Manager to start the transfer of content to the distribution point.

Distribution Manager creates a content transfer job for that content. Distribution manager starts Package Transfer Manager, which then notifies the pulldistribution point that there is a new content transfer job for the distribution point. Distribution Manager does not check on the status of remote distribution points that are pull-distribution points because each pulldistribution point manages its own content transfers. For each pull-distribution point in the distribution, Package Transfer Manager checks the pull-distribution points source distribution points to confirm if the content is available: When the content is available on at least one
591

Package Transfer Manager prepares to transfer content

Package Transfer Manager examines the single instance content store of each specified remote distribution point, to identify any files that are already on that distribution point. Then, Package Transfer Manager queues up for transfer only

Action

Standard distribution point

Pull-distribution point

those files that are not already present. Note When you use the Redistribute action for content, Package Transfer Manager copies each file in the distribution to the distribution point, even if the files are already present in the single instance store of the distribution point.

source distribution point, Package Transfer Manager sends a notification to that pull-distribution point that directs that distribution point to begin the process of transferring content. The notification includes file names and sizes, attributes, and hash values. When the content is not yet available, Package Transfer Manager does not send a notification to the distribution point. Instead, it repeats the check every 20 minutes until the content is available. Then, when the content is available, Package Transfer Manager sends the notification to that pulldistribution point. Note When you use the Redistribute action for content, the pulldistribution point copies each file in the distribution to the distribution point, even if the files are already present in the single instance store of the pull-distribution point.

Content begins to transfer

Package Transfer Manager copies files to each remote distribution point. During the transfer to a standard distribution point: By default, Package Transfer Manager can simultaneously process

When a pull-distribution point receives a notification file, the distribution point begins the process to transfer the content. The transfer process runs independently on each pulldistribution point: The pull-distribution
592

Action

Standard distribution point

Pull-distribution point

three unique packages, and distribute them to five distribution points in parallel. These are called Concurrent distribution settings and are configured on the General tab of the Software Distribution Component Properties for each site. Package Transfer Manager uses the scheduling and network bandwidth configurations of each distribution point when transferring content to that distribution point. You configure these settings on the Schedule and Rate Limits tabs in the Properties of each remote distribution point. For more information, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

identifies the files in the content distribution that it does not already have in its single instance store, and prepares to download that content from one of its source distribution points. Next, the pull-distribution point checks with each of its source distribution points, in order, until it locates a source distribution point that has the content available. When the pull-distribution point identifies a source distribution point with the content, it begins the download of that content. Note The process to download content by the pull-distribution point is the same as is used by Configuration Manager clients. For the transfer of content by the pulldistribution point, neither the concurrent transfer settings, nor the scheduling and throttling options that you configure for standard distribution points are used. After the pull-distribution point completes the content download, the distribution point verifies the hash of the content, and then submits a status message to the sites management point to indicate
593

Content transfer completes

After the Package Transfer Manager is done transferring files to each designated remote distribution point, it verifies the hash of the content on the distribution point, and notifies Distribution Manager that the

Action

Standard distribution point

Pull-distribution point

distribution is complete.

success. However, if after 60 minutes, this status is not received, the Package Transfer Manager wakes up and checks with the pull-distribution point to confirm if the pull-distribution point has downloaded the content. If the content download is in progress, the Package Transfer Manager sleeps for 60 minutes before it checks with the pull-distribution point again. This cycle continues until the pull-distribution point completes the content transfer.

Package Transfer Manager logs its actions in the pkgxfermgr.log file on the site server. The log file is the only location you can view the activities of the Package Transfer Manager.

Supplemental Planning Topics for Content Management

Use the following topics to help you plan for content management in Configuration Manager: Prerequisites for Content Management in Configuration Manager Best Practices for Content Management in Configuration Manager

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Boundaries and Boundary Groups in Configuration Manager

In System Center 2012 Configuration Manager, a boundary is a network location on the intranet that can contain one or more devices that you want to manage. Boundaries can be an IP subnet, Active Directory site name, IPv6 Prefix, or an IP address range, and the hierarchy can include any combination of these boundary types. To use a boundary, you must add the boundary to one or more boundary groups. Boundary groups are collections of boundaries. By using boundary

594

groups, clients on the intranet can find an assigned site and locate content when they have to install software, such as applications, software updates, and operating system images. When clients are on the Internet, or they are configured as Internet-only clients, they do not use boundary information. These clients cannot use automatic site assignment and always download content from any distribution point in their assigned site when the distribution point is configured to allow client connections from the Internet. Use the following sections in this topic to help you plan how to manage boundaries in your Configuration Manager hierarchy: Boundaries Boundary Groups Site Assignment Content Location Overlapping Boundaries Network Connection Speed

Best Practices for Boundaries

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for boundaries since Configuration Manager 2007: Boundaries are no longer site specific, but defined once for the hierarchy, and they are available at all sites in the hierarchy. Each boundary must be a member of a boundary group before a device on that boundary can identify an assigned site, or a content server such as a distribution point. You no longer configure the network connection speed of each boundary. Instead, in a boundary group you specify the network connection speed for each site system server associated to the boundary group as a content location server.

Boundaries
Each boundary represents a network location in System Center 2012 Configuration Manager, and it is available from every site in your hierarchy. A boundary does not enable you to manage clients at the network location. To manage a client, the boundary must be a member of a boundary group. Configuration Manager does not support the direct entry of a supernet as a boundary. Instead, use the IP address range boundary type. When Active Directory Forest Discovery identifies a supernet that is assigned to an Active Directory site, Configuration Manager converts the supernet into an IP address range boundary. For more information about Active Directory Forest

595

Discovery, see the About Active Directory Forest Discovery section in the Planning for Discovery in Configuration Manager topic.

Boundary Groups
Use boundary groups to manage your network locations. You must assign boundaries to boundary groups before you can use the boundary group. Boundary groups have the following functions: They enable clients to find a primary site for client assignment (automatic site assignment). They can provide clients with a list of available site systems that have content after you associate the distribution point and state migration point site system servers with the boundary group.

To support site assignment, you must configure the boundary group to specify an assigned site for clients to use during automatic site assignment. To support content location, you must specify one or more site systems. You can only specify site systems with the distribution point or state migration point site system role. Both the site assignment and content location configurations are optional for boundary groups. When you plan for boundary groups, consider creating one set of boundary groups for content location and a second set of boundary groups for automatic site assignment. This separation can help you avoid overlapping boundaries for site assignment. When you have overlapping boundaries and use automatic site assignment, the site to which a client is assigned, might be to is nondeterministic. The following sections contain information to consider when you configure boundary groups.

Site Assignment
You can configure each boundary group with an assigned site for clients. Clients join the assigned site of a boundary group that contains the clients current network location. When a boundary is added to multiple boundary groups that have different assigned sites, clients will nondeterministically select one of the sites. System Center 2012 Configuration Manager does not support this overlapping boundary configuration for site assignment. If you make a change to the site assignment configuration of a boundary group, only new site assignment actions are affected. Clients that have previously been assigned to a site, do not reevaluate their site assignment based on changes to the configuration of a boundary group. For more information about client site assignment, see How to Assign Clients to a Site in Configuration Manager.

Content Location
You can associate one or more distribution points and one or more state migration points with each boundary group. You can also associate a distribution point or state migration point with multiple boundary groups.

596

During software distribution, clients request a location for deployment content. Configuration Manager sends the client a list of distribution points that are associated with each boundary group that includes the current network location of the client. During operating system deployment, clients request a location to send or receive their state migration information. Configuration Manager sends the client a list of state migration points that are associated with each boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Overlapping Boundaries
System Center 2012 Configuration Manager supports overlapping boundary configurations for content location. When a client requests content, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all distribution points that have the content. When a client requests a server to send or receive its state migration information, and the client network location belongs to multiple boundary groups, Configuration Manager sends the client a list of all state migration points that are associated with a boundary group that includes the current network location of the client. This behavior enables the client to select the nearest server from which to transfer the content or state migration information.

Network Connection Speed

You can configure the network connection speed of each distribution point in a boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. The network connection speed and the deployment configuration determine whether a client can download content from a distribution point when the client is in an associated boundary group.

Best Practices for Boundaries

Use the following best practices information to help you use boundaries in System Center 2012 Configuration Manager.

Consider using the IP address range boundary type only when other boundary types cannot be used
When designing your boundary strategy, we recommend you use boundaries that are based on Active Directory sites before using other boundary types. Where boundaries based on Active Directory sites are not an option, then use IP subnet or IPv6 boundaries. If none of these options are available to you, then leverage IP address range boundaries. This is because the site
597

evaluates boundary members periodically, and the query required to assess members of an IP address range requires a substantially larger use of SQL Server resources than queries that assess members of other boundary types.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning to Use Extensions in Configuration Manager

Beginning with System Center 2012 R2 Configuration Manager, optional extensions that introduce new capabilities to manage mobile devices using Windows Intune are available from within the Configuration Manager console. Configuration Manager administrators can enable individual extensions to gain access to these new capabilities without waiting for the next service pack or major product release to introduce that functionality. To use extensions, you must first install the Windows Intune connector site system role in your hierarchy and have a Windows Intune subscription. The Windows Intune connector is responsible for contacting Microsoft to download the available extensions. After the Windows Intune connector downloads available extensions, the extensions are available in the Configuration Manager console where you can select one or more to enable in your hierarchy. After you enable an extension, the capabilities that it introduces appear seamlessly as regular options and settings in the Configuration Manager console alongside existing options and settings. For example, after you enable the extension for email profiles, a new node named Email Profiles appears under Company Resource Access in the Compliance Settings node in the Assets and Compliance workspace. This new option enables you to configure and deploy email profiles to devices along with the other available profiles. Because different extensions deliver separate sets of functionality, you can find documentation for extensions in the feature-specific areas of the Configuration Manager documentation on Microsoft TechNet. To learn more, use the following links; or from within the Configuration Manager console, you can select an extension and then click on the More Information link to open a web browser to on-line content. Email Profiles iOS 7 Security Settings

The information in the following sections applies to all extensions, and can help you learn how to manage extensions and what to expect when you enable or disable them for your infrastructure. How to Identify the Available Extensions How to Enable Extensions How to Upgrade Extensions How to Disable Extensions
598

How to Identify the Available Extensions

When you are ready to manage the extensions you want to use, and after you have enabled the Windows Intune connector site system role, you can view the available extensions in the Extensions for Windows Intune node, under Cloud Services in the Administration workspace. Tip When you use extensions, the first time you open each Configuration Manager console when a new extension is available from Microsoft, you receive a pop-up which informs you about the new extension. This pop-up appears only one time for each console, and does not appear for any console after the extension is enabled. Each extension includes a brief description, identifies when the extension was published or updated, and the date that the extension was enabled in your environment. When you have not enabled an extension in your environment, the Date Enabled field is blank. You can read more information about each extension by selecting the extension in the results pane of the console, and then clicking on the More Information link in the in the details pane. Periodically, new extensions and updates for extensions might become available in the Configuration Manager console. When you have not enabled an extension, only the most recent version of that extension displays and is available to enable. When there is an update for an extension you have already enabled, the update appears as a new item in the console with the same name as the enabled extension but with a newer value for Date Released and a status of Available.

How to Enable Extensions

Use the Extensions for Windows Intune node in the Configuration Manager console to enable extensions in your Configuration Manager environment. You can enable an extension when using a Configuration Manager console that is connected to any site in your hierarchy. However, it is the top-level site in your hierarchy where you installed the Windows Intune connector site system role that installs the extension and updates the site database. Any changes then replicate to other sites in the hierarchy. After the extension installs, Configuration Manager consoles must also update to support the extension. When you first connect a Configuration Manager console to a site that uses one or more extensions that the console does not yet support, you receive a notification that the console will update. After you accept this notification, the console closes, the update begins, and the process then automatically restarts the console to complete the update. After the console restarts, the new capabilities of the extension are available for use. Updates to a console persist and are available the next time that console starts. The update to a Configuration Manager console only occurs when a console connects to a site and does not have the same extensions installed as are enabled at the site. Tip
599

If you use a Configuration Manager console to connect to a site in a different hierarchy that has a different set of extensions enabled, the console will update to install or remove the applicable extensions based on the that configuration of the new site. To enable extensions 1. In the Extensions for Windows Intune node, under Cloud Services in the Administration workspace, select the extension and then click Enable. 2. Accept the license terms, and then click Yes to start the installation to enable the extension. Tip During the installation, the Status for the extension displays Enabling extension. After the installation is complete, if you refresh the Configuration Manager console, the status updates to display Enabled. The time to download and install different extensions varies based on the size of the extension files. Additionally, if you manage extensions from a child primary site, the primary site must pass the command to download and install the extensions to the central administration site where the Windows Intune connector is located. After the installation completes, you will not be able to view the new elements from the extension in the console until the console restarts and installs the console updates for the extension.

How to Upgrade Extensions

Periodically, an update for an extension that is enabled might be available. An update for an enabled extension appears as a new item along with the enabled extension in the Extensions for Windows Intune node in the Configuration Manager console. The updated version of the extension has same name as the enabled extension but with a newer value for Date Released and a status of Available. To install the updated version of the extension, select the new version and then click Enable. You do not need to disable the older version of the extension before you enable the updated version. When the updated version installs, the configurations you previously made for the extension are retained. After the new version installs, only the most recent version of the extension displays in the console. Individual patches or cumulative updates that release for Configuration Manager should not affect extensions. When an update for Configuration Manager would affect the capabilities or function of an extension, an updated version of that extension will be released and can be found in the Configuration Manager console.

600

How to Disable Extensions

Use the Extensions for Windows Intune node in the Configuration Manager console to disable extensions in your Configuration Manager environment. After you disable an extension you will be able to enable it again at any time. You do not need to first disable an extension before you enable a newer version of that extension. Before you can disable an extension, you must remove all of the configurations for that extension from the Configuration Manager console. For example, if you use the extension for iOS 7 Security Settings and configure configuration items that use any of the new settings introduced by that extension, you must delete those configuration items from the console before you can disable the extension for iOS 7 Security Settings. This includes deleting any previous versions (revision history) of a configuration item that contains those settings. While it is possible to remove only the iOS 7 specific configurations from existing configuration items, you must also remove the same settings from any previous versions of the configuration items that might contain those configurations. After all of the relevant configurations are removed, you will have the option to disable the extension. To disable an extension, you first select the extension in the console, and then click Disable. The extension will then uninstall and after the extension uninstalls, you must restart the Configuration Manager console so that the extension update for the console can uninstall. When you disable an extension, the extension uninstalls from the Configuration Manager database and this change replicates to all sites in your hierarchy. Subsequently, when a Configuration Manager console that previously installed the update for the now disabled extension connects to a site, that console updates to remove the extension. This process is similar to that for adding an extension to a site in that the user receives a notification, the update for the extension then uninstalls form the console, and then the console automatically restarts and then re-connects to the site. After you disable an extension, that extension is not available for use in the Configuration Manager console until you re-enable it. However, the act of disabling an extension (which requires that you first remove the configurations for that extension in the Configuration Manager console), does not remove the configurations from devices that have previously received them. Additionally, the results of disabling different extensions can vary. For example, after you disable Email Profiles Extensions, you can no longer deploy email profiles to new devices. However, the email profiles you have previously configured and deployed to devices remain on those devices, unused, until the device is retired or wiped. Continuing this example, the experience for iOS 7 Security Settings is slightly different. After you disable the extension iOS 7 Security Settings, the configuration items that enforce the iOS 7 settings are no longer configured. However, the iOS 7 settings that were enforced by those configuration items remain in place on devices, but the end user is now free to reconfigure them.

See Also
Planning for Configuration Manager Sites and Hierarchy
601

Planning for Security in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the following information to help you plan for security in Microsoft System Center 2012 Configuration Manager. Planning for Certificates (Self-Signed and PKI) Planning for PKI Certificate Revocation Planning for the PKI Trusted Root Certificates and the Certificate Issuers List Planning for PKI Client Certificate Selection Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management

Planning for the Trusted Root Key Planning for Signing and Encryption Planning for Role-Based Administration

In addition to these sections, see Security and Privacy for Site Administration in Configuration Manager. For additional information about how Configuration Manager uses certificates and cryptographic controls, see Technical Reference for Cryptographic Controls Used in Configuration Manager.

Planning for Certificates (Self-Signed and PKI)

Configuration Manager uses a combination of self-signed certificates and public key infrastructure (PKI) certificates. As a security best practice, use PKI certificates whenever possible. For more information about the PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. When Configuration Manager requests the PKI certificates, such as during enrollment for mobile devices and AMT provisioning, you must use Active Directory Domain Services and an enterprise certification authority. For all other PKI certificates, you must deploy and manage them independently from Configuration Manager. PKI certificates are also required when client computers connect to Internet-based site systems, and they are recommended to be used when clients connect to site systems that run Internet Information Services (IIS). For more information about client communication, see Planning for Client Communication in Configuration Manager. When you use a PKI, you can also use IPsec to help secure the server-to-server communication between site systems in a site and between sites, and for any other scenario when you transfer
602

data between computers. You must configure and implement IPsec independently from Configuration Manager. Configuration Manager can automatically generate self-signed certificates when PKI certificates are not available, and some certificates in Configuration Manager are always self-signed. In most cases, Configuration Manager automatically manages the self-signed certificates, and you do not have to take additional action. One possible exception is the site server signing certificate. The site server signing certificate is always self-signed, and it ensures that the client policies that clients download from the management point were sent from the site server and were not tampered with.

Planning for the Site Server Signing Certificate (Self-Signed)

Clients can securely obtain a copy of the site server signing certificate from Active Directory Domain Services and from client push installation. If clients cannot obtain a copy of the site server signing certificate by using one of these mechanisms, as a security best practice, install a copy of the site server signing certificate when you install the client. This is especially important if the clients first communication with the site is from the Internet, because the management point is connected to an untrusted network and therefore, vulnerable to attack. If you do not take this additional step, clients automatically download a copy of the site server signing certificate from the management point. Scenarios when clients cannot securely obtain a copy of the site server certificate include the following: You do not install the client by using client push, and any of the following conditions is true: The Active Directory schema is not extended for Configuration Manager. The clients site is not published to Active Directory Domain Services. The client is from an untrusted forest or a workgroup.

You install the client when it is on the Internet.

Use the following procedure to install clients together with a copy of the site server signing certificate. To install clients with a copy of the site server signing certificate 1. Locate the site server signing certificate on the clients primary site server. The certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. 2. Export the certificate without the private key, store the file securely, and only access it from a secured channel (for example, by using SMB signing or IPsec). 3. Install the client by using the Client.msi property SMSSIGNCERT= <Full path and file name> with CCMSetup.exe.

603

Planning for PKI Certificate Revocation

When you use PKI certificates with Configuration Manager, plan for how and whether clients and servers will use a certificate revocation list (CRL) to verify the certificate on the connecting computer. The certificate revocation list (CRL) is a file that is created and signed by a certification authority (CA) and contains a list of certificates that it has issued, but revoked. Certificates can be revoked by a CA administrator, for example, if an issued certificate is known or suspected to be compromised. Important Because the location of the CRL is added to a certificate when it is issued by a CA, ensure that you plan for the CRL before you deploy any PKI certificates that Configuration Manager will use. By default, IIS always checks the CRL for client certificates, and you cannot change this configuration in Configuration Manager. By default, Configuration Manager clients always check the CRL for site systems; however, you can disable this setting by specifying a site property and by specifying a CCMSetup property. When you manage Intel AMT-based computers out of band, you can also enable CRL checking for the out of band service point and for computers that run the Out of Band Management console. If computers use certificate revocation checking but they cannot locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL fail. Checking the CRL every time that a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check when clients are on the Internet or on an untrusted network. Consult your PKI administrators before you decide whether Configuration Manager clients must check the CRL, and then consider keeping this option enabled in Configuration Manager when both of the following conditions are true: Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager clients can locate it. Remember that this might include clients on the Internet if you are using Internet-based client management, and clients in untrusted forests. The requirement to check the CRL for each connection to a site system configured to use a PKI certificate is larger than the requirement for faster connections and efficient processing on the client, and is also larger than the risk of clients failing to connect to servers if they cannot locate the CRL.

Planning for the PKI Trusted Root Certificates and the Certificate Issuers List
If your IIS site systems use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, you might have to import root CA certificates as a site property. The two scenarios are as follows:
604

You deploy operating systems by using Configuration Manager, and the management points only accept HTTPS client connections. You use PKI client certificates that do not chain to a root certification authority (CA) certificate that is trusted by management points. Note When you issue client PKI certificates from the same CA hierarchy that issues the server certificates that you use for management points, you do not have to specify this root CA certificate. However, if you use multiple CA hierarchies and you are not sure whether they trust each other, import the root CA for the clients CA hierarchy.

If you must import root CA certificates for Configuration Manager, export them from the issuing CA or from the client computer. If you export the certificate from the issuing CA that is also the root CA, ensure that the private key is not exported. Store the exported certificate file in a secured location to prevent tampering. You must be able to access the file when you configure the site, so that if you access the file over the network, ensure that the communication is protected from tampering by using SMB signing or IPsec. If any of the root CA certificates that you import are renewed, you must import the renewed certificates. These imported root CA certificates and the root CA certificate of each management point create the certificate issuers list that Configuration Manager computers use in the following ways: When clients connect to management points, the management point verifies that the client certificate chains to a trusted root certificate in the sites certificate issuers list. If it does not, the certificate is rejected, and the PKI connection fails. When clients select a PKI certificate, if they have a certificate issuers list, they select a certificate that chains to a trusted root certificate in the certificate issuers list. If there is no match, the client does not select a PKI certificate. For more information about the client certificate process, see the Planning for PKI Client Certificate Selection section in this topic.

Independently from the site configuration, you might also have to import a root CA certificate when you enroll mobile devices or Mac computers, and when you provision Intel AMT-based computers for wireless networks.

Planning for PKI Client Certificate Selection

If your IIS site systems will use PKI client certificates for client authentication over HTTP or for client authentication and encryption over HTTPS, plan for how Windows-based clients will select the certificate to use for Configuration Manager. Note Not all devices support a certificate selection method and instead, automatically select the first certificate that fulfills the certificate requirements. For example, clients on Mac computers, and mobile devices do not support a certificate selection method.

605

In many cases, the default configuration and behavior will be sufficient. The Configuration Manager client on Windows-based computers filters multiple certificates by using the following criteria: 1. The certificate issuers list: The certificate chains to a root CA that is trusted by the management point. 2. The certificate is in the default certificate store of Personal. 3. The certificate is valid, not revoked, and not expired. The validity check includes verifying that the private key is accessible and that the certificate is not created by using a version 3 certificate template, which is not compatible with Configuration Manager. 4. The certificate has client authentication capability, or it is issued to the computer name. 5. The certificate has the longest validity period. Clients can be configured to use the certificate issuers list by using the following mechanisms: Is it published as Configuration Manager site information to Active Directory Domain Services. Clients are installed by using client push. Clients download it from the management point after they are successfully assigned to their site. It is specified during client installation, as a CCMSetup client.msi property of CCMCERTISSUERS.

If clients do not have the certificate issuers list when they are first installed and are not yet assigned to the site, they skip this check. When they do have the certificate issuers list and do not have a PKI certificate that chains to a trusted root certificate in the certificate issuers list, certificate selection fails, and clients do not continue with the other certificate selection criteria. In most cases, the Configuration Manager client correctly identifies a unique and appropriate PKI certificate to use. However, when this is not the case, instead of selecting the certificate based on the client authentication capability, you can configure two alternative selection methods: A partial string match on the client certificate Subject name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters in the certificate Subject name that differentiate the certificate from others in the client certificate store. Note You cannot use the partial string match with the Subject Alternative Name (SAN) as a site setting. Although you can specify a partial string match for the SAN by using CCMSetup, it will be overwritten by the site properties in the following scenarios: Clients retrieve site information that is published to Active Directory Domain Services. Clients are installed by using client push installation. Use a partial string match in the SAN only when you install clients manually, and when they do not retrieve site information from Active Directory Domain Services. For example, these conditions apply to Internet-only clients.
606

A match on the client certificate Subject name attribute values or the Subject Alternative Name (SAN) attribute values. This is a case-sensitive match that is appropriate if you are using an X500 distinguished name or equivalent OIDs (Object Identifiers) in compliance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.

The following table shows the attribute values that Configuration Manager supports for the client certificate selection criteria.
OID Attribute Distinguished name attribute Attribute definition

0.9.2342.19200300.100.1.25 1.2.840.113549.1.9.1 2.5.4.3 2.5.4.4 2.5.4.5 2.5.4.6 2.5.4.7 2.5.4.8 2.5.4.9 2.5.4.10 2.5.4.11 2.5.4.12 2.5.4.42 2.5.4.43 2.5.29.17

DC E or E-mail CN SN SERIALNUMBER C L S or ST STREET O OU T or Title G or GN or GivenName I or Initials (no value)

Domain component E-mail address Common name Subject name Serial number Country code Locality State or province name Street address Organization name Organizational unit Title Given name Initials Subject Alternative Name

If more than one appropriate certificate is located after the selection criteria is applied, you can override the default configuration to select the certificate with the longest validity period and instead, specify that no certificate is selected. In this scenario, the client will not be able to communicate with IIS site systems by using a PKI certificate. The client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria. The client behavior then depends on whether the failed connection was over HTTPS or HTTP: If the failed connection was over HTTPS: The client tries to make a connection over HTTP and uses the client self-signed certificate.
607

If the failed connection was over HTTP: The client tries to make another connection over HTTP by using the self-signed client certificate.

To help identify a unique PKI client certificate, you can also specify a custom store, other than the default of Personal in the Computer store. However, you must create this store independently from Configuration Manager and must be able to deploy certificates to this custom store and renew them before the validity period expires. For information about how to configure the settings for client certificates, see the Configure Settings for Client PKI Certificates section in the Configuring Security for Configuration Manager topic.

Planning a Transition Strategy for PKI Certificates and InternetBased Client Management
The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable clients to be managed when they are on the Internet. Because of the number of configuration options and choices in Configuration Manager, there is no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance: 1. Install the Configuration Manager site and configure it so that site systems accept client connections over HTTPS and HTTP. 2. Configure the Client Computer Communication tab in the site properties so that the Site System Settings is HTTP or HTTPS, and select the Use PKI client certificate (client authentication capability) when available check box. Configure any other settings from this tab that you require. For more information, see the Configure Settings for Client PKI Certificates section in the Configuring Security for Configuration Manager topic. 3. Pilot a PKI rollout for client certificates. For an example deployment, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. 4. Install clients by using the client push installation method. For more information, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. 5. Monitor client deployment and status by using the reports and information in the Configuration Manager console. 6. Track how many clients are using a client PKI certificate by viewing the Client Certificate column in the Assets and Compliance workspace, Devices node. You can also deploy the Configuration Manager HTTPS Readiness Assessment Tool (cmHttpsReadiness.exe) to computers and use the reports to view how many computers can use a client PKI certificate with Configuration Manager. Note

608

When the Configuration Manager client installs on client computers, the cmHttpsReadiness.exe tool is installed in the %windir%\CCM folder. When you run this tool on clients, you can specify the following options: /Store:<name> /Issuers:<list> /Criteria:<criteria> /SelectFirstCert These options map to the CCMCERTSTORE, CCMCERTISSUERS, CCMCERTSEL, and CCMFIRSTCERT Client.msi properties, respectively. For more information about these options, see About Client Installation Properties in Configuration Manager. 7. When you are confident that a sufficient number of clients are successfully using their client PKI certificate for authentication over HTTP, do the following: a. Deploy a PKI web server certificate to a member server that will run an additional management point for the site, and configure that certificate in IIS. For more information, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. b. Install the management point role on this server and configure the Client connections option in the management point properties for HTTPS. 8. Monitor and verify that clients that have a PKI certificate use the new management point by using HTTPS. You can use IIS logging or performance counters to verify this. 9. Reconfigure other site system roles to use HTTPS client connections. If you want to manage clients on the Internet, ensure that site systems have an Internet FQDN and configure individual management points and distribution points to accept client connections from the Internet. Important Before you configure site system roles to accept connections from the Internet, review the planning information and prerequisites for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. 10. Extend the PKI certificate rollout for clients and for site systems that run IIS, and configure the site system roles for HTTPS client connections and Internet connections, as required. 11. For the highest security: When you are confident that all clients are using a client PKI certificate for authentication and encryption, change the site properties to use HTTPS only. When you follow this plan to gradually introduce PKI certificates, first for authentication only over HTTP, and then for authentication and encryption over HTTPS, you reduce the risk that clients will become unmanaged. In addition, you will benefit from the highest security that Configuration Manager supports.

609

Planning for the Trusted Root Key

The Configuration Manager trusted root key provides a mechanism for Configuration Manager clients to verify that site systems belong to their hierarchy. Every site server generates a site exchange key to communicate with other sites. The site exchange key from the top-level site in the hierarchy is called the trusted root key. The function of the trusted root key in Configuration Manager resembles a root certificate in a public key infrastructure in that anything signed by the private key of the trusted root key is trusted further down the hierarchy. For example, by signing the management point certificate with the private key of the trusted root key pair, and by making a copy of the public key of the trusted root key pair available to the clients, clients can differentiate between management points that are in their hierarchy and management points that are not in their hierarchy. Clients use WMI to store a copy of the trusted root key in the namespace root\ccm\locationservices. Clients can automatically retrieve the public copy of the trusted root key by using two mechanisms: The Active Directory schema is extended for Configuration Manager, the site is published to Active Directory Domain Services, and clients can retrieve this site information from a global catalog server. Clients are installed by using client push.

If clients cannot retrieve the trusted root key by using one of these mechanisms, they trust the trusted root key that is provided by the first management point that they communicate with. In this scenario, a client might be misdirected to an attackers management point where it would receive policy from the rogue management point. This would likely be the action of a sophisticated attacker and might occur only in a limited time before the client retrieves the trusted root key from a valid management point. However, to reduce this risk of an attacker misdirecting clients to a rogue management point, you can pre-provision the clients by using the trusted root key. Use the following procedures to pre-provision and verify the trusted root key for a Configuration Manager client: Pre-provision a client by using the trusted root key by using a file. Pre-provision a client by using the trusted root key without using a file. Verify the trusted root key on a client. Note You do not have to pre-provision client by using the trusted root key if they can obtain this from Active Directory Domain Services or they are installed by using client push. In addition, you do not have to pre-provision clients when they use HTTPS communication to management points because trust is established by using the PKI certificates. You can remove the trusted root key from a client by using the Client.msi property RESETKEYINFORMATION = TRUE with CCMSetup.exe. To replace the trusted root key, reinstall the client together with the new trusted root key, for example, by using client push, or by specifying the Client.msi SMSPublicRootKey property by using CCMSetup.exe.

610

To pre-provision a client with the trusted root key by using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, copy the key from that line, and close the file without any changes. 3. Create a new text file and paste the key information that you copied from the mobileclient.tcf file. 4. Save the file and place it somewhere where all computers can access it, but the file is secured to prevent tampering. 5. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSROOTKEYPATH=<Full path and file name>. Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code>. To pre-provision a client with the trusted root key without using a file 1. In a text editor, open the file <Configuration Manager directory>\bin\mobileclient.tcf. 2. Locate the entry SMSPublicRootKey=, note the key from that line or copy it to the Clipboard, and then close the file without any changes. 3. Install the client by using any installation method that accepts Client.msi properties, and specify the Client.msi property SMSPublicRootKey=<key>, where <key> is the string that you copied from mobileclient.tcf. Important When you specify the trusted root key for additional security during client installation, you must also specify the site code, by using the Client.msi property SMSSITECODE=<site code> To verify the trusted root key on a client 1. On the Start menu, click Run, and then type Wbemtest. 2. In the Windows Management Instrumentation Tester dialog box, click Connect. 3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices, and then click Connect. 4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section, click Enum Classes. 5. In the Superclass Info dialog box, select Recursive, and then click OK. 6. The Query Result window, scroll to the end of the list, and then double-click TrustedRootKey (). 7. In the Object editor for TrustedRootKey dialog box, click Instances. 8. In the new Query Result window that displays the instances of TrustedRootKey,
611

double-click TrustedRootKey=@ 9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

Planning for Signing and Encryption

When you use PKI certificates for all client communications, you do not have to plan for signing and encryption to help secure client data communication. However, if you configure any site systems that run IIS to allow HTTP client connections, you must decide how to help secure the client communication for the site. To help protect the data that clients send to management points, you can require it to be signed. In addition, you can require that all signed data from clients that use HTTP is signed by using the SHA-256 algorithm. Although this is a more secure setting, do not enable this option unless all clients support SHA-256. Many operating systems natively support SHA-256, but older operating systems might require an update or hotfix. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. Whereas signing helps protect the data from tampering, encryption helps protect the data from information disclosure. You can enable 3DES encryption for the inventory data and state messages that clients send to management points in the site. You do not have to install any updates on clients to support this option, but consider the additional CPU usage that will be required on clients and the management point to perform the encryption and decryption. For information about how to configure the settings for signing and encryption, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.

Planning for Role-Based Administration

Role-based administration lets you design and implement administrative security for the System Center 2012 Configuration Manager hierarchy by using any or all of the following: Security roles Collections Security scopes

These settings combine to define an administrative scope for an administrative user. The administrative scope controls the objects that an administrative user can view in the Configuration Manager console and the permissions that user has on those objects. Role-based administration configurations replicate to each site in the hierarchy as global data, and then are applied to all administrative connections. Important Intersite replication delays can prevent a site from receiving changes for role-based administration. For information about how to monitor intersite database replication, see
612

the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic.

Planning for Security Roles

Use security roles to grant security permissions to administrative users. Security roles are groups of security permissions that you assign to administrative users so that they can perform their administrative tasks. These security permissions define the administrative actions that an administrative user can perform and the permissions that are granted for particular object types. As a security best practice, assign the security roles that provide the least permissions. System Center 2012 Configuration Manager has several built-in security roles to support typical groupings of administrative tasks, and you can create your own custom security roles to support your specific business requirements. Examples of the built-in security roles: Full Administrator: This security role grants all permissions in Configuration Manager. Asset Analyst: This security role allows administrative users to view data collected by using Asset Intelligence, software inventory, hardware inventory, and software metering. Administrative users can create metering rules and Asset Intelligence categories, families, and labels. Software Update Manager: This security role grants permissions to define and deploy software updates. Administrative users who are associated with this role can create collections, software update groups, deployments, templates, and enable software updates for Network Access Protection (NAP). Tip You can view the list of built-in security roles and custom security roles you create, including their descriptions, in the Configuration Manager console. To do so, in the Administration workspace, expand Security, and select Security Roles. Each security role has specific permissions for different object types. For example, the Application Administrator security role has the following permissions for applications: Approve, Create, Delete, Modify, Modify Folders, Move Objects, Read/Deploy, Set Security Scope. You cannot change the permissions for the built-in security roles, but you can copy the role, make changes, and then save these changes as a new custom security role. You can also import security roles that you have exported from another hierarchy (for example, from a test network). Review the security roles and their permissions to determine whether you will use the built-in security roles or you have to create your own custom security roles. Use the following steps to help you plan for security roles: 1. Identify the tasks that the administrative users perform in System Center 2012 Configuration Manager. These tasks might relate to one or more groups of management tasks, such as deploying applications and packages, deploying operating systems and settings for compliance, configuring sites and security, auditing, remotely controlling computers, and collecting inventory data. 2. Map these administrative tasks to one or more of the built-in security roles.

613

3. If some of the administrative users perform the tasks of multiple security roles, assign the multiple security roles to these administrative users instead of in creating a new security role that combines the tasks. 4. If the tasks that you identified do not map to the built-in security roles, create and test new security roles. For information about how to create and configure security roles for role-based administration, see the Create Custom Security Roles and Configure Security Roles sections in the Configuring Security for Configuration Manager topic.

Planning for Collections

Collections specify the user and computer resources that an administrative user can view or manage. For example, for administrative users to deploy applications or to run remote control, they must be assigned to a security role that grants access to a collection that contains these resources. You can select collections of users or devices. For more information about collections, see Introduction to Collections in Configuration Manager. Before you configure role-based administration, check whether you have to create new collections for any of the following reasons: Functional organization. For example, separate collections of servers and workstations. Geographic alignment. For example, separate collections for North America and Europe. Security requirements and business processes. For example, separate collections for production and test computers. Organization alignment. For example, separate collections for each business unit.

For information about how to configure collections for role-based administration, see the Configure Collections to Manage Security section in the Configuring Security for Configuration Manager topic.

Planning for Security Scopes

Use security scopes to provide administrative users with access to securable objects. Security scopes are a named set of securable objects that are assigned to administrator users as a group. All securable objects must be assigned to one or more security scopes. Configuration Manager has two built-in security scopes: All: This built-in security scope grants access to all scopes. You cannot assign objects to this security scope. Default: This built-in security scope is used for all objects, by default. When you first install System Center 2012 Configuration Manager, all objects are assigned to this security scope.

If you want to restrict the objects that administrative users can see and manage, you must create and use your own custom security scopes. Security scopes do not support a hierarchical structure and cannot be nested. Security scopes can contain one or more object types, which include the following: Alert subscriptions
614

Applications Boot images Boundary groups Configuration items Custom client settings Distribution points and distribution point groups Driver packages Global conditions Migration jobs Operating system images Operating system installation packages Packages Queries Sites Software metering rules Software update groups Software updates packages Task sequence packages Windows CE device setting items and packages

There are also some objects that you cannot include in security scopes because they are only secured by security roles. Administrative access to these cannot be limited to a subset of the available objects. For example, you might have an administrative user who creates boundary groups that are used for a specific site. Because the boundary object does not support security scopes, you cannot assign this user a security scope that provides access to only the boundaries that might be associated with that site. Because a boundary object cannot be associated to a security scope, when you assign a security role that includes access to boundary objects to a user, that user can access every boundary in the hierarchy. Objects that are not limited by security scopes include the following: Active Directory forests Administrative users Alerts Antimalware Policies Boundaries Computer associations Default client settings Deployment templates Device drivers Exchange Server connector Migration site-to-site mappings
615

Mobile device enrollment profiles Security roles Security scopes Site addresses Site system roles Software titles Software updates Status messages User device affinities

Create security scopes when you have to limit access to separate instances of objects. For example: You have a group of administrative users who must be able to see production applications and not test applications. Create one security scope for production applications and another for the test applications. Different administrative users require different access for some instances of an object type. For example, one group of administrative users requires Read permission to specific software update groups, and another group of administrative users requires Modify and Delete permissions for other software update groups. Create different security scopes for these software update groups.

For information about how to configure security scopes for role-based administration, see the Configure Security Scopes for an Object section in the Configuring Security for Configuration Manager topic.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Communications in Configuration Manager

Before you install System Center 2012 Configuration Manager, plan for the network communications between different sites in a hierarchy, between different site system servers in a site, and between clients and site system servers. These communications might be contained in a single domain, or they might span multiple Active Directory forests. You might also have to plan for communications to manage clients on the Internet. Use the following sections in this topic to help you plan for communications in Configuration Manager. Planning for Intersite Communications in Configuration Manager File-Based Replication
616

Database Replication

Planning for Intrasite Communications in Configuration Manager Planning for Client Communication in Configuration Manager Planning for Client Communication to Site Systems Planning for Client Approval Planning for Service Location by Clients Planning How to Wake Up Clients

Planning for Communications Across Forests in Configuration Manager Planning for Internet-Based Client Management Features that Are Not Supported on the Internet Planning for Internet-Based Site Systems Planning for Internet-Based Clients Prerequisites for Internet-Based Client Management Controlling Network Bandwidth Usage Between Sites Controlling Network Bandwidth Usage Between Site System Servers Controlling Network Bandwidth Usage Between Clients and Site System Servers

Planning for Network Bandwidth in Configuration Manager

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for site communication since Configuration Manager 2007: Site-to-site communication now uses database replication in addition to file-based replication for many site-to-site data transfers, including configurations and settings. The Configuration Manager 2007 concept of mixed-mode or native-mode sites to define how clients communicate to site systems in the site has been replaced by site system roles that can independently support HTTP or HTTPS client communications. To help support client computers in other forests, Configuration Manager can discover computers in these forests and publish site information to these forests. The server locator point is no longer used, and the functionality of this site system role is moved to the management point. Internet-based client management now supports the following: User policies when the Internet-based management point can authenticate the user by using Windows authentication (Kerberos or NTLM). Simple task sequences, such as scripts. Operating system deployment on the Internet remains unsupported.

617

Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for site communication for Configuration Manager SP1: File replication routes replace addresses for file-based replication between sites. This is only a change in the name for file-based replication and brings consistency with database replication. There is no change in functionality. Configure database replication links between site databases to control and monitor the network traffic for database replication: Use distributed views to prevent the replication of selected site data from a primary site to the central administration site. The central administration site then accesses this data directly from the primary site database. Schedule the transfer of selected site data across database replication links. Control the frequency that replication traffic is summarized for reports. Define custom thresholds that raise alerts for replication problems. Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before a replication failure triggers a site to reinitialize its copy of the site database. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

Configure replication controls for the SQL Server database at a site:

When Configuration Manager SP1 clients run Windows 7, Windows 8, Windows Server 2008 R2, or Windows Server 2012, you can supplement the Wake on LAN site setting for unicast packets by using the wake-up proxy client settings. This combination helps to wake up computers on subnets without the requirement to reconfigure network switches.

Planning for Intersite Communications in Configuration Manager

In a Configuration Manager hierarchy, each site communicates with its parent site and its direct child sites by using two data transfer methods: file-based replication and database replication. Secondary sites not only communicate to their parent primary sites by using both data transfer
618

methods, but can also communicate with other secondary sites by using file-based replication to route content to remote network locations. Configuration Manager uses file-based replication and database replication to transfer different types of information between sites.

File-Based Replication
Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy. This data includes content such as applications and packages that you want to deploy to distribution points in child sites, and unprocessed discovery data records that are transferred to parent sites where they are processed. File-based communication between sites uses the Server Message Block (SMB) protocol by using TCP/IP port 445. You can specify configurations that include bandwidth throttling and pulse mode to control the amount of data transferred across the network, and schedules to control when to send data across the network. Beginning with Configuration Manager SP1, addresses are renamed to file replication routes to bring consistency with database replication. Prior to SP1, Configuration Manager uses an address to connect to the SMS_SITE share on the destination site server to transfer file-based data. File replication routes and addresses operate the same way, and support the same configurations. The following sections are written for changes introduced with service pack 1 and reference file replication routes instead of addresses. If you use Configuration Manager without a service pack, use the information in the following table to convert the references to file replication routes back to the related reference for addresses.
Beginning with Configuration Manager with SP1 Configuration Manager without service pack

File Replication Account File replication route File Replication node in the Configuration Manager console

Site Address Account Address Addresses node in the Configuration Manager console

File Replication Routes

Configuration Manager uses file replication routes to transfer file-based data between sites in a hierarchy. File replication routes replace addresses, which are used in previous versions of Configuration Manager. The functionality of file replication routes is unchanged from addresses. The following table provides information about file replication routes.
Object More information

File replication route

Each file replication route identifies a

619

Object

More information

destination site to which file-based data can transfer. Each site supports a single file replication route to a specific destination site. Configuration Manager supports the following configurations for file replication routes: File Replication Account: This account is used to connect to the destination site and to write data to that sites SMS_SITE share. Data written to this share is processed by the receiving site. By default, when a site is added to the hierarchy, Configuration Manager assigns the computer account of the new sites site server as that sites File Replication Account. This account is then added to the destination sites SMS_SiteToSiteConnection_<Sitecode> group which is a local group on the computer that grants access to the SMS_SITE share. You can change this account to be a Windows user account. If you change the account, ensure you add the new account to the destination sites SMS_SiteToSiteConnection_<Sitecode> group. Note Secondary sites always use the computer account of the secondary site server as the File Replication Account. Schedule: You can configure the schedule for each file replication route to restrict the type of data and time when data can transfer to the destination site. Rate Limits: You can configure rate limits for each file replication route to control the network bandwidth that is used when the site transfers data to the destination site: Use Pulse mode to specify the size of the data blocks that are sent to the destination site. You can also specify a time delay between sending each data block. Use this option when you must
620

Object

More information

send data across a very low bandwidth network connection to the destination site. For example, you might have constraints to send 1 KB of data every five seconds, but not 1 KB every three seconds, regardless of the speed of the link or its usage at a given time. Use Limited to maximum transfer rates by hour to have a site send data to a destination site by using only the percentage of time that you specify. When you use this option, Configuration Manager does not identify the networks available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent in a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for an amount of time followed by an equal period of time when no data is sent. The actual size amount of data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed. Caution By default, a site can use up to three concurrent sendings to transfer data to a destination site. When you enable rate limits for a file replication route, the concurrent sendings for sending data to that site are limited to one. This applies even when the Limit available bandwidth (%) is set to 100%. For example, if you use the default settings for the sender, this reduces the transfer rate to the destination site to be one
621

Object

More information

third of the default capacity. You can configure a file replication route between two secondary sites to route filebased content between those sites.

To manage a file replication route, in the Administration workspace, expand the Hierarchy Configuration node, and select File Replication. Sender Each site has one sender. The sender manages the network connection from one site to a destination site, and can establish connections to multiple sites at the same time. To connect to a site, the sender uses the file replication route to the site to identify the account to use to establish the network connection. The sender also uses this account to write data to the destination sites SMS_SITE share. By default, the sender writes data to a destination site by using multiple concurrent sendings, typically referred to as a thread. Each concurrent sending, or thread, can transfer a different file-based object to the destination site. By default, when the sender begins to send an object, the sender continues to write blocks of data for that object until the entire object is sent. After all the data for the object has been sent, a new object can begin to send on that thread. You can configure the following settings for a sender: Maximum concurrent sendings: By default, each site is configured to use five concurrent sendings, with three available for use when it sends data to any one destination site. When you increase this number you can increase the throughput of data between sites by enabling Configuration Manager to transfer more files at the same time. Increasing this number also increases the demand for
622

Object

More information

network bandwidth between sites. Retry settings: By default, each site is configured to retry a problem connection two times with a one minute delay between connection attempts. You can modify the number of connection attempts the site makes, and how long to wait between those attempts.

To manage the sender for a site, expand the Site Configuration node in the Administration workspace, select the Sites node, and then click Properties for the site that you want to manage. Click the Sender tab to change the sender configuration.

Database Replication
Configuration Manager database replication uses SQL Server to transfer data and merge changes that are made in a site database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Database replication is automatically configured by all Configuration Manager sites. When you install a site in a hierarchy, database replication automatically configures between the new site and its designated parent site. When the site installation finishes, database replication automatically starts. When you install a new site in a hierarchy, Configuration Manager creates a generic database at the new site. Next, the parent site creates a snapshot of the relevant data in its database and transfers that snapshot to the new site by file-based replication. The new site then uses a SQL Server bulk copy program (BCP) to load the information into its local copy of the Configuration Manager database. After the snapshot loads, each site conducts database replication with the other site. To replicate data between sites, Configuration Manager uses its own database replication service. The database replication service uses SQL Server change tracking to monitor the local site database for changes, and then replicates those changes to other sites by using a SQL Server Service Broker. By default, this process uses the TCP/IP port 4022. Configuration Manager groups data that replicates by database replication into different replication groups. Each replication group has a separate, fixed replication schedule that determines how frequently changes to the data in the group is replicated to other sites. For example, a configuration change to a role-based administration configuration replicates quickly to other sites to ensure that these changes are enforced as soon as possible. Meanwhile a lower priority configuration change, such as a request to install a new secondary site, replicates with less urgency and takes several minutes for the new site request to reach the destination primary site.
623

Note Configuration Manager database replication is configured automatically and does not support configuration of replication groups or replication schedules. However, beginning with Configuration Manager SP1, you can configure database replication links to control when specific traffic traverses the network. You can also configure when Configuration Manager raises alerts about replication links that have a status of degraded or failed. Configuration Manager classifies the data that it replicates by database replication as either global data or site data. When database replication occurs, changes to global data and site data are transferred across the database replication link. Global data can replicate to both a parent or child site, and site replicates only to a parent site. A third data type that is named local data, does not replicate to other sites. Local data includes information that is not required by other sites: Global Data: Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data, as global proxy data. Examples of global data include software deployments, software updates, collection definitions, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites. Site Data: Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only viewable at the central administration site and the primary site where the data originates. Site data can be modified only at the primary site where it was created. All site data replicates to the central administration site; therefore the central administration site can perform administration and reporting for the whole hierarchy. Use the information in the following sections to plan for using the controls that are available beginning with Configuration Manager SP1 to configure database replication links between sites, and to configure controls on each site database. These controls can help you control and monitor the network traffic that database replication creates.

Database Replication Links

When you install a new site in a hierarchy, Configuration Manager automatically creates a database replication link between the two sites. A single link is created to connect the new site to the parent site. Beginning with Configuration Manager SP1, each database replication link supports configurations to help control the transfer of data across the replication link. Each replication link supports separate configurations. The controls for database replication links include the following: Use distributed views to stop the replication of selected site data from a primary site to the central administration site, and enable the central administration site to directly access this data from the database of the primary site. Schedule when selected site data transfers from a child primary site to the central administration site.
624

Define the settings that determine when a database replication link is in a degraded status or has failed. Configure when to raise alerts for a failed replication link. Specify how frequently Configuration Manager summarizes data about the replication traffic that uses the replication link. This data is used in reports.

To configure a database replication link, you edit the properties for the link in the Configuration Manager console from the Database Replication node. This node appears in the Monitoring workspace, and beginning with Configuration Manager SP1, this node also appears under the Hierarchy Configuration node in the Administration workspace. You can edit a replication link from either the parent site or the child site of the replication link. Tip You can edit database replication links from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for replication links, and access the Replication Link Analyzer tool to help you investigate problems with database replication. For information about how to configure replication links, see Site Database Replication Controls. For more information about how to monitor replication, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. Use the information in the following sections to plan for database replication links. Planning to use Distributed Views For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Distributed views enable requests that are made at a central administration site for selected site data, to access that site data directly from the database at a child primary site. This direct access replaces the need to replicate this site data from the primary site to the central administration site. Because each replication link is independent from other replication links, you can enable distributed views on only the replication links you choose. Distributed views are not supported between a primary site and a secondary site. Distributed views can provide the following benefits: Reduce the CPU load to process database changes at the central administration site and primary sites. Reduce the amount of data that transfers across the network to the central administration site. Improve the performance of the SQL Server that hosts the central administration sites database. Reduce the disk space used by the database at the central administration site.

Consider using distributed views when a primary site is located in close proximity on the network to the central administration site, and the two sites are always on, and always connected. This is
625

because distributed views replace the replication of the selected data between the sites with direct connections between the SQL Servers at each site. This direct connection is made each time a request for this data is made at the central administration site. Typically, requests for data you might enable for distributed views is made when you run reports or queries, view information in Resource Explorer, and by collection evaluation for collections that include rules that are based on the site data. By default, distributed views are disabled for each replication link. When you enable distributed views for a replication link, you select site data that will not replicate to the central administration site across that link, and enable the central administration site to access this data directly from the database of the child primary site that shares the link. You can configure the following types of site data for distributed views: Hardware inventory data from clients Software inventory and metering data from clients Status messages from clients, the primary site, and all secondary sites

Operationally, distributed views are invisible to an administrative user who views data in the Configuration Manager console or in reports. When a request is made for data that is enabled for distributed views, the SQL Server that hosts the database for the central administration site directly accesses the SQL Server of the child primary site to retrieve the information. For example, you use a Configuration Manager console at the central administration site to request information about hardware inventory from two sites, and only one site has hardware inventory enabled for a distributed view. The inventory information for clients from the site that is not configured for distributed views is retrieved from the database at the central administration site. The inventory information for clients from the site that is configured for distributed views is accessed from the database at child primary site. This information appears in the Configuration Manager console or report without distinction as to the source. As long as a replication link has a type of data enabled for distributed views, the child primary site does not replicate that data to the central administration site. As soon as you turn off distributed views for a type of data, the child primary site resumes the replication of that data to the central administration site as part of normal data replication. However, before this data is available at the central administration site, the replication groups that contain this data must reinitialize between the primary site and the central administration site. Similarly, after you uninstall a primary site that has distributed views enabled, the central administration site must complete reinitialization of its data before you can access data that was enabled for distributed views on the central administration site. Important When you use distributed views on any replication link in the hierarchy, you must disable distributed views for all replication links before you uninstall any primary site. For more information, see the Uninstall a Primary Site when you Use Distributed Views section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Prerequisites and Limitations for Distributed Views The following are prerequisites and limitations for distributed views:
626

Both the central administration site and primary site must run the same version of Configuration Manager and have a minimum version of SP1 Distributed views are supported only on replication links between a central administration site and a primary site. The central administration site can have only one instance of the SMS Provider installed, and that instance must be installed on the site database server. This is required to support the Kerberos authentication required to enable the SQL Server at the central administration site to access the SQL Server at the child primary site. There are no limitations on the SMS Provider at the child primary site. The central administration site can have only one SQL Server Reporting Services point installed, and it must be located on site database server. This is required to support the Kerberos authentication required to enable the SQL Server at the central administration site to access the SQL Server at the child primary site. The site database cannot be hosted on a SQL Server cluster. The computer account of the database server from the central administration site requires Read permissions to the site database of the primary site. Distributed views and schedules for when data can replicate are mutually exclusive configurations for a database replication link.

Plan to Schedule Transfers of Site Data on Database Replication Links For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: To help you control the network bandwidth that is used to replicate site data from a child primary site to its central administration site, you can schedule when a replication link is used, and specify when different types of site data replicates. You can control when the primary site replicates status messages, inventory, and metering data. Database replication links from secondary sites do not support schedules for site data. The transfer of global data cannot be scheduled. When you configure a database replication link schedule, you can restrict the transfer of selected site data from the primary site to the central administration site, and you can configure different times to replicate different types of site data. For more information about how to control the use of network bandwidth between Configuration Manager sites, see the section Controlling Network Bandwidth Usage Between Sites in this topic. Plan for Summarization of Database Replication Traffic For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Beginning with Configuration Manager SP1, each site periodically summarizes data about the network traffic that traverses database replication links that include the site. This summarized data is used in reports for database replication. Both sites on a replication link summarize the network traffic that traverses the replication link. The summarization of data is performed by the SQL Server that hosts the site database. After summarization of the data, this information replicates to other sites as global data.
627

By default, summarization occurs every 15 minutes. You can modify the frequency of summarization for network traffic by editing the Summarization interval in the properties of the database replication link. The frequency of summarization affects the information you view in reports about database replication. You can modify this interval from 5 minutes to 60 minutes. When you increase the frequency of summarization, you increase the processing load on the SQL Server at each site on the replication link. Plan for Database Replication Thresholds Database replication thresholds define when the status of a database replication link is reported as either degraded or failed. By default, a link is set to degraded when any one replication group fails to complete replication for a period of 12 consecutive attempts, and set to failed when any replication group fails to replicate in 24 consecutive attempts. Beginning with Configuration Manager SP1, you can specify custom values to fine-tune when Configuration Manager reports a replication link as degraded or failed. Prior to Configuration Manager SP1, you cannot adjust these thresholds. Adjusting when Configuration Manager reports each status for your database replication links can help you accurately monitor the health of database replication across your database replication links. Because it is possible for one or a few replication groups fail to replicate while other replication groups continue to replicate successfully, plan to review the replication status of a replication link when it first reports a status of degraded. If there are recurring delays for specific replication groups and their delay does not present a problem, or where the network link between sites has low available bandwidth, consider modifying the retry values for the degraded or failed status of the link. When you increase the number of retries before the link is set to degrade or failed, you can eliminate false warnings for known issues, allowing you to more accurately track the status of the link. You should also consider the replication synchronization interval for each replication groups to understand how frequently replication of that group occurs. You can view the Synchronization Interval for replication groups on the Replication Detail tab of a replication link in the Database Replication node in the Monitoring workspace. For more information about how to monitor database replication including how to view the replication status, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. For information on configuring database replication thresholds, see Site Database Replication Controls.

Site Database Replication Controls

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Each site database supports configurations that can help you control the network bandwidth used for database replication. These configurations apply only to the site database where you configure the settings, and are always used when the site replicates any data by database replication to any other site.
628

Replication controls for each site database include the following: Change the port that Configuration Manager uses for the SQL Server Service Broker. Configure the period of time to wait before replication failures trigger the site to reinitializes its copy of the site database. Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

To configure the replication controls for a site database, you edit the properties of the site database in the Configuration Manager console from the Database Replication node. This node appears under the Hierarchy Configuration node in the Administration workspace, and also appears in the Monitoring workspace. To edit the properties of the site database, select the replication link between the sites, and then open either the Parent Database Properties or Child Database Properties. Tip You can configure database replication controls from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for a replication link, and access the Replication Link Analyzer tool to help you investigate problems with replication. For more information about how to configure database replication controls, see Configure Database Replication Controls. For more information about how to monitor replication, see Monitor Site Database Replication.

Planning for Intrasite Communications in Configuration Manager

Each Configuration Manager site contains a site server and can have one or more additional site system servers that host site system roles. Configuration Manager requires each site system server to be a member of an Active Directory domain. Configuration Manager does not support a change of the computer name or the domain membership while the computer remains a site system. When Configuration Manager site systems or components communicate across the network to other site systems or Configuration Manager components in the site, they use either server message block (SMB), HTTP, or HTTPS. The communication method depends on how you choose to configure the site. With the exception of communication from the site server to a distribution point, these server-to-server communications in a site can occur at any time and do not use mechanisms to control the network bandwidth. Because you cannot control the communication between site systems, ensure that you install site system servers in locations that have well connected and fast networks. You can use the following options to help you manage the transfer of content from the site server to distribution points:
629

Configure the distribution point for network bandwidth control and scheduling. These controls resemble the configurations used by intersite addresses, and you can often use this configuration instead of installing another Configuration Manager site when the transfer of content to remote network locations is your main bandwidth consideration. You can install a distribution point as a prestaged distribution point. A prestaged distribution point lets you use content that is manually put on the distribution point server and removes the requirement to transfer content files across the network.

For more information about network bandwidth considerations, see Network Bandwidth Considerations for Distribution Points in Planning for Content Management in Configuration Manager.

Planning for Client Communication in Configuration Manager

Client communication in Configuration Manager includes client-to-site-system communications and service location inquiries. By using service location inquiries, Configuration Manager clients can identify the site system servers to use. Use the information in the following sections to plan for communications by Windows-based clients. Beginning with Configuration Manager SP1, you can manage clients that run Linux and UNIX. Clients that run Linux and UNIX operate as clients in workgroups. For information about supporting computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager in this topic. For additional information about communication for clients that run Linux and UNIX, see the Planning for Communication across Forest Trusts for Linux and UNIX Servers section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Planning for Client Communication to Site Systems

Configuration Manager clients initiate communication to site system roles that provide services to clients. This includes management points from which clients download client policy, and distribution points from which clients download content. To communicate with a site system role, the client must first locate a site system role that is configured to support the protocol (HTTPS or HTTP) that the client can use. By default, clients use the most secure method available to them. Therefore, a client that is configured to use a PKI certificate attempts to locate and communicate with a site system role by using HTTPS before it communicates with a site system role that uses HTTP. For a Configuration Manager client to use HTTPS, you must have a public key infrastructure (PKI) and must install PKI certificates on clients and servers. The client requires a certificate that has client authentication capability for mutual authentication with the site system server. For information about how to use certificates, see PKI Certificate Requirements for Configuration Manager.
630

When you deploy a site system role that uses Internet Information Services (IIS) and supports communication from clients that include management points, an Application Catalog website point, a state migration point, or distribution points, you must specify whether clients connect to the site system by using HTTP or HTTPS. If you use HTTP, you must also consider signing and encryption choices. For more information, see Planning for Signing and Encryption. You can also configure the site system to use an intranet fully qualified domain name (FQDN) and an Internet FQDN. When you configure an Internet FQDN, you can then configure the site system role to accept client connections from the Internet. You can configure support for client connections from the Internet only, or clients connections from the intranet and Internet. You can deploy multiple instances of a site system role in a site and separate instances of that site system role support different communication settings. For example, in a single site, you can have one management point that accepts HTTPS client communication and another management point that accepts HTTP client communication. You can use one site to manage clients across different network locations that use different communication protocols and security settings.

Planning for Client Approval

When clients use a PKI certificate to authenticate themselves to a management point, Configuration Manager knows that the client is trusted because the trust is established by using PKI. When you do not use PKI to establish this trust, Configuration Manager uses a process named client approval to register this trust. By default, Configuration Manager uses the computer account of the device and Kerberos authentication to verify that the device is trusted. By using this default setting, you must manually verify that any client that is displayed as Not Approved in the Configuration Manager console is a trusted device, and then approve it to be managed by Configuration Manager. This scenario applies to computers that are in untrusted forests and in workgroups. It also applies if the Kerberos authentication failed for any reason. Although Configuration Manager has a configuration option to automatically approve all clients, do not use this configuration unless Configuration Manager is running in a secured test environment. You can also select a configuration option to always manually approve clients. The approval setting is for all devices in the hierarchy, and you can manually approve clients from anywhere in the hierarchy. Note Although some management functions might work for clients that are not approved, Configuration Manager does not support the management of these devices.

Planning for Service Location by Clients

Service location is how Configuration Manager clients find sites, site information, and site system roles that they can communicate with. For example, for clients to successfully download client

631

policy, they must first locate a management point from their site that uses the same protocol as they use. Service location is independent from name resolution, which maps a computer name to an IP address. Name resolution is performed by DNS or WINS. However, DNS and WINS can also be used for service location. Clients search for a management point by using the following options in the order specified: 1. Management point 2. Active Directory Domain Services 3. DNS 4. WINS

Planning for Service Location from Management Points

When you install a Configuration Manager client, you can use the /MP option to indicate the management point for the client installation process to download the client installation files. You can use the SMSMP= option to identify the initial management point that the client first communicates with. When a client communicates successfully with a management point from its assigned site, it downloads the current list of available management points and stores this information locally in WMI for future use. After the initial list of management points is built, the client updates the list every 25 hours, and when it receives a new IP address, and when the client CCMEXEC service starts. During the installation of the client, the client builds a lookup list of management points (also known as an MP list) that include the management points that you specify during client installation, and management points that the client can identify from Active Directory Domain Services. A site must have one or more management points installed, and the site must publish to Active Directory Domain Services before the client can discover the sites management points from Active Directory Domain Services. Management points that are found in Active Directory Domain Services must match the clients assigned site code and client version. The client ignores management points that are published by Configuration Manager 2007. If you did not specify a management point to the client during client installation, and if you have not extended the Active Directory schema, the client checks DNS and WINS for management points to add to its lookup list. Note When a client is a member of more than one boundary group that is configured for site assignment, the management point lookup list is determined by a union of all of the boundaries that are associated to each of those boundary groups. After the client builds its list of management points, it sorts the list into different priorities. When the client supports a client PKI certificate, the client uses a management point that supports HTTPS communication and puts HTTPS-capable management points first in the list, as preferred management points. The client then tries to contact a preferred management point before it uses a management point that is not preferred. The order of all equivalent management points is not set and only the relative priority is set. This order of equivalent management points can reset
632

every time that the client updates its management point lookup list. Therefore, a client that has three HTTPS capable management points available to it might contact any of the three HTTPS management points during each new connection attempt. If the client cannot reach the first management point, it retries several times. If it continues to fail, it tries additional management points until communications are established, or there are no more management points on its list. For information about how to install Configuration Manager clients, and how to use command-line parameters to specify management points and the protocol that a client uses to contact site system roles, see How to Install Clients on Windows-Based Computers in Configuration Manager. If the client cannot contact a management point from its lookup list, it tries to use an alternative service location method.

Planning for Service Location from Active Directory Domain Services

Intranet clients use Active Directory Domain Services as their primary method of service location. Examples of site information include the location of available site system roles and their capabilities, and the security information that is required by client computers to establish trusted connections with site system servers in the site. Configuration Manager clients can use Active Directory Domain Services for service location when all the following conditions are true: The Active Directory schema is extended for Configuration Manager 2007 or System Center 2012 Configuration Manager. Configuration Manager sites publish to Active Directory Domain Services. The Active Directory forest is enabled for publishing in Configuration Manager. The client computer is a member of an Active Directory domain and can access a global catalog server.

If any one of these conditions cannot be met, you can configure alternative service location methods. Alternatives include DNS, WINS, and a management point that is specified during client installation.

Planning for Service Location by Using DNS Publishing

If you cannot publish site information to Active Directory Domain Services, consider publishing management points to DNS. You can publish this site system role for clients on the intranet. Determine Whether to Publish Management Points to DNS When you publish Configuration Manager management points to DNS, this configuration adds a service location resource record (SRV RR) in the DNS zone of the site system server that hosts the management point. Ensure that you have a corresponding host entry for the site system server. Consider publishing to DNS when any of the following conditions are true: The Active Directory Domain Services schema is not extended to support Configuration Manager. Clients on the intranet are located in a forest that is not enabled for Configuration Manager publishing.

633

Clients are on workgroup computers, and they are not configured for Internet-only client management. Important Publishing service location records for management points in DNS is applicable only to management points that accept client connections from the intranet. Client Discovery of Management Points from DNS For clients on the intranet to find a management point in DNS, at least one site in the Configuration Manager hierarchy must be configured to publish to DNS. If clients reside in an Active Directory domain that does not have a management point published to DNS, you must configure a client property that specifies the domain suffix of a published management point. If you do not specify a domain suffix, the clients domain is automatically searched. After clients find a management point in DNS, this management point can inform the client about other management points in the Configuration Manager hierarchy. This means that the management point published in DNS does not have to be from the clients Configuration Manager site for the client to successfully find a management point to download client policy. When a client locates more than one management that is published to DNS, the client selects the first management point that matches its own communication setting for HTTPS or HTTP. A client that can use HTTPS always selects a management point that is configured for HTTPS if one is available. For more information about how to configure the DNS suffix client property, see How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager. Publish Management Points to DNS To publish management points to DNS, the following two conditions must be true: Your DNS servers support service location resource records, by using a version of BIND that is at least 8.1.2. The specified intranet FQDNs for the management points in Configuration Manager have host entries (for example, A records) in DNS. Important Configuration Manager DNS publishing does not support a disjoint namespace. If you have a disjoint namespace, you can manually publish management points to DNS or use one of the other alternative service location methods that are documented in this section. When your DNS servers support automatic updates, you can configure Configuration Manager to automatically publish management points on the intranet to DNS, or you can manually publish these records to DNS. When management points are published to DNS, their intranet FQDN and port number are published in the service location (SRV) record. When your DNS servers do not support automatic updates but do support service location records, you can manually publish management points to DNS. To accomplish this, you must manually specify the service location resource record (SRV RR) in DNS.
634

Configuration Manager supports RFC 2782 for service location records, which have the following format: _Service._Proto.Name TTL Class SRV Priority Weight Port Target To publish a management point to Configuration Manager, specify the following values: _Service: Enter _mssms_mp_<sitecode>, where <sitecode> is the management point's site code. ._Proto: Specify ._tcp. .Name: Enter the DNS suffix of the management point, for example contoso.com. TTL: Enter 14400, which is four hours. Class: Specify IN (in compliance with RFC 1035). Priority: This field is not used by Configuration Manager. Weight: This field is not used by Configuration Manager. Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS. Note If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number. Target: Enter the intranet FQDN that is specified for the site system that is configured with the management point site role.

If you use Windows Server DNS, you can use the following procedure to enter this DNS record for intranet management points. If you use a different implementation for DNS, use the information in this section about the field values and consult that DNS documentation to adapt this procedure. To manually publish management points to DNS on Windows Server 1. In the Configuration Manager console, specify the intranet FQDNs of site systems. 2. In the DNS management console, select the DNS zone for the management point computer. 3. Verify that there is a host record (A or AAA) for the intranet FQDN of the site system. If this record does not exist, create it. 4. By using the New Other Records option, click Service Location (SRV) in the Resource Record Type dialog box, click Create Record, enter the following information, and then click Done: Domain: If necessary, enter the DNS suffix of the management point, for example contoso.com. Service: Type _mssms_mp_<sitecode>, where <sitecode> is the management point's site code. Protocol: Type _tcp. Priority: This field is not used by Configuration Manager.
635

Weight: This field is not used by Configuration Manager. Port: Enter the port number that the management point uses, for example 80 for HTTP and 443 for HTTPS. Note If the management point accepts HTTP and HTTPS client connections, you must create two SRV records. In one record, specify the HTTP port number; in the other, specify the HTTPS port number.

Host offering this service: Enter the intranet fully qualified domain name that is specified for the site system that is configured with the management point site role.

Repeat these steps for each management point on the intranet that you want to publish to DNS.

Planning for Service Location by Using WINS

The first management point in the primary site that is configured to accept HTTP client connections and the first management point in the primary site that is configured to accept HTTPS client connections are automatically published to WINS. When other service location mechanisms fail, clients can find an initial management point by checking WINS. When they connect to this management point, they download a list of other management points. This behavior means that clients can indirectly locate all management points from WINS and use them for subsequent connections. For example, you might prefer clients to use HTTPS when they connect to management points on the intranet, because this configuration provides improved security. You configure all management points but one to accept only HTTPS client connections. The one management point that accepts HTTP client connections is used only when clients first connect to the site. If you do not want clients to find an HTTP management point in WINS, configure clients with the CCMSetup.exe Client.msi property SMSDIRECTORYLOOKUP=NOWINS.

Planning How to Wake Up Clients

Configuration Manager supports two wake on local area network (LAN) technologies to wake up computers in sleep mode when you want to install required software, such as software updates and applications: traditional wake-up packets and AMT power-on commands. Beginning with Configuration Manager SP1, you can supplement the traditional wake-up packet method by using the wake-up proxy client settings. Wake-up proxy uses a peer-to-peer protocol and elected computers to check whether other computers on the subnet are awake, and to wake them if necessary. When the site is configured for Wake On LAN and clients are configured for wake-up proxy, the process works as follows: 1. Computers that have the Configuration Manager SP1 client installed and that are not asleep on the subnet check whether other computers on the subnet are awake. They do this by sending each other a TCP/IP ping command every 5 seconds.

636

2. If there is no response from other computers, they are assumed to be asleep. The computers that are awake become manager computers for the subnet. Because it is possible that a computer might not respond because of a reason other than it is asleep (for example, it is turned off, removed from the network, or the proxy wake-up client setting is no longer applied), the computers are sent a wake-up packet every day at 2 P.M. local time. Computers that do not respond will no longer be assumed to be asleep and will not be woken up by wake-up proxy. To support wake-up proxy, at least three computers must be awake for each subnet. To achieve this, three computers are non-deterministically chosen to be guardian computers for the subnet. This means that they stay awake, despite any configured power policy to sleep or hibernate after a period of inactivity. Guardian computers honor shutdown or restart commands, for example, as a result of maintenance tasks. If this happens, the remaining guardian computers wake up another computer on the subnet so that the subnet continues to have three guardian computers. 3. Manager computers ask the network switch to redirect network traffic for the sleeping computers to themselves. The redirection is achieved by the manager computer broadcasting an Ethernet frame that uses the sleeping computers MAC address as the source address. This makes the network switch behave as if the sleeping computer has moved to the same port that the manager computer is on. The manager computer also sends ARP packets for the sleeping computers to keep the entry fresh in the ARP cache. The manager computer will also respond to ARP requests on behalf of the sleeping computer and reply with the MAC address of the sleeping computer. Warning During this process, the IP-to-MAC mapping for the sleeping computer remains the same. Wake-up proxy works by informing the network switch that a different network adapter is using the port that was registered by another network adapter. However, this behavior is known as a MAC flap and is unusual for standard network operation. Some network monitoring tools look for this behavior and can assume that something is wrong. Consequently, these monitoring tools can generate alerts or shut down ports when you use wake-up proxy. Do not use wake-up proxy if your network monitoring tools and services do not allow MAC flaps. 4. When a manager computer sees a new TCP connection request for a sleeping computer and the request is to a port that the sleeping computer was listening on before it went to sleep, the manager computer sends a wake-up packet to the sleeping computer, and then stops redirecting traffic for this computer. 5. The sleeping computer receives the wake-up packet and wakes up. The sending computer automatically retries the connection and this time, the computer is awake and can respond. Wake-up proxy has the following prerequisites and limitations: Important
637

If you have a separate team that is responsible for the network infrastructure and network services, notify and include this team during your evaluation and testing period. For example, on a network that uses 802.1X network access control, wake-up proxy will not work and can disrupt the network service. In addition, wake-up proxy could cause some network monitoring tools to generate alerts when the tools detect the traffic to wake-up other computers. The supported clients are Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012. Guest operating systems that run on a virtual machine are not supported. Clients must run Configuration Manager SP1 and be enabled for wake-up proxy by using client settings. Although wake-up proxy operation does not depend on hardware inventory, clients do not report the installation of the wake-up proxy service unless they are enabled for hardware inventory and submitted at least one hardware inventory. Network adapters (and possibly the BIOS) must be enabled and configured for wake-up packets. If the network adapter is not configured for wake-up packets or this setting is disabled, Configuration Manager will automatically configure and enable it for a computer when it receives the client setting to enable wake-up proxy. If a computer has more than one network adapter, you cannot configure which adapter to use for wake-up proxy; the choice is non-deterministic. However, the adapter chosen is recorded in the SleepAgent_<DOMAIN>@SYSTEM_0.log file. The network must allow ICMP echo requests (at least within the subnet). You cannot configure the 5 second interval that is used to send the ICMP ping commands. Communication is unencrypted and unauthenticated, and IPsec is not supported. The following network configurations are not supported: 802.1X with port authentication Wireless networks Network switches that bind MAC addresses to specific ports IPv6-only networks DHCP lease durations less than 24 hours

As a security best practice, use AMT power on commands rather than wake-up packets when this is possible. Because AMT power on commands use PKI certificates to help secure the communication, this technology is more secure than sending wake-up packets. However, to use AMT power on commands, the computers must be Intel AMT-based computers that are provisioned for AMT. For more information about how Configuration Manager can manage AMTbased computers, see Introduction to Out of Band Management in Configuration Manager. If you want to wake up computers for scheduled software installation, you must configure each primary site for one of the three options: Use AMT power on commands if the computer supports this technology; otherwise use wakeup packets Use AMT power on commands only. Use wake-up packets only.
638

To use wake-up proxy with Configuration Manager SP1, you must deploy Power Management wake-up proxy client settings in addition to selecting the Use wake-up packets only option. Use the following table for more information about the differences between the two Wake-on-LAN (WOL) technologies, traditional wake-up packets and power on commands..
Technology Advantage Disadvantage

Traditional wake-up packets

Does not require any additional site system roles in the site. Supported by many network adapters. UDP wake-up packets are quick to send and process. Does not require a PKI infrastructure. Does not require any changes to Active Directory Domain Services. Supported on workgroup computers, computers from another Active Directory forest, and computers in the same Active Directory forest but using a noncontiguous namespace.

Less secure solution than AMT power on commands because it does not use authentication or encryption. If subnetdirected broadcast transmissions are used for the wake-up packets, this has the security risk of smurf attacks. Might require manual configuration on each computer for BIOS settings and adapter configuration. No confirmation that computers are woken up. Wake-up transmissions as multiple User Datagram Protocol (UDP) packets can unnecessarily saturate available network bandwidth. Unless you use wake-up proxy with Configuration Manager SP1, cannot wake up computers interactively. Cannot return computers to sleep state. Management features are restricted to waking up computers only.

AMT power on commands

More secure solution than traditional wake-up packets because it provides authentication and encryption by using standard industry security protocols. It can also integrate

Requires that the site has an out of band service point and enrollment point. Supported only on computers that have the Intel vPro chip set and a supported version of
639

Technology

Advantage

Disadvantage

with an existing PKI deployment, and the security controls can be managed independently from the product. Supports automatic centralized setup and configuration (AMT provisioning). Established transport session for a more reliable connection and auditable connection. Computers can be woken up interactively (and restarted). Computers can be powered down interactively. Additional management capabilities, which include the following: Restarting a nonfunctioning computer and booting from a locally connected device or known good boot image file. Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server. Reconfiguring the BIOS settings on a selected computer and bypassing the BIOS password if this is supported by the BIOS manufacturer. Booting to a commandbased operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool).

Intel Active Management Technology (Intel AMT) firmware. For more information about which AMT versions are supported, see Supported Configurations for Configuration Manager. The transport session requires more time to establish, higher processing on the server, and an increase in data transferred. Requires a PKI deployment and specific certificates. Requires an Active Directory container that is created and configured for publishing AMTbased computers. Cannot support workgroup computers, computers from another Active Directory forest, or computers from the same Active Directory forest but that use a noncontiguous namespace. Requires changes to DNS and DHCP to support AMT provisioning.

640

Choose how to wake up computers based on whether you can support the AMT power on commands and whether the computers assigned to the site support the Wake-on-LAN technology. Also consider the advantages and disadvantages of both technologies that are listed in the previous table. For example, wake-up packets are less reliable and are not secured, but power on commands take longer to establish and require more processing on the site system server that is configured with the out of band service point. Important Because of the additional overhead involved in establishing, maintaining, and ending an out of band management session to AMT-based computers, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment (for example, across slow WAN links to computers in secondary sites). This knowledge helps you determine whether waking up multiple computers for scheduled activities by using AMT power on commands is practical when you have many computers to wake up in a short amount of time. If you decide to use traditional wake-up packets, you must also decide whether to use subnetdirected broadcast packets, or unicast packets, and what UDP port number to use. By default, traditional wake-up packets are transmitted by using UDP port 9, but to help increase security, you can select an alternative port for the site if this alternative port is supported by intervening routers and firewalls.

For Traditional Wake-up Packets: Choose Between Unicast and SubnetDirected Broadcast for Wake-on-LAN
If you chose to wake up computers by sending traditional wake-up packets, you must decide whether to transmit unicast packets or subnet-direct broadcast packets. If you use wake-up proxy with Configuration Manager SP1, you must use unicast packets. Otherwise, use the following table to help you determine which transmission method to choose.
Transmission method Advantage Disadvantage

Unicast

More secure solution than subnet-directed broadcasts because the packet is sent directly to a computer instead of to all computers on a subnet. Might not require reconfiguration of routers (you might have to configure the ARP cache).

Wake-up packets do not find destination computers that have changed their subnet address after the last hardware inventory schedule. Switches might have to be configured to forward UDP packets.

Some network adapters might Consumes less network not respond to wake-up bandwidth than subnet-directed packets in all sleep states broadcast transmissions. when they use unicast as the
641

Transmission method

Advantage

Disadvantage

Supported with IPv4 and IPv6. Subnet-Directed Broadcast Higher success rate than unicast if you have computers that frequently change their IP address in the same subnet. No switch reconfiguration is required. High compatibility rate with computer adapters for all sleep states, because subnetdirected broadcasts were the original transmission method for sending wake-up packets.

transmission method. Less secure solution than using unicast because an attacker could send continuous streams of ICMP echo requests from a falsified source address to the directed broadcast address. This causes all of the hosts to reply to that source address. If routers are configured to allow subnet-directed broadcasts, the additional configuration is recommended for security reasons: Configure routers to allow only IP-directed broadcasts from the Configuration Manager site server, by using a specified UDP port number. Configure Configuration Manager to use the specified non-default port number.

Might require reconfiguration of all intervening routers to enable subnet-directed broadcasts. Consumes more network bandwidth than unicast transmissions. Supported with IPv4 only; IPv6 is not supported.

Warning There are security risks associated with subnet-directed broadcasts: An attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, which cause all the hosts to reply to that source address. This type of denial of service attack is commonly

642

called a smurf attack and is typically mitigated by not enabling subnet-directed broadcasts.

Planning for Communications Across Forests in Configuration Manager

System Center 2012 Configuration Manager supports sites and hierarchies that span Active Directory forests. Configuration Manager also supports domain computers that are not in the same Active Directory forest as the site server, and computers that are in workgroups: To support domain computers in a forest that is not trusted by your site servers forest, you can install site system roles in that untrusted forest, with the option to publish site information to the clients Active Directory forest. Or, you can m anage these computers as if they are workgroup computers. When you install site system servers in the clients forest, the client -toserver communication is kept within the clients forest and Configuration Manager can authenticate the computer by using Kerberos. When you publish site information to the clients forest, clients benefit from retrieving site information, such as a list of available management points, from their Active Directory forest rather than downloading this information from their assigned management point. Note If you want to manage devices that are on the Internet, you can install Internet-based site system roles in your perimeter network when the site system servers are in an Active Directory forest. This scenario does not require a two-way trust between the perimeter network and the site servers forest. To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles because Configuration Manager cannot authenticate these computers by using Kerberos. In addition, you must configure the Network Access Account so that these computers can retrieve content from distribution points. Because these clients cannot retrieve site information from Active Directory Domain Services, you must provide an alternative mechanism for them to find management points. You can use DNS publishing, or WINS, or directly assign a management point. For information about client approval and how clients find management points, see the Planning for Client Communication in Configuration Manager section in this topic. For information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic. For information about how to install clients on workgroup computers, see the How to Install Configuration Manager Clients on Workgroup Computers section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. Configuration Manager supports the Exchange Server connector in a different forest from the site server. To support this scenario, ensure that name resolution works across the forests (for example, configure DNS forwards), and specify the intranet FQDN of the Exchange Server when
643

you configure the Exchange Server connector. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Exchange. When your Configuration Manager design spans multiple Active Directory domains and forests, use the additional information in the following table to help you plan for the following types of communication.
Scenario Details More information

Communication between sites in a hierarchy that spans forests: Requires a twoway forest trust, which supports Kerberos authentication that Configuration Manager requires.

Configuration Manager supports installing a child site in a remote forest that has the required two-way trust with the forest of the parent site. For example: You can place a secondary site in a different forest from its primary parent site so long as the required trust exists. If you do not have a two-way forest trust which supports Kerberos authentication, then Configuration Manager does not support the child site in the remote forest. Note A child site can be primary site (where the central administration site is the parent site), or a secondary site. Intersite communication in Configuration Manager uses database replication and file-based transfers. When you install a site, you must specify an account to install the site on the designated server. This account also establishes

When a two-way forest trust exists, Configuration Manager does not require any additional configuration steps. By default, when you install a new site as a child of another site, Configuration Manager configures the following: An intersite file-based replication address at each site that uses the site server computer account. Configuration Manager adds the computer account of each computer to the SMS_SiteToSiteConnection_<siteco de> group on the destination computer. Database replication between the SQL Server at each site.

The following configurations must also be set: Intervening firewalls and network devices must allow the network packets that Configuration Manager requires. Name resolution must work between the forests. To install a site or site system role, you must specify an account that has local administrator permissions on the specified computer.

644

Scenario

Details

More information

and maintains communication between sites. After the site successfully installs and initiates filebased transfers and database replication, you do not have to configure anything else for communication to the site. For more information about how to install a site, see the Install a Site Server section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Communication in a site that spans forests: Does not require a two-way forest trust. To support clients primary sites support the installation of each site system role on computers in other forests. Note Two exceptions are the out of band service point and the Application Catalog web service point. Each must be installed in the same forest as the site server. When the site system role accepts connections from the Internet, as a security best practice, install these site system roles in an untrusted forest (for example, in a perimeter network) so that the forest The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database. If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site: Management point: Management Point Database Connection Account Enrollment point: Enrollment Point Connection Account

Consider the following additional information when you plan for site system
645

Scenario

Details

More information

boundary provides protection for the site server. When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to connect to, and then install site system roles on the specified computer. When you install a site system role in an untrusted forest, you must select the site system option Require the site server to initiate connections to this site system. This configuration enables the site server to establish connections to the site system server to transfer data. This prevents the site system server that is in the untrusted location from initiating contact with the site server that is inside your trusted network. These connections use the Site System Installation Account that you use to install the site system server. Communication between clients and site system roles when the clients are not in the same Active Directory forest as Configuration Manager supports the following scenarios for clients that are not in the same forest as their sites site server: There is a two-way forest trust between

roles in other forests: If you run a Windows Firewall, configure the applicable firewall profiles to pass communications between the site database server and computers that are installed with remote site system roles. For information about firewall profiles, see Understanding Firewall Profiles. When the Internet-based management point trusts the forest that contains the user accounts, user policies are supported. When no trust exists, only computer policies are supported.

Clients on a domain computer can use Active Directory Domain Services for service location when their site is published to their Active Directory Forest. To publish site information to another Active Directory forest, you must first
646

Scenario

Details

More information

their site server.

the forest of the client and the forest of the site server The site system role server is located in the same forest as the client The client is on a domain computer that does not have a twoway forest trust with the site server and site system roles are not installed in the client's forest The client is on a workgroup computer Note Configuration Manager cannot manage AMTbased computers out of band when these computers are in a different forest from the site server.

specify the forest and then enable publishing to that forest in the Active Directory Forests node of the Administration workspace. Additionally, you must enable each site to publish its data to Active Directory Domain Services. This configuration enables clients in that forest to retrieve site information and find management points. For clients that cannot use Active Directory Domain Services for service location, you can use DNS, WINS, or the clients assigned management point.

Planning for Internet-Based Client Management

Internet-based client management lets you manage Configuration Manager clients when they are not connected to your company network but have a standard Internet connection. This arrangement has several advantages that include the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timelier manner. Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that clients and the site system servers that the clients connect to use PKI certificates. This ensures that connections are authenticated by an independent authority, and that data to and from these site systems are encrypted by using Secure Sockets Layer (SSL). Use the following sections to help you plan for Internet-based client management.
647

Features that Are Not Supported on the Internet

Not all client management functionality is appropriate for the Internet; therefore they are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL). The following features are not supported when clients are managed on the Internet: Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation. Automatic site assignment. Network Access Protection (NAP). Wake-on-LAN. Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients. Remote control. Out of band management. Software deployment to users unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location. Note New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point. Clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update, but always use Configuration Manager distribution points.

Planning for Internet-Based Site Systems

The following site system roles in a primary site support client connections from the Internet:
648

Management point Distribution point Fallback status point Software update point (with and without a network load balancing cluster) Application Catalog website point Enrollment proxy point

Secondary sites do not support client connections from the Internet. All site systems must reside in an Active Directory domain. However, you can install site systems for Internet-based client management in an untrusted forest. This scenario might be appropriate for a perimeter network that requires high security. Although there is no requirement to have a trust between the two forests, when the forest that contains the Internetbased site systems trusts the forest that contains the user accounts, this configuration supports user-based policies for devices on the Internet when you enable the Client Policy client setting Enable user policy requests from Internet clients. For example, the following configurations illustrate when Internet-based client management supports user policies for devices on the Internet: The Internet-based management point is in the perimeter network where a read-only domain controller resides to authenticate the user and an intervening firewall allows Active Directory packets. The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets. The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server. Note If Kerberos authentication fails, NTLM authentication is then automatically tried. As the previous example shows, you can place Internet-based site systems in the intranet when they are published to the Internet by using a web proxy server, such as ISA Server and Forefront Threat Management Gateway. These site systems can be configured for client connection from the Internet only, or client connections from the Internet and intranet. When you use a web proxy server, you can configure it for Secure Sockets Layer (SSL) bridging to SSL (more secure) or SSL tunneling: SSL bridging to SSL: The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging. The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager
649

clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP. Tunneling: If your proxy web server cannot support the requirements for SSL bridging, or you want to configure Internet support for mobile devices that are enrolled by Configuration Manager, SSL tunneling is also supported. It is a less secure option because the SSL packets from the Internet are forwarded to the site systems without SSL termination, so they cannot be inspected for malicious content. When you use SSL tunneling, there are no certificate requirements for the proxy web server.

Planning for Internet-Based Clients

You must decide whether the client computers that will be managed over the Internet will be configured for management on the intranet and the Internet, or for Internet-only client management. You can only configure the client management option during the installation of a client computer. If you change your mind later, you must reinstall the client. Tip You do not have to restrict the configuration of Internet-only client management to the Internet and you can also use it on the intranet. Clients that are configured for Internet-only client management only communicate with the site systems that are configured for client connections from the Internet. This configuration would be appropriate for computers that you know never connect to your company intranet, for example, point of sale computers in remote locations. It might also be appropriate when you want to restrict client communication to HTTPS only (for example, to support firewall and restricted security policies), and when you install Internet-based site systems in a perimeter network and you want to manage these servers by using the Configuration Manager client. When you want to manage workgroup clients on the Internet, you must install them as Internetonly. Note Mobile device clients are automatically configured as Internet-only when they are configured to use an Internet-based management point. Other client computers can be configured for Internet and intranet client management. They can automatically switch between Internet-based client management and intranet client management when they detect a change of network. If these clients can find and connect to a management point that is configured for client connections on the intranet, these clients are managed as intranet clients that have full Configuration Manager management functionality. If the clients cannot find or connect to a management point that is configured for client connections on the intranet, they attempt to connect to an Internet-based management point, and if this is successful, these clients are then managed by the Internet-based site systems in their assigned site.
650

The benefit in automatic switching between Internet-based client management and intranet client management is that client computers can automatically use all Configuration Manager features whenever they are connected to the intranet and continue to be managed for essential management functions when they are on the Internet. Additionally, a download that began on the Internet can seamlessly resume on the intranet, and vice versa.

Prerequisites for Internet-Based Client Management

Internet-based client management in Configuration Manager has the following external dependencies:
Dependency More information

Clients that will be managed on the Internet must have an Internet connection.

Configuration Manager uses existing Internet Service Provider (ISP) connections to the Internet, which can be either permanent or temporary connections. Client mobile devices must have a direct Internet connection, but client computers can have either a direct Internet connection or connect by using a proxy web server. The Internet-based site systems do not require a trust relationship with the Active Directory forest of the site server. However, when the Internet-based management point can authenticate the user by using Windows authentication, user policies are supported. If Windows authentication fails, only computer policies are supported. Note To support user policies, you also must set to True the two Client Policy client settings: Enable user policy polling on clients Enable user policy requests from Internet clients

Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.

An Internet-based Application Catalog website point also requires Windows authentication to authenticate users when their computer is on the Internet. This requirement is independent from user policies. You must have a supporting public key For more information about the PKI certificates,
651

Dependency

More information

infrastructure (PKI) that can deploy and manage the certificates that the clients require and that are managed on the Internet and the Internet-based site system servers. The following infrastructure services must be configured to support Internet-based client management: Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers. Intervening firewalls or proxy servers: These network devices must allow the client communication that is associated with Internet-based site systems.

see PKI Certificate Requirements for Configuration Manager

Client communication requirements: Support HTTP 1.1 Allow HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream) Allow the following verbs for the Internetbased management point: HEAD CCM_POST BITS_POST GET PROPFIND

Allow the following verbs for the Internetbased distribution point: HEAD GET PROPFIND

Allow the following verbs for the Internetbased fallback status point: POST Allow the following verbs for the Internetbased Application Catalog website point: POST GET

Allow the following HTTP headers for the Internet-based management point: Range: CCMClientID: CCMClientIDSignature: CCMClientTimestamp: CCMClientTimestampsSignature:

Allow the following HTTP header for the Internet-based distribution point: Range:
652

Dependency

More information

For configuration information to support these requirements, refer to your firewall or proxy server documentation. For similar communication requirements when you use the software update point for client connections from the Internet, see the documentation for Windows Server Update Services (WSUS). For example, for WSUS on Windows Server 2003, see Appendix D: Security Settings, the deployment appendix for security settings.

Planning for Network Bandwidth in Configuration Manager

System Center 2012 Configuration Manager includes several methods to control the network bandwidth that is used by communications between sites, site system servers, and clients. However, not all communication on the network can be managed. Use the following sections to help you understand the methods that you can use to control network bandwidth and to design your site hierarchy. When you plan the Configuration Manager hierarchy, consider the amount of network data that will be transferred from intersite and intrasite communications. Note File replication routes (known as addresses prior to Configuration Manager SP1), are used only for intersite communications and are not used for intrasite communications between site servers and site systems.

Controlling Network Bandwidth Usage Between Sites

Configuration Manager transfers data between sites by using both file-based replication and database replication. Prior to Configuration Manager with SP1 you can configure file-based replication to control the use of network bandwidth for transfers, but cannot configure the use of network bandwidth for database replication. Beginning with Configuration Manager SP1, you can configure the use of network bandwidth for database replication for selected site data. When you configure network bandwidth controls, you should remain aware of the potential for data latency. If communications between sites is restricted or configured to only transfer data after regular business hours, administrators at either the parent site or child site might be unable to view certain data until the intersite communication has occurred. For example, if an important software update package is being sent to distribution points that are located at child sites, the
653

package might not be available at those sites until all pending intersite communication is completed. Pending communication might include delivery of a package that is very large and that has not yet completed its transfer. Controls for File-based Replication: During file-based data transfers, Configuration Manager uses all of the available network bandwidth to send data between sites. You can control this process by configuring the sender at a site to increase or decrease site-to-site sending threads. A sending thread is used to transfer one file at a time. Each additional thread allows additional files to be transferred at the same time, which results in more bandwidth use. To configure the number of threads to use for site-to-site transfers, configure the Maximum concurrent sendings on the Sender tab of the sites properties. To control file-based data transfers between sites, you can schedule when Configuration Manager can use a file replication route to a specific site. You can control the amount of network bandwidth to use, the size of data blocks, and the frequency for sending the data blocks. Additional configurations can limit data transfers based on the priority of the data type. For each site in the hierarchy, you can set schedules and rate limits for that site to use when transferring data by configuring the properties of the file replication rout to each destination site. Configurations for a file replication route only apply to the data transfers to the destination site specified for that file replication route. For more information about file replication routes, see the sub-section File Replication Routes in the Planning for Intersite Communications in Configuration Manager section in this topic. Important When you configure rate limits to restrict the bandwidth use on a specific file replication route, Configuration Manager can use only a single thread to transfer data to that destination site. Use of rate limits for a file replication route overrides the use of multiple threads per site that are configured in the Maximum concurrent sendings for each site. Controls for Database Replication: Beginning with Configuration Manager SP1, you can configure database replication links to help control the use of network bandwidth for the transfer of selected site data between sites. Some of the controls are similar to those for filebased replication, with additional support to schedule when hardware inventory, software inventory, software metering, and status messages replicate to the parent site across the link. For more information, see the section Database Replication in this topic.

Controlling Network Bandwidth Usage Between Site System Servers

Within a site, communication between site systems uses server message blocks (SMB), can occur at any time, and does not support a mechanism to control network bandwidth. However, when you configure the site server to use rate limits and schedules to control the transfer of data over the network to a distribution point, you can manage the transfer of content from the site server to distribution points with controls similar to those for site-to-site file-based transfers.

654

Controlling Network Bandwidth Usage Between Clients and Site System Servers
Clients regularly communicate with different site system servers. For example, they communicate with a site system server that runs a management point when they have to check for a client policy, and communicate with a site system server that runs a distribution point when they have to download content to install an application or software update. The frequency of these connections and the amount of data that is transferred over the network to or from a client depends on the schedules and configurations that you specify as client settings. Typically, client policy requests use low network bandwidth. The network bandwidth might be high when clients access content for deployments or send information such as hardware inventory data to the site. You can specify client settings that control the frequency of client-initiated network communications. Additionally, you can configure how clients access deployment content, for example, by using Background Intelligent Transfer Service (BITS). To use BITS to download content, the client must be configured to use BITS. If the client cannot use BITS it uses SMB to transfer the content. For information about client settings in Configuration Manager, see Planning for Client Settings in Configuration Manager.

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for Site Operations in Configuration Manager

Use the information in the following sections to help you plan for site operations. Planning for Backup and Recovery Planning for Client Management Planning for Maintenance Tasks for Configuration Manager Planning for Alerts

Planning for Backup and Recovery

Enterprise solutions such as Configuration Manager must prepare for loss of critical data by planning for both backup and recovery operations. For Configuration Manager sites, this preparation ensures that sites and hierarchies are recovered with the least data loss and in the quickest possible time.

655

A Configuration Manager site contains a large amount of data, which is mostly stored in the site database. To ensure that you are correctly backing up your sites, schedule the Backup Site Server maintenance task for the central administration site and each primary site in your hierarchy. The Backup Site Server maintenance task creates a complete backup snapshot of your site and contains all the data necessary to perform recovery operations. You can also use your own method for backing up the site database. For example, you can create a site database backup as part of a SQL Server maintenance plan. Depending on your Configuration Manager hierarchy, the requirement to back up a site to avoid data loss varies. For example, consider the following scenarios: Central administration site with child primary sites: When you have a Configuration Manager hierarchy, the site can likely be recovered even when you do not have a site backup. Because database replication is used in the hierarchy, the data required for recovery can be retrieved from another site in the hierarchy. The benefit of restoring a site by using a backup is that only changes to the data since the last backup have to be retrieved from another site, which reduces the amount of data transferred over your network. Stand-alone primary site: When you have a stand-alone primary site (no central administration site), you must have a Configuration Manager backup to avoid data loss. Secondary sites: There is no backup and recovery support for secondary sites. You must reinstall the secondary site when it fails.

For more information about how to configure site backup or recover a site, see Backup and Recovery in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new since Configuration Manager 2007: In System Center 2012 Configuration Manager, recovery is integrated in the Configuration Manager Setup Wizard. Configuration Manager 2007 used the Site Repair Wizard to recover sites. You have the following options when running recovery in System Center 2012 Configuration Manager: Site Server Recover the site server from a backup. Reinstall the site server. Recover the site database from a backup. Create a new site database. Use a site database that been manually recovered. Skip database recovery.
656

Site Database

System Center 2012 Configuration Manager database replication uses SQL Server to transfer data and merge changes made to the database of a site with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Recovery in System Center 2012 Configuration Manager uses database replication to retrieve global data that the failed site created before it failed. This process minimizes data loss even when no backup is available.

You can start an unattended site recovery by configuring an unattended installation script and then using the Setup command /script option.

Whats New in Configuration Manager SP1

The following item is new since System Center 2012 Configuration Manager: Starting in Configuration Manager SP1, you can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. During the recovery, the secondary site files are installed on the destination computer and then the secondary site data is reinitialized with data from the primary site. The secondary site that you recover must have the same FQDN, meet all secondary site prerequisites, and you must configure appropriate security rights for the secondary site. For more information about the Prerequisite Checker, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic. For more information about secondary site security requirements, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Volume Shadow Copy Service

The Backup Site Server maintenance task uses the Volume Shadow copy Service (VSS) to create the backup snapshot. VSS is essentially a framework which facilitates communication between applications, storage subsystems, and storage management applications (including backup applications) to define point-in-time copies of storage data. These point-in-time copies, or shadow copies, of site server and site database information are used to back up and restore Configuration Manager sites. By using VSS shadow copies, the Backup Site Server maintenance task can minimize off-line times for site servers. VSS must be running for the Backup Site Server maintenance task to finish successfully.

What Gets Backed Up

The Backup Site Server maintenance task includes the following information in the backup set: The Configuration Manager site database files Note The Backup Site Server maintenance task does not support configuring an NTFS file system junction point to store the site database files. The following Configuration Manager installation folders:
657

<ConfigMgrInstallationPath>\bin <ConfigMgrInstallationPath>\inboxes <ConfigMgrInstallationPath>\Logs <ConfigMgrInstallationPath>\Data <ConfigMgrInstallationPath>\srvacct

The ..\HKEY_LOCAL_MACHINE\Software\Microsoft\SMS registry key.

What Does Not Get Backed Up

The Backup Site Server maintenance task creates a backup set that includes everything you need to restore your site server to a functional state. There are some Configuration Manager items not included in the site backup that you might want to back up outside of the normal process. The following sections provide information about items not backed up as part of the backup task. Warning For more information about supplemental backup tasks, see the Supplemental Backup Tasks section in the Backup and Recovery in Configuration Manager topic.

Configuration Manager Site Systems

Some Configuration Manager site systems contain site data that is easily recreated if the site fails and are not backed up during the site backup process. For example, you do not have to backup data from site systems such as distribution points and management points. The site server can easily reinstall these site systems if they fail.

Custom Reporting Services Reports

When you create custom Configuration Manager reports in SQL Server Reporting Services, there are several items on the Reporting Services server that you must add to your backup set to recover the reports in the event of a failure on the server running Reporting Services.

Content Files
The content library in Configuration Manager is the location where all content files are stored for software updates, applications, operating system deployment, and so on. The content library is located on the site server and each distribution point. The Backup Site Server maintenance task does not include a backup of the content library or the package source files. When a site server fails, the information about the content library files is restored to the site database, but you must restore the content library and package source files on the site server.

SQL Server Master Database

You do not have to back up the SQL Server master database. The Backup Site Server maintenance task backs up all of the required information for restoring the site database to
658

SQL Server as part of the backup process. The original SQL Server master database is not required for restoring the site database on a new server that is hosting the SQL Server database.

Configuration Manager Log Files

The Backup Site Server maintenance task backs up logs located in the <ConfigMgrInstallationPath>\Logs folder, but some System Center 2012 Configuration Manager site systems write logs in other locations and are not backed up by the Backup Site Server maintenance task. Plan an alternative method to back up these log files, if it is required.

Configuration Manager Clients

System Center 2012 Configuration Manager clients are not backed up as part of the site backup process for the following reasons: To correctly back up a Configuration Manager client, the client services must be stopped. However, there is no reliable way to stop and start the client services. Stopping and starting the client services can potentially corrupt the data on the hard disk of the client or in the backup snapshot. Clients are too numerous. It is neither practical nor beneficial to back up and restore the clients assigned to a site. The effect of losing client data is relatively small.

System Center Updates Publisher

When you use System Center Updates Publisher to create custom software updates, the updates are stored in the Updates Publisher database. Though many of these custom software updates might have been published to Windows Server Update Services, you typically want to have a backup of the Updates Publisher database that contains the source for the custom updates.

Maintenance Mode Support

When the Backup Site Server maintenance task performs a site backup, critical site services must be stopped including: SMS Executive service (SMS_Executive) SMS Site Component Manager service (SMS_Site_Component_Manager)

If the Configuration Manager site server or site database server is being monitored by the monitoring agent on the System Center Operations Manager client, the backup process might generate false stop service alerts when critical Configuration Manager services are stopped for backup. To avoid this problem, configure the entire backup process to be monitored as a single transaction that is managed by using Operations Manager maintenance mode state management.

Planning for Client Management

Use the following links to help you plan for client management:
659

Planning for Hardware Inventory in Configuration Manager Prerequisites for Asset Intelligence in Configuration Manager Planning for Power Management in Configuration Manager Planning for Remote Control in Configuration Manager Planning for Software Metering in Configuration Manager Planning for Out of Band Management in Configuration Manager Planning for Compliance Settings in Configuration Manager Planning for Endpoint Protection in Configuration Manager Planning for Software Updates in Configuration Manager Planning to Deploy Operating Systems in Configuration Manager

Planning for Maintenance Tasks for Configuration Manager

System Center 2012 Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services effectively and continuously. Regular maintenance ensures that the hardware, software, and the Configuration Manager database continue to function correctly and efficiently. Optimal performance greatly reduces the risk of failure. While your Configuration Manager site and hierarchy perform the tasks that you schedule and configure, site components continually add data to the Configuration Manager database. As the amount of data grows, database performance and the free storage space in the database decline. You can configure site maintenance tasks to remove aged data that you no longer require. Configuration Manager provides predefined maintenance tasks that you can use to maintain the health of the Configuration Manager database. Not all maintenance tasks are available at each site, by default, several are enabled while some are not, and all support a schedule that you can configure for when to run. Most maintenance tasks periodically remove out-of-date data from the Configuration Manager database. Reducing the size of the database by removing unnecessary data improves the performance and the integrity of the database, which increases the efficiency of the site and hierarchy. Other tasks, such as Rebuild Indexes, help maintain the database efficiency, while some, such as the Backup Site Server task, help you prepare for disaster recovery. Important When you plan the schedule of any task that deletes data, consider the use of that data across the hierarchy. When a task that deletes data runs at a site, the information is removed from the Configuration Manager database, and this change replicates to all sites in the hierarchy. This can affect other tasks that rely on that data. For example, at the central administration site, you might configure Discovery to run one time per month to identify non-client computers, and plan to install the Configuration Manager client to these computers within two weeks of their discovery. However, at one site in the hierarchy, an administrator configures the Delete Aged Discovery Data task to run every
660

seven days with a result that seven days after non-client computers are discovered, they are deleted from the Configuration Manager database. Back at the central administration site, you prepare to push install the Configuration Manager client to these new computers on day 10. However, because the Delete Aged Discovery Data task has recently run and deleted data that is seven days or older, the recently discovered computers are no longer available in the database. After you install a Configuration Manager site, review the available maintenance tasks and enable those tasks that your operations require. Review the default schedule of each task, and when necessary, modify the schedule to fine-tune the maintenance task to fit your hierarchy and environment. Although the default schedule of each task should suit most environments, monitor the performance of your sites and database and expect to fine-tune tasks to increase your deployments efficiency. Plan to periodically review the site and database performance and to reconfigure maintenance tasks and their schedules to maintain that efficiency.

When to Perform Common Maintenance Tasks

To maintain your site, consider performing regular maintenance on a daily, weekly, and for some tasks, a more periodic schedule. Common maintenance can include both the built-in maintenance tasks and other tasks such as account maintenance to maintain compliance with your company policies. Performing regular maintenance is important to ensure correct site operations. Maintain a maintenance log to document dates that maintenance was conducted, by whom, and any maintenance-related comments about the task conducted. Use the following information as a guide to help you plan when to perform different maintenance tasks. Use these lists as a starting point, and add any additional tasks you might require. Daily Tasks The following are maintenance tasks you might consider performing on a daily basis: Verify that predefined maintenance tasks that are scheduled to run daily are running successfully. Check the Configuration Manager database status. Check site server status. Check Configuration Manager site system inboxes for file backlogs. Check site systems status. Check the operating system event logs on site systems. Check the SQL Server error log on the site database computer. Check system performance. Check Configuration Manager alerts.

Weekly Tasks The following are maintenance tasks you might consider performing on a weekly basis: Verify that predefined maintenance tasks scheduled to run weekly are running successfully. Delete unnecessary files from site systems.
661

Produce and distribute end-user reports if required. Back up application, security, and system event logs and clear them. Check the site database size and verify that there is enough available disk space on the site database server so that the site database can grow. Perform SQL Server database maintenance on the site database according to your SQL Server maintenance plan. Check available disk space on all site systems. Run disk defragmentation tools on all site systems.

Periodic Tasks Some tasks do not have to be performed during daily or weekly maintenance, but are important to ensure overall site health, and security and disaster recovery plans are up-to-date. The following are maintenance tasks that you might consider performing on a more periodic basis than the daily or weekly tasks: Change accounts and passwords, if it is necessary, according to your security plan. Review the maintenance plan to verify that scheduled maintenance tasks are scheduled correctly and effectively depending on configured site settings. Review the Configuration Manager hierarchy design for any required changes. Check network performance to ensure changes have not been made that affect site operations. Verify that Active Directory settings affecting site operations have not changed. For example, verify that subnets assigned to Active Directory sites that are used as boundaries for Configuration Manager site have not changed. Review your disaster recovery plan for any required changes. Perform a site recovery according to the disaster recovery plan in a test lab by using a backup copy of the most recent backup created by the Backup Site Server maintenance task. Check hardware for any errors or for available hardware updates. Check the overall health of the site.

About the Built-In Maintenance Tasks

The following table lists the available maintenance tasks, at which site each task is available, and basic details about the task. For more information about each task and its available configurations, view the maintenance task Properties in the Configuration Manager console. Key: = By default, enabled = By default, not enabled

Maintenance task

Central administration site

Primary site

Secondary site

More information

Backup Site

Not available

Use this task to prepare for

662

Maintenance task

Central administration site

Primary site

Secondary site

More information

Server

recovery of critical data by creating a backup of the critical information that you have to restore a site and the Configuration Manager database. For more information, see Backup and Recovery in Configuration Manager.

Check Application Title with Inventory Information

Not available

Use this task to maintain consistency between software titles reported in software inventory and software titles in the Asset Intelligence catalog. For more information, see Introduction to Asset Intelligence in Configuration Manager.

Clear Install Flag

Not available

Not available

Use this task to remove the installed flag for clients that do not submit a Heartbeat Discovery record during the Client Rediscovery period. The installed flag prevents automatic client push installation to a computer that might have an active Configuration Manager client. For more information, see How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager.

Delete Aged Application Request Data

Not available

Not available

Use this task to delete aged application requests from the database.
663

Maintenance task

Central administration site

Primary site

Secondary site

More information

For more information about application requests, see Introduction to Application Management in Configuration Manager. Delete Aged Client Operations Not available Use this task to delete aged data for Endpoint Protection client operations from the database. This data includes requests that an administrative user made for clients to run a scan or download updated definitions. For more information about managing Endpoint Protection in Configuration Manager, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager. Delete Aged Client Presence History Not available For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this task to delete history information about the online status of clients, recorded by client notification, that is older than the specified time. For more information about client notification, see Introduction to Client Deployment in Configuration Manager. Delete Aged Collected Files Not available Not available Use this task to delete aged information about collected files from the database. This
664

Maintenance task

Central administration site

Primary site

Secondary site

More information

task also deletes the collected files from the site server folder structure at the selected site. By default, the five most recent copies of collected files are stored on the site server in the Inboxes\sinv.box\FileCol directory. For more information, see Planning for Software Inventory in Configuration Manager. Delete Aged Computer Association Data Not available Not available Use this task to delete aged Operating System Deployment computer association data from the database. This information is used as part of completing user state restores. For more information about computer associations, see Managing User State. Use this task to delete aged data from the database that has been created by Extraction Views. By default, Extraction Views are disabled and can only be enabled by use of the Configuration Manager SDK. Unless Extraction Views are enabled, there is no data for this task to delete. Delete Aged Device Wipe Record Not available Not available Use this task to delete aged data about mobile device wipe actions from the database.
665

Delete Aged Delete Detection Data

Not available

Maintenance task

Central administration site

Primary site

Secondary site

More information

For information about managing mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. Delete Aged Devices Managed by the Exchange Server Connector Not available Not available Use this task to delete aged data about mobile devices that are managed by using the Exchange Server connector. This data is deleted according to the interval configured for the Ignore mobile devices that are inactive for more than (days) option on the Discovery tab of the Exchange Server connector properties. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Exchange. Delete Aged Discovery Data Not available Not available Use this task to delete aged discovery data from the database. This data can include records resulting from heartbeat discovery, network discovery, and Active Directory Domain Services discovery methods (System, User, and Group). When this task runs at one site, it removes the data from the database at all sites in the hierarchy. For information about Discovery, see Planning for
666

Maintenance task

Central administration site

Primary site

Secondary site

More information

Discovery in Configuration Manager. Delete Aged Endpoint Protection Health Status History Data Not available Not available Use this task to delete aged status information for Endpoint Protection from the database. For more information about Endpoint Protection status information, see How to Monitor Endpoint Protection in Configuration Manager. Not available Not available Use this task to delete from the site database, aged data about mobile devices enrolled by Configuration Manager that have enrolled at a site but that have not reported any information to the site for a specified time. Important This task does not delete data about mobile devices that are enrolled by Windows Intune. Instead, to delete aged data about mobile devices that are enrolled by Windows Intune, use the Delete Inactive Client Discovery Data and Delete Obsolete Client Discovery Data task. For information about the operating systems of devices
667

Delete Aged Enrolled Devices

Maintenance task

Central administration site

Primary site

Secondary site

More information

that are enrolled by Configuration Manager or by Windows Intune, see the Mobile Device Requirements section in the Supported Configurations for Configuration Manager topic. Delete Aged Inventory History Not available Not available Use this task to delete inventory data that has been stored longer than a specified time from the database. For information about inventory history, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. Delete Aged Log Data Use this task to delete aged log data that is used for troubleshooting from the database. This data is not related to Configuration Manager component operations. Important By default, this task runs daily at each site. At a central administration site and primary sites, the task deletes data that is older than 30 days. When you use SQL Server Express at a secondary site, ensure that this task runs daily, and deletes data that has been inactive for 7
668

Maintenance task

Central administration site

Primary site

Secondary site

More information

days. Delete Aged Notification Task History Not available Not available For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this task to delete information about client notification tasks from the site database when it has not been updated for a specified time. For more information about client notification, see Introduction to Client Deployment in Configuration Manager. Delete Aged Replication Summary Data For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this task to delete aged replication summary data from the site database when it has not been updated for a specified time. For more information, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. Delete Aged Replication 1 Tracking Data Use this task to delete aged data about database replication between Configuration Manager sites from the database.
669

Maintenance task

Central administration site

Primary site

Secondary site

More information

For more information, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic. Delete Aged Software Metering Data Not available Not available Use this task to delete aged data for software metering that has been stored longer than a specified time from the database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Delete Aged Software Metering Summary Data Not available Not available Use this task to delete aged summary data for software metering that has been stored longer than a specified time from the database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Delete Aged Status Messages Not available Use this task to delete aged status message data as configured in status filter rules from the database. For information, see Monitor System Status for Configuration Manager the section in the topic Monitor Configuration Manager Sites and Hierarchy. Delete Aged Threat Data Not available Not available Use this task to delete aged Endpoint Protection threat
670

Maintenance task

Central administration site

Primary site

Secondary site

More information

data that has been stored longer than a specified time from the database. For information about Endpoint Protection, see Endpoint Protection in Configuration Manager. Delete Aged Unknown Computers Not available Not available For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this task to delete information about unknown computers from the site database when it has not been updated for a specified time. For more information, see How to Manage Unknown Computer Deployments in Configuration Manager. Delete Aged User Device Affinity Data Not available Not available Use this task to delete aged User Device Affinity data from the database. For more information, see How to Manage User Device Affinity in Configuration Manager. Delete Inactive Client Discovery Data Not available Not available Use this task to delete discovery data for inactive clients from the database. Clients are marked as inactive when the client is flagged as obsolete and by configurations made for Client status. This task operates only on resources
671

Maintenance task

Central administration site

Primary site

Secondary site

More information

that are Configuration Manager clients. It is different than the Delete Aged Discovery Data task which deletes any aged discovery data record. When this task runs at a site, it removes the data from the database at all sites in a hierarchy. Important When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables active clients to send a Heartbeat Discovery record to mark their client record as active so this task does not delete them. For more information, see How to Configure Client Status in Configuration Manager. Delete Obsolete Alerts Not available Use this task to delete expired alerts that have been stored longer than a specified time from the database. For more information, see Planning for Alerts. Delete Obsolete Client Discovery Data Not available Not available Use this task to delete obsolete client records from the database. A record that is marked as obsolete has
672

Maintenance task

Central administration site

Primary site

Secondary site

More information

usually been replaced by a newer record for the same client. The newer record becomes the clients current record. Important When enabled, configure this task to run at an interval greater than the Heartbeat Discovery schedule. This enables the client to send a Heartbeat Discovery record that sets the obsolete status correctly. For information about Discovery, see Planning for Discovery in Configuration Manager. Delete Obsolete Forest Discovery Sites and Subnets Not available Use this task to delete data about Active Directory sites, subnets, and domains that have not been discovered by the Active Directory Forest Discovery method in the last 30 days. This removes the discovery data but does not affect boundaries created from this discovery data. For more information, see Planning for Discovery in Configuration Manager. Delete Unused Application Revisions Not available Not available Use this task to delete application revisions that are no longer referenced.
673

Maintenance task

Central administration site

Primary site

Secondary site

More information

For more information, see How to Manage Application Revisions in Configuration Manager. Evaluate Collection Members Not available Not available In Configuration Manager with no service pack, use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources. For more information, see How to Manage Collections in Configuration Manager. Beginning with Configuration Manager SP1, you configure the Collection Membership Evaluation as a site component. For information about site components, see Configuring Site Components in Configuration Manager. Evaluate Provisioned AMT Computer Certificates Not available Not available Use this task to check the validity period of the certificates issued to AMTbased computers. For more information see, How to Manage AMT Provisioning Information in Configuration Manager. Monitor Keys Not available Use this task to monitor the integrity of the Configuration Manager database primary keys. A primary key is a column or combination of columns that uniquely identify
674

Maintenance task

Central administration site

Primary site

Secondary site

More information

one row and distinguish it from any other row in a Microsoft SQL Server database table. Rebuild Indexes Use this task to rebuild the Configuration Manager database indexes. An index is a database structure that is created on a database table to speed up data retrieval. For example, searching an indexed column is often much faster than searching a column that is not indexed. To improve performance, the Configuration Manager database indexes are frequently updated to remain synchronized with the constantly changing data stored in the database. This task creates indexes on database columns that are at least 50 percent unique, drops indexes on columns that are less than 50 percent unique, and rebuilds all existing indexes that meet the data uniqueness criteria. Summarize Installed Software Data Not available Not available Use this task to summarize the data for installed software from multiple records into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. For more information, see
675

Maintenance task

Central administration site

Primary site

Secondary site

More information

Planning for Software Inventory in Configuration Manager. Summarize Software Metering File Usage Data Not available Not available Use this task to summarize the data from multiple records for software metering file usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task with the Summarize Software Metering Monthly Usage Data task to summarize software metering data, and to conserve disk space in the Configuration Manager database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Summarize Software Metering Monthly Usage Data Not available Not available Use this task to summarize the data from multiple records for software metering monthly usage into one general record. Data summarization can compress the amount of data stored in the Configuration Manager database. You can use this task with the Summarize Software Metering File Usage Data task to summarize software metering data, and to
676

Maintenance task

Central administration site

Primary site

Secondary site

More information

conserve space in the Configuration Manager database. For more information, see Maintenance Tasks for Software Metering in Configuration Manager. Update Application 2 Catalog Tables Not available Use this task to synchronize the Application Catalog website database cache with the latest application information. For more information, see Configuring the Application Catalog and Software Center in Configuration Manager.
1

When you change the configuration of this maintenance task, the configuration applies to each applicable site in the hierarchy.
2

When you change the configuration of this maintenance task, the configuration applies to all primary sites in the hierarchy.

Planning for Alerts

System Center 2012 Configuration Manager generates alerts that you can use to monitor the status of objects as they perform a task. Alerts can indicate a completed task, an interim status of a task, or the failure of a task. Alerts are listed in several places in the Configuration Manager console. A complete list of alerts is provided in the Monitoring workspace in the Alerts node. The most recent active alerts are displayed in the Overview of the workspace that they are associated with. For example, select Assets and Compliance to see a list of the most recent alerts listed in the Assets and Compliance Overview. The list of the most recent alerts is updated whenever a new alert is generated or the state of an alert has changed for that workspace. For more information about managing alerts, see Configuring Alerts in Configuration Manager. For more information about what you can do when an alert is generated, see Monitor Alerts in Configuration Manager.

677

See Also
Planning for Configuration Manager Sites and Hierarchy

Planning for High Availability with Configuration Manager

System Center 2012 Configuration Manager sites, hierarchy of sites, and Configuration Manager clients can each take advantage of options that maintain a high level of available service. These include the following: Sites support multiple instances of site system servers that provide important services to clients. Central administration sites and primary sites support the backup of the site database. The site database contains all the configurations for sites and clients, and it is shared between sites in a hierarchy that contain a central administration site. Built-in site recovery options can reduce server downtime and include advanced options that simplify recovery when you have a hierarchy with a central administration site. Clients can automatically remediate typical issues without administrative intervention. Sites generate alerts about clients that fail to submit recent data, which alerts administrators to potential problems. Configuration Manager provides several built-in reports that enable administrators to identify problems and trends before they become problems for server or client operations.

Configuration Manager does not provide a real-time service and you must expect it to operate with some data latency. Therefore, it is unusual for most scenarios that involve a temporary interruption of service to become a critical problem. When you have configured your sites and hierarchies with high availability in mind, downtime can be minimized, autonomy of operations maintained, and a high level of service provided. For example, Configuration Manager clients typically operate autonomously by using known schedules and configurations for operations, and schedules to submit data to the site for processing. When clients cannot contact the site, they cache data to be submitted until they can contact the site. Additionally, clients that cannot contact the site continue to operate by using the last known schedules and cached information, such as a previously downloaded application that they must run or install, until they can contact the site and receive new policies. The site monitors its site systems and clients for periodic status updates, and can generate alerts when these fail to register. Built-in reports provide insight to ongoing operations as well as historical operations and trends. Finally, Configuration Manager supports state-based messages that provide near realtime information for ongoing operations. Use the information in the following sections to help you understand the options to deploy Configuration Manager in a highly available configuration. High Availability for Configuration Manager Clients
678

High Availability for Configuration Manager Sites Details for Sites and Site System Roles that are Highly Available Details for Sites and Site System Roles that are not Highly Available

High Availability for Configuration Manager Clients

The following table provides information about the operations of Configuration Manager clients that promote high availability.
Feature More information

Client operations are autonomous

Configuration Manager client autonomy includes the following: Clients do not require continuous contact with any specific site system servers. They use known configurations to perform preconfigured actions on a schedule. Clients can use any available instance of a site system role that provides services to clients, and they will attempt to contact known servers until an available server is located. Clients can run inventory, software deployments, and similar scheduled actions independent of direct contact with site system servers. Clients that are configured to use a fallback status point can submit details to the fallback status point when they cannot communicate with a management point.

Clients can repair themselves

Clients automatically remediate most typical issues without direct administrative intervention: Periodically, clients self-evaluate their status and take action to remediate typical problems by using a local cache of remediation steps and source files for repairs. When a client fails to submit status information to its site, the site can generate an alert. Administrative users that receive these alerts can take immediate action to
679

Feature

More information

restore the normal operation of the client. Clients cache information to use in the future When a client communicates with a management point, the client can obtain and cache the following information: Client settings. Client schedules. Information about software deployments and a download of the software the client is scheduled to install, when the deployment is configured for this action.

When a client cannot contact a management point the following actions are taken: Clients locally cache the status, state, and client information they report to the site, and transfer this data after they establish contact with a management point.

Client can submit status to a fallback status point

When you configure a client to use a fallback status point, you provide an additional point of contact for the client to submit important details about its operation: Clients that are configured to use a fallback status point continue to send status about their operations to that site system role even when the client cannot communicate with a management point.

Central management of client data and client identity

The site database rather than the individual client retains important information about each clients identity, and associates that data to a specific computer, or user. This has the following results: The client source files on a computer can be uninstalled and reinstalled without affecting the historical records that are associated with the computer where the client is installed. Failure of a client computer does not affect the integrity of the information that is stored in the database. This information can remain available for reporting.

680

High Availability for Configuration Manager Sites

At each site, you deploy site system roles to provide the services that you want clients to use at that site. The site database contains the configuration information for the site and for all clients. Use one or more of the available options to provide for high availability of the site database, and the recovery of the site and site database if needed. The following table provides information about the available options for Configuration Manager sites that support high availability.
Option More information

Use a SQL Server cluster to host the site database

When you use a SQL Server cluster for the database at a central administration site or primary site, you use the fail-over support built into SQL Server. Secondary sites cannot use a SQL Server cluster, and do not support backup or restoration of their site database. You recover a secondary site by reinstalling the secondary site from its parent primary site.

Deploy a hierarchy of sites with a central administration site, and one or more child primary sites

This configuration can provide fault tolerance when your sites manage overlapping segments of your network. In addition, this configuration offers an additional recovery option to use the information in the shared database available at another site, to rebuild the site database at the recovered site. You can use this option to replace a failed or unavailable backup of the failed sites database. When you create and test a regular site backup, you can ensure that you have the data necessary to recover a site, and the experience to recover a site in the minimal amount of time.

Create regular backups at central administration sites and primary sites

Install multiple instances of site system roles

When you install multiple instances of critical site system roles such as the management point and distribution point, you provide redundant points of contact for clients in the event that a specific site system server is offline.
681

Option

More information

Install multiple instances of the SMS Provider at a site

The SMS Provider provides the point of administrative contact for one or more Configuration Manager consoles. When you install multiple SMS Providers, you can provide redundancy for contact points to administer your site and hierarchy.

Details for Sites and Site System Roles that are Highly Available
The following table provides information about features available at sites, and the site system roles that are part of a high availability configuration.
Feature More information

Redundancy for important site system roles

You can install multiple instances of the following site system roles to provide important services to clients: Management point Distribution point State migration point System Health Validator point Application Catalog web service point Application Catalog website point Software update point (Configuration Manager SP1 only)

You can install multiple instance of the following site system role to provide redundancy for reporting on sites and clients: Reporting services point You can install the following site system role on a Windows Network Load Balancing (NLB) cluster to provide failover support: Software update point Note For Configuration Manager SP1, you must use Windows PowerShell if you want to configure an NLB software update point instead of using the automatic redundancy
682

Feature

More information

that Configuration Manager SP1 provides when you install multiple software update points. Built-in site backup Configuration Manager includes a built-in backup task to help you back up your site and critical information on a regular schedule. Additionally, the Configuration Manager Setup wizard supports site restoration actions to help you restore a site to operations. You can configure each site to publish data about site system servers and services to Active Directory Domain Services and to DNS. This enables clients to identify the most accessible server on the network, and to identify when new site system servers that can provide important services, such as management points, are available. Configuration Manager supports installing multiple SMS Providers, each on a separate computer, to ensure multiple access points for Configuration Manager consoles. This ensures that if one SMS Provider computer is offline, you maintain the ability to view and reconfigure Configuration Manager sites and clients. When a Configuration Manager console connects to a site, it connects to an instance of the SMS Provider at that site. The instance of the SMS Provider is selected nondeterministically. If the selected SMS Provider is not available, you have the following options: Reconnect the console to the site. Each new connection request is nondeterministically assigned an instance of the SMS Provider and it is possible that the new connection will be assigned an available instance. Connect the console to a different Configuration Manager site and manage the configuration from that connection. This
683

Publishing to Active Directory Domain Services and DNS

SMS Providers and Configuration Manager consoles

Feature

More information

introduces a slight delay of configuration changes of no more than a few minutes. After the SMS Provider for the site is online, you can reconnect your Configuration Manager console directly to the site that you want to manage. You can install the Configuration Manager console on multiple computers for use by administrative users. Each SMS Provider supports connections from multiple Configuration Manager consoles. Management point Install multiple management points at each primary site, and enable the sites to publish site data to your Active Directory infrastructure, and to DNS. Multiple management points help to loadbalance the use of any single management point by multiple clients. In addition, you can install one or more database replicas for management points to decrease the CPUintensive operations of the management point, and to increase the availability of this critical site system role. Because you can install only one management point in a secondary site, which must be located on the secondary site server, management points at secondary sites are not considered to have a highly available configuration. Note Mobile devices that are enrolled by Configuration Manager can connect to only one management point in a primary site. The management point is assigned by Configuration Manager to the mobile device during enrollment and then does not change. When you install multiple management points and enable more than one for mobile devices, the management point that is
684

Feature

More information

assigned to a mobile device client is non-deterministic. If the management point that a mobile device client uses becomes unavailable, you must resolve the problem with this management point or wipe the mobile device and re-enroll the mobile device so that it can assign to an operational management point that is enabled for mobile devices. Distribution point Install multiple distribution points, and deploy content to multiple distribution points. You can configure overlapping boundary groups for content location to ensure that clients on each subnet can access a deployment from two or more distribution points. Finally, consider configuring one or more distribution points as fallback locations for content. For more information about fallback locations for content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. Application Catalog web service point and Application Catalog website point You can install multiple instances of each site system role, and for best performance, deploy one of each on the same site system computer. Each Application Catalog site system role provides the same information as other instances of that site system role regardless of the location of this site server role in the hierarchy. Therefore, when a client makes a request for the Application Catalog and you have configured the Default Application Catalog website point device client setting for Automatically detect, the client can be directed to an available instance, with preference given to local Application Catalog site system servers, based on the current network location of the client. For more information about this client setting
685

Feature

More information

and how automatic detection works, see the Computer Agent client setting section in the About Client Settings in Configuration Manager topic.

Details for Sites and Site System Roles that are not Highly Available
Several site systems do not support multiple instances at a site or in the hierarchy. Use the information in the following table to help you plan if these site systems go off-line.
Site system server More information

Site server (site)

Configuration Manager does not support the installation of the site server for each site on a Windows Server cluster or NLB cluster. The following information can help you prepare for when a site server fails or is not operational: Use the built-in backup task to regularly create a backup of the site. In a test environment, regularly practice restoring sites from a backup. Deploy multiple Configuration Manager primary sites in a hierarchy with a central administration site to create redundancy. If you experience a site failure, consider using Windows group policy or logon scripts to reassign clients to a functional site. If you have a hierarchy with a central administration site, you can recover the central administration site or a child primary site by using the option to recover a site database from another site in your hierarchy. Secondary sites cannot be restored, and must be reinstalled.

Asset Intelligence synchronization point (hierarchy)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options:
686

Site system server

More information

Endpoint Protection point (hierarchy)

Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

Enrollment point (site)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

Enrollment proxy point (site)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. However, you can install multiple instances of this site system role at a site, and at multiple sites in the hierarchy. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

When you have more than one enrollment proxy server in a site, use a DNS alias for the server name. When you use this configuration, DNS round robin provides some fault tolerance and load balancing for when users enroll their mobile devices. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.
687

Site system server

More information

Fallback status point (site or hierarchy)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server. Because clients are assigned the fallback status point during client installation, you will need to modify existing clients to use the new site system server.

Out of band service point (site)

This site system role is not considered mission critical and provides optional functionality in Configuration Manager. If this site system goes offline, use one of the following options: Resolve the reason for the site system to be off-line. Uninstall the role from the current server, and install the role on a new server.

See Also
Planning for Configuration Manager Sites and Hierarchy

Example Scenarios for Planning a Simplified Hierarchy with Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following scenarios provide examples of how you can implement System Center 2012 Configuration Manager to solve typical business requirements and simplify your overall hierarchy design.

688

Scenario 1: Remote Office Optimization

The remote office optimization scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces the administrative overhead required for managing information flow across the network.

Current Situation
The customer has a simple Configuration Manager 2007 hierarchy of one primary site with two secondary sites that include a warehouse and a remote district office location. The customer has 5,015 clients across four locations as shown in the following table.
Location Site type Deployment details Connection to headquarters

Headquarters

Primary

3,000 clients Two standard distribution points, one management point, and one software update point 500 clients One standard distribution point 1,500 clients One standard distribution point, one proxy management point, and one software update point 15 clients Use of Windows BranchCache

Not Applicable

Warehouse

Secondary

Slow Network

District Office

Secondary

Slow Network

Sales Office

None

Well Connected

Business Requirements
The System Center 2012 Configuration Manager hierarchy must support the following business requirements:

689

Business requirement

Configuration Manager Information

The data transferred over the network must not use excessive bandwidth. Minimize the number of servers used. Produce reports that provide current information about devices. Deploy applications, software updates, and operating system deployments on a daily basis.

Slow network connections must support bandwidth control. Install the minimum number of site system servers possible. Clients must regularly submit their hardware inventory data, status messages, and discovery information. Content must be available to clients, including large packages for operating system images.

Planning Decisions
Design of the System Center 2012 Configuration Manager hierarchy includes the following planning considerations:
Challenges Options and considerations

The transfer of deployment content from the primary site to remote locations represents the largest effect to the network and must be managed.

Content transmission to remote locations can be managed by: Distribution points enabled for bandwidth control Prestage for distribution points Windows BranchCache A local site to manage the network bandwidth used during site-to-site transfers

The flow of client information from large numbers of clients can slow down network.

Each remote location must be evaluated for network capacity, balancing the client settings, the number of clients at the location, and the available network bandwidth. Options include the following: A local primary or secondary site to manage the network bandwidth during siteto-site transfers. No site at the location allowing clients to transfer their data unmanaged across the network to an assigned primary site.

690

Steps Taken
After evaluation of requirements and options, client locations, and available network bandwidth, the following decisions are made:
Decision Details

A stand-alone primary site is deployed at the Headquarters location.

A System Center 2012 Configuration Manager primary site replaces the existing primary site as there are no administrative or content management benefits gained by the use of a central administration site for this environment. A primary site can support up to 100,000 clients. There is no planned expansion that could require additional primary sites to manage large numbers of clients across slow network connections.

A distribution point enabled for bandwidth control is deployed to the warehouse location.

The effect of client information flowing up from the warehouse location will not overwhelm the available network bandwidth. In place of a secondary site, the locations needs can be met by the use of a distribution point enabled for bandwidth control deployed from the primary site to manage the downward flow of deployment content. This decision does not reduce the number of servers in use but does remove the requirement to manage an additional site. The current client activity is not sufficient to require management of upward-flowing client data. Only downward-flowing content requires management to avoid effect to the slow network connection. In the future, the distribution point can be replaced by a secondary site that can manage network traffic in both directions if it is needed.

691

Decision

Details

A secondary site is deployed to the District Office Location.

After evaluation of the effect from the local clients, it is decided that a secondary site with the same configuration previously used will be required. 1,500 clients generate enough client information to exceed the available network connection to the primary site. A primary site is not required as there is no administrative benefit to be provided by a primary site, and the hierarchys combined client total is easily handled by the primary site at the Headquarters location.

The use of Windows BranchCache is maintained at the Sales Office location.

Because this location services only 15 clients and has a fast network connection to the Headquarters location, the current use of Windows BranchCache as a content deployment solution remains the best option.

Business Benefits
By using a single distribution point that is enabled for bandwidth control to replace a secondary site and its distribution point, the customer meets the business requirement for managing content across slow networks. Additionally, this change decreases the administrative workload and the time it takes for the site to receive client information.

Scenario 2: Infrastructure Reduction and Management of Client Settings

The infrastructure reduction and client settings scenario demonstrates an implementation of System Center 2012 Configuration Manager that reduces infrastructure in use while continuing to manage clients with customized client settings.

Current Situation
In this example, a company manages 25,000 clients across two physical locations by using a single Configuration Manager 2007 hierarchy that consists of one central site and three primary
692

child sites. The central site and one primary site are located in Chicago, and two primary sites are located in London. The primary sites at each geographic location reside on the same physical network and have well-connected network links. However, there is limited bandwidth between Chicago and London. Current deployment details:
Location Type of site Deployment details

Chicago Headquarters

Primary central site

19,200 clients that are configured for the companys standard configuration for client agent settings. 300 clients on computers used by people in the Human Resources division. The site is configured for a custom remote control client agent setting. 5,000 desktop clients that are configured for the companys standard configuration of client agent settings. 500 server clients that are configured for a custom hardware inventory client agent setting.

Chicago Headquarters

Primary child of central

London Offices

Primary child of central

London Offices

Primary child of central

Business Requirements
The Configuration Manager hierarchy must meet the following business requirements:
Business requirements Configuration Manager information

Maintain centralized management of the hierarchy in Chicago. Assign a standard client configuration to all clients unless specific business requirements dictate otherwise. Employees in the human resource division must not have the Remote Control client agent

Central administration from Chicago requires that content and client information is sent over the network for the 5,500 clients in London. The standard configuration for client settings must be available for all clients. These custom client settings must be assigned to the computers that are used by the
693

Business requirements

Configuration Manager information

enabled on their computers. Servers that are located in London must run hardware inventory no more than once a month.

employees in the human resource division. These custom client settings must be assigned to the clients on servers in London.

Control the network bandwidth when The slow network connection requires transferring data between Chicago and London. bandwidth control. Minimize the number of servers. Avoid installing site system servers where possible to reduce administrative tasks and infrastructure costs.

Planning Decisions
The System Center 2012 Configuration Manager hierarchy design includes the following planning considerations:
Challenges Options and considerations

Central administration in Chicago.

Options for this requirement include the following: Deploy a stand-alone primary site in Chicago to manage clients at both network locations: The amount of client information from London that must be transferred over the slow network must be carefully assessed.

Deploy a primary site at each location, and a central administration site in Chicago: Central administration sites cannot have clients assigned to them. Central administration sites are required if there are two or more primary sites in the hierarchy.

The transfer of content from Chicago to London will consume a lot of network bandwidth and this data transfer must be controlled.

The transfer of content down the hierarchy can be managed by the following methods: Distribution points that are enabled for bandwidth control. Windows BranchCache. A London site that is configured to manage
694

Challenges

Options and considerations

the network bandwidth for site-to-site transfers. The requirement to manage the network bandwidth when client information is sent from London. Assess the London location for the available network bandwidth and how this will be reduced by the data that is generated by the 5,500 clients. Options include the following: Allow clients to transfer their data unmanaged across the network to an assigned primary site at Chicago. Deploy a secondary site or primary site in London to manage the network bandwidth during site-to-site transfers to Chicago.

A standard set of client settings must be available at all locations. Two groups that contain employees from Human Resources and servers in London, require client settings that are different than the standard configuration.

A default set of Client Agent Settings are specified for the hierarchy. Collections are used to assign custom client settings.

Steps Taken
After an evaluation of the business requirements, the network structure, and the requirements for client settings, a central administration site is deployed in Chicago with one child primary site in Chicago and one child primary site in London. The following table explains these design choices.
Decision Details

A central administration site is deployed in Chicago.

This meets the centralized administration requirement by providing a centralized location for reporting and hierarchy-wide configurations. Because the central administration site has access to all client and site data in the hierarchy and is a direct parent of both primary sites, it is ideally located to host the content for all locations. A primary site is required to manage clients at the Chicago location because the central administration site cannot have clients assigned to it.
695

One primary site is required in Chicago.

Decision

Details

A local primary site is required to locally manage the 14,800 clients. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site. Site to site address configurations can control the network bandwidth when transferring content from the central administration site in Chicago. Sites in System Center 2012 Configuration Manager are not used to configure client settings, which allows all clients at a location to be assigned to the same site. A local primary site is deployed to manage the 5,500 local clients so that the clients do not send their information and client policy requests across the network to Chicago. A primary site ensures that future growth in London can be managed with the hierarchy design they implement today. Note The decision to deploy a primary site or secondary site can include consideration of the following: Assessing the available hardware for a site server The current number of clients at a location Expectations for additional clients in the future Political reasons Local point of administrative contact

One primary site is deployed in London.

A standard configuration for client settings is applied to each client in the hierarchy.

Default Client Agent Settings are configured and applied to every client in the hierarchy, which results in a consistent configuration for every client. This collection is configured with custom
696

A collection is created to contain the user

Decision

Details

accounts for the employees that work in the Human Resource division. This collection is configured to update regularly so that new accounts can be added to the collection soon after they are created.

client settings that disable Remote Control. These settings modify the hierarchy-wide defaults and provide the collection members with the customized client settings that are required for Human Resource employees. Because this collection is dynamically updated, new employees in Human Resources automatically receive the customized client settings. Because collections are shared with all sites, these customizations are applied to Human Resource employees at any location in the hierarchy without having to consider which site their computer is assigned to. This collection is configured with custom client settings, so that the servers are configured with custom settings for hardware inventory.

A collection is configured to contain the servers located in London.

Business Benefits
By using custom client settings in System Center 2012 Configuration Manager, the business requirements are met as follows: The infrastructure requirements are reduced by removing sites that were used only to provide custom client settings to subsets of clients. Administration is simplified because the central administration site applies a standard configuration for client settings to all clients in the hierarchy. Two collections of clients are configured for the required customized client settings. Network bandwidth is controlled when transferring data between Chicago and London.

See Also
Planning for Configuration Manager Sites and Hierarchy

697

Configuring Sites and Hierarchies in Configuration Manager

Use the information in the following topics to configure System Center 2012 Configuration Manager in your environment.

Configuration Topics
Prepare the Windows Environment for Configuration Manager Install Sites and Create a Hierarchy for Configuration Manager Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site Upgrade Configuration Manager to a New Service Pack Configure Sites and the Hierarchy in Configuration Manager Install and Configure Site System Roles for Configuration Manager Configure Database Replicas for Management Points Migrate Data from Configuration Manager 2007 to Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Prepare the Windows Environment for Configuration Manager

Use the information in the following sections to help you configure your Windows environment to support System Center 2012 Configuration Manager. Prepare Active Directory for Configuration Manager Extend the Active Directory Schema Create the System Management Container Set Security Permissions on the System Management Container Enable Active Directory publishing for the Configuration Manager site Remote Differential Compression Internet Information Services (IIS) Request Filtering for IIS

Configure Windows-Based Servers for Configuration Manager Site System Roles

698

Prepare Active Directory for Configuration Manager

When you extend the Active Directory schema, this action is a forest-wide configuration that you must do one time per forest. Extending the schema is an irreversible action and must be done by a user who is a member of the Schema Admins Group or who has been delegated sufficient permissions to modify the schema. If you decide to extend the Active Directory schema, you can extend it before or after Setup. For information to help you decide whether to extend the Active Directory schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. Tip If the Active Directory schema was extended with the Configuration Manager 2007 schema extensions, you do not have to extend the schema for System Center 2012 Configuration Manager. The Active Directory schema extensions are unchanged from Configuration Manager 2007. Four actions are required to successfully enable Configuration Manager clients to query Active Directory Domain Services to locate site resources: Extend the Active Directory schema. Create the System Management container. Set security permissions on the System Management container. Enable Active Directory publishing for the Configuration Manager site

Extend the Active Directory Schema

Configuration Manager supports two methods to extend the Active Directory schema. The first is to use the extadsch.exe utility. The second is to use the LDIFDE utility to import the schema extension information by using the ConfigMgr_ad_schema.ldf file. Note Before you extend your Active Directory schema, test the schema extensions for conflicts with your current Active Directory schema. For information about how to test the Active Directory schema extensions, see Testing for Active Directory Schema Extension Conflicts in the Active Directory Domain Services documentation.

Extend the Active Directory Schema by Using ExtADSch.exe

You can extend the Active Directory schema by running the extadsch.exe file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media. The extadsch.exe file does not display output when it runs but does provide feedback when you run it from a command console as a command line. When extadsch.exe runs, it generates a log file in the root of the system drive named extadsch.log, which indicates whether the schema update completed successfully or any problems that were encountered while extending the schema.
699

Tip In addition to generating a log file, the extadsch.exe program displays results in the console window when it is run from the command line. The following are limitations to using extadsch.exe: Extadsch.exe is not supported when run on a Windows 2000 based computers. To extend the Active Directory schema from a Windows 2000 based computer, use the ConfigMgr_ad_schema.ldf. To enable the extadsch.log to be created when you run extadsch.exe on a Windows Vista computer, you must be logged onto the computer with an account that has local administrator permissions. To extend the Active Directory schema by using Extadsch.exe 1. Create a backup of the schema master domain controllers system state . 2. Ensure that you are logged on to the schema master domain controller with an account that is a member of the Schema Admins security group. Important You must be logged on as a member of the Schema Admins security group in order to successfully extend the schema. Running the extadsch.exe file by using the Run As command to attempt to extend the schema using alternate credentials will fail. 3. Run extadsch.exe, located at \SMSSETUP\BIN\X64 on the installation media, to add the new classes and attributes to the Active Directory schema. 4. Verify that the schema extension was successful by reviewing the extadsch.log located in the root of the system drive. 5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1. Note To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Extend the Active Directory Schema by Using an LDIF File

You can use the LDIFDE command-line utility to import directory objects into Active Directory Domain Services by using LDAP Data Interchange Format (LDIF) files. For greater visibility of the changes being made to the Active Directory schema than the extadsch.exe utility provides, you can use the LDIFDE utility to import schema extension information by using the ConfigMgr_ad_schema.ldf file located in the SMSSETUP\BIN\X64 folder on the Configuration Manager installation media.
700

Note The ConfigMgr_ad_schema.ldf file is unchanged from the version provided with Configuration Manager 2007. To extend the Active Directory schema by using the ConfigMgr_ad_schema.ldf file 1. Create a backup of the schema master domain controllers system state. 2. Open the ConfigMgr_ad_schema.ldf file, located in the SMSSETUP\BIN\X64 directory of the Configuration Manager installation media and edit the file to define the Active Directory root domain to extend. All instances of the text DC=x in the file must be replaced with the full name of the domain to extend. For example, if the full name of the domain to extend is named widgets.microsoft.com, change all instances of DC=x in the file to DC=widgets, DC=microsoft, DC=com. 3. Use the LDIFDE command-line utility to import the contents of the ConfigMgr_ad_schema.ldf file into Active Directory Domain Services. For example, the following command line will import the schema extensions into Active Directory Domain Services, turn on verbose logging, and create a log file during the import process: ldifde i f ConfigMgr_ad_schema.ldf v j <location to store log file> 4. To verify that the schema extension was successful, you can review the log file created by the command line used in step 3. 5. If the schema extension procedure was unsuccessful, restore the schema master's previous system state from the backup created in step 1. Note To restore the system state on a Windows domain controller, the system must be restarted in Directory Services Restore Mode. For more information about Directory Services Restore Mode, see Restart the Domain Controller in Directory Services Restore Mode Locally.

Create the System Management Container

Configuration Manager does not automatically create the System Management container in Active Directory Domain Services when the schema is extended. The container must be created one time for each domain that includes a Configuration Manager primary site server or secondary site server that publishes site information to Active Directory Domain Services Tip You can grant the site servers computer account Full Control permission to the System container in Active Directory Domain Services, which results in the site server automatically creating the System Management container when site information is first published to Active Directory Domain Services. However, it is more secure to manually create the System Management container.
701

Use ADSI Edit to create the System Management container in Active Directory Domain Services. For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc) in the Active Directory Domain Services documentation. To manually create the System Management container 1. Log on as an account that has the Create All Child Objects permission on the System container in Active Directory Domain Services. 2. Run ADSI Edit, and connect to the domain in which the site server resides. 3. Expand Domain <computer fully qualified domain name>, expand <distinguished name>, right-click CN=System, click New, and then click Object. 4. In the Create Object dialog box, select Container, and then click Next. 5. In the Value box, type System Management, and then click Next. 6. Click Finish to complete the procedure.

Set Security Permissions on the System Management Container

After you have created the System Management container in Active Directory Domain Services, you must grant the site server's computer account the permissions that are required to publish site information to the container. Important The primary site server computer account must be granted Full Control permissions to the System Management container and all its child objects. If you have secondary sites, the secondary site server computer account must also be granted Full Control permissions to the System Management container and all its child objects. You can grant the necessary permissions by using the Active Directory Users and Computers administrative tool or the Active Directory Service Interfaces Editor (ADSI Edit). For more information about how to install and use ADSI Edit, see ADSI Edit (adsiedit.msc). Note The following procedures are provided as examples of how to configure Windows Server 2008 R2 computers. If you are using a different operating system version, refer to that operating systems documentation for information about how to make similar configurations. To apply permissions to the System Management container by using the Active Directory Users and Computers administrative tool 1. Click Start, click Run, and then enter dsa.msc to open the Active Directory Users and Computers administrative tool. 2. Click View, and then click Advanced Features. 3. Expand the System container, right-click System Management, and then click Properties.
702

4. In the System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions. 5. Click Advanced, select the site servers computer account, and then click Edit. 6. In the Apply to list, select This object and all descendant objects. 7. Click OK and then close the Active Directory Users and Computers administrative tool to complete the procedure. To apply permissions to the System Management container by using the ADSI Edit console 1. Click Start, click Run, and enter adsiedit.msc to open the ADSIEdit console. 2. If necessary, connect to the site server's domain. 3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, and then expand CN=System. Right-click CN=System Management, and then click Properties. 4. In the CN=System Management Properties dialog box, click the Security tab, and then click Add to add the site server computer account. Grant the account Full Control permissions. 5. Click Advanced, select the site servers computer account, and then click Edit. 6. In the Apply onto list, select This object and all descendant objects. 7. Click OK to close the ADSIEdit console and complete the procedure.

Enable Active Directory publishing for the Configuration Manager site

In addition to extending the Active Directory schema, creating the System Management container, and setting permissions for that container, you must enable Configuration Manager to publish site data to Active Directory Domain Services. For information about how to publish site data, see Planning for Publishing of Site Data to Active Directory Domain Services.

Configure Windows-Based Servers for Configuration Manager Site System Roles

Before you can use a Windows Server with System Center 2012 Configuration Manager, you must ensure that the computer is configured to support Configuration Manager operations. Use the information in the following sections to configure Windows servers for Configuration Manager. For more information about site system role prerequisites, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. Note The procedures in the following sections are provided as examples of how to configure Windows Server 2008 or Windows Server 2008 R2 computers. If you are using a
703

different operating system version, refer to that operating systems documentation for information about how to make similar configurations.

Remote Differential Compression

Site servers and distribution points require Remote Differential Compression (RDC) to generate package signatures and perform signature comparison. If RDC is not enabled, you must enable it on these site system servers. Use the following procedure as an example of how to enable Remote Differential Compression on Windows Server 2008 and Windows Server 2008 R2 computers. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To configure Remote Differential Compression for Windows Server 2008 or Windows Server 2008 R2 1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard. 2. On the Select Features page, select Remote Differential Compression, and then click Next. 3. Complete the wizard and close Server Manager to complete the configuration.

Internet Information Services (IIS)

Several site system roles require Internet Information Services (IIS). If IIS is not already enabled, you must enable it on site system servers before you install a site system role that requires IIS. In addition to the site system server, the following site systems roles require IIS: Application Catalog web service point Application Catalog website point Distribution point Enrollment point Enrollment proxy point Fallback status point Management point Software update point

The minimum version of IIS that Configuration Manager requires is the default version that is supplied with the operating system of the server that runs the site system. For example, when you enable IIS on a Windows Server 2008 computer that you plan to use as a distribution point, IIS 7.0 is installed. You can also install IIS 7.5. If you enable IIS on a Windows 7 computer for a distribution point, IIS 7.5 is automatically installed. You cannot use IIS version 7.0 for distribution point that runs Windows 7.
704

Use the following procedure as an example of how to install IIS on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To install Internet Information Services (IIS) on Windows Server 2008 and Windows Server 2008 R2 computers 1. On the Windows Server 2008 or Windows Server 2008 R2 computer, navigate to Start / All Programs / Administrative Tools / Server Manager to start Server Manager. In Server Manager, select the Features node and click Add Features to start the Add Features Wizard. 2. On the Select Features page of the Add Features Wizard, install any additional features that are required to support the site system roles you install on this computer. For example, to add BITS Server Extensions: For Windows Server 2008, select the BITS Server Extensions check box. For Windows Server 2008 R2, select the Background Intelligent Transfer Services (BITS) check box. When prompted, click Add Required Role Services to add the dependent components, including the Web Server (IIS) role, and then click Next. Tip If you are configuring computer that will be a site server or distribution point, ensure the check box for Remote Differential Compression is selected. 3. On the Web Server (IIS) page of the Add Features Wizard, click Next. 4. On the Select Role Services page of the Add Features Wizard install any additional role services that are required to support the site system roles you install on this computer. For example, to add ASP.NET and Windows Authentication: For Application Development, select the ASP.NET check box and, when prompted, click Add Required Role Services to add the dependent components. For Security, select the Windows Authentication check box.

5. In the Management Tools node, for IIS 6 Management Compatibility, ensure that both the IIS 6 Metabase Compatibility and IIS 6 WMI Compatibility check boxes are selected, and then click Next. 6. On the Confirmation page, click Install, complete the wizard, and close Server Manager to complete the configuration.

Request Filtering for IIS

By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If your package source files contain extensions that are blocked in IIS, you must configure the requestFiltering section in the applicationHost.config file on distribution point computers. The following file name extensions are used by Configuration Manager for packages and applications. Allow the following file name extensions on distribution points: .PCK
705

.PKG .STA .TAR

For example, you might have source files for a software deployment that include a folder named bin, or that contain a file with the . mdb file name extension. By default, IIS request filtering blocks access to these elements. When you use the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment. Important Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If you must run other applications on the web server, use a custom website for Configuration Manager. For information about custom websites, see the Planning for Custom Websites with Configuration Manager section in Planning for Site Systems in Configuration Manager. Use the following procedure as an example of how to modify requestFiltering on a Windows Server 2008 or Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To configure request filtering for IIS on distribution points 1. On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory. 2. Search for the <requestFiltering> section. 3. Determine the file name extensions and folder names that you will have in the packages on this distribution point. For each extension and folder name that you require, perform the following steps: If it is listed as a fileExtension element, set the value for allowed to true. For example, if your content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />. Allow only the file name extensions required for your content. If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file. For example, if your content contains a folder with the label of bin, remove the line <add segment=bin /> from the file. 4. Save and close the applicationHost.config file to complete the configuration.

706

See Also
Configuring Sites and Hierarchies in Configuration Manager

Install Sites and Create a Hierarchy for Configuration Manager

You can use the Setup Wizard in System Center 2012 Configuration Manager to install and uninstall sites, create a Configuration Manager hierarchy, recover a site, and perform site maintenance. Use the following sections in this topic to help you to install sites, create a hierarchy, and learn more about the Setup options. Whats New in Configuration Manager Things to Consider Before You Run Setup Pre-Installation Applications Setup Downloader Prerequisite Checker

Manual Steps to Prepare for Site Server Installation System Center 2012 Configuration Manager Setup Wizard Install a Configuration Manager Console Manage Configuration Manager Console Languages Install a Central Administration Site Install a Primary Site Server Install a Secondary Site Install a Site Server

Upgrade an Evaluation Installation to a Full Installation Using Command-Line Options with Setup Configuration Manager Unattended Setup Decommission Sites and Hierarchies Remove a Secondary Site from a Hierarchy Uninstall a Primary Site Uninstall a Primary Site that is Configured with Distributed Views Uninstall the Central Administration Site

Configuration Manager Site Naming

Whats New in Configuration Manager

Note

707

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following options in Setup for site installation are new or have changed since Configuration Manager 2007. Central administration site The top-level Configuration Manager 2007 site in a multi-primary site hierarchy was known as a central site. In System Center 2012 Configuration Manager, the central administration site replaces the central site. The central administration site is not a primary site at the top of the hierarchy, but rather a site that is used for reporting and to facilitate communication between primary sites in the hierarchy. A central administration site supports a limited selection of site system roles and does not directly support clients or process client data. Installation of site system roles The following site system roles can be installed and configured for a primary site during Setup: Management point Distribution point

You can install the site system roles locally on the site server or on a different computer. After installation, you can use the Configuration Manager console to install additional site system roles. No secondary site installation option Secondary sites can only be installed from the Configuration Manager console. For more information about installing a secondary site, see the Install a Secondary Site section in the topic. Optional Configuration Manager console installation You can choose to install the Configuration Manager console during setup or install the console after setup by using the Configuration Manager console installer (Consolesetup.exe). Server and client language selections You are no longer required to install your site servers by using source files for a specific language or install International Client Packs when you want to support different languages on the client. From Setup, you can choose the server and client languages that are supported in your Configuration Manager hierarchy. Configuration Manager uses the display language of the server or client computer when you have configured support for the language. English is the default language that is used when Configuration Manager does not support the display language of the server or client computer. Warning You cannot select specific languages for mobile device clients. Instead, you must enable all available client languages or use English only. Unattended installation script Setup automatically creates the unattended installation script when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings
708

that you selected in the wizard. You can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. Database replication When you have more than one System Center 2012 Configuration Manager site in your hierarchy, Configuration Manager uses database replication to transfer data and merge changes that are made to a sites database with the information that is stored in the database at other sites in the hierarchy. This hierarchy enables all sites to share the same information. When you have a primary site without any other sites, database replication is not used. Database replication is enabled when you install a primary site that reports to a central administration site or when you connect a secondary site to a primary site. Setup Downloader Setup Downloader (SetupDL.exe) is a stand-alone application that downloads the files that Setup requires. You can manually run Setup Downloader, or Setup can run it during site installation. You can see the progress of files that are downloaded and verified. Only the required files are downloaded while avoiding files and files that have been updated. For more information about Setup Downloader, see the Setup Downloader section in this topic. Prerequisite Checker Prerequisite Checker (Prereqchk.exe) is a stand-alone application that verifies server readiness for a specific site system role. In addition to the site server, site database server, and provider computer, Prerequisite Checker now checks management point and distribution point site systems. You can run Prerequisite Checker manually, or Setup runs it automatically as part of the site installation. For more information about Prerequisite Checker, see the Prerequisite Checker section in this topic.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. When you run Setup to install a new primary site or central administration site, you can select non-default locations for the site database files. The option to specify non-default file locations is not available when you specify a SQL Server cluster.

Things to Consider Before You Run Setup

There are many business and security decisions that you must consider before you run Setup and install your site. Base your System Center 2012 Configuration Manager hierarchy design on careful planning for your network infrastructure, business requirements, budget limitations, and so on. Ideally, read the entire Planning for Configuration Manager Sites and Hierarchy section in the Site Administration for System Center 2012 Configuration Manager guide, but for brevity, the
709

following list provides several important planning steps from the guide that you must consider before you run Setup. Important Installing System Center 2012 Configuration Manager in your production environment without thorough planning is unlikely to result in a fully functional site that meets your business and security requirements.
Item Description More information

Network infrastructure and Business requirements

Identify your network infrastructure and how it influences your Configuration Manager hierarchy, and what your business requirements are for using Configuration Manager. Verify that your servers meet the supported configurations for installing Configuration Manager. Review the public key infrastructure (PKI) certificates that you might require for your Configuration Manager site system servers and clients. Determine whether to install a central administration site, a child primary site, or a standalone primary site. When you create a hierarchy, you must install the central administration site first. Prepare the Windows environment for the site server and site system installation. Plan for and configure your site database server.

Identify Your Network and Business Requirements to Plan a Configuration Manager Hierarchy

Supported configurations

Supported Configurations for Configuration Manager

PKI certificates

PKI Certificate Requirements for Configuration Manager

Site hierarchy

Planning for Sites and Hierarchies in Configuration Manager

Windows environment

Prepare the Windows Environment for Configuration Manager Planning for Database Servers in Configuration Manager

Site database

710

Pre-Installation Applications
There are two applications, Setup Downloader and Prerequisite Checker, that you can optionally run before you install the site. They download updated files for Setup and verify server readiness for the site server or site system server.

Setup Downloader
Configuration Manager Setup Downloader is a stand-alone application that verifies and downloads required prerequisite redistributable files, language packs, and the latest product updates for Setup. When you install a Configuration Manager site, you can specify a folder that contains required files, or Setup can automatically start the Setup Downloader to download the latest files from the Internet. You might choose to run Setup Downloader before you run Setup and store the files on a network shared folder or removable hard drive. This approach is necessary when the planned site server computer does not have Internet access, or a firewall prevents the files from downloading. After you download the latest files, you can use the same path to the download folder to install multiple sites. When you install sites, always verify that the path to the download folder contains the most recent version of the files. Security To prevent an attacker from tampering with the files, use a local path to the folder that stores the files. If you use a network shared folder for the files, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) to secure the location for the files. You can open Setup Downloader and specify a path to the folder to host the downloaded files, or you can run Setup Downloader at a command prompt and specify command-line options. Use the following procedures to start Setup Downloader and download the latest Configuration Manager files that Setup requires. To start Setup Downloader from Windows Explorer 1. On a computer that has Internet access, open Windows Explorer, and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 2. Double-click Setupdl.exe. The Setup Downloader opens. 3. Specify the path for the folder that will host the updated installation files, and then click Download. Setup Downloader verifies the files that are currently in the download folder and downloads only the files that are missing or are newer than the existing files. Setup Downloader creates subfolders for the downloaded languages. Setup Downloader will create the folder if it does not exist. Security To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder. 4. View the ConfigMgrSetup.log file in the root of the drive C to review the download results.
711

To start Setup Downloader at a command prompt 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 2. Type setupdl.exe to open Setup Downloader. Optionally, you can use the following command-line options: /VERIFY: Use this option to verify the files in the download folder, which include language files. Review the ConfigMgrSetup.log file in the root of the drive C for a list of files that are outdated. No files are downloaded when you use this option. /VERIFYLANG: Use this option to verify the language files in the download folder. Review the ConfigMgrSetup.log file in the root of the drive C for a list of language files that are outdated. /LANG: Use this option to download only the language files to the download folder. /NOUI: Use this option to start Setup Downloader without displaying the user interface. When you use this option, you must specify the download path as part of the command line. <DownloadPath>: You can specify the path to the download folder to automatically start the verification or download process. You must specify the download path when you use the /NOUI option. When you do not specify a download path, you must specify the path when Setup Downloader opens. Setup Downloader will create the folder if it does not exist. Security To run the Setup Downloader application, you must have Full Control NTFS file system permissions to the download folder. Usage examples: setupdl <DownloadPath> Setup Downloader starts, verifies the files in the specified download folder, and downloads only the files that are missing or are newer than the existing files. setupdl /VERIFY <DownloadPath> Setup Downloader starts and verifies the files in the specified download folder. setupdl /NOUI <DownloadPath> Setup Downloader starts, verifies the files in the specified download folder, and downloads only the files that are missing or are newer than the existing files. setupdl /LANG <DownloadPath> Setup Downloader starts, verifies the language files in the specified download folder, and downloads only the language files that are missing or are newer than the existing files. setupdl /VERIFY Setup Downloader starts, and then you must specify the path to the download folder.
712

Next, after you click Verify, Setup Downloader verifies the files in the download folder. 3. View the ConfigMgrSetup.log file in the root of the drive C to review the download results.

Prerequisite Checker
Prerequisite Checker (Prereqchk.exe) is a stand-alone application that verifies server readiness for a site server or specific site system roles. Before site installation, Setup runs Prerequisite Checker. You might choose to manually run Prerequisite Checker on potential site servers or site systems to verify server readiness. This process lets you to remediate any issues that you find before you run Setup. When you run Prerequisite Checker without command-line options, the local computer is scanned for an existing site server, and only the checks that are applicable to the site are run. If no existing sites are detected, all prerequisite rules are run. You can run Prerequisite Checker at a command prompt and specify specific command-line options to perform only checks that are associated with the site server or site systems that you specified in the command line. When you specify another server to check, you must have administrative user rights on the server for Prerequisite Checker to complete the checks. For more information about the prerequisite checks that Prerequisite Checker performs, see Technical Reference for the Prerequisite Checker in Configuration Manager. When you are planning to upgrade a Configuration Manager site to a new service pack, you can manually run the Prerequisite Checker on each site to verify that sites readiness for upgrade. To do so, use the Prerequisite Checker files from the source media of that new version of Configuration Manager. When you run the Prerequisite Checker for upgrade, you do not specify command-line options. Use the following procedures to run Prerequisite Checker on site servers or site system servers. To move Prerequisite Checker files to another computer 1. In Windows Explorer, browse to one of the following locations: <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. <ConfigMgrInstallationPath>\BIN\X64.

2. Copy the following files to the destination folder on the other computer: Prereqchk.exe Prereqcore.dll Basesql.dll Basesvr.dll Baseutil.dll

To start Prerequisite Checker and run default checks

713

1. In Windows Explorer, browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Open prereqchk.exe to start Prerequisite Checker. Prerequisite Checker detects existing sites, and if found, performs checks for upgrade readiness. If no sites are found, all checks are performed. The Site Type column provides information about the site server or site system with which the rule is associated. To start Prerequisite Checker at a command prompt and run all checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Type prereqchk.exe /LOCAL to start Prerequisite Checker and run all prerequisite checks on the server. To start Prerequisite Checker at a command prompt and run primary site checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a primary site installation.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line. Verifies that the local computer meets the requirements for the primary site. Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database.
714

/PRI

Yes

/SQL <FQDN of SQL Server>

Yes

/SDK <FQDN of SMS Provider>

Yes

Verifies that the specified computer meets the requirements for the SMS Provider. Verifies that the local computer meets the requirements for connecting to the central administration site server. Verifies that the specified computer meets the requirements for the management point site system role. This option is only supported when you use the /PRI option. Verifies that the specified computer meets the requirements for the distribution point site system role. This option is only supported when you use the /PRI option. Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default is port number 4022. Verifies minimum disk space on requirements for site installation.

/JOIN <FQDN of central administration site>

No

/MP <FQDN of management point>

No

/DP <FQDN of distribution point>

No

/Ssbport

No

InstallDir <ConfigMgrInstallationPath>

No

Usage examples (optional options are displayed in brackets): prereqchk.exe [/NOUI] /PRI /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> [/JOIN <FQDN of central administration site>] [/MP <FQDN of management point>] [/DP <FQDN of distribution point>]

When you run the command, unless you use the NOUI option, Prerequisite Checker
715

opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any detected problems. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review Prerequisite Checker results. The log file can contain additional information that are not displayed in the user interface. To start Prerequisite Checker at a command prompt and run central administration site checks 1. Open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a central administration site installation.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the command line. Verifies that the local computer meets the requirements for the central administration site. Verifies that the specified computer meets the requirements for SQL Server to host the Configuration Manager site database. Verifies that the specified computer meets the requirements for the SMS Provider.

/CAS

Yes

/SQL <FQDN of SQL Server>

Yes

/SDK <FQDN of SMS Provider>

Yes

716

/Ssbport

No

Verifies that a firewall exception is in effect to allow communication on the SSB port. The default is port number 4022. Verifies minimum disk space on requirements for site installation.

InstallDir <ConfigMgrInstallationPath>

No

Usage examples (optional options are displayed in brackets): prereqchk.exe /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider> /Ssbport 4022 prereqchk.exe /NOUI /CAS /SQL <FQDN of SQL Server> /SDK <FQDN of SMS Provider>

When you run the command, unless you use the NOUI option, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems that are found. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that are not displayed in the user interface. To start Prerequisite Checker at a command prompt from a primary site and run secondary site checks 1. On the primary site server from which you plan to install the secondary site, open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Type prereqchk.exe and choose from the following command-line options to check requirements for a secondary site installation on a remote server.
Command-line option Required Description

/NOUI

No

Starts Prerequisite Checker without displaying the user interface. You must specify this option before any other option in the
717

command line. /SEC <FQDN of secondary site server> Yes Verifies that the specified computer meets the requirements for the secondary site. Verifies that SQL Server Express can be installed on the specified computer. Verifies that a firewall exception is in effect to allow communication for the SQL Server Service Broker (SSB) port. The default is port number 4022. Verifies that a firewall exception is in effect to allow communication for the SQL Server service port and that the port is not in use by another named instance of SQL Server. The default port is 1433. Verifies minimum disk space on requirements for site installation. Verifies that the computer account of the secondary site can access the folder that hosts the source files for Setup.

/INSTALLSQLEXPRESS

No

/Ssbport

No

/Sqlport

No

InstallDir <ConfigMgrInstallationPath> /SourceDir

No

No

Usage examples (optional options are displayed in brackets): prereqchk.exe /SEC /Ssbport 4022 /SourceDir <Source Folder Path> prereqchk.exe [/NOUI] /SEC <FQDN of secondary site> [/INSTALLSQLEXPRESS]

When you run the command, unless you use the NOUI option, Prerequisite Checker
718

opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any problems that are found. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that is not displayed in the user interface. To start Prerequisite Checker at a command prompt and run Configuration Manager console checks 1. On the primary site server from which you install the secondary site, open a Command Prompt window and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64 or <ConfigMgrInstallationPath>\BIN\X64. 2. Type prereqchk.exe /Adminui to check requirements for Configuration Manager console installation on the local computer. When you run the command, Prerequisite Checker opens and starts scanning the specified servers by using prerequisite checks that are applicable to the specified command-line options. Prerequisite Checker creates a list in the Prerequisite result section for any detected problems. 3. Click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you install the site server, site system, or Configuration Manager console. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the prerequisite checker results. The log file can contain additional information that is not displayed in the user interface.

Manual Steps to Prepare for Site Server Installation

Before you install a site server on a computer, consider the following manual steps to prepare for site server installation.
Manual step Description

Install the latest security updates on the site server computer.

Use Windows Update to install the latest security updates on the site server computer.

Install the hotfix that is described in KB2552033 The hotfix that is described in KB2552033 must on site servers that run Windows be installed on site servers that run Windows Server 2008 R2. Server 2008 R2 when client push installation is enabled.

719

System Center 2012 Configuration Manager Setup Wizard

When you run Setup, the local computer is scanned for an existing site server and provides only the options that are applicable, based on the scan results. The options that are available in Setup also differ when you run Setup from installation media, the Configuration Manager DVD or a network shared folder, or if you run Setup from the Start menu or by opening Setup.exe from the installation path on an existing site server. The Configuration Manager Setup Wizard provides the following options to install, upgrade, or uninstall a site: Install a Configuration Manager primary site server: When you choose to install a new primary site, you can manually configure the site settings in the wizard, or let Setup configure the site with a default installation path, to use a local installation of the default instance of SQL Server for the site database, to install a management point on the site server, and to install a distribution point on the site server. Note You must start Setup from installation media to select this option. Install a Configuration Manager central administration site: The central administration site is used for reporting and to coordinate communication between primary sites in the hierarchy. There is only one central administration site in a Configuration Manager hierarchy. The central administration site must be the first site that you install. Note You must start Setup from installation media to select this option. Upgrade an existing Configuration Manager installation: Choose this option to upgrade an existing version of System Center 2012 Configuration Manager. Note You must start Setup from installation media to select this option. Uninstall a Configuration Manager site server: When an existing site is detected on the local computer, and the version of the site is the same version as Setup, you have the option to uninstall the site server. You can start Setup from either the installation media or from the local site server to select this option. Note For more information about site maintenance and site reset options that are available in Setup, see Manage Site and Hierarchy Configurations.

Install a Configuration Manager Console

Administrative users use the Configuration Manager console to manage the Configuration Manager environment. Each Configuration Manager console connects to either a central administration site or a primary site. After the initial connection is made, the Configuration

720

Manager console can connect to other sites. However, you cannot connect a Configuration Manager console to a secondary site. Note The objects that are displayed for the administrative user who is running the console depend on the rights that are assigned to the administrative user. For more information about role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. You can install the Configuration Manager console during the site server installation in the Setup Wizard, or run the stand-alone application. Use the following procedure to install a Configuration Manager console by using the stand-alone application. To install a Configuration Manager console 1. Verify that the administrative user who runs the Configuration Manager console application has the following security rights: Local Administrator rights on the computer on which the console will run. Read permission to the location for the Configuration Manager console installation files. From the Configuration Manager source media, browse to <ConfigMgrSourceFiles>\Smssetup\Bin\I386. On the site server, browse to <ConfigMgrSiteServerInstallationPath>\Tools\ConsoleSetup. Important As a best practice, initiate the Configuration Manager console installation from a site server rather than the System Center 2012 Configuration Manager installation media. The site server installation method copies the Configuration Manager console installation files and the supported language packs for the site to the Tools\ConsoleSetup subfolder. If you install the Configuration Manager console from the System Center 2012 Configuration Manager installation media, this installation method always installs the English version, regardless of the supported languages on the site server or the language settings for the operating system that is running on the computer. Optionally, you can copy the ConsoleSetup folder to an alternate location to start the installation. 3. Double-click consolesetup.exe. The Configuration Manager Console Setup Wizard opens. Important Always install the Configuration Manager console by using ConsoleSetup.exe. The Configuration Manager console Setup can be initiated by running the AdminConsole.msi, but there are no prerequisite or dependency checks, and the
721

2. Browse to one of the following locations:

installation might likely not install correctly. 4. On the opening page, click Next. 5. On the Site Server page, specify the fully qualified domain name (FQDN) of the site server to which the Configuration Manager console will connect, and then click Next. 6. On the Installation Folder page, specify the installation folder for the Configuration Manager console, and then click Next. The folder path must not contain trailing spaces or Unicode characters. 7. On the Customer Experience Improvement Program page, choose whether to join the Customer Experience Improvement Program, and then click Next. 8. On the Ready to Install page, click Install to install the Configuration Manager console. To install a Configuration Manager console at a command prompt 1. On the server from which you install the Configuration Manager console, open a Command Prompt window and browse to one of the following locations: <ConfigMgrSiteServerInstallationPath>\Tools\ConsoleSetup <ConfigMgrInstallationMedia>\SMSSETUP\BIN\I386 Important When you install a Configuration Manager console at a command prompt, it always installs the English version regardless of the language setting for the operating system that is running on the computer. To install the Configuration Manager console in another language, you must use the previous procedure to install it. 2. Type consolesetup.exe and choose from the following command-line options.
Command-line option Description

/q

Installs the Configuration Manager console unattended. The EnableSQM, TargetDir, and DefaultSiteServerName options are required when you use this option. Uninstalls the Configuration Manager console. You must specify this option first when you use it with the /q option. Specifies the path to the folder that contains the language files. You can use Setup Downloader to download the language files. If you do not use this option, Setup looks for the language folder in the current folder. If the language folder is not found, Setup continues to install
722

/uninstall

LangPackDir

English only. For more information about Setup Downloader, see Setup Downloader in this topic. TargetDir Specifies the installation folder to install the Configuration Manager console. This option is required when you use the /q option. Specifies whether to join the Customer Experience Improvement Program (CEIP). Use a value of 1 to join the Customer Experience Improvement Program, and a value of 0 to not join the program. This option is required when you use the /q option. Specifies the FQDN of the site server to which the console connects when it opens. This option is required when you use the /q option.

EnableSQM

DefaultSiteServerName

Usage examples: consolesetup.exe /q TargetDir="D:\Program Files\ConfigMgr" EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com consolesetup.exe /q LangPackDir=C:\Downloads\ConfigMgr TargetDir="D:\Program Files\ConfigMgr" Console EnableSQM=1 DefaultSiteServerName=MyServer.Contoso.com consolesetup.exe /uninstall /q

Manage Configuration Manager Console Languages

During site server installation, the Configuration Manager console installation files and supported language packs for the site are copied to the <ConfigMgrInstallationPath>\Tools\ConsoleSetup subfolder on the site server. When you start the Configuration Manager console installation from this folder on the site server, the Configuration Manager console and supported language pack files are copied to the computer. When a language pack is available for the current language setting on the computer, the Configuration Manager console opens in that language. If the associated language pack is not available for the Configuration Manager console, the console opens in English. For example, consider a scenario where you install the Configuration Manager console from a site server that supports English, German, and French. If you open the Configuration Manager console on a computer with a configured language setting of French, the console opens in French. If you open the Configuration Manager console on a computer with a
723

configured language of Japanese, the console opens in English because the Japanese language pack is not available. Each time the Configuration Manager console opens, it determines the configured language settings for the computer, verifies whether an associated language pack is available for the Configuration Manager console, and then opens the console by using the appropriate language pack. When you want to open the Configuration Manager console in English regardless of the configured language settings on the computer, you must manually remove or rename the language pack files on the computer. Use the following procedures to start the Configuration Manager console in English regardless of the configured locale setting on the computer. To install an English-only version of the Configuration Manager console on computers 1. In Windows Explorer, browse to <ConfigMgrInstallationPath>\Tools\ConsoleSetup\LanguagePack. 2. Rename the .msp and .mst files. For example, you could change <file name>.MSP to <file name>.MSP.disabled. 3. Install the Configuration Manager console on the computer. Important When new server languages are configured for the site server, the .msp and .mst files are recopied to the LanguagePack folder, and you must repeat this procedure to install new Configuration Manager consoles in only English. To temporarily disable a console language on an existing Configuration Manager console installation 1. On the computer that is running the Configuration Manager console, close the Configuration Manager console. 2. In Windows Explorer, browse to <ConsoleInstallationPath>\Bin\ on the Configuration Manager console computer. 3. Rename the appropriate language folder for the language that is configured on the computer. For example, if the language settings for the computer were set for German, you could rename the de folder to de.disabled. 4. To open the Configuration Manager console in the language that is configured for the computer, rename the folder to the original name. For example, rename de.disabled to de.

Install a Site Server

Your Configuration Manager deployment consists of either a hierarchy of sites or a stand-alone site. A hierarchy consists of multiple sites, each with one or more site system servers. A standalone site also consists of one or more site system servers. Site system servers extend the functionality of Configuration Manager. For example, you might install a site system at a site to
724

support software update deployment or to manage mobile devices. To successfully plan your hierarchy of sites and identify the best network and geographical locations to place site servers, make sure that you review the information about each site type and the alternatives to sites that content deployment-related site systems offer. For more information, see the Planning a Hierarchy in Configuration Manager section in the Planning for Sites and Hierarchies in Configuration Manager topic. You must have a forest trust to support any Configuration Manager sites that are located in other Active Directory forests. When you install a Configuration Manager site in a trusted forest, Configuration Manager does not require any additional configuration steps. However, make sure that any intervening firewalls and network devices do not block the network packets that Configuration Manager requires, that name resolution is working between the forests, and that you use an account that has sufficient permissions to install the site. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Configuration Manager central administration site and primary site installation requires SQL Server to be installed before you run Setup. You can install SQL Server on a secondary site server before you run Setup, or let Setup install SQL Server Express as part of the secondary site installation. For more information about supported SQL Server versions for site installation, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic. To set up a new site in Configuration Manager, you can use either the Configuration Manager Setup Wizard, or perform an unattended installation by using the scripted installation method. When you use the Configuration Manager Setup Wizard, you can install a primary site server or central administration site. You install a secondary site from the Configuration Manager console. For more information about the command-line options that are available with Setup, see the Using Command-Line Options with Setup section in this topic. For more information about running Setup by using an unattended script, see the Configuration Manager Unattended Setup section in this topic. Important After Setup is finished, you cannot change the program files installation directory, site code, or site description for the site. To change the installation directory, site code, or site name, you must uninstall the site, and then reinstall the site by using the new values. Use the following sections to help you install a site by using the Setup Wizard.

Install a Central Administration Site

Use a central administration site to configure hierarchy-wide settings and to monitor all sites and objects in the hierarchy. You must install the central administration site before you install the primary site that is connected to the Configuration Manager hierarchy. If you install a primary site before you install the central administration site, the only way to connect the primary site to the Configuration Manager hierarchy is to uninstall the primary site, install the central administration
725

site, and then reinstall the primary site and connect it to the central administration site during Setup. However, beginning with Configuration Manager SP1, you can expand an existing stand-alone primary site into a hierarchy that includes a new central administration site. After you install the new central administration site, you can install additional new primary sites. For more information, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic. Use the following procedure to install a central administration site. To install a central administration site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the central administration site server computer. Local Administrator rights on each computer that hosts one of the following: The site database An instance of the SMS Provider for the site

Sysadmin rights on the instance of SQL Server that hosts the site database.

2. On the central administration site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Install a Configuration Manager central administration site, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key from the Site Maintenance page in Setup. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup must download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note
726

When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that are available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that are available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed. Important If you are installing a central administration site to expand a stand-alone primary site, select the same client languages that are installed at the stand-alone primary site. 12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup is finished. Verify that the disk drive has enough disk space before you continue. 14. If you are using Configuration Manager with no service pack, skip to step 15. On the Central Administration Site Installation page, select the option that is appropriate to your scenario: To install a central administration site as the first site of a new hierarchy, select Install as the first site in a new hierarchy, and then click Next to continue. To install a central administration site to expand an existing stand-alone primary site into a hierarchy, select Expand an existing stand-alone primary into a hierarchy, specify the FQDN of the stand-alone primary site server, and then click Next to continue. Note The stand-alone primary site must run the same version of Configuration Manager as the version that you use to install the central administration site. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that the SQL Server is to use. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Important With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL
727

Server service port to use TCP port 1433, the default port. Beginning with Configuration Manager SP1, you can use a non-default TCP port for the default instance. Note Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. With System Center 2012 Configuration Manager with no service pack or with SP1, click Next to continue on to the SMS Provider Settings page. Beginning with System Center 2012 R2 Configuration Manager, click Next to continue to a second Database Information page where you can specify non-default locations for the SQL Server data file and SQL Server log file for the site database. Then, click Next to continue. Note The option to specify non-default file locations is not available when you use a SQL Server cluster. Warning The prerequisite checker does not run a check for free disk space for the nondefault file locations. 16. On the SMS Provider Settings page, specify the FQDN for the server that hosts the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation. 17. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 18. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the central administration site server. 19. On the Prerequisite Installation Check page, if no problems are listed, click Next to install the central administration site. When Prerequisite Checker finds a problem, click an item in the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 20. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to the central administration
728

site before the site installation finishes, but the console connects to the site by using a read-only console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes.

Install a Primary Site Server

During Setup, you must choose whether to join the primary site to an existing central administration site or install it as a stand-alone primary site. Important When you create a Configuration Manager hierarchy, you must install the central administration site first. When you install a new primary site in your production environment, manually configure the installation options in the wizard. Typically, you only select the Use typical installation options for a stand-alone primary site option to install a stand-alone primary site in your test environment. When you select this option, Setup automatically configures the site as a standalone primary site, uses a default installation path, a local installation of the default instance of SQL Server for the site database, a local management point, a local distribution point, and configures the site with English and the display language of the operating system on the primary site server if it matches one of the languages that Configuration Manager supports. Use one of the following procedures to install a primary site. To install a primary site that joins an existing Configuration Manager hierarchy 1. Verify that the administrative user that runs Setup has the following security rights: Local Administrator rights on the central administration site server computer Sysadmin rights on the site database of the central administration site Local Administrator rights on the primary site server computer Local Administrator rights on each computer that hosts one of the following at the primary site: The site database An instance of the SMS Provider for the site A management point for the site A distribution point for the site

Sysadmin rights on the instance of SQL Server that hosts the site database Role-based administration rights that are equivalent to the security role of Infrastructure Administrator or Full Administrator Note Setup automatically configures the-sender address to use the computer account for the primary site server. This account must have Read, Write, Execute, and Delete NTFS file system permissions on the SMS\Inboxes\Despoolr.box\Receive
729

folder on the central administration site server. Also, your security policy must allow the account Access this computer from the network rights on the central administration site. After Setup is finished, you can change the account to a Windows user account if it is required. For example, you must change the account to a Windows user account if your central administration site is in a different forest. For more information about communication requirements across forest trusts, see Planning for Communications Across Forests in Configuration Manager. 2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is cleared, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in the Setup Wizard. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that are available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that are available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. English is selected by default and cannot be removed.
730

12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup is finished. Verify that the disk drive has enough disk space before you proceed. 14. On the Primary Site Installation page, select Join the primary site to an existing hierarchy, specify the FQDN for the central administration site, and then click Next. Setup verifies that the primary site server has access to the central administration site server, and that the site code for the central administration site can be retrieved by using the security credentials of the administrative user that is running Setup. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that SQL Server is to use, and then click Next. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. Important With Configuration Manager without a service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. Beginning with Configuration Manager SP1, you can use a non-default TCP port for the default instance. With System Center 2012 Configuration Manager with no service pack or with SP1, click Next to continue on to the SMS Provider Settings page. Beginning with System Center 2012 R2 Configuration Manager, click Next to continue to a second Database Information page where you can specify non-default locations for the SQL Server data file and SQL Server log file for the site database. Then, click Next to continue. Note The option to specify non-default file locations is not available when you use a SQL Server cluster. Warning The prerequisite checker does not run a check for free disk space for the nondefault file locations. 16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation.
731

17. On the Client Computer Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role, and then click Next. When you select All site system roles accept only HTTPS communication from clients, the client computer must have a valid PKI certificate for client authentication. When you select Configure the communication method on each site system role, you can choose Clients will use HTTPS when they have a valid PKI certificate and HTTPS-enabled site roles are available. This ensures that the client selects a site system that is configured for HTTPS if is available. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. 18. On the Site System Roles page, choose whether to install a management point or distribution point. When selected for installation, enter the FQDN for site system and select the client connection method. Click Next. If you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting. Note The site system installation account is automatically configured to use the primary sites computer account to install the site system role. If you have to use an alternate installation account for remote site systems, you should not select the roles in the Setup Wizard and install them later from the Configuration Manager console. 19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 20. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the primary site server and for specified site system roles. 21. On the Prerequisite Installation Check page, if no problems are listed, click Next to install the primary site and site system roles that you selected. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to a primary site before the
732

site installation finishes, but the console will connect to the site by using a readonly console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes. To install a stand-alone primary site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the primary site server computer Local Administrator rights on each computer that hosts one of the following: The site database An instance of the SMS Provider for the site A management point for the site A distribution point for the site

Sysadmin rights on the instance of SQL Server that hosts the site database.

2. On the new primary site computer, open Windows Explorer and browse to <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup Wizard opens. 4. On the Before You Begin page, click Next. 5. On the Getting Started page, select Install a Configuration Manager primary site, verify that Use typical installation options for a stand-alone primary site is not selected, and then click Next. 6. On the Product Key page, choose whether to install Configuration Manager as an evaluation or a full installation. Enter your product key for the full installation of Configuration Manager. Click Next. If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product with a product key from the Site Maintenance page in Setup. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup will download the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in this topic. Note When you use previously downloaded files, verify that the path to the download
733

folder contains the most recent version of the files. 10. On the Server Language Selection page, select the languages that will be available for the Configuration Manager console and for reports, and then click Next. English is selected by default and cannot be removed. 11. On the Client Language Selection page, select the languages that will be available to client computers, specify whether to enable all client languages for mobile device clients, and then click Next. By default, English is selected and cannot be removed. 12. On the Site and Installation Settings page, specify the site code and site name for the site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. 13. Specify the installation folder and whether Setup will install the Configuration Manager console on the local computer, and then click Next. The folder path must not contain trailing spaces or Unicode characters. Warning You cannot change the installation folder after Setup finishes. Verify that the disk drive has enough disk space before you proceed. Important If you selected Use typical installation options for a stand-alone primary site, skip to step 17 - the Customer Experience Improvement Program Configuration page. 14. On the Primary Site Installation page, select Install the primary site as a stand-alone site, and then click Next. Click Yes to confirm that you want to install the site as a standalone site. Important Prior to Configuration Manager SP1, you cannot join the stand-alone primary site to a central administration site after Setup finishes. 15. On the Database Information page, specify the information for the site database server and the SQL Server Service Broker (SSB) port that SQL Server is to use, and then click Next. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Typically, the Service Broker is configured to use TCP port 4022, but other ports are supported. Important With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. Beginning with Configuration Manager SP1, you can use a non-default TCP port for the default instance. With System Center 2012 Configuration Manager with no service pack or with SP1, click Next to continue on to the SMS Provider Settings page. Beginning with System Center 2012 R2 Configuration Manager, click Next to continue to
734

a second Database Information page where you can specify non-default locations for the SQL Server data file and SQL Server log file for the site database. Then, click Next to continue. Note The option to specify non-default file locations is not available when you use a SQL Server cluster. Warning The prerequisite checker does not run a check for free disk space for the nondefault file locations. 16. On the SMS Provider Settings page, specify the FQDN for the server that will host the SMS Provider, and then click Next. You can configure additional SMS providers for the site after the initial installation. 17. On Client Communication Settings page, choose whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for each site system role, and then click Next. When you select to All site system roles accept only HTTPS communication from clients, client computer must have a valid PKI certificate for client authentication. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. 18. On the Site System Roles page, choose whether to install a management point or distribution point. When selected for installation, enter the FQDN for site system and choose the client connection method. Click Next. When you selected All site system roles accept only HTTPS communication from clients on the previous page, the client connection settings are automatically configured for HTTPS and cannot be changed unless you go back and change the setting. Note The site system installation account is automatically configured to use the primary sites computer account to install the site system role. If you have to use an alternate installation account for remote site systems, you should not select the roles in the Setup Wizard and install them later from the Configuration Manager console. 19. On the Customer Experience Improvement Program Configuration page, choose whether to participate, and then click Next. 20. On the Settings Summary page, review the setting and verify that they are accurate. Click Next to start Prerequisite Checker to verify server readiness for the primary site server and site system roles. 21. On the Prerequisite Installation Check page, if no problems are listed, click Next to install the primary site and site system roles. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. You must resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the
735

user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. 22. On the Installation page, Setup displays the overall installation status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. Note You can connect a Configuration Manager console to the primary site before the site installation finishes, but the console will connect to the site by using a readonly console. The read-only console lets you view objects and configuration settings but prevents you from introducing any change that could be lost when the site installation finishes.

Install a Secondary Site

Use secondary sites to manage the transfer of deployment content and client data across low bandwidth networks. You manage a secondary site from a central administration site or the secondary sites parent primary site, and they are frequently used in locations that do not have an administrative user with Local Administrator rights. After a secondary site is attached to a primary site, you cannot move it to a different parent site without uninstalling it, and then reinstalling it at the new site. The secondary site requires SQL Server for its site database. Setup automatically installs SQL Server Express during site installation if a local instance of SQL Server is not available. Before Setup starts the secondary site installation, it runs Prerequisite Checker on the secondary site computer to verify requirements. During the secondary site installation, Setup configures database replication with its parent primary site, and automatically installs the management point and distribution point site system roles on the secondary site. Note For more information about supported versions of SQL Server for secondary sites, see the SQL Server Site Database Configurations section in the Supported Configurations for Configuration Manager topic. Note Setup automatically configures the secondary site to use the client communication ports that are configured at the parent primary site. Use the following procedure to create a secondary site. To create a secondary site 1. Verify that the following security rights exist: The administrative user who configures the installation of the secondary site in the Configuration Manager console must have role-based administration rights that are equivalent to the security role of Infrastructure Administrator or Full Administrator.
736

The computer account of the parent primary site must be a Local Administrator on the secondary site server computer. When the secondary site uses a previously installed instance of SQL Server to host the secondary site database: The computer account of the parent primary site must have sysadmin rights on the instance of SQL Server on the secondary site server computer. The Local System account of the secondary site server computer must have sysadmin rights on the instance of SQL Server on the secondary site server computer.

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. On the Home tab, in the Site group, click Create Secondary Site. The Create Secondary Site Wizard opens. 5. On the Before You Begin page, confirm that the primary site that is listed is the site in which you want this secondary site to be a child, and then click Next. 6. On the General page, specify the following settings: Site code: Specify a site code for the secondary site. For more information about site code naming, including best practices and limitations, see the Configuration Manager Site Naming section in this topic. Site server name: Specify the FQDN for the secondary site server. Verify that the server meets the requirements for secondary site installation. For more information about supported configurations, see Supported Configurations for Configuration Manager. Site name: Specify a name for the secondary site. Installation folder: Specify the installation folder to create on the secondary site server.

Click Next. Important You can click Summary to use the default settings in the wizard and go directly to the Summary page. Use this option only when you are familiar with the settings in this wizard. Boundary groups are not associated with the distribution point when you use the default settings. As a result, clients do not use the distribution point that is installed on this secondary site as a content source location. For more information about boundary groups, see the Create and Configure Boundary Groups for Configuration Manager section in the Configuring Boundaries and Boundary Groups in Configuration Manager topic. 7. On the Installation Source Files page, specify the location for the installation files for the secondary site, and then click Next. You can copy the files from the parent site to the secondary site, use the source files from a network location, or use source files that are already available locally on the secondary site server. When you choose the Use the source files at the following network location or Use the source files at the following location on the secondary site computer options,
737

the location must contain the Redist subfolder with the prerequisite redistributable files, language packs, and the latest product updates for Setup. Use Setup Downloader to download the required files to the Redist folder before you install the secondary site. The secondary site installation will fail if the files are not available in the Redist subfolder. For more information about Setup Downloader, see Setup Downloader in this topic. Note The folder or share name that you choose for the Setup installation source files must use only ASCII characters. Security The computer account for the secondary site must have Read NTFS file system permissions and share permissions to the Setup source folder and share. Avoid using administrative network shares (for example, C$ and D$) because they require the secondary site computer account to be an administrative user on the remote computer. 8. On the SQL Server Settings page, specify whether the secondary site will use SQL Server Express or an existing instance of SQL Server for the site database, and then configure the associated settings. Important With Configuration Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. Beginning with Configuration Manager SP1, you can use a non-default TCP port for the default instance. Install and configure a local copy of SQL Express on the secondary site computer SQL Server Service port: Specify the SQL Server service port for SQL Server Express to use. The service port is typically configured to use TCP port 1433, but you can configure another port. SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server Express to use. The Service Broker is typically configured to use TCP port 4022, but you can configure a different port. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Important For System Center 2012 R2 Configuration Manager only: With System Center 2012 R2 Configuration Manager, after you install SQL Server Express as part of a new secondary site, you must apply cumulative update 2 to SQL Server Express before the secondary site is supported. This is because, when System Center 2012 R2 Configuration Manager installs SQL Server Express as part of a new secondary site installation, it installs SQL Server 2012 Express with no service pack and is unable to install the required cumulative update 2 as part of the installation, If the secondary site
738

install fails, but first completes the installation of SQL Server 2012 Express, you must apply cumulative update 2 to that instance of SQL Server 2012 Express before Configuration Manager can successfully retry the secondary site installation. Use an existing SQL Server instance SQL Server FQDN: Review the FQDN for the SQL Server computer. You must use a local SQL Server to host the secondary site database and cannot modify this setting. SQL Server instance: Specify the instance of SQL Server to use as the secondary site database. Leave this option blank to use the default instance. ConfigMgr site database name: Specify the name to use for the secondary site database. SQL Server Broker port: Specify the SQL Server Service Broker (SSB) port for SQL Server to use. You must specify a valid port that no other site or service is using, and that no firewall restrictions block. Note Setup does not validate the information that you enter on this page until it starts the installation. Before you continue, verify these settings. Click Next. 9. On the Distribution Point page, configure the general distribution point settings. Install and configure IIS if required by Configuration Manager: Select this setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server if it is not already installed. IIS must be installed on all distribution points. If IIS is not installed on the server and you do not select this setting, you must install IIS before the distribution point can be installed successfully. Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic. Important You must select HTTPS when the parent primary site is configured to communicate only by using HTTPS. For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic. Allow clients to connect anonymously: This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library. Warning When you deploy a Windows Installer application on a Configuration
739

Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation finishes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the Repair action from Add/Remove Programs on a Configuration Manager client that is running Windows XP, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting, or the repair fails for clients that are running Windows XP. For all other operating systems, the client connects to the distribution point by using the logged-on user account. Create a self-signed certificate or import a public key infrastructure (PKI) client certificate for the distribution point. The certificate has the following purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When you select the Enable PXE support for clients check box on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager: Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there
740

are updates to the content, or always use the normal content distribution process for the content in the package. 10. On the Drive Settings page, specify the drive settings for the distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share, although Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the amount of free disk space to remain on each disk drive. Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives. Content Locations: Specify the content locations for the content library and package share. Configuration Manager copies content to the primary content location until the amount of free space reaches the value that is specified for Drive space reserve (MB). By default, the content locations are set to Automatic, and the primary content location will be set to the disk drive that has the most disk space at installation and the secondary location that is assigned the disk drive that has the second most free disk space. When the primary and secondary drives reach the drive space reserve, Configuration Manager selects another available drive with the most free disk space and continues the copy process.

11. On the Content Validation page, specify whether to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager initiates the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. To view the results of the content validation process, click the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. 12. On the Boundary Groups page, manage the boundary groups for which this distribution point is assigned. During content deployment, clients must be in a boundary group that is associated with the distribution point to use it as a source location for content. You can select the Allow fallback source location for content option to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no preferred distribution points are available. For more information about preferred distribution points, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. 13. On the Summary page, verify the settings, and then click Next to install the secondary site. 14. On the Completion page, click Close to exit the wizard. Tip The Windows PowerShell cmdlet, New-CMSecondarySite, performs the same function as this procedure. For more information, see New-CMSecondarySite in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

741

To verify the secondary site installation status 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the secondary site server to check installation status, and then on the Home tab, in the Site group, click Show Install Status. 4. Verify that the secondary site successfully finished. Note When you install more than one secondary site at a time, the prerequisite check runs against a single site at a time, and must complete for a site before it starts to check the next site.

Upgrade an Evaluation Installation to a Full Installation

If you install Configuration Manager as an evaluation, after 180 days the Configuration Manager console becomes read-only until you activate the product from the Site Maintenance page in Setup. At any time before or after the 180 day period, you have the option to upgrade an evaluation installation to a full installation. Note When you connect a Configuration Manager console to an evaluation installation of Configuration Manager, the title bar of the console displays the number of days that remain before the evaluation installation expires. The number of days does not automatically refresh and only updates when you make a new connection to a site. To upgrade an evaluation edition of a Configuration Manager central administration site or primary site to a full edition, you must run the copy of Setup that is located on the site server in the Configuration Manager installation folder. Because secondary sites are not treated as evaluation installations, you do not need to modify a secondary site after its primary parent site upgrades to a full installation. Use the following procedure to upgrade an evaluation installation to a full installation. To upgrade an evaluation installation to a full installation 1. On the site server, click Start, and then point to All Programs. Point to Microsoft System Center 2012, click Configuration Manager, and then click Configuration Manager Setup. Important When you run Setup from installation media, site maintenance options are not available. 2. On the Before You Begin page, click Next.
742

3. On the Getting Started page, select Perform site maintenance or reset the Site, and then click Next. 4. On the Site Maintenance page, select Convert from Evaluation to Full Product Version, enter a valid product key, and then click Next. 5. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 6. On the Configuration page, click Close to complete the wizard. Note When you have a Configuration Manager console connected to the site when you upgrade the site to the full installation, the title bar might indicate that the site is still an evaluation version until you reconnect the console to the site.

Using Command-Line Options with Setup

There are many options available when you run Configuration Manager Setup at a command prompt. These options can be used to start a scripted installation or upgrade, test a site's ability to be upgraded, perform a site reset, manage installed languages, and so on. The following table provides a list of command-line options for Setup. For information about how to use Setup script files to perform unattended installations, see the Configuration Manager Unattended Setup section in this topic.
Command-line option Description

/DEINSTALL /DONTSTARTSITECOMP

Uninstalls the site. You must run Setup from the site server computer. Install a site, but prevent the Site Component Manager service from starting. Until the Site Component Manager service starts, the site is not active. The Site Component Manager is responsible for installing and starting the SMS_Executive service, and additional processes at the site. After the site install is completed, when you start the Site Component Manager service, it will then install the SMS_Executive and additional processes necessary for the site to operate. Hides the user interface during setup. This option must be used in conjunction with the /SCRIPT option, and the unattended script file must provide all required options, or Setup fails. Disables user input during Setup, but display
743

/HIDDEN

/NOUSERINPUT

Command-line option

Description

the Setup Wizard interface. This option must be used in conjunction with the /SCRIPT option, and the unattended script file must provide all required options, or Setup fails. /RESETSITE Performs a site reset that resets the database and service accounts for the site. You must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server. For more information about the site reset, see the Perform a Site Reset section in the Manage Site and Hierarchy Configurations topic. Performs a test on a backup of the site database to ensure that it is capable of an upgrade. You must provide the instance name and database name for the site database. If you specify only the database name, Setup uses the default instance name. Important It is not supported to run this command-line option on your production site database. Doing so upgrades the site database and could render your site inoperable. /UPGRADE For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Runs an unattended upgrade of a site. When you use /UPGRADE, you must also specify the product key, including the dashes (). Additionally, you must specify the path to the previously downloaded Setup prerequisite files. Example: setupwpf.exe /UPGRADE xxxxxxxxxx-xxxxx-xxxxx-xxxxx <path to external component files> For more information about Setup prerequisite files, see the Setup Downloader section in this topic.

/TESTDBUPGRADE <InstanceName\DatabaseName>

744

Command-line option

Description

/SCRIPT <SetupScriptPath>

Performs unattended installations. A Setup initialization file is required when you use the /SCRIPT option. For more information about how to run Setup unattended, see the Configuration Manager Unattended Setup section in this topic. Installs the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. Uninstalls the SMS Provider on the specified computer. You must provide the FQDN for the SMS Provider computer. Manages the languages that are installed at a previously installed site. To use this option, you must run Setup from <ConfigMgrInstallationPath>\BIN\X64 on the site server and provide the location for the language script file that contains the language settings. For more information about the language options available in the language setup script file, see the How to use a Command-Line Option to Manage Languages section in this topic.

/SDKINST <FQDN>

/SDKDEINST <FQDN>

/MANAGELANGS <LanguageScriptPath>

How to use a Command-Line Option to Manage Languages

Use the /MANAGELANGS command-line option to run Configuration Manager Setup to manage the languages that are supported at a central administration site or primary site that you previously installed. To use the command-line option, you must run Setup from <ConfigMgrInstallationPath>\Bin\X64 on the site server and specify a language script file that contains the language settings. For example, use the following command syntax: setupwpf.exe /MANAGELANGS <language script file>

745

You use the language script file to specify the server and client languages for which you want to add or remove support at a site. You can also manage the languages for mobile devices. The following table lists the script keys and available values for the language script file.
Section Key name Require d Values Description

Identificatio Action n

Yes

ManageLanguages

Manages the server, client, and mobile client language support at a site.

Options

AddServerLanguages

No

For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN

Specifies the server languages that will be available for the Configuration For System Center 2012 Manager Configuration Manager with SP1 and System Center 2012 console, reports, and Configuration R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, Manager objects. English is CHT, CSY, ESN, HUN, ITA, available by KOR, NLD, PLK, PTB, PTG, default. SVE, TRK, or ZHH For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH Specifies the languages that will be available to client computers. English is available by default.

AddClientLanguages

No

DeleteServerLanguag es

No

For System Center 2012 Configuration Manager with no service pack: DEU, FRA,

Specifies the languages to remove that will

746

Section

Key name

Require d

Values

Description

RUS, CHS, or JPN

no longer be available for the For System Center 2012 Configuration Configuration Manager with SP1 and System Center 2012 Manager console, reports, R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, and Configuration Manager objects. CHT, CSY, ESN, HUN, ITA, English is KOR, NLD, PLK, PTB, PTG, available by SVE, TRK, or ZHH default and cannot be removed. DeleteClientLanguag es No For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK Specifies the languages to remove that will no longer be available to client computers. English is available by For System Center 2012 default and Configuration Manager with SP1 and System Center 2012 cannot be removed. R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH 0 or 1 0 = do not install 1 = install PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether the mobile device client languages are installed. Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0,
747

MobileDeviceLangua ge

Yes

Section

Key name

Require d

Values

Description

Setup downloads the files. PrerequisitePath Yes <PathToSetupPrerequisiteFil es> Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded files.

Configuration Manager Unattended Setup

To perform an unattended installation for a new Configuration Manager central administration site or primary site, you can create an unattended installation script and use Setup with the /SCRIPT command-line option. The script provides the same type of information that the Setup Wizard prompts for, except that there are no default settings. All values must be specified for the setup keys that apply to the type of installation that you are using. Note You cannot use the unattended script file to upgrade an evaluation site to a full installation of Configuration Manager. When you run Setup to install Configuration Manager by using the user interface, Setup automatically creates the unattended installation script for you when you confirm the settings on the Summary page of the wizard. The unattended installation script contains the settings that you select in the wizard. After the script is created, you can modify the script to install other sites in your hierarchy. Setup creates the script in %TEMP%\ConfigMgrAutoSave.ini. You can then use this script to perform an unattended setup of Configuration Manager. When Setup creates the unattended installation script, it is populated with the product key value that you enter during setup. This can be a valid product key, or it is equal to EVAL when you install an evaluation version of Configuration Manager. The product key value in the script is populated to enable the prerequisite check to finish. When Setup starts the actual site installation, the automatically created script is written to again to clear the product key value in the script that it creates. Before using the script for an unattended installation of a new site, you can edit the script to provide a valid product key or specify an evaluation installation of Configuration Manager.
748

Tip In Configuration Manager with no service pack, an unattended installation does not run Prerequisite Checker. Therefore, plan to manually run Prerequisite Checker before starting the installation. Beginning with Configuration Manager SP1, an unattended installation does run Prerequisite Checker. For information about Prerequisite Checker, see Technical Reference for the Prerequisite Checker in Configuration Manager You can run Configuration Manager Setup unattended by using an initialization file with the /SCRIPT Setup command-line option. Unattended setup is supported for new installations of a Configuration Manager central administration site, primary site, and Configuration Manager console. To use the /SCRIPT Setup command-line option, you must create an initialization file and specify the initialization file name after the /SCRIPT Setup command-line option. The name of the file must have the .ini file name extension. When you reference the Setup initialization file at the command prompt, you must provide the full path to the file. For example, if your Setup initialization file is named Setup.ini, and it is stored in the C:\Setup folder, at the command prompt, type: setup /script c:\setup\setup.ini. Security You must have administrative credentials to run Setup. When you run Setup with the unattended script, start the command prompt by using Run as administrator. The script contains section names, key names, and values. Required section key names vary depending on the installation type that you are scripting. The order of the keys within sections, and the order of sections within the file, is not important. The keys are not case sensitive. When you provide values for keys, the name of the key must be followed by an equals sign (=) and the value for the key.

Unattended Setup Script File Keys

To run Setup unattended, you must specify the /SCRIPT command-line option and configure the Setup script file with required keys and values. You must configure the following four sections in the script file to install or configure a site: Identification, Options, SQLConfigOptions, and HierarchyOptions. To recover a site, you must use the following sections of the script file: Identification and Recovery. For more information about for backup and recovery, see the Unattended Site Recovery Script File Keys section in the Backup and Recovery in Configuration Manager topic. Use the following sections to help you to create your script for unattended Setup. The tables list the available Setup script keys, their corresponding values, whether they are required, which type of installation they are used for, and a short description for the key.

749

Install a Central Administration Site Unattended

Use the following section to install a central administration site by using an unattended Setup script file.
Section Key name Requir ed Values Details

Identification

Action

Yes

InstallCAS

Installs a central administration site

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxx-xxxxx Specifies the Configuration or Manager Eval installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. <SiteCode> Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. For more information about site code restrictions, see Configuration Manager Site Naming. Specifies the name for this site. Specifies the installation folder for the Configuration
750

SiteCode

Yes

SiteName

Yes

<SiteName>

SMSInstallDir

Yes

<ConfigMgrInstallationPath>

Section

Key name

Requir ed

Values

Details

Manager program files. SDKServer Yes <FQDN of SMS Provider> Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteFiles Specifies the > path to the Setup prerequisite files.

751

Section

Key name

Requir ed

Values

Details

Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded files. AdminConsole Yes 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. Specifies whether to join the Customer Experience Improvement Program. Specifies the server languages that will be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default. Specifies the languages that will be available to client computers.
752

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

AddServerLangua ges

No

For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

AddClientLanguag es

No

For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK,

Section

Key name

Requir ed

Values

Details

PTB, PTG, SVE, or TRK For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH DeleteServerLang uages No For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH

English is available by default.

Modifies a site after it is installed. Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and Configuration Manager objects. English is available by default and cannot be removed. Modifies a site after it is installed. Specifies the languages to remove that will no longer be available to client computers. English is available by
753

DeleteClientLangu ages

No

For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN,

Section

Key name

Requir ed

Values

Details

CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH MobileDeviceLang uage Yes 0 or 1 0 = do not install 1 = install

default and cannot be removed. Specifies whether the mobile device client languages are installed. Specifies the name of the server, or name of the clustered instance, that is running SQL Server. It will host the site database. Specifies the name of the SQL Server database to create or use to install the central administration site database. Important You must specify the instance name and site database name if you do not use the default
754

SQLConfigOpt SQLServerName ions

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteDataba seName>

Section

Key name

Requir ed

Values

Details

instance. With Configur ation Manager with no service pack, when you configure the site database to use the default instance of SQL Server, you must configure the SQL Server service port to use TCP port 1433, the default port. Beginnin g with Configur ation Manager SP1, you can use a nondefault TCP port
755

Section

Key name

Requir ed

Values

Details

for the default instance. SQLSSBPort No <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is configured to use TCP port 4022, but other ports are supported.

Install a Primary Site Unattended

Use the following section to install a primary site by using an unattended Setup script file.
Section Key name Requi red Values Details

Identification Options

Action ProductID

Yes Yes

InstallPrimarySite xxxxx-xxxxx-xxxxx-xxxxxxxxxx or Eval

Installs a primary site. Specifies the Configuration Manager installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. Specifies the three alphanumericch
756

SiteCode

Yes

<SiteCode>

Section

Key name

Requi red

Values

Details

aracters that uniquely identify the site in your hierarchy. For more information about site code restrictions, see Configuration Manager Site Naming. SiteName Yes <SiteName> Specifies the name for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration
757

SMSInstallDir

Yes

<ConfigMgrInstallationPath >

SDKServer

Yes

<FQDN of SMS Provider>

Section

Key name

Requi red

Values

Details

Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteF Specifies the iles> path to the Setup prerequisite files. Depending on the PrerequisiteCo mp value, Setup uses this path to store downloaded files or to locate previously downloaded files. 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console. Specifies whether to join
758

AdminConsole

Yes

JoinCEIP

Yes

0 or 1

Section

Key name

Requi red

Values

Details

0 = do not join 1 = join

the Customer Experience Improvement Program. Specifies the FQDN of the server that will host the management point site system role. Specifies the protocol to use for the management point. Specifies the protocol to use for the management point. Specifies the protocol to use for the distribution point. Specifies whether to configure all site systems to accept only HTTPS communication from clients or for the communication method to be configured for
759

ManagementPoint

No

<Management point site server FQDN>

ManagementPointP No rotocol

HTTPS or HTTP

DistributionPoint

No

<Distribution Point site server FQDN>

DistributionPointPro No tocol

HTTPS or HTTP

RoleCommunicatio nProtocol

Yes

EnforceHTTPS or HTTPorHTTPS

Section

Key name

Requi red

Values

Details

each site system role. When you select to EnforceHTTPS, client computer must have a valid PKI certificate for client authentication. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. ClientsUsePKICertif Yes icate 0 or 1 0 = do not use 1 = use Specifies whether clients will use a client PKI certificate to communicate with site system roles. For more information about PKI certificate requirements, see PKI Certificate Requirements for Configuration Manager. Specifies the server languages that will be available
760

AddServerLanguag es

No

For System Center 2012 Configuration Manager with no service pack: DEU,

Section

Key name

Requi red

Values

Details

FRA, RUS, CHS, or JPN

for the Configuration For System Center 2012 Configuration Manager with Manager console, reports, SP1 and System Center and 2012 R2 Configuration Manager: DEU, FRA, RUS, Configuration Manager CHS, JPN, CHT, CSY, objects. English ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, is available by default. TRK, or ZHH AddClientLanguage No s For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK For System Center 2012 Configuration Manager with SP1 and System Center 2012 R2 Configuration Manager: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH DeleteServerLangu ages No For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, or JPN For System Center 2012 Configuration Manager with SP1: and System Center 2012 R2 Configuration Manager DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, TRK, or ZHH Specifies the languages that will be available to client computers. English is available by default.

Use when modifying a site after it is installed. Specifies the languages to remove that will no longer be available for the Configuration Manager console, reports, and
761

Section

Key name

Requi red

Values

Details

Configuration Manager objects. English is available by default and cannot be removed. DeleteClientLangua No ges For System Center 2012 Configuration Manager with no service pack: DEU, FRA, RUS, CHS, JPN, CHT, CSY, ESN, HUN, ITA, KOR, NLD, PLK, PTB, PTG, SVE, or TRK Use when modifying a site after it is installed.

Specifies the languages to remove and that For System Center 2012 will no longer be Configuration Manager with available to SP1 and System Center client 2012 R2 Configuration computers. Manager: DEU, FRA, RUS, English is CHS, JPN, CHT, CSY, available by ESN, HUN, ITA, KOR, default and NLD, PLK, PTB, PTG, SVE, cannot be TRK, or ZHH removed. MobileDeviceLangu Yes age 0 or 1 0 = do not install 1 = install Specifies whether the mobile device client languages are installed. Specifies the name of the server or name of the clustered instance that runs SQL Server that will host the site database. Specifies the name of the
762

SQLConfigOption s

SQLServerName

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or

Section

Key name

Requi red

Values

Details

<InstanceName>\<SiteData SQL Server baseName> database to create or use to install the primary site database. Important You must specify the instance name and site databas e name if you do not use the default instance . With Configur ation Manage r with no service pack, when you configur e the site databas e to use the default instance of SQL
763

Section

Key name

Requi red

Values

Details

Server, you must configur e the SQL Server service port to use TCP port 1433, the default port. Beginni ng with Configur ation Manage r SP1, you can use a nondefault TCP port for the default instance . SQLSSBPort No <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is configured to
764

Section

Key name

Requi red

Values

Details

use TCP port 4022, but other ports are supported. HierarchyExpansi onOption CCARSiteServer No <FQDN of central administration site> Specifies the central administration site that a primary site will attach to when it joins the Configuration Manager hierarchy. You must specify the central administration site during Setup. Prior to Configuration Manager SP1, you cannot join a stand-alone primary site to a central administration site after Setup finishes. Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the connection to the central
765

CASRetryInterval

No

<Interval>

Section

Key name

Requi red

Values

Details

administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterv al, and then reattempts the connection. WaitForCASTimeo ut No <Timeout> Specifies the maximum timeout value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site, based on the CASRetryInterv al until the WaitForCASTim eout period is reached. You can specify a value of 0 to 100.
766

Recover a Central Administration Site Unattended

Use the following section to recover a central administration site by using an unattended Setup script file.
Section Key name Requi red Values Details

Identification

Action

Yes Yes

RecoverCCAR 1, 2, or 4 1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Recovers a central administration site Specifies whether Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOpti ons setting: Value = 1: You have the option to specify a value for the SiteServerBack upLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 2: You have the option to specify a value for the SiteServerBack upLocation key to recover the
767

RecoveryOpti ServerRecoveryOp ons tions

Section

Key name

Requi red

Values

Details

site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocatio n key is required when you configure a value of 10 for the DatabaseRecov eryOptions key, which is to restore the site database from backup.

DatabaseRecovery Options

See Detail s

10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. Global and site data is recovered through replication from other sites. 80 = skip database recovery.

Specifies how Setup recovers the site database in SQL Server. This key is required when the ServerRecoveryOp tions setting has a value of 1 or 4.

ReferenceSite

See Detail s

<ReferenceSiteFQDN>

Specifies the reference primary site that the central

768

Section

Key name

Requi red

Values

Details

administration site uses to recover global data if the database backup is older than the change tracking retention period or when you recover the site without a backup. When you do not specify a reference site and the backup is older than the change tracking retention period, all primary sites are reinitialized with the restored data from the central administration site. When you do not specify a reference site and the backup is within the change tracking retention period, only changes after the backup are replicated from primary sites. When there are conflicting changes from different primary sites, the central administration site uses the first one that it receives. This key is required when the DatabaseRecovery
769

Section

Key name

Requi red

Values

Details

Options setting has a value of 40. SiteServerBackupL ocation No <PathToSiteServerBackupS et> Specifies the path to the site server backup set. This key is optional when the ServerRecoveryOp tions setting has a value of 1 or 2. Specify a value for the SiteServerBackupL ocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryOp tions key, and configure a value of 10 for the DatabaseRecovery Options key. Specifies the Configuration Manager installation product key, including the
770

BackupLocation

See Detail s

<PathToSiteDatabaseBacku pSet>

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx Eval

Section

Key name

Requi red

Values

Details

dashes. Enter Eval to install the evaluation version of Configuration Manager. SiteCode Yes <SiteCode> Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. You must specify the site code that the site used before the failure. For more information about site code restrictions, see the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Specifies the name for this site.

SiteName SMSInstallDir

No See Detail s

<SiteName>

< ConfigMgrInstallationPath> Specifies the installation folder for the Configuration Manager program files. <FQDN of SMS Provider> Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider
771

SDKServer

See Detail s

Section

Key name

Requi red

Values

Details

before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteFil Specifies the path to es> the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. 0 or 1 0 = do not install 1 = install Specifies whether to install the Configuration Manager console.
772

AdminConsole

See Detail s

Section

Key name

Requi red

Values

Details

This key is required except when the ServerRecoveryOp tions setting has a value of 4. JoinCEIP Yes 0 or 1 0 = do not join 1 = join Specifies whether to join the Customer Experience Improvement Program. Specifies the name of the server, or name of the clustered instance that is running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure.

SQLConfigO ptions

SQLServerName

See Detail s

<SQLServerName>

DatabaseName

See Detail s

<SiteDatabaseName>

Specifies the name of the SQL Server or database to create <InstanceName>\<SiteDatab or use to install the aseName> central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and
773

Section

Key name

Requi red

Values

Details

site database name if you do not use the default instance. SQLSSBPort See Detail s <SSBPortNumber> Specifies the SQL Server Service Broker (SSB) port that SQL Server uses. Typically, SSB is configured to use TCP port 4022. You must specify the same SSB port that was used before the failure.

Recover a Primary Site Unattended

Use the following section to recover a primary site by using an unattended Setup script file.
Section Key name Requi red Values Details

Identification RecoveryOptions

Action ServerRecoveryO ptions

Yes Yes

RecoverPrimarySite 1, 2, or 4 1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Recovers a primary site Specifies whether Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOp tions setting:
774

Section

Key name

Requi red

Values

Details

Value = 1: You have the option to specify a value for the SiteServerBac kupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 2: You have the option to specify a value for the SiteServerBac kupLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocati on key is required when you configure a value of 10 for the
775

Section

Key name

Requi red

Values

Details

DatabaseRec overyOptions key, which is to restore the site database from backup. DatabaseRecover See 10, 20, 40, 80 yOptions Detail 10 = Restore the site s database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. 80 = skip database recovery. SiteServerBackup No Location <PathToSiteServerBackup Set> Specifies the path to the site server backup set. This key is optional when the ServerRecoveryO ptions setting has a value of 1 or 2. Specify a value for the SiteServerBackup Location key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a
776

Specifies options for Setup to recover the site database in SQL Server. This key is required when the ServerRecoveryO ptions setting has a value of 1 or 4.

Section

Key name

Requi red

Values

Details

backup set. BackupLocation See <PathToSiteDatabaseBack Detail upSet> s Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryO ptions key, and configure a value of 10 for the DatabaseRecover yOptions key. Specifies the Configuration Manager installation product key, including the dashes. Enter Eval to install the evaluation version of Configuration Manager. Specifies three alphanumeric characters that uniquely identify the site in your hierarchy. You must specify the site code that the site used before the failure. For more information about site code restrictions, see
777

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx or Eval

SiteCode

Yes

<SiteCode>

Section

Key name

Requi red

Values

Details

the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. SiteName SMSInstallDir No <SiteName> Specifies the name for this site. Specifies the installation folder for the Configuration Manager program files. Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in
778

See <ConfigMgrInstallationPath Detail > s

SDKServer

See <FQDN of SMS Provider> Detail s

Section

Key name

Requi red

Values

Details

Configuration Manager topic. PrerequisiteComp Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup downloads the files. Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. Specifies whether to install the Configuration Manager console. This key is required except when the ServerRecoveryO ptions setting has a value of 4. Specifies whether to join the Customer Experience Improvement Program. Specifies the name of the server, or
779

PrerequisitePath

Yes

<PathToSetupPrerequisite Files>

AdminConsole

See 0 or 1 Detail 0 = do not install s 1 = install

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

SQLConfigOption

SQLServerName

See <SQLServerName> Detail

Section

Key name

Requi red

Values

Details

the name of the clustered instance that is running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance.

DatabaseName

See <SiteDatabaseName> Detail or s <InstanceName>\<SiteDat abaseName>

SQLSSBPort

See <SSBPortNumber> Detail s

Specify the SQL Server Service Broker (SSB) port that

780

Section

Key name

Requi red

Values

Details

SQL Server uses. Typically, SSB is configured to use TCP port 4022. You must specify the same SSB port that was used before the failure. HierarchyExpansi onOption CCARSiteServer See <SiteCodeForCentralAdmin Specifies the Detail istrationSite> central s administration site to which a primary site attaches when it joins the Configuration Manager hierarchy. This setting is required if the primary site was attached to a central administration site before the failure. You must specify the site code that was used for the central administration site before the failure. No <Interval> Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the connection to the central
781

CASRetryInterval

Section

Key name

Requi red

Values

Details

administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterval, and then attempts the connection again. WaitForCASTime out No <Timeout> Specifies the maximum time-out value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site, based on the CASRetryInterval until the WaitForCASTime out period is reached. You can specify a value of 0 to 100.

Decommission Sites and Hierarchies

To decommission hierarchies, start at the bottom of the hierarchy and move upward. Remove secondary sites attached to primary sites, primary sites from the central administration site, and
782

then the central administration site itself. Use the information in this section to remove individual sites or decommission a hierarchy of sites.

Remove a Secondary Site from a Hierarchy

You cannot move or reassign secondary sites to a new parent primary site. To remove a secondary site from a hierarchy, it must be deleted from its direct parent site. Use the Delete Secondary Site Wizard from the Configuration Manager console to remove the secondary site. When you remove a secondary site, you must choose whether to delete or uninstall the secondary site: Uninstall the secondary site: Use this option to remove a functional secondary site that is accessible from the network. This option uninstalls Configuration Manager from the secondary site server, and then deletes all information about the site and its resources from the Configuration Manager hierarchy. If Configuration Manager installed SQL Server Express as part of the secondary site installation, Configuration Manager will uninstall SQL Express when it uninstalls the secondary site. If SQL Server Express was installed before you installed the secondary site, Configuration Manager will not uninstall SQL Server Express. Delete the secondary site: Use this option if one of the following is true: A secondary site failed to install. The secondary site continues to display in the Configuration Manager console after you uninstall it.

This option deletes all information about the site and its resources from the Configuration Manager hierarchy, but leaves Configuration Manager installed on the secondary site server. Note You can also use the Hierarchy Maintenance Tool and the /DELSITE option to delete a secondary site. For more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager. To uninstall or delete a secondary site 1. Verify the administrative user that runs Setup has the following security rights: Administrative rights on the secondary site computer. Local Administrator rights on the remote site database server for the primary site, if it is remote. Infrastructure Administrator or Full Administrator security role on the parent primary site. Sysadmin rights on the site database of the secondary site.

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. Select the secondary site server to remove. 5. On the Home tab, in the Site group, click Delete. 6. On the General page, select whether to uninstall or delete the secondary site, and then
783

click Next. 7. On the Summary page, verify the settings, and then click Next. 8. On the Completion page, click Close to exit the wizard.

Uninstall a Primary Site

You can run Configuration Manager Setup to uninstall a primary site that does not have an associated secondary site. Before you uninstall a primary site, consider the following: When Configuration Manager clients are within the boundaries configured at the site, and the primary site is part of a Configuration Manager hierarchy, consider adding the boundaries to a different primary site in the hierarchy before you uninstall the primary site. When the primary site server is no longer available, you must use the Hierarchy Maintenance Tool at the central administration site to delete the primary site from the site database. For more information, see Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager.

Use the following procedure to uninstall a primary site. To uninstall a primary site 1. Verify the administrative user that runs Setup has the following security rights: Local Administrator rights on the central administration site server. Local Administrator rights on the remote site database server for the central administration site, if it is remote. Sysadmin rights on the site database of the central administration site. Local Administrator rights on the primary site computer. Local Administrator rights on the remote site database server for the primary site, if it is remote. User name associated with the Infrastructure Administrator or Full Administrator security role on the central administration site.

2. Start Configuration Manager Setup on the primary site server by using one of the following methods: On Start, click Configuration Manager Setup. Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. Open Setup.exe from <ConfigMgrInstallationPath>\BIN\X64.

3. On the Before You Begin page, click Next. 4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next. 5. On the Uninstall the Configuration Manager Site, specify whether to remove the site database from the primary site server and whether to remove the Configuration Manager console. By default, Setup removes both items. Important When a secondary site is attached to the primary site, you must remove the
784

secondary site before you can uninstall the primary site. 6. Click Yes to confirm to uninstall the Configuration Manager primary site.

Uninstall a Primary Site that is Configured with Distributed Views

Before you uninstall a child primary site that has distributed views configured on its replication link to the central administration site, you must disable distributed views in your hierarchy. Use the following information to disable distributed views before you uninstall a primary site. To uninstall a primary site that is configured with distributed views 1. Before you uninstall any primary site, you must disable distributed views on each link in the hierarchy between the central administration site and a primary site. 2. After you disable distributed views on each link, confirm that the data from the primary site completes reinitialization at the central administration site. You can monitor the initialization of data when you view the link in the Database Replication node of the Monitoring workspace of the Configuration Manager console. 3. After the data successfully reinitializes with the central administration site, you can uninstall the primary site. To uninstall a primary site, see the Uninstall a Primary Site section in this topic. 4. After the primary site is completely uninstalled, you can reconfigure distributed views on links to primary sites. Important If you uninstall the primary site before you disable distributed views at each site, or before the data from the primary site successfully reinitializes at the central administration site, replication of data between primary sites and the central administration site can fail. In this scenario, you must disable distributed views for each link in your hierarchy, and then, after the data successfully reinitializes with the central administration site, you can reconfigure distributed views.

Uninstall the Central Administration Site

You can run Configuration Manager Setup to uninstall a central administration site without child primary sites. Use the following procedure to uninstall the central administration site. To uninstall a central administration site 1. Verify that the administrative user who runs Setup has the following security rights: Local Administrator rights on the central administration site server. Local Administrator rights on the site database server for the central administration site, when the site database server is not installed on the site server.

2. Start Configuration Manager Setup on the central administration site server by using one
785

of the following methods: On Start, click Configuration Manager Setup. Open Setup.exe from <ConfigMgrInstallationMedia>\SMSSETUP\BIN\X64. Open Setup.exe from <ConfigMgrInstallationPath>\BIN\X64.

3. On the Before You Begin page, click Next. 4. On the Getting Started page, select Uninstall a Configuration Manager site, and then click Next. 5. On the Uninstall the Configuration Manager Site, specify whether to remove the site database from the central administration site server and whether to remove the Configuration Manager console. By default, Setup removes both items. Important When there is a primary site attached to the central administration site, you must uninstall the primary site before you can uninstall the central administration site. 6. Click Yes to confirm to uninstall the Configuration Manager central administration site.

Configuration Manager Site Naming

Site codes and site names are used to identify and manage the sites in a Configuration Manager hierarchy. In the Configuration Manager console, the site code and site name are displayed in the <site code> - <site name> format. Every site code that you use in your Configuration Manager hierarchy must be unique. If the Active Directory schema is extended for Configuration Manager, and sites are publishing data, the site codes used within an Active Directory forest must be unique even if they are used in a different Configuration Manager hierarchy or if they have been used in previous Configuration Manager installations. Be sure to carefully plan your site codes and site names before you deploy your Configuration Manager hierarchy.

Specify a Site Code and Site Name

During Configuration Manager Setup, you are prompted for a site code and site name for the central administration site, and each primary and secondary site installation. The site code must uniquely identify each Configuration Manager site in the hierarchy. Because the site code is used in folder names, never use Windows-reserved names for the site code, such as AUX, CON, NUL, or PRN. Note Configuration Manager Setup does not verify that the site code that you specify is not already in use. To enter the site code for a site during Configuration Manager Setup, you must enter three alphanumeric characters. Only the letters A through Z, numbers 0 through 9, or combinations of the two are allowed when specifying site codes. The sequence of letters or numbers has no effect on the communication between sites. For example, it is not necessary to name a primary site ABC and a secondary site DEF.
786

The site name is a friendly name identifier for the site. Use only the standard characters A through Z, a through z, 0 through 9, and the hyphen (-) in site names. Important Changing the site code or site name after installation is not supported.

Re-Using Site Codes

Site codes cannot be used more than one time in a Configuration Manager hierarchy for a central administration site or primary sites. If you reuse a site code, you run the risk of having object ID conflicts in your Configuration Manager hierarchy. You can reuse the site code for a secondary site if it is no longer in use in your Configuration Manager hierarchy or in the Active Directory forest.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Expand a Stand-Alone Primary Site into a Hierarchy with a Central Administration Site
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Beginning with System Center 2012 Configuration Manager SP1, you can expand an existing stand-alone primary site into a hierarchy with a central administration site. Before you run Setup to expand a stand-alone primary site, review the following sections in the Planning for Sites and Hierarchies in Configuration Manager topic: Prerequisites for Expanding a Stand-Alone Primary Site Considerations when Expanding a Stand-Alone Primary Site

Expand a Stand-Alone Primary Site

To expand your stand-alone primary site, run Setup from the source media for Configuration Manager SP1 or a subsequent version, and use the procedure To install a central administration site from the Install a Central Administration Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic. During Setup, ensure that you make the following selections in the Configuration Manager Setup Wizard: 1. On the Getting Started page, select Install a Configuration Manager central administration site.
787

2. On the Client Language Selection page, select the same client languages that the primary site supports. 3. On the Central Administration Site Installation page, select the option Expand an existing stand-alone primary site into a hierarchy. After Setup finishes, your stand-alone primary site is now a child primary site. After the new central administration site is installed, restart any Configuration Manager consoles that are open and remain connected to the primary site. If there are software update points at the primary site, install a software update point at the central administration site and configure it to synchronize software updates with Windows Server Update Services (WSUS). This is because the child primary automatically reconfigures its software update points to synchronize with a software update point at the central administration site. For information about how to configure software update points, see Configuring Software Updates in Configuration Manager.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Upgrade Configuration Manager to a New Service Pack

Use the information in the following sections to help you upgrade your System Center 2012 Configuration Manager site and hierarchy to a new service pack successfully.

Pre-Upgrade Configurations for Configuration Manager Sites

Before you upgrade a site to a new service pack, review the applicable upgrade checklist to understand any pre-upgrade configurations that the site or hierarchy requires. Additionally, plan to record details about any configurations and settings that you use and that do not persist after an upgrade to that service pack version. For more information about pre-upgrade tasks and configurations, see the applicable sections in the Planning to Upgrade System Center 2012 Configuration Manager topic. For upgrades to Configuration Manager SP1: Configuration Manager SP1 Upgrade Checklist Considerations when Upgrading to Configuration Manager SP1 System Center 2012 R2 Configuration Manager Upgrade Checklist Considerations for Upgrading to System Center 2012 R2 Configuration Manager

For upgrades to System Center 2012 R2 Configuration Manager:

788

Test the Configuration Manager Site Database for the Upgrade

Before you upgrade a site, test a copy of that sites database for the upgrade. To test the database for an upgrade, you first restore a copy of the site database to an instance of SQL Server that does not host a Configuration Manager site. The version of SQL Server that you use to host the database copy must be a version of SQL Server that the version of Configuration Manager supports that is the source of the database copy. Next, after you restore the site database, on the SQL Server computer, run Configuration Manager Setup from the Configuration Manager service pack media, with the /TESTDBUPGRADE command-line option. For information about how to create and restore a backup of a site database, see Backup and Recovery in Configuration Manager. For information about the /TESTDBUPGRADE command-line option, see the table in the Using Command-Line Options with Setup section of the Install Sites and Create a Hierarchy for Configuration Manager topic. For information about the supported versions of SQL Server, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic.

Use the following procedure on each central administration site and primary site that you plan to upgrade. To test a Configuration Manager site database for upgrade 1. Make a copy of the site database, and then restore that copy to an instance of SQL Server that uses the same edition as your site database and that does not host a Configuration Manager site. For example, if the site database runs on an instance of the Enterprise edition of SQL Server, make sure you restore the database to an instance of SQL Server that also runs the Enterprise edition of SQL Server. 2. After you restore the database copy, run Setup from the source media for the new version of Configuration Manager. When you run Setup, use the /TESTDBUPGRADE command-line option. If the SQL Server instance that hosts the database copy is not the default instance, you must also provide the command-line arguments to identify the instance that hosts the site database copy. For example, you plan to upgrade a site database with the database name SMS_ABC. You restore a copy of this site database to a supported instance of SQL Server with the instance name DBTest. To test an upgrade of this copy of the site database, use the following command line: Setup.exe /TESTDBUPGRADE DBtest\CM_ABC You can find Setup.exe in the following location on the source media for Configuration Manager SP1: SMSSETUP\BIN\X64. 3. On the instance of SQL Server where you run the database upgrade test, monitor the ConfigMgrSetup.log in the root of the system drive for progress and success: If the test upgrade fails, resolve any issues related to the site database upgrade
789

failure, create a new backup of the site database, and then test the upgrade of the new copy of the site database. After the process is successful, you can delete the database copy. Note It is not supported to restore the copy of the site database that you use for the test upgrade for use as a site database at any site. After you successfully upgrade a copy of the site database, proceed with the upgrade of the Configuration Manager site and its site database.

Upgrade a Configuration Manager Site

After you complete pre-upgrade configurations for your site, test the upgrade of the site database on a database copy, and download prerequisite files and language packs for the service pack version that you plan to install, you are ready to upgrade your Configuration Manager site. When you upgrade a site in a hierarchy, you upgrade the top-level site of the hierarchy first. This top-level site is either a central administration site or a stand-alone primary site. After the upgrade of a central administration site is completed, you can upgrade child primary sites in any order that you want. After you upgrade a primary site, you can upgrade that sites ch ild secondary sites, or upgrade additional primary sites before you upgrade any secondary sites. To upgrade a central administration site or primary site, you run Setup from the Configuration Manager service pack media. However, you do not run Setup to upgrade secondary sites. Instead, you use the Configuration Manager console to upgrade a secondary site after you complete the upgrade of its primary parent site. Before you upgrade a site, close the Configuration Manager console that is installed on the site server until after the site upgrade is completed. Also close each Configuration Manager console that runs on computers other than the site server. You can reconnect the console after the site upgrade is completed. However, until you upgrade a Configuration Manager console to the new version of Configuration Manager, that console cannot display some objects and information that are available in new version of Configuration Manager. Use the following procedures to upgrade Configuration Manager sites: To upgrade a central administration site or primary site 1. Verify that the user who runs Setup has the following security rights: Local Administrator rights on the site server computer. Local Administrator rights on the remote site database server for the site, if it is remote.

2. On the site server computer, open Windows Explorer and browse to <ConfigMgrServicePackInstallationMedia>\SMSSETUP\BIN\X64. 3. Double-click Setup.exe. The Configuration Manager Setup wizard opens. 4. On the Before You Begin page, click Next.
790

5. On the Getting Started page, select Upgrade this Configuration Manager site, and then click Next. 6. On the Product Key page, click Next. If you previously installed Configuration Manager Evaluation, you can select Install the licensed edition of this product, and then enter your product key for the full installation of Configuration Manager to convert the site to the full version. 7. On the Microsoft Software License Terms page, read and accept the license terms, and then click Next. 8. On the Prerequisite Licenses page, read and accept the license terms for the prerequisite software, and then click Next. Setup downloads and automatically installs the software on site systems or clients when it is required. You must select all check boxes before you can continue to the next page. 9. On the Prerequisite Downloads page, specify whether Setup downloads the latest prerequisite redistributable files, language packs, and the latest product updates from the Internet or use previously downloaded files, and then click Next. If you previously downloaded the files by using Setup Downloader, select Use previously downloaded files and specify the download folder. For information about Setup Downloader, see the Setup Downloader section in the Install Sites and Create a Hierarchy for Configuration Manager topic. Note When you use previously downloaded files, verify that the path to the download folder contains the most recent version of the files. 10. On the Server Language Selection page, view the list of languages that are currently installed for the site. Select additional languages that are available at this site for the Configuration Manager console and for reports, or clear languages that you no longer want to support at this site, and then click Next. By default, English is selected and cannot be removed. Important Each version of Configuration Manager cannot use language packs from a prior version of Configuration Manager. To enable support for a language at a Configuration Manager site that you upgrade, you must use the version of the language pack for that new version. For example, during upgrade from Configuration Manager with no service pack to Configuration Manager SP1, if the Configuration Manager SP1 version of a language pack is not available with the prerequisite files you download, support for that language cannot be installed. When a language is already installed for Configuration Manager with no service pack and the language pack for the new version is not available, support for that language is uninstalled when the site upgrades. 11. On the Client Language Selection page, view the list of languages that are currently installed for the site. Select additional languages that are available at this site for client computers, or clear languages that you no longer want to support at this site. Specify whether to enable all client languages for mobile device clients, and then click Next. By
791

default, English is selected and cannot be removed. Important Each version of Configuration Manager cannot use language packs from a prior version of Configuration Manager. To enable support for a language at a Configuration Manager site that you upgrade, you must use the version of the language pack for that new version. For example, during upgrade from Configuration Manager with no service pack to Configuration Manager SP1, if the Configuration Manager SP1 version of a language pack is not available with the prerequisite files that you download, support for that language cannot be installed. When a language is already installed for Configuration Manager with no service pack and the language pack for the new version is not available, support for that language is uninstalled when the site upgrades. 12. On the Settings Summary page, click Next to start Prerequisite Checker to verify server readiness for the upgrade of the site. 13. On the Prerequisite Installation Check page, if there are no problems listed, click Next to upgrade the site and site system roles. When Prerequisite Checker finds a problem, click an item on the list for details about how to resolve the problem. Resolve all items in the list that have an Error status before you continue Setup. After you resolve the issue, click Run Check to restart prerequisite checking. You can also open the ConfigMgrPrereq.log file in the root of the system drive to review the Prerequisite Checker results. The log file can contain additional information that is not displayed in the user interface. For a complete list of installation prerequisite rules and descriptions, see Technical Reference for the Prerequisite Checker in Configuration Manager. On the Upgrade page, Setup displays the overall progress status. When Setup completes the core site server and site system installation, you can close the wizard. Site configuration continues in the background. To upgrade a secondary site 1. Verify that the administrative user that runs Setup has the following security rights: Local Administrator rights on the secondary site computer Infrastructure Administrator or a Full Administrator security role on the parent primary site System administrator (SA) rights on the site database of the secondary site

2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. Select the secondary site that you want to upgrade, and then, on the Home tab, in the Site group, click Upgrade. 5. Click Yes to confirm the decision, and to start the upgrade of the secondary site. The secondary site upgrade progresses in the background. After the upgrade is completed, you can confirm the status in the Configuration Manager console. To confirm the status, select the secondary site server, and then on the Home tab, in the Site group, click Show
792

Install Status.

Perform Post-Upgrade Tasks on Configuration Manager Sites

After you upgrade a site to a new service pack, you might have to complete additional tasks to finish the upgrade or reconfigure the site. These tasks can include the upgrade of Configuration Manager clients or Configuration Manager consoles, re-enabling database replicas for management points, or restoring settings for Configuration Manager functionality that you use and that does not persist after the service pack upgrade. For more information about these tasks and settings, see the applicable sections in the Planning to Upgrade System Center 2012 Configuration Manager topic. For upgrades to Configuration Manager SP1: Configuration Manager SP1 Upgrade Checklist Considerations when Upgrading to Configuration Manager SP1 System Center 2012 R2 Configuration Manager Upgrade Checklist Considerations for Upgrading to System Center 2012 R2 Configuration Manager

For upgrades to System Center 2012 R2 Configuration Manager:

See Also
Configuring Sites and Hierarchies in Configuration Manager

Configure Sites and the Hierarchy in Configuration Manager

After you install a new System Center 2012 Configuration Manager site, upgrade a site to a new version, or expand a stand-alone primary site into a larger hierarchy, you might need to customize several features and configurations for use by your organization. Use this topic to help you configure settings that are used at individual sites and by the hierarchy. In most situations you will not need to configure the following options in any specific order. However, some options build upon each other, such as boundaries and boundary groups. Several of these configurations have default values you can use without configuration changes, at least temporarily. Others, such as boundary groups and distribution point groups, require you to configure them before you can use them. Plan to review these configurations over the lifecycle of your Configuration Manager deployment and to adjust them to meet changing business requirements or evolving network configurations. Use the information in the following sections of this topic to help you manage these configurations:
793

Site and Hierarchy Configuration Topics

Use the information in the following topics to help you configure core settings for a new site or hierarchy: Configuring Security for Configuration Manager Configuring Discovery in Configuration Manager Configuring Sites to Publish to Active Directory Domain Services Configuring Settings for Client Management in Configuration Manager Configuring Distribution Point Groups in Configuration Manager Configuring Boundaries and Boundary Groups in Configuration Manager Configuring Alerts in Configuration Manager Configuring Site Components in Configuration Manager

Site Upgrade
Use the information from the following topics and sections to identify configurations you might need to restore or reconfigure after you upgrade a site: For upgrade to System Center 2012 Configuration Manager SP1: Configuration Manager SP1 Upgrade Checklist section from the Planning to Upgrade System Center 2012 Configuration Manager topic. Considerations for Upgrading to Configuration Manager SP1 section from the Planning to Upgrade System Center 2012 Configuration Manager topic. System Center 2012 R2 Configuration Manager Upgrade Checklist section from the Planning to Upgrade System Center 2012 Configuration Manager topic. Considerations for Upgrading to System Center 2012 R2 Configuration Manager from the Planning to Upgrade System Center 2012 Configuration Manager topic.

For upgrade to System Center 2012 R2 Configuration Manager:

Site Expansion
Use the information from the following topics and sections to help you identify configurations and settings you might need to restore or reconfigure after you expand a stand-alone primary site: Considerations when Expanding a Stand-Alone Primary Site section from the Planning for Sites and Hierarchies in Configuration Manager topic.

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

794

Configuring Security for Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Use the information in this topic to help you configure the following security-related options: Configure Settings for Client PKI Certificates Configure Signing and Encryption Configure Role-Based Administration Manage Accounts that Are Used by Configuration Manager

Configure Settings for Client PKI Certificates

If you want to use public key infrastructure (PKI) certificates for client connections to site systems that use Internet Information Services (IIS), use the following procedure to configure settings for these certificates. To configure client PKI certificate settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Client Computer Communication tab. Note This tab is available on a primary site only. If you do not see the Client Computer Communication tab, check that you are not connected to a central administration site or a secondary site. 4. Click HTTPS only when you want clients that are assigned to the site to always use a client PKI certificate when they connect to site systems that use IIS. Or, click HTTPS or HTTP when you do not require clients to use PKI certificates. 5. If you selected HTTPS or HTTP, click Use client PKI certificate (client authentication capability) when available when you want to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is automatically selected if you select HTTPS only. Note When clients are detected to be on the Internet, or they are configured for
795

Internet-only client management, they always use a client PKI certificate. 6. Click Modify to configure your chosen client selection method for when more than one valid PKI client certificate is available on a client, and then click OK. Note For more information about the client certificate selection method, see Planning for PKI Client Certificate Selection. 7. Select or clear the check box for clients to check the Certificate Revocation list (CRL). Note For more information about CRL checking for clients, see Planning for PKI Certificate Revocation. 8. If you must specify trusted root certification authority (CA) certificates for clients, click Set, import the root CA certificate files, and then click OK. Note For more information about this setting, see Planning for the PKI Trusted Root Certificates. 9. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Signing and Encryption

Configure the most secure signing and encryption settings for site systems that all clients in the site can support. These settings are especially important when you let clients communicate with site systems by using self-signed certificates over HTTP. To configure signing and encryption for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Signing and Encryption tab. Note This tab is available on a primary site only. If you do not see the Signing and Encryption tab, check that you are not connected to a central administration site or a secondary site. 4. Configure the signing and encryption options that you want, and then click OK. Warning Do not select Require SHA-256 without first verifying that all clients that might be assigned to the site can support this hash algorithm, or they have a valid PKI
796

client authentication certificate. You might have to install updates or hotfixes on clients to support SHA-256. For example, computers that run Windows Server 2003 SP2 must install a hotfix that is referenced in the KB article 938397. If you select this option and clients cannot support SHA-256 and use self-signed certificates, Configuration Manager rejects them. In this scenario, the SMS_MP_CONTROL_MANAGER component logs the message ID 5443. 5. Click OK to close the Properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Role-Based Administration

Use the information in this section to help you configure role-based administration in Configuration Manager. Role-based administration combines security roles, security scopes, and assigned collections to define the administrative scope for each administrative user. An administrative scope includes the objects that an administrative user can view in the Configuration Manager console, and the tasks related to those objects that the administrative user has permission to perform. Role-based administration configurations are applied at each site in a hierarchy. The information in the following procedures can help you create and configure role-based administration and related security settings. Create Custom Security Roles Configure Security Roles Configure Security Scopes for an Object Configure Collections to Manage Security Create a New Administrative User Modify the Administrative Scope of an Administrative User Important Role-based administration uses security roles, security scopes, and collections. These combine to define an administrative scope for each administrative user. Your own administrative scope defines the objects and settings that you can assign when you configure role-based administration for another administrative user. For information about planning for role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Create Custom Security Roles

Configuration Manager provides several built-in security roles. If you require additional security roles, you can create a custom security role by creating a copy of an existing security role, and then modifying the copy. You might create a custom security role to grant administrative users the
797

additional security permissions they require that are not included in a currently assigned security role. By using a custom security role, you can grant them only the permissions they require, and avoid assigning a security role that grants more permissions than they require. Use the following procedure to create a new security role by using an existing security role as a template. To create custom security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. Use one of the following processes to create the new security role: To create a new custom security role, perform the following actions: i. ii. Select an existing security role to use as the source for the new security role. On the Home tab, in the Security Role group, click Copy. This creates a copy of the source security role.

iii. In the Copy Security Role wizard, specify a Name for the new custom security role. iv. In Security operation assignments, expand each Security Operations node to display the available actions. v. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. vi. After you configure the permissions, click OK to save the new security role. To import a security role that was exported from another System Center 2012 Configuration Manager hierarchy, perform the following actions: i. ii. On the Home tab, in the Create group, click Import Security Role. Specify the .xml file that contains the security role configuration that you want to import, and click Open to complete the procedure and save the security role. Note After you import a security role, you can edit the security role properties to change the object permissions that are associated with the security role.

798

Configure Security Roles

The groups of security permissions that are defined for a security role are called security operation assignments. Security operation assignments represent a combination of object types and actions that are available for each object type. You can modify which security operations are available for any custom security role, but you cannot modify the built-in security roles that Configuration Manager provides. Use the following procedure to modify the security operations for a security role. To modify security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Security Roles. 3. Select the custom security role that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Permissions tab. 6. In Security operation assignments, expand each Security Operations node to display the available actions. 7. To change the setting for a security operation, click the down arrow in the Value column, and then select either Yes or No. Caution When you configure a custom security role, ensure not to grant permissions that are not required by administrative users that are associated with the new security role. For example, the Modify value for the Security Roles security operation grants administrative users permission to edit any accessible security role, even if they are not associated with that security role. 8. When you have finished configuring security operation assignments, click OK to save the new security role.

Configure Security Scopes for an Object

You manage the association of a security scope for an object from the object and not from the security scope. The only direct configurations that security scopes support are changes to its name and description. To change the name and description of a security scope when you view the security scope properties, you must have the Modify permission for the Security Scopes securable object. When you create a new object in Configuration Manager, the new object is associated with each security scope that is associated with the security roles of the account that is used to create the object when those security roles provide the Create permission, or Set Security Scope permission. Only after the object is created, can you change the security scopes it is associated with.

799

For example, you are assigned a security role that grants you permission to create a new boundary group. When you create a new boundary group, you have no option to which you can assign specific security scopes. Instead, the security scopes available from the security roles you are associated with are automatically assigned to the new boundary group. After you save the new boundary group, you can edit the security scopes associated with the new boundary group. Use the following procedure to configure the security scopes assigned to an object. To configure security scopes for an object 1. In the Configuration Manager console, select an object that supports assignment to a security scope. 2. On the Home tab, in the Classify group, click Set Security Scopes. 3. In the Set Security Scopes dialog box, select or clear the security scopes that this object is associated with. Each object that supports security scopes must be assigned to at least one security scope. 4. Click OK to save the assigned security scopes. Note When you create a new object, you can assign the object to multiple security scopes. To modify the number of security scopes associated with the object, you must change this assignment after the object is created.

Configure Collections to Manage Security

There are no procedures to configure collections for role-based administration. Collections do not have a role-based administration configuration; instead, you assign collections to an administrative user when you configure the administrative user. The collection security operations that are enabled in the users assigned security roles determine the permissions an administrative user has for collections and collection resources (collection members). When an administrative user has permissions to a collection, they also have permissions to collections that are limited to that collection. For example, your organization uses a collection named All Desktops, and there exist a collection named All North America Desktops that is limited to the All Desktops collection. If an administrative user has permissions to All Desktops, they also have those same permissions to the All North America Desktops collection. In addition, an administrative user cannot use the Delete or Modify permission on collection that is directly assigned to them, but can use these permissions on the collections that are limited to that collection. Using the previous example, the administrative user can delete or modify the All North America Desktops collection, but cannot delete or modify the All Desktops collection.

Create a New Administrative User

To grant individuals or members of a security group access to manage Configuration Manager, create an administrative user in Configuration Manager and specify the Windows account of the User or User Group. Each administrative user in Configuration Manager must be assigned at
800

least one security role and one security scope. You can also assign collections to limit the administrative scope of the administrative user. Use the following procedures to create new administrative users. To create a new administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. On the Home tab, in the Create group, click Add User or Group. 4. Click Browse and then select the user account or group to use for this new administrative user. Note For console-based administration, only domain users or security groups can be specified as an administrative user. 5. For Associated security roles, click Add to open a list of the available security roles, select the check box for one or more security roles, and then click OK. 6. Select one of the following two options to define the securable object behavior for the new user: All securable objects that are relevant to their associated security roles : This option associates the administrative user with the All security scope and the root level, built-in collections for All Systems, and All Users and User Groups. The security roles assigned to the user define access to objects. New objects that this administrative user creates are assigned to the Default security scope. Only securable objects in specified security scopes or collections: By default, this option associates the administrative user with the Default security scope and the All Systems and All Users and User Groups collections. However, the actual security scopes and collections are limited to those that are associated with the account that you used to create the new administrative user. This option supports the addition or removal of security scopes and collections to customize the administrative scope of the administrative user. Important The preceding options associate each assigned security scope and collection to each security role assigned to the administrative user. A third option, Only securable objects as determined by the security roles of the administrative user, can be used to associate individual security roles to specific security scopes and collections. This third option is available after you create the new administrative user, when you modify the administrative user. 7. Depending on your selection in step 6, take the following action: If you selected All securable objects that are relevant to their associated security roles, click OK to complete this procedure. If you selected Only securable objects in specified security scopes or
801

collections, you can click Add to select additional collections and security scopes, or select one or more objects in the list, and then click Remove to remove them. Click OK to complete this procedure.

Modify the Administrative Scope of an Administrative User

You can modify the administrative scope of an administrative user by adding or removing security roles, security scopes, and collections that are associated with the user. Each administrative user must be associated with at least one security role and one security scope. You might have to assign one or more collections to the administrative scope of the user. Most security roles interact with collections and do not function correctly without an assigned collection. When you modify an administrative user, you can change the behavior for how securable objects are associated with the assigned security roles. The three behaviors that you can select are as follows: All securable objects that are relevant to their associated security roles: This option associates the administrative user with the All scope and the root level built-in collections for All Systems, and All Users and User Groups. The security roles that are assigned to the user define access to objects. Only securable objects in specified security scopes or collections: This option associates the administrative user to the same security scopes and collections that are associated to the account you use to configure the administrative user. This option supports the addition or removal of security roles and collections to customize the administrative scope of the administrative user. Only securable objects as determined by the security roles of the administrative user : This option lets you create specific associations between individual security roles and specific security scopes and collections for the user. Note This option is available only when you modify the properties of an administrative user. The current configuration for the securable object behavior changes the process that you use to assign additional security roles. Use the following procedures that are based on the different options for securable objects to help you manage an administrative user. Use the following procedure to view and manage the configuration for securable objects for an administrative user: To view and manage the securable object behavior for an administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to view the current configuration for securable objects for
802

this administrative user. 6. To modify the securable object behavior, select a new option for securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. 7. Click OK to complete the procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to All securable objects that are relevant to their associated security roles : Option: All securable objects that are relevant to their associated security roles 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for All securable objects that are relevant to their associated security roles . 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the securable object behavior, click the Security Scopes tab and select a new option for the securable object behavior. After you change this configuration, reference the appropriate procedure for further guidance to configure security scopes and collections, and security roles for this administrative user. Note When the securable object behavior is set to All securable objects that are relevant to their associated security roles, you cannot add or remove specific security scopes and collections. 8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects in specified security scopes or collections. Option: Only securable objects in specified security scopes or collections 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify.
803

4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this user, click Add, select the check box for each additional security role that you want to assign, and then click OK. To remove security roles, select one or more security roles from the list, and then click Remove.

7. To modify the security scopes and collections associated with security roles, click the Security Scopes tab. To associate new security scopes or collections with all security roles that are assigned to this administrative user, click Add and select one of the four options. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. To remove a security scope or collection, select the object, and then click Remove.

8. Click OK to complete this procedure. Use the following procedure to modify an administrative user that has the securable object behavior set to Only securable objects as determined by the security roles of the administrative user. Option: Only securable objects as determined by the security roles of the administrative user 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Administrative Users. 3. Select the administrative user that you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. Click the Security Scopes tab to confirm that the administrative user is configured for Only securable objects in specified security scopes or collections. 6. To modify the assigned security roles, click the Security Roles tab. To assign additional security roles to this administrative user, click Add. On the Add Security Role dialog box, select one or more available security roles, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least one security scope before the selected security roles can be assigned to the administrative user. When you select multiple security roles, each security scope and collection that you configure is associated with each of the selected security roles. To remove security roles, select one or more security roles from the list, and then
804

click Remove. 7. To modify the security scopes and collections associated with a specific security role, click the Security Scopes tab, select the security role, and then click Edit. To associate new objects with this security role, click Add, and select an object type to associate with the selected security roles. If you select Security Scope or Collection, select the check box for one or more objects to complete that selection, and then click OK. Note You must configure at least a one security scope. To remove a security scope or collection that is associated with this security role, select the object, and then click Remove. When you have finished modifying the associated objects, click OK.

8. Click OK to complete this procedure. Caution When a security role grants administrative users the collection deployment permission, those administrative users can distribute objects from any security scope for which they have object read permissions, even if that security scope is associated with a different security role.

Manage Accounts that Are Used by Configuration Manager

Configuration Manager supports Windows accounts for many different tasks and uses. Use the following procedure to view which accounts are configured for different tasks, and to manage the password that Configuration Manager uses for each account. To manage accounts that are used by Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Security, and then click Accounts to view the accounts that are configured for Configuration Manager. 3. To change the password for an account that is configured for Configuration Manager, select the account. 4. On the Home tab, in the Properties group, click Properties. 5. Click Set to open the Windows User Account dialog box and specify the new password for Configuration Manager to use for the account. Note The password that you specify must match the password that is specified for the account in Active Directory Users and Computers. 6. Click OK to complete the procedure.
805

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Discovery in Configuration Manager

Discovery identifies computer and user resources that you can manage by using Configuration Manager, and it also discovers network infrastructure in your environment. Use the information in the following sections to help you configure discovery in System Center 2012 Configuration Manager. How to Enable a Discovery Method Configure Heartbeat Discovery Configure Active Directory Discovery for Computers, Users, or Groups Configure Active Directory Forest Discovery Configure Network Discovery About Configuring Network Discovery How to Configure Network Discovery How to Verify that Network Discovery Has Finished

How to Enable a Discovery Method

With the exception of the Heartbeat Discovery method, you must enable all configurable discovery methods in Configuration Manager before they can discover resources on a network. You can also disable each method by using the same procedure you use to enable it. In addition to enabling a discovery method, you might have to configure it to successfully discover resources in your environment. Note Heartbeat Discovery is enabled when you install a Configuration Manager primary site and does not have to be enabled. Keep Heartbeat Discovery enabled as this method ensures that the discovery data records (DDRs) for devices are up-to-date. For more information about Heartbeat discovery, see About Heartbeat Discovery. To enable a discovery method 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Discovery Methods. 3. Select the discovery method for the site where you want to enable discovery. 4. On the Home tab, in the Properties group, click Properties, and then on the General
806

tab, select the Enable <discovery method> check box. Note If this check box is already selected, you can disable the discovery method by clearing the check box. 5. Click OK to save the configuration.

Configure Active Directory Discovery for Computers, Users, or Groups

Use the information in the following sections to configure discovery of computers, users, or groups, by using one of the following discovery methods: Active Directory System Discovery Active Directory User Discovery Active Directory Group Discovery Note The information in this section does not apply to Active Directory Forest Discovery. While each of these discovery methods is independent of the others, they share similar options. For more information about these configuration options, see About Active Directory Discovery for Systems, Users, and Groups. Warning The Active Directory polling by each of these discovery methods can generate significant network traffic. Consider scheduling each discovery method to run at a time when this network traffic does not adversely affect business uses of your network. Use the following procedures to configure each discovery method. To configure Active Directory System Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and then return to enable discovery later. 6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations: a. Specify one or more locations to search. b. For each location, specify options that modify the search behavior. c. For each location, specify the account to use as the Active Directory Discovery
807

Account. Tip For each location that you specify, you can configure a set of discovery options and a unique Active Directory Discovery Account. d. Click OK to save the Active Directory container configuration. 7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed. 9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery. 10. When you are have finished configuring Active Directory System Discovery for this site, click OK to save the configuration. To configure Active Directory User Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory User Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Click the New icon to specify a new Active Directory container, and in the Active Directory Container dialog box, complete the following configurations: a. Specify one or more locations to search. b. For each location, specify options that modify the search behavior. c. For each location, specify the account to use as the Active Directory Discovery Account. Note For each location that you specify, you can configure a unique set of discovery options and a unique Active Directory Discovery Account. d. Click OK to save the Active Directory container configuration. 7. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 8. Optionally, on the Active Directory Attributes tab, you can configure additional Active Directory attributes for computers that you want to discover. The default object attributes are also listed. 9. When you are have finished configuring Active Directory User Discovery for this site, click
808

OK to save the configuration. To configure Active Directory Group Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory Group Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Click Add to configure a discovery scope, select either Groups or Location, and complete the following configurations in the Add Groups, or Add Active Directory Location dialog box: a. Specify a Name for this discovery scope. b. Specify an Active Directory Domain or Location to search: If you selected Groups, specify one or more Active Directory groups to be discovered. If you selected Location, specify an Active Directory container as a location to be discovered. You can also enable a recursive search of Active Directory child containers for this location.

c.

Specify the Active Directory Group Discovery Account that is used to search this discovery scope.

d. Click OK to save the discovery scope configuration. 7. Repeat step 6 for each additional discovery scope that you want to define. 8. On the Polling Schedule tab, configure both the full discovery polling schedule and delta discovery. 9. Optionally, on the Option tab, you can configure options to filter out, or exclude, stale computer records from discovery, and to discover the membership of distribution groups. Note By default, Active Directory Group Discovery discovers only the membership of security groups. 10. When you have finished configuring Active Directory Group Discovery for this site, click OK to save the configuration.

Configure Active Directory Forest Discovery

To complete the configuration of Active Directory Forest Discovery, you must configure settings in two locations:

809

In the Discovery Methods node, you can enable this discovery method, set a polling schedule, and select whether discovery automatically creates boundaries for the Active Directory sites and subnets that it discovers. In the Active Directory Forests node, you can add forests that you want to discover, enable discovery of Active Directory sites and subnets in that forest, configure settings that enable Configuration Manager sites to publish their site information to the forest, and assign an account to use as the Active Directory Forest Account for each forest.

Use the following procedures to enable Active Directory Forest discovery, and to configure individual forests for use with Active Directory Forest Discovery. To enable Active Directory Forest Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select the Active Directory Forest Discovery method for the site where you want to configure discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the check box to enable discovery, or you can configure discovery now, and return to enable discovery later. 6. Specify options to create site boundaries for discovered locations. 7. Specify a schedule for when discovery runs. 8. When you complete the configuration of Active Directory Forest Discovery for this site, click OK to save the configuration. To configure a forest for Active Directory Forest Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added. To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3. To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.

3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account. Note Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account.
810

4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest. Note If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest. 5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration.

Configure Heartbeat Discovery

By default, Heartbeat Discovery is enabled when you install a Configuration Manager primary site. As a result, you only have to configure the schedule for how often clients send the Heartbeat Discovery data record (DDRs) to a management point. Although Heartbeat Discovery is enabled by default, if it is disabled, you can re-enable it like any other discovery method. For more information, see How to Enable a Discovery Method. Note If both client push installation and the site maintenance task for Clear Install Flag are enabled at the same site, set the schedule of Heartbeat Discovery to be less than the Client Rediscovery period of the Clear Install Flag site maintenance task. For more information about site maintenance tasks, see Configure Maintenance Tasks for Configuration Manager Sites. To configure the Heartbeat Discovery schedule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Heartbeat Discovery for the site where you want to configure Heartbeat Discovery. 4. On the Home tab, in the Properties group, click Properties. 5. Configure the frequency with which clients submit a Heartbeat discovery data records (DDRs), and then click OK to save the configuration.

Configure Network Discovery

Use the information in the following sections to help you configure Network Discovery.

About Configuring Network Discovery

Before you configure Network Discovery, you must understand the following:
811

Available levels of Network Discovery Available Network Discovery options Limiting Network Discovery on the network

For more information, see the section About Network Discovery in the Planning for Discovery in Configuration Manager topic. The following sections provide information about common configurations for Network Discovery. You can configure one or more of these configurations for use during the same discovery run. If you use multiple configurations, you must plan for the interactions that can affect the discovery results. For example, you might want to discover all SNMP devices that use a specific SNMP Community name. Additionally, for the same discovery run, you might disable discovery on a specific subnet. When discovery runs, Network Discovery does not discover the SNMP devices with the specified community name on the subnet that you have disabled.

Determine your Network Topology

You can use a topology-only discovery to map your network. This kind of discovery does not discover potential clients. The topology-only Network Discovery relies on SNMP. When mapping your network topology, you must configure the Maximum hops on the SNMP tab in the Network Discovery Properties dialog box. Just a few hops can help control the network bandwidth that is used when discovery runs. As you discover more of your network, you can increase the number of hops to gain a better understanding of your network topology. After you understand your network topology, you can configure additional properties for Network Discovery to discover potential clients and their operating systems while you are using available configurations to limit the network segments that Network Discovery can search.

Limit Searches by Using Subnets

You can configure Network Discovery to search specific subnets during a discovery run. By default, Network Discovery searches the subnet of the server that runs discovery. Any additional subnets that you configure and enable apply only to Simple Network Management Protocol (SNMP) and Dynamic Host Configuration Protocol (DHCP) search options. When Network Discovery searches domains, it is not limited by configurations for subnets. If you specify one or more subnets on the Subnets tab in the Network Discovery Properties dialog box, only the subnets that are marked as Enabled are searched. When you disable a subnet, it is excluded from discovery, and the following conditions apply: SNMP-based queries do not run on the subnet DHCP servers do not reply with a list of resources located on the subnet Domain-based queries can discover resources that are located on the subnet

812

Search a Specific Domain

You can configure Network Discovery to search a specific domain or set of domains during a discovery run. By default, Network Discovery searches the local domain of the server that runs discovery. If you specify one or more domains on the Domains tab in the Network Discovery Properties dialog box, only the domains that are marked as Enabled are searched. When you disable a domain, it is excluded from discovery, and the following conditions apply: Network Discovery does not query domain controllers in that domain SNMP-based queries can still run on subnets in the domain DHCP servers can still reply with a list of resources located in the domain

Limit Searches by Using SNMP Community Names

You configure Network Discovery to search a specific SNMP community or set of communities during a discovery run. By default, the community name of public is configured for use. Network Discovery uses community names to gain access to routers that are SNMP devices. A router can supply Network Discovery with information about other routers and subnets that are linked to the first router. Note SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for which you have specified a community name. Each SNMP device can have its own community name, but often the same community name is shared among several devices. Additionally, most SNMP devices have a default community name of public. However, some organizations delete the public community name from their devices as a security precaution. If multiple SNMP communities are displayed on the SNMP tab in the Network Discovery Properties dialog box, Network Discovery searches them in the order in which they are displayed. To help minimize network traffic that is generated by attempts to contact a device by using different names, ensure that the most frequently used names are at the top of the list. Note In addition to using the SNMP Community name, you can specify the IP address or resolvable name of a specific SNMP device. You configure the IP address or resolvable name for a specific device on SNMP Devices tab in the Network Discovery Properties dialog box.

Search a Specific DHCP Server

You can configure Network Discovery to use a specific DHCP server or multiple servers to discover DHCP clients during a discovery run. Network Discovery searches each DHCP server that you specify on the DHCP tab in the Network Discovery Properties dialog box. If the server that is running discovery leases its IP
813

address from a DHCP server, you can configure discovery to search that DHCP server by selecting the Include the DHCP server that the site server is configured to use check box. Note To successfully configure a DHCP server in Network Discovery, your environment must support IPv4. You cannot configure Network Discovery to use a DHCP server in a native IPv6 environment.

How to Configure Network Discovery

Use the following procedures to first discover only your network topology, and then to configure Network Discovery to discover potential clients by using one or more of the available Network Discovery options. To determine your network topology 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Network Discovery for the site where you want to run Network Discovery. 4. On the Home tab, in the Properties group, click Properties. On the General tab, select the Enable network discovery check box, and then select Topology from the Type of discovery options. On the Subnets tab, select the Search local subnets check box.

Tip If you know the specific subnets that constitute your network, you can clear the Search local subnets check box and use the New icon to add the specific subnets that you want to search. For large networks, it is often best to search only one or two subnets at a time to minimize the use of network bandwidth. On the Domains tab, select the Search local domain check box. On the SNMP tab, use the Maximum hops drop-down list to specify how many router hops Network Discovery can take in mapping your topology. Tip When you first map your network topology, configure just a few router hops to minimize the use of network bandwidth. 5. On the Schedule tab, click the New icon Discovery. to set a schedule for running Network

Note You cannot assign a different discovery configuration to separate Network Discovery schedules. Each time Network Discovery runs, it uses the current discovery configuration.
814

6. Click OK to accept the configurations. Network Discovery runs at the scheduled time. To configure Network Discovery 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and then click Discovery Methods. 3. Select Network Discovery for the site where you want to run Network Discovery. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, select the Enable network discovery check box, and then select the type of discovery that you want to run from the Type of discovery options. 6. To configure discovery to search subnets, click the Subnets tab, and on the Subnets tab, configure one or more of the following options: i. To run discovery on subnets that are local to the computer that runs discovery, select the Search local subnets check box. To search a specific subnet, the subnet must be listed in Subnets to search, and have a Search value of Enabled:

If the subnet is not listed, click the New icon . In the New Subnet Assignment dialog box, enter the Subnet and Mask information, and then click OK. By default, a new subnet is enabled for search. ii. To change the Search value for a listed subnet, select the subnet, and then click the Toggle icon to toggle the value between Disabled and Enabled.

7. To configure discovery to search domains, click the Domains tab, and on the Domains tab, configure one or more of the following options: i. To run discovery on the domain of the computer that runs discovery, select the Search local domain check box. To search a specific domain, the domain must be listed in Domains and have a Search value of Enabled:

If the domain is not listed, click the New icon , and in the Domain Properties dialog box, enter the Domain information, and then click OK. By default, a new domain is enabled for search. ii. To change the Search value for a listed domain, select the domain, and then click the Toggle icon to toggle the value between Disabled and Enabled.

8. To configure discovery to search specific SNMP community names for SNMP devices, click the SNMP tab, and on the SNMP tab, configure one or more of the following options: To add an SNMP community name to the list of SNMP Community names, click the New icon , and in the New SNMP Community Name dialog box, specify the Name of the SNMP community, and then click OK. To remove an SNMP community name, select the community name, and then click the Delete icon . To adjust the search order of SNMP community names, select a community name, and then click the Move Item Up icon , or the Move Item Down icon . When discovery runs,
815

community names are searched in a top-to-bottom order. Note Network Discovery uses SNMP community names to gain access to routers that are SNMP devices. A router can inform Network Discovery about other routers and subnets linked to the first router. SNMP community names resemble passwords. Network Discovery can get information only from an SNMP device for which you have specified a community name. Each SNMP device can have its own community name, but often the same community name is shared among several devices Most SNMP devices have a default community name of Public which can be used if you do not know any other community names. However, some organizations delete the Public community name from their devices as a security precaution.

9. To configure the maximum number of router hops for use by SNMP searches, click the SNMP tab, and on the SNMP tab, select the number of hops from the Maximum hops drop-down list. 10. To configure SNMP Devices, click the SNMP Devices tab, and on the SNMP tab, if the device is not listed, click the New icon . In the New SNMP Device dialog box, specify the IP address or device name of the SNMP device, and then click OK. Note If you specify a device name, Configuration Manager must be able to resolve the NetBIOS name to an IP address. 11. To configure discovery to query specific DHCP servers for DHCP clients, click the DHCP tab, and on the DHCP tab, configure one or more of the following options: To query the DHCP server on the computer that is running discovery, select the Always use the site servers DHCP server check box. Note To use this option, the server must lease its IP address from a DHCP server and cannot use a static IP address. To query a specific DHCP server, click the New icon , and in the New DHCP Server dialog box, specify the IP address or server name of the DHCP server, and then click OK. Note If you specify a server name, Configuration Manager must be able to resolve the NetBIOS name to an IP address. 12. To configure when discovery runs, click the Schedule tab, and on the Schedule tab, click the New icon to set a schedule for running Network Discovery. You can configure multiple schedules for Network Discovery that include multiple recurring schedules and multiple schedules that have no recurrence.

816

Note If multiple schedules are displayed on the Schedule tab at the same time, all schedules result in a run of Network Discovery as it is configured at the time indicated in the schedule. This is also true for recurring schedules. 13. Click OK to save your configurations.

How to Verify that Network Discovery Has Finished

The time that Network Discovery requires to complete can vary depending on a variety of factors. These factors can include one or more of the following: The size of your network The topology of your network The maximum number of hops that are configured to find routers in the network The type of discovery that is being run

Because Network Discovery does not create messages to alert you when discovery has finished, you can use the following procedure to verify when discovery has finished. To verify that Network Discovery has finished 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Status Message Queries. 3. Select All Status Messages. 4. On the Home tab, in the Status Message Queries group, click Show Messages. 5. Select the Select date and time drop-down list and select a value that includes how long ago the discovery started, and then click OK to open the Configuration Manager Status Message Viewer. Tip You can also use the Specify date and time option to select a given date and time that you ran discovery. This option is useful when you ran Network Discovery on a given date and want to retrieve messages from only that date. 6. To validate that Network Discovery has finished, search for a status message that has the following details: Message ID: 502 Component: SMS_NETWORK_DISCOVERY Description: This component stopped

If this status message is not present, Network Discovery has not finished. 7. To validate when Network Discovery started, search for a status message that has the following details: Message ID: 500
817

Component: SMS_NETWORK_DISCOVERY Description: This component started

This information verifies that Network Discovery started. If this information is not present, reschedule Network Discovery.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Sites to Publish to Active Directory Domain Services

Before Configuration Manager can publish site data to Active Directory Domain Services, the Active Directory schema must be extended to create the necessary classes and attributes, the System Management container must be created, and the primary site servers computer account must be granted full control of the System Management container and all of its child objects. Each site publishes its own site-specific information to the System Management container within its domain partition in the Active Directory schema. For information about extending the Active Directory schema, see the Prepare Active Directory for Configuration Manager section in the Prepare the Windows Environment for Configuration Manager topic.

Use the following procedures to configure an Active Directory forest for publishing, and to configure a site to publish to an Active Directory forest that is enabled for publishing. To configure Active Directory forests for publishing: 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Active Directory Forests. If Active Directory Forest Discovery has previously run, you see each discovered forest in the results pane. The local forest and any trusted forests are discovered when Active Directory Forest Discovery runs. Only untrusted forests must be manually added. To configure a previously discovered forest, select the forest in the results pane, and then on the Home tab, in the Properties group, click Properties to open the forest properties. Continue with step 3. To configure a new forest that is not listed, on the Home tab, in the Create group, click Add Forest to open the Add Forests dialog box. Continue with step 3.

3. On the General tab, complete configurations for the forest that you want to discover and specify the Active Directory Forest Account. Note
818

Active Directory Forest Discovery requires a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account. 4. If you plan to allow sites to publish site data to this forest, on the Publishing tab, complete configurations for publishing to this forest. Note If you enable sites to publish to a forest, you must extend the Active Directory schema of that forest for Configuration Manager, and the Active Directory Forest Account must have Full Control permissions to the System container in that forest. 5. When you complete the configuration of this forest for use with Active Directory Forest Discovery, click OK to save the configuration. To enable a Configuration Manager site to publish site information to Active Directory forest: 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Sites. Select the site that you want to configure to have publish its site data, and then on the Home tab, in the Properties group, click Properties. 3. On the Publishing tab of the sites properties, select the forests to which this site will publish site data. 4. Click Ok to save the configuration.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Settings for Client Management in Configuration Manager

Use the following sections in this topic to help you configure client management settings in System Center 2012 Configuration Manager. Configure Client Settings for Configuration Manager Configure Settings for Client Approval and Conflicting Client Records Configure a Fallback Site for Automatic Site Assignment Configure Client Communication Port Numbers Configure Custom Websites Configure Wake on LAN Configure Maintenance Windows
819

Configure Client Settings for Configuration Manager

Note The information in this section also appears in How to Configure Client Settings in Configuration Manager. You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy. If you want to apply different settings to just some users or devices, create custom settings and assign these to collections. Use one of the following procedures to configure client settings:

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy. To configure the default client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select Default Client Settings. 3. On the Home tab, click Properties. 4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager. 5. Click OK to close the Default Client Settings dialog box.

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings. Note Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings. To configure and assign custom client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. On the Home tab, in the Create group, click Create Custom Client Settings, and then
820

click one of the following options depending on whether you want to create custom client settings for devices or for users: Create Custom Client Device Settings Create Custom Client User Settings

4. In the Create Custom Client Device Settings or Create Custom Client User Settings dialog box, specify a unique name for the custom settings, and an optional description. 5. Select one or more of the available check boxes that display a group of settings. 6. Click the first group settings from the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining group settings. For information about each client setting, see About Client Settings in Configuration Manager. 7. Click OK to close the Create Custom Client Device Settings or Create Custom Client User Settings dialog box. 8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy. 9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the assigned collection if you click the Assignments tab in the details pane. 10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, in the Home tab, in the Client Settings group, click Move Item Up or Move Item Down.

Configure Settings for Client Approval and Conflicting Client Records

Specify settings for client approval and conflicting client records to help Configuration Manager securely identify clients. These settings apply to the hierarchy for all clients. Configure approval for when clients do not use a PKI certificate for client authentication. Configure settings for conflicting records for when Configuration Manager detects duplicate hardware IDs and cannot resolve the conflict. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console. To configure hierarchy settings for client approval and conflicting client records
821

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab. 4. Configure options that you require for all clients in the hierarchy, and then click OK to close the properties dialog box. To manually approve clients, see Managing Clients from the Devices Node. To resolve conflicting records, see Manage Conflicting Records for Configuration Manager Clients.

Configure a Fallback Site for Automatic Site Assignment

You can specify a hierarchy-wide fallback site for automatic site assignment. The fallback site is assigned to a new client that is configured to automatically discover its site when that client is on a network boundary that is not associated with any boundary group configured for site assignment. To configure a fallback site for automatic site assignment 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and select Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. On the General tab, select the checkbox for Use a fallback site, and then select a site from the Fallback site drop-down list. 5. Click OK to save the configuration.

Configure Client Communication Port Numbers

The information in this section also appears in How to Configure Client Communication Port Numbers in Configuration Manager You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. For Configuration Manager SP1 only, you can also specify a client notification port if you do not want to use HTTP or HTTPS. Although HTTP or HTTPS is more likely to be already configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on the management point computer than if you use a custom port number. For all versions of Configuration Manager, you can also specify the site port number to use if you wake up clients by using traditional wake-up packets.

822

When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port. You can specify settings for HTTP and HTTPS data communication. The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail. Important Do not change the port numbers in Configuration Manager without understanding the consequences. Examples: If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged. Before you configure a nondefault port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about how to configure the request ports for clients on computers that run Linux and UNIX, see Configure Request Ports for the Client for Linux and UNIX. When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods: Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically configures clients with the current site port configuration. For more information about how to use the Client Push Installation Wizard, see How to Install Configuration Manager Clients by Using Client Push. Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see How to Install Configuration Manager Clients by Using Client Push.
823

Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration Manager client installation properties. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder. Important For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT. After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site. To configure the client communication port numbers for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. In the Home tab, click Properties, and then click the Ports tab. 4. Select any of the items and click the Properties icon to display the Port Detail dialog box. 5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK. 6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS. 7. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

Configure Custom Websites

Before you configure Configuration Manager to use a custom website, review the planning information in Planning for Custom Websites with Configuration Manager. Most Configuration Manager site system roles automatically configure to use a custom website, however the following site system roles require you to manually configure the custom website. Application Catalog web service point Application Catalog website point Enrollment point Enrollment proxy point

For these sites system roles, you must specify the custom website during the site system role installation. If any of these site system roles are already installed when you enable custom
824

websites for the site, uninstall these site system roles, and then reinstall them. When you reinstall these site system roles, specify the custom website name of SMSWEB, and configure the port numbers. Use the following procedures to enable custom websites at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers.at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers.

How to Configure a Configuration Manager Site to Use a Custom Website

When you enable the site option to use a custom website, all client communications for that primary site and its secondary sites are directed to use a custom website named SMSWEB on each site system server instead of the IIS default website. Use the following procedures to enable custom websites at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers. Note Before you use this procedure, make sure that you have manually created the custom website named SMSWEB in IIS. When you enable the Configuration Manager option to use custom websites, Configuration Manager does not create the website in IIS. If the custom website is not already created, this procedure will fail. For more information, see How to Create the Custom Website in Internet Information Services (IIS). To configure a Configuration Manager site to use a custom website 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that will use custom websites. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the site, select the Ports tab. 6. Select the checkbox for Use custom web site and then click OK to close the custom website warning. 7. Click OK to save the configuration. To verify the custom website If the Active Directory schema has been extended for Configuration Manager and the site is publishing site information, you can review the sitecomp.log to verify that the site component manager successfully updated the site information published to Active Directory Domain Services. Review the custom website in the Internet Information Services Manager console.
825

Verify that the custom website is running and that the virtual directories for the site system roles have been created. If the site system roles were already installed, review the site system role setup logs to verify that they successfully uninstalled and reinstalled with the new settings. For example, if you are configuring a custom website for a site system server that hosts the management point role, review the mpsetup.log.

Configure Wake on LAN

Specify Wake on LAN settings when you want to bring computers out of a sleep state to install required software, such as software updates, applications, task sequences, and programs. If you have System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configuration Manager, you can supplement Wake on LAN by using the wake-up proxy client settings. However, to use wake-up proxy, you must first enable Wake on LAN for the site and specify Use wake-up packets only and the Unicast option for the Wake on LAN transmission method. This wake-up solution also supports ad-hoc connections, such as a remote desktop connection. Use the first procedure to configure a primary site for Wake on LAN. Then, to use wake-up proxy for System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configuration Manager, use the second procedure to configure the wake-up proxy client settings. This second procedure configures the default client settings for the wake-up proxy settings to apply to all computers in the hierarchy. If you want these settings to apply to only selected computers, create a custom device setting and assign it to a collection that contains the computers that you want to configure for wake-up proxy. For more information about how to create custom client settings, see How to Configure Client Settings in Configuration Manager Caution To avoid unexpected disruption to your network services, first evaluate wake-up proxy on an isolated and representative network infrastructure. Then use custom client settings to expand your test to a selected group of computers on several subnets. For more information about how wake-up proxy works, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic. To configure Wake on LAN for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure. 3. On the Home tab, in the Properties group, click Properties, and then click the Wake on LAN tab. 4. Configure options that you require for this site, and then click OK to close the properties dialog box for the site. To support wake-up proxy in Configuration Manager SP1 and System Center 2012 R2
826

Configuration Manager, make sure that you select Use wake-up packets only and Unicast. Note For more information about the options, see the Planning How to Wake Up Clients section in Planning for Client Communication in Configuration Manager. Repeat this procedure for all primary sites in the hierarchy. To configure wake-up proxy client settings 1. In the Configuration Manager console, click Administration. 2. In the Administrative workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties, 5. Select Power Management and then configure the following option: Enable wake-up proxy: Yes 6. Review and if necessary, configure the other wake-up proxy settings. For more information about these settings, see the Power Management section in the About Client Settings in Configuration Manager topic. Important Although there is a client setting to configure Windows Firewall for the wake-up proxy ports, System Center 2012 Configuration Manager SP1 does not configure Windows Firewall to allow the inbound ICMP ping commands that are required for wake-up proxy. Unless you are running System Center 2012 R2 Configuration Manager, you must manually configure Windows Firewall or your alternative host-based firewall to allow this communication. For more information about how to configure Windows Firewall for the inbound ICMP ping commands that are required for wake-up proxy, see the Wake-Up Proxy section in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic. 7. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box. You can use the following Wake On LAN reports to monitor the installation and configuration of wake-up proxy: Wake-Up Proxy Deployment State Summary Wake-Up Proxy Deployment State Details Tip To test whether wake-up proxy is working, test a connection to a sleeping computer. For example, connect to a shared folder on that computer, or trying connecting to the computer by using Remote Desktop. If you use DirectAccess, check that the IPv6 prefixes work by trying the same tests for a sleeping computer that is currently on the
827

Internet.

Configure Maintenance Windows

Note The information in this section also appears in How to Manage Collections in Configuration Manager. Maintenance windows in Configuration Manager provide a means by which administrative users can define a time period when members of a device collection can be updated by various Configuration Manager operations. You can use maintenance windows to help ensure that client configuration changes occur during periods which will not affect the productivity of the organization. The following Configuration Manager operations support maintenance windows. Software deployments Software update deployments Compliance settings deployment Operating system deployments Task sequence deployments

Maintenance windows are configured for a collection with a start date, a start and finish time, and a recurrence pattern. Each maintenance window must have a duration of less than 24 hours. Computer restarts caused by a deployment are by default, not allowed outside of a maintenance window, but you can override this in the settings for each deployment. Maintenance windows affect only when the deployment program runs; applications configured to download and run locally can download content outside of the maintenance window. When a client computer is a member of a device collection that has a maintenance window configured, a deployment program will only run if the maximum allowed run time does not exceed the duration configured for the maintenance window. If the program fails to run, an alert will be generated and the deployment will be rerun during the next scheduled maintenance window that has time available.

Using Multiple Maintenance Windows

When a client computer is a member of multiple device collections that have configured maintenance windows, the following rules apply: If the maintenance windows do not overlap, they are treated as two independent maintenance windows. If the maintenance windows overlap, they are treated as a single maintenance window encompassing the time period covered by both maintenance windows. For example, if two maintenance windows, each an hour in duration overlap by 30 minutes, the effective duration of the maintenance window would be 90 minutes.

828

When a user initiates an application installation from Software Center, the application will be installed immediately, regardless of any configured maintenance. If an application deployment with a purpose of Required reaches its installation deadline during the nonbusiness hours configured by a user in Software Center and a maintenance window is not available, the installation will wait until the next time a maintenance window is available.

How to Configure Maintenance Windows in Configuration Manager

Use the following procedure to configure maintenance windows. To configure maintenance windows in Configuration Manager 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure a maintenance window. 4. In the Home tab, in the Properties group, click Properties. 5. In the Maintenance Windows tab of the <collection name> Properties dialog box, click the New icon. Note You cannot create maintenance windows for the All Systems collection. 6. In the <new> Schedule dialog box, specify a name, a schedule and a recurrence pattern for the maintenance window. 7. Click OK to close the <new> Schedule dialog box and create the new maintenance window. 8. Close the <collection name> Properties dialog box.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Distribution Point Groups in Configuration Manager

Note The information in this section also appears in Configuring Content Management in Configuration Manager. Distribution point groups provide a logical grouping of distribution points and collections for content distribution. A Distribution point group is not limited to distribution points from a single
829

site, and can contain one or more distribution points from any site in the hierarchy. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. When a new distribution point is added to a distribution point group, it receives all content that has been previously distributed to it. You can also associate collections to the distribution point group. When you distribute content, you can target a collection and the distribution points that are members of all distribution point groups with an association to the collection receive the content. Important After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content will be distributed to the new distribution point group. Use the following procedures to help you configure distribution point groups.

To create and configure a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups. 3. On the Home tab, in the Create group, click Create Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add, select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, click Add, select the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add distribution points and associate collections to an existing distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to modify members. 3. On the Home tab, in the Properties group, click Properties. 4. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 5. On the Members tab, click Add to select the distribution points that you want to add as members of the distribution point group, and then click OK. 6. Click OK to save changes to the distribution point group. To add selected distribution points to a new distribution point group
830

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points in which you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to New Distribution Point Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, verify that the distribution points listed should be added as members of the distribution point group. Click Add to modify the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add selected distribution points to existing distribution point groups 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points in which you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to Existing Distribution Point Groups. 4. In the Available distribution point groups, select the distribution point groups in which the selected distribution points will be added as members, and then click OK.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Boundaries and Boundary Groups in Configuration Manager

Boundaries represent network locations on the intranet where Configuration Manager clients are located. Boundary groups are logical groups of boundaries that provide clients access to resources. In System Center 2012 Configuration Manager, each boundary and boundary group you configure is available throughout the hierarchy. You do not configure them for individual sites. You configure a boundary for each intranet network location that you manage, and then add that boundary to one or more boundary groups. You can configure a boundary group to identify the site that new clients should join, based upon the clients network location. You can also configure the boundary group with to identify which content servers are available for use by a client, based upon the clients network location.

831

Use the procedures in the following sections to help you configure boundaries and boundary groups Create and Configure Boundaries for Configuration Manager Create and Configure Boundary Groups for Configuration Manager

Create and Configure Boundaries for Configuration Manager

When you configure boundaries in System Center 2012 Configuration Manager, they automatically receive a name that is based upon the type and scope of the boundary. You cannot modify this name. Instead, when you configure the boundary specify a description to help identify the boundary in the Configuration Manager console. After you create a boundary, you can modify its properties to do the following: Add the boundary to one or more boundary groups. Change the type or scope of the boundary. View the boundaries Site Systems tab to see which content servers (distribution points and state migration points) are associated with the boundary. Tip In addition to using the Create Boundary command to create a new boundary, you can configure Active Directory Forest Discovery to create boundaries for each IP Subnet and Active Directory Site it discovers. Use the following procedures to create and modify a boundary: To create a boundary 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundaries. 3. On the Home tab, in the Create group, click Create Boundary. 4. On the General tab of the Create Boundary dialog box you can specific a Description to identify the boundary by a friendly name or reference. 5. Select a Type for this boundary: If you select IP Subnet, you must specify a Subnet ID for this boundary. Tip You can specify the Network and Subnet mask to have the Subnet ID automatically specified. When you save the boundary, only the Subnet ID value is saved. If you select Active Directory site, you must specify or Browse to an Active Directory site in the local forest of the site server. Important
832

When you specify an Active Directory site for a boundary, the boundary includes each IP Subnet that is a member of that Active Directory site. If the configuration of the Active Directory site changes in Active Directory, the network locations included in this boundary also change. If you select IPv6 prefix, you must specify a Prefix in the IPv6 prefix format. If you select IP address range, you must specify a Starting IP address and Ending IP address that includes part of an IP Subnet or includes multiple IP Subnets.

6. Click OK to save the new boundary. To configure a boundary 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundaries. 3. Select the boundary you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary, select the General tab to edit the Description or Type for the boundary. You can also change the scope of a boundary by editing the network locations for the boundary. For example, for an Active Directory site boundary you can specify a new Active Directory site name. 6. Select the Site Systems tab to view the site systems that are associated with this boundary. You cannot change this configuration from the properties of a boundary. Tip For a site system server to be listed as a site system for a boundary, the site system server must be specified as a content location for at least one boundary group that includes this boundary. Content location is configured on the References tab of a boundary group. 7. Select the Boundary Groups tab to modify the boundary group membership for this boundary: To add this boundary to one or more boundary groups, click Add, select the check box for one or more boundary groups, and then click OK. To remove this boundary from a boundary group, select the boundary group and click Remove.

8. Click OK to close the boundary properties and save the configuration.

Create and Configure Boundary Groups for Configuration Manager

When you configure boundary groups, you add one or more boundaries to the boundary group, and then configure optional settings for use by clients located on those boundaries. The

833

configurations are for site assignment and content location for clients when they are on the intranet. Note Clients that are on the Internet or configured as Internet-only clients do not use boundaries and boundary groups. These clients cannot use automatic site assignment when they are on the Internet and will download content from any distribution point in their assigned site that allows client connections from the Internet.
Configuration Details

Site assignment

Site assignment is used by clients that use automatic site assignment to find an appropriate site to join, based on the clients current network location. After a client assigns to a site, the client will not change that site assignment. For example, if the client roams to a new network location that is represented by a boundary in a boundary group with a different site assignment, the clients assigned site will remain unchanged. When Active Directory System Discovery discovers a new resource, network information for the discovered resource is evaluated against the boundaries in boundary groups. This process associates the new resource with an assigned site for use by the client push installation method.

Content location

Content location is used by clients to identify available distribution points or state migration points, based upon the clients current network location

When you configure boundary groups for site assignment, ensure that each boundary in a boundary group is not a member of another boundary group with a different site assignment. Boundaries that are associated with more than one assigned site are called overlapping boundaries. Overlapping boundaries are not supported for site assignment. However, overlapping boundaries are supported for content location. Overlapping boundaries for site assignment can prevent clients from joining the site you expect. Overlapping boundaries for content location can provide clients access to content from multiple content sources.
834

Note To help avoid overlapping boundaries for site assignment, consider using of one set of boundary groups for site assignment, and a second set of boundary groups for content location. To create a boundary group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundary Groups. 3. On the Home tab, in the Create group, click Create Boundary Group. 4. In the Create Boundary Group dialog box, select the General tab and specify a Name for this boundary group. 5. Click OK to save the new boundary group. To configure a boundary group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Boundary Groups. 3. Select the boundary group you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary group, select the General tab to modify the boundaries that are members of this boundary group: To add boundaries, click Add, select the check box for one or more boundaries, and click OK. To remove boundaries, select the boundary and click Remove.

6. Select the References tab to modify the site assignment and content location configuration: To enable this boundary group for use by clients for site assignment, select the check box for Use this boundary group for site assignment , and then select a site from the Assigned site dropdown box. To configure content location settings for this boundary group:

a. Click Add, and then select the check box for one or more servers. The servers are added as content location servers for this boundary group. Only servers that have a distribution point or state migration point installed on them are available. Note You can select any combination of distribution points and state migration points from any site in the hierarchy. Selected site systems are listed on the Site Systems tab in the properties of each boundary that is a member of this boundary group. b. To remove a server as a content location from this boundary group, select the server
835

and then click Remove. Note To stop use of this boundary group for content location you must remove all servers listed as site system servers for content location. c. To change the network connection speed for a content location site system server for this boundary group, select the server and then click Change Connection. Note By default, the connection speed for each site system is Fast, but can be changed to Slow. The network connection speed and the configuration of a deployment determine whether a client can download content from the server. 7. Click OK to close the boundary group properties and save the configuration. To associate a content deployment server with a boundary group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Hierarchy, and click Boundary Groups. 3. Select the boundary group you want to modify. 4. On the Home tab, in the Properties group, click Properties. 5. In the Properties dialog box for the boundary group, select the References tab. 6. Under Content location click Add, select the check box for the site system servers you want to associate with this boundary group, and then click OK. Note Only site system servers that have installed a distribution point or state migration point are available. 7. Click OK to close the dialog box and save the boundary group configuration. To configure a fallback site for automatic site assignment 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and select Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. On the General tab, select the checkbox for Use a fallback site, and then select a site from the Fallback site drop-down list. 5. Click OK to save the configuration.

See Also
Configure Sites and the Hierarchy in Configuration Manager

836

Configuring Alerts in Configuration Manager

Alerts in System Center 2012 Configuration Manager are generated by some operations when a specific condition occurs. Typically, alerts are generated when an error occurs that you must resolve. Additionally, an alert might be generated to warn you that a condition exists so that you can continue to monitor the situation. You can configure alerts for some Configuration Manager operations, such as Endpoint Protection and client status, whereas some alerts are configured automatically. Additionally, you can configure subscriptions to alerts for client status and Endpoint Protection that will be emailed to you. Note In Configuration Manager with no service pack, you could only configure email subscriptions for Endpoint Protection alerts. Beginning with System Center 2012 Configuration Manager SP1, you can configure email subscriptions to all alerts generated by Configuration Manager. Use the following table to find information about how to configure alerts and alert subscriptions in Configuration Manager:
Action More Information

Configure Endpoint Protection alerts for a collection Configure client status alerts for a collection

See the topic How to Configure Alerts for Endpoint Protection in Configuration Manager. See the section To Configure Alerts for Client Status in the topic How to Configure Client Status in Configuration Manager. See the section Management Tasks for Alerts in this topic. See the section How to Configure Email Subscriptions for Alerts in this topic.

Manage Configuration Manager alerts Configure email subscriptions to alerts

For information about how you can monitor the alerts that are generated by Configuration Manager, see the Monitor Alerts in Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic.

Management Tasks for Alerts

Use the information in this section to help you manage alerts in Configuration Manager. To manage alerts 1. In the Monitoring workspace, click Alerts and then select a management task. Use the following table for more information about the management tasks that might
837

require some information before you select them.

Management task Details

Configure

Opens the <alert name> Properties dialog box where you can modify the name, severity, and thresholds for the selected alert. If you change the severity of the alert, this configuration affects how the alerts are displayed in the Configuration Manager console. Enter a comment for the selected alerts. These comments display with the alert in the Configuration Manager console. Suspends the monitoring of the alert until the specified date is reached. At that time, the state of the alert is updated. You can only postpone an alert when it is enabled.

Edit Comment

Postpone

Create subscription

Opens the New Subscription dialog box where you can create an email subscription to the selected alert. Note Prior to Configuration Manager SP1, you can create email subscriptions only for Endpoint Protection and client status alerts.

How to Configure Email Subscriptions for Alerts

Use the procedures in this section to help you configure email subscriptions to alerts in Configuration Manager. Important In Configuration Manager with no service pack, you can only configure email subscriptions for Endpoint Protection alerts. To configure email notification settings in Configuration Manager with no service pack 1. In the Configuration Manager console, click Administration.
838

2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Settings group, click Configure Site Components and then click Email Notification. 4. In the Email Notification Component Properties dialog box, specify the following information: Enable email notification for Endpoint Protection alerts: Select this check box to enable Configuration Manager to use an SMTP server to send email alerts. FQDN or IP Address of the SMTP server to send email alerts: Enter the fully qualified domain name (FQDN) or IP address and the SMTP port for the email server that you want to use for these alerts. Endpoint Protection SMTP Server Connection Account : Specify the authentication method for Configuration Manager to use to connect the email server. Sender address for email alerts: Specify the email address from which alert emails are sent. Test SMTP Server: Sends a test email to the email address specified in Sender address for email alerts.

5. Click OK to save the settings and to close the Email Settings Component Properties dialog box. To configure email notification settings in Configuration Manager SP1 and System Center 2012 R2 Configuration Manager 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Alerts, and then click Subscriptions. 3. On the Home tab, in the Create group, click Configure Email Notification. 4. In the Email Notification Component Properties dialog box, specify the following information: Enable email notification for alerts: Select this check box to enable Configuration Manager to use an SMTP server to send email alerts. FQDN or IP Address of the SMTP server to send email alerts: Enter the fully qualified domain name (FQDN) or IP address and the SMTP port for the email server that you want to use for these alerts. SMTP Server Connection Account: Specify the authentication method for Configuration Manager to use to connect the email server. Sender address for email alerts: Specify the email address from which alert emails are sent. Test SMTP Server: Sends a test email to the email address specified in Sender address for email alerts.

5. Click OK to save the settings and to close the Email Settings Component Properties dialog box. To subscribe to alerts
839

1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Alerts. 3. In the Alerts list, select an alert and then, on the Home tab, in the Subscription group, click Create subscription. 4. In the New Subscription dialog box, specify the following information: Name: Enter a name to identify the email subscription. You can use up to 255 characters. Email address: Enter the email addresses that you want the alert sent to. You can separate multiple email addresses with a semicolon. Email language: In the list, specify the language for the email.

5. Click OK to close the New Subscription dialog box and to create the email subscription. Note You can delete and edit subscriptions in the Monitoring workspace when you expand the Alerts node, and then click the Subscriptions node.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Configuring Site Components in Configuration Manager

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites.

Configure Site Components for Configuration Manager

You configure site components to control the behavior of site system roles at a site, and to control the sites status reporting behavior. Configurations for site system roles apply to each instance of a site system role at a particular site. These configurations must be made at each site individually, and do not apply to multiple sites. Use the following procedure to select the site component you will configure at a specific site. To edit the site components at a site 1. In the Configuration Manager console, click Administration.
840

2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that has the site components you will configure. 4. On the Home tab, in the Settings group, click Configure Site Components and then select the site component you want to configure.

Configuration Options for Site Components

Many of the configuration options for the site components are self-explanatory or display additional information in the dialog boxes. Use the following sections for more information about the settings that might require some information before you configure them:

System Health Validator Point Component Properties

Configure these configuration options only if you will install System Health Valdiator points in the site to use Network Access Protection for software updates.
Configuration Option Description

Query interval (minutes)

Specifies in minutes how often System Health Validator points retrieve and cache Configuration Manager health state references from Active Directory Domain Services. The information is retrieved with a Lightweight Directory Access Protocol (LDAP) call to a global catalog server. The lower the value, the more quickly the System Health Validator will detect changes to the Configuration Manager NAP policies; however clients are more likely to be found non-compliant even though they have all the required software updates specified in the Configuration Manager NAP policies. In this scenario, if policies on the Network Policy Server are configured to give noncompliant clients limited network access, in this scenario, clients will not have full network access until they have download their Configuration Manager NAP policies, re-evaluated their compliance, and then send a new statement of health to the System Health Validator point. This process can take a few minutes. The higher the value, the less likely clients will be found noncompliant when they have all the
841

Configuration Option

Description

required software updates specified in the Configuration Manager NAP policies. In this scenario, clients will not risk having limited network access to download their Configuration Manager NAP policies and re-evaluate compliance. However, a higher value might mean that clients are deemed compliant when they haven't evaluated compliance with the latest Configuration Manager NAP policies. A setting to reduce the likelihood of clients that have the selected software updates having limited network access, but to ensure that compliance results are based on the latest Configuration Manager NAP policies, is to configure this option to be twice the value specified for the client setting Client policy polling interval (by default, the client policy polling interval is once an hour). This setting can be between 1 and 10080 minutes, and the default value is 120 minutes. Validity period (hours) Specifies the length of time in hours for which a cached client statement of health will be accepted as compliant by System Health Validator points. If the client statement of health is older than the validity period, the System Health Validator point returns a health state of noncompliant to the Network Policy Server. In this scenario, if policies on the Network Policy Server enforce compliance, the client is forced to re-evaluate its compliance status and present a new statement of health. Therefore, a longer validity period results in quicker processing (and connecting times), but the compliance information might not be up to date. This setting can be between 1 and 168 hours, and the default value is 26 hours. Important If you change the default validity period, ensure that you configure a
842

Configuration Option

Description

value that is higher than the configured NAP re-evaluation schedule client setting. If the compliance evaluation on the client occurs less frequently than the validity period, clients will be found noncompliant by the System Health Validator point. In this scenario, remediation will instruct clients to re-evaluate their compliance and produce a current statement of health. This process might take a few minutes to complete, so if policies on the Network Policy Server are configured to limit network access for non-compliant computers, computers will not be able to access network resources on the full network during this re-evaluation time. Date created must be after (UTC) Specifies whether you want to ensure a client statement of health is created after a specified date and time (in Coordinated Universal Time). After selecting this option, select the date and time. The date and time cannot be set to a future value but must be the current or a previous date and time. Setting this option is appropriate if you have just configured a new Configuration Manager Network Access Protection (NAP) policy and it is imperative that the software update selected in the policy is included in the evaluation, regardless of the validity period. This option is not enabled by default. Designate an Active Directory forest Specifies that the site server and System Health Validator points for this site are not in the same Active Directory forest. To configure the System Health Validator Point Component for this environment, you must identify which forests the System Health Validator points reside in, identify whether trust relationships exist between them, and decide which forest
843

Configuration Option

Description

will publish the Configuration Manager health state references The Active Directory forest that publishes the health state references must be extended with the Configuration Manager schema extensions, the site servers must be publishing to Active Directory, and permissions must be set appropriately on the System Management container in Active Directory. These Active Directory dependencies might affect your decision on which forest will be used to publish the Configuration Manager health state references. The following scenarios identify four basic configurations when Network Access Protection in Configuration Manager spans multiple Active Directory forests. Use these scenarios to help you decide which Active Directory forest will publish the health state references. Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the site servers. Choose this option if you can extend Active Directory Domain Services for Configuration Manager, and if the System Health Validator points reside in a perimeter network Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to the forest that contains the System Health Validator points. Choose this option if you cannot extend Active Directory Domain Services for Configuration Manager, but you can extend the schema of the second forest. Site servers reside in one Active Directory forest, and all System Health Validator
844

Configuration Option

Description

points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has trust relationships with the other two forests (either a forest trust or external domain trusts). Choose this option if you cannot extend Active Directory Domain Services for either forest, but you can extend the schema of a new or existing forest. Site servers reside in one Active Directory forest, and all System Health Validator points reside in another Active Directory forest. Configuration Manager health state references are published to a third Active Directory forest that has no trust relationships with the other two forests (neither a forest trust nor external domain trusts). Choose this option if you cannot extend Active Directory Domain Services for either forest, but you can extend the schema of a new or existing forest that cannot have any trust relationships with the other two forests.

Health state reference publishing account

Specifies a Microsoft Windows user account in the designated Active Directory forest if any of the following apply: The designated forest is not the same forest as the site server. There is no trust relationship between the site server's domain and the Domain suffix. There is a trust relationship between the site server's domain and the Domain suffix, but Full Control permission has not be granted to the System Management Active Directory container for the site server's computer account.

Health state reference querying account

Specifies a Windows user account in the designated Active Directory forest if any of the following apply: The designated forest is not the same forest as the System Health Validator
845

Configuration Option

Description

points. There is no trust relationship between the System Health Validator points and the Domain suffix.

Software Distribution Component Properties

Configuration Option Description

Network Access Account

Specify a Windows user account for the Network Access Account when client computers from workgroups or non-trusted domains require access to network resources. Important The Network Access account is never used as the security context to run applications and programs, install software updates, or run task sequences. It is used only for accessing resources on the network. Although Configuration Manager client computers use the Local System account to perform most Configuration Manager client operations on the computer, the Local System account cannot access network resources. For example, the Local System account cannot authenticate a computer to distribution points, so that the computer can make a connection and download software. In these scenarios, clients from trusted domains use the <computername>$ account to access network resources. Computers that cannot use the <computername>$ for computer authentication can use a specified Windows user account for the Network Access Account. You might also have to specify a Windows user account for the Network Access Account when you deploy an operating system. This is because the computer that receives the
846

Configuration Option

Description

operating system does not have a security context it can use to access content on the network. Note When you specify a Windows user account, configure it to have the minimum appropriate permissions on the content that it must access to download the software. The account must have Access this computer from the network user right on the distribution point or other server that holds the package content. Do not grant this account the interactive logon user right or the user right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account. For System Center 2012 R2 Configuration Manager only: You can now specify multiple network access accounts for a site. When clients try to access content and cannot use their local computer account, they will first use the last network access account that successfully connected. Configuration Manager supports adding up to ten network access accounts.

Software Update Point Component Properties

For more information about the configuration options for the software update point component, see Configuring Software Updates in Configuration Manager.

Management Point Component Properties

Configuration Option Description

Management points

Specifies the management points in the

847

Configuration Option

Description

Configuration Manager site to publish to Active Directory Domain Services. Configuration Manager clients use management points for service location: to find site information such as boundary group membership and PKI certificate selection options; and to find other management points in the site and distribution points from which to download software. Clients also use management points to complete site assignment and download client policy and upload their client information. Because the most secure method for clients to find management points is to publish them in Active Directory Domain Services, you will typically always select all functioning management points to publish to Active Directory Domain Services. However, this service location method requires that the schema is extended for Configuration Manager, there is a System Management container with appropriate security permissions for the site server to publish to this container, that the Configuration Manager site is configured to publish to Active Directory Domain Services, and that clients belong to the same Active Directory forest as the site servers forest. When clients on the intranet cannot use Active Directory Domain Services to find management points, use DNS publishing. Publish selected intranet management points in DNS Specify this option when clients on the intranet cannot find management points from Active Directory Domain Services, but they can use a DNS service location resource record (SRV RR) to find a management point in their assigned site. For Configuration Manager to publish intranet management points to DNS, all the following conditions must be met: Your DNS servers have a version of BIND
848

Configuration Option

Description

that is 8.1.2 or later. Your DNS servers are configured for automatic updates and support service location resource records. The specified FQDNs for the management points in Configuration Manager have host entries (A or AAA records) in DNS. Warning For clients to find management points that are published in DNS, you must assign the clients to a specific site (rather than use automatic-site assignment) and configure these clients to use the site code with the domain suffix of their management point. For more information, see How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager. If Configuration Manager clients cannot use Active Directory Domain Services or DNS to find management points on the intranet, they fall back to using WINS. The first management point that is installed for the site is automatically published to WINS when it is configured to accept HTTP client connections on the intranet.

Out of Band Management Point Component Properties

Important You cannot save configuration options for the out of band management component unless the site has at least one enrollment point installed. For more information about the configuration options for the out of band management point component, see Configuring the Out of Band Management Component.

Collection Membership Evaluation

Note

849

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this task to change how often collection membership is incrementally evaluated. Incremental evaluation updates a collection membership with only new or changed resources. In Configuration Manager with no service pack, you configure collection membership evaluation as a site maintenance task. For information, see the section Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic.

See Also
Configure Sites and the Hierarchy in Configuration Manager

Install and Configure Site System Roles for Configuration Manager

You can install one or more optional site system roles at each System Center 2012 Configuration Manager site to extend the management functionality of the site. You can specify a new server as a site system server and add the site system roles, or install the site system roles to an existing site system server in the site. Tip When a site system server is a computer other than the site server, it is referred to as a remote site system because it is remote from the site server in the site. Similarly, any site system role on that server is referred to as remote. For example, a remote distribution point is a site system server on a computer other than the site server, and which has installed on it the distribution point role. Note When you install a site system role on a remote computer (including an instance of the SMS Provider), the computer account of the remote computer is added to a local group on the site server. When the site is installed on a domain controller, the group on the site server is a domain group instead of a local group, and the remote site system role is not operational until either the site system role computer restarts, or the Kerberos ticket for the remote computers account is refreshed. Use one of the following wizards to install new site system roles: Add Site System Roles Wizard: Use this wizard to add site system roles to an existing site system server in the site. Create Site System Server Wizard: Use this wizard to specify a new server as a site system server, and then install one or more site system roles on the server. This wizard is the same

850

as the Add Site System Roles Wizard, except that on the first page, you must specify the name of the server to use and the site in which you want to install it. Note Configuration Manager does not support site system roles for multiple sites on a single site system server. By default, when Configuration Manager installs a site system role, the installation files are installed on the first available NTFS formatted disk drive that has the most available free disk space. To prevent Configuration Manager from installing on specific drives, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server. Configuration Manager uses the Site System Installation Account to install site system roles. You specify this account when you run the applicable wizard to create a new site system server or add site system roles to an existing site system server. By default, this account is the local system account of the site server computer, but you can specify a domain user account for use as the Site System Installation Account. For more information about this account, see the Site System Installation Account in the Technical Reference for Accounts Used in Configuration Manager topic. Use the following sections to help you install and configure site system roles for System Center 2012 Configuration Manager: Install Site System Roles To install site system roles on an existing site system server To install site system roles on a new site system server Configure Windows Azure and Install Cloud-Based Distribution Points Configure Name Resolution for Cloud-Based Distribution Points Configure Proxy Settings for Primary Sites that Manage Cloud Services Application Catalog Website Point Application Catalog Web Service Point Certificate Registration Point Distribution Point Enrollment Point Enrollment Proxy Point Fallback Status Point Out of Band Service Point

Install Cloud-Based Distribution Points in Windows Azure

Configuration Options for Site System Roles

Configure the Proxy Server for Site System Servers Note For planning information, such as where to install site system roles in the hierarchy, see Planning for Site Systems in Configuration Manager.
851

Install Site System Roles

How you install a site system role depends on whether you add the site system role to an existing site system server or install a new site system server for the site system role. Use one of the following procedures. Note Configuration Manager lists the site system roles that are available for you to install. This list depends on your hierarchy configuration and whether you have already installed an instance of the site system role. For more information about the available placement of site system roles, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To install site system roles on an existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the new site system roles. 3. On the Home tab, in the Server group, click Add Site System Roles. 4. On the General page, review the settings, and then click Next. Tip To access the site system role from the Internet, ensure that you specify an Internet FQDN. 5. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next. 6. On the System Role Selection page, select the site system roles that you want to add, and then click Next. 7. Complete the wizard. Tip The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation. To install site system roles on a new site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and
852

Site System Roles. 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Tip To access the new site system role from the Internet, ensure that you specify an Internet FQDN. 5. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: On the Proxy page, specify settings for a proxy server if site system roles that run on this site system server require a proxy server to connect to locations on the Internet, and then click Next. 6. On the System Role Selection page, select the site system roles that you want to add, and then click Next. 7. Complete the wizard. Tip The Windows PowerShell cmdlet, New-CMSiteSystemServer, performs the same function as this procedure. For more information, see New-CMSiteSystemServer in the System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

Install Cloud-Based Distribution Points in Windows Azure

Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Before you install a cloud-based distribution point, make sure that you have the required certificate files: A Windows Azure management certificate that is exported to a .cer file and to a .pfx file. A Configuration Manager cloud-based distribution point service certificate that is exported to a .pfx file.

For more information about these certificates, see the section for cloud-based distribution points in the PKI Certificate Requirements for Configuration Manager topic. For an example deployment of the cloud-based distribution point service certificate, see the Deploying the Custom Web Server Certificate for Cloud-Based Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

853

After you install the cloud-based distribution point, Windows Azure automatically generates a GUID for the service and appends this to the DNS suffix of cloudapp.net. Using this GUID, you must configure DNS with a DNS alias (CNAME record) to map the service name that you define in the Configuration Manager cloud-based distribution point service certificate to the automatically generated GUID. If you use a proxy web server, you might have to configure proxy settings to enable communication with the cloud service that hosts the distribution point. Use the following sections and procedures to help you install a cloud-based distribution point.

Configure Windows Azure and Install Cloud-Based Distribution Points

Use the following procedures to configure Windows Azure to support distribution points, and then install the cloud-based distribution point in Configuration Manager. To configure a cloud service in Windows Azure for a distribution point 1. Open a web browser to the Windows Azure Management Portal, at https://windows.azure.com, and access your Windows Azure account. 2. Click Hosted Services, Storage Accounts & CDN, and then select Management Certificates. 3. Right-click your subscription, and then select Add Certificate. 4. For Certificate file, specify the .cer file that contains the exported Windows Azure management certificate to use for this cloud service, and then click OK. The management certificate is loaded in Windows Azure, and you can now install a cloudbased distribution point. To install a cloud-based distribution point for Configuration Manager 1. Complete the steps in the preceding procedure to configure a cloud service in Windows Azure with a management certificate. 2. In the Administration workspace of the Configuration Manager console, expand Cloud Services, select Cloud Distribution Points, and then on the Home tab, click Create Cloud Distribution Point. Note With Configuration Manager SP1, Create Cloud Distribution Point is located in the Cloud node under Hierarchy Configurations. 3. On the General page of the Create Cloud Distribution Point Wizard, configure the following: Specify the Subscription ID for your Windows Azure account. Tip You can find your Windows Azure subscription ID in the Windows Azure
854

Management Portal. Specify the Management certificate. Click Browse to specify the .pfx file that contains the exported Windows Azure management certificate, and then enter the password for the certificate. Optionally, you can specify a version 1 .publishsettings file from the Windows Azure SDK 1.7

4. Click Next, and Configuration Manager connects to Windows Azure to validate the management certificate. 5. On the Settings page, complete the following configurations, and then click Next: For Region, select the Windows Azure region where you want to create the cloud service that hosts this distribution point. For Certificate file, specify the .pfx file that contains the exported Configuration Manager cloud-based distribution point service certificate, and then enter the password. Note The Service FQDN box is automatically populated from the certificate Subject Name and in most cases, you do not have to edit it. The exception is if you are using a wildcard certificate in a testing environment, where the host name is not specified so that multiple computers that have the same DNS suffix can use the certificate. In this scenario, the certificate Subject contains a value similar to CN=*.contoso.com and Configuration Manager displays a message that you must specify the correct FQDN. Click OK to close the message, and then enter a specific name before the DNS suffix to provide a complete FQDN. For example, you might add clouddp1 to specify the complete service FQDN of clouddp1.contoso.com. The Service FQDN must be unique in your domain and not match any domain joined device. Wildcard certificates are supported for testing environments only. 6. On the Alerts page, configure storage quotas, transfer quotas, and at what percentage of these quotas you want Configuration Manager to generate alerts, and then click Next. 7. Complete the wizard. The wizard creates a new hosted service for the cloud-based distribution point. After you close the wizard, you can monitor the installation progress of the cloud-based distribution point in the Configuration Manager console, or by monitoring the CloudMgr.log file on the primary site server. You can also monitor the provisioning of the cloud service in the Windows Azure Management Portal. Note It can take up to 30 minutes to provision a new distribution point in Windows Azure. The following message is repeated in the CloudMgr.log file until the storage account is provisioned: Waiting for check if container exists. Will check again in 10 seconds. Then, the service is created and configured. You can identify that the cloud-based distribution point installation is completed by using the following methods:
855

In the Windows Azure Management Portal, the Deployment for the cloud-based distribution point displays a status of Ready. In the Administration workspace, Hierarchy Configuration, Cloud node of the Configuration Manager console, the cloud-based distribution point displays a status of Ready. Configuration Manager displays a status message ID 9409 for the SMS_CLOUD_SERVICES_MANAGER component.

Configure Name Resolution for Cloud-Based Distribution Points

Before clients can access the cloud-based distribution point, they must be able to resolve the name of the cloud-based distribution point to an IP address that Windows Azure manages. Clients do this in two stages: 1. They map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate to your Windows Azure service FQDN. This FQDN contains a GUID and the DNS suffix of cloudapp.net. The GUID is automatically generated after you install the cloud-based distribution point. You can see the full FQDN in the Windows Azure Management Portal, by referencing the SITE URL in the dashboard of the cloud service. An example site URL is http://d1594d4527614a09b934d470.cloudapp.net. 2. They resolve the Windows Azure service FQDN to the IP address that Windows Azure allocates. This IP address can also be identified in the dashboard for the cloud service in the Windows Azure portal, and is named PUBLIC VIRTUAL IP ADDRESS (VIP). To map the service name that you provided with the Configuration Manager cloud-based distribution point service certificate (for example, clouddp1.contoso.com) to your Windows Azure service FQDN (for example, d1594d4527614a09b934d470.cloudapp.net), DNS servers on the Internet must have a DNS alias (CNAME record). Clients can then resolve the Windows Azure service FQDN to the IP address by using DNS servers on the Internet.

Configure Proxy Settings for Primary Sites that Manage Cloud Services
When you use cloud services with Configuration Manager, the primary site that manages the cloud-based distribution point must be able to connect to the Windows Azure Management Portal by using the System account of the primary site computer. This connection is made by using the default web browser on the primary site server computer. On the primary site server that manages the cloud-based distribution point, you might have to configure the proxy settings to enable the primary site to access the Internet and Windows Azure. Use the following procedure to configure the proxy settings for the primary site server in the Configuration Manager console. Tip You can also configure the proxy server when you install new site system roles on the primary site server by using the Add Site System Roles Wizard.
856

To configure proxy settings for the primary site server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the primary site server that manages the cloud-based distribution point. 3. In the details pane, right-click Site system, and then click Properties. 4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server. 5. Click OK to save the new proxy server configuration.

Configuration Options for Site System Roles

Many of the configuration options for the site system roles are self-explanatory or display additional information in the wizard or dialog boxes. Use the following tables for the settings that might require some information before you configure them.

Application Catalog Website Point

For information about how to configure the Application Catalog website point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.
Configuration option Description

Client connections

Select HTTPS to connect by using the more secure setting and to determine whether clients connect from the Internet. This option requires a PKI certificate on the server for server authentication to clients and for encryption of data over Secure Socket Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in Internet Information Services (IIS), see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
857

Configuration option

Description

Add Application Catalog website to trusted sites zone

This message displays the value in the default client settings whether the client setting Add Application Catalog website to Internet Explorer trusted sites zone is currently set to True or False. If you have configured this setting by using custom client settings, you must check this value yourself. If this site system is configured for a FQDN, and the website is not in the trusted sites zone in Internet Explorer, users are prompted for credentials when they connect to the Application Catalog.

Organization name

Type the name that users see in the Application Catalog. This branding information helps users to identify this website as a trusted source.

Application Catalog Web Service Point

For information about how to configure the Application Catalog web service point for the Application Catalog, see Configuring the Application Catalog and Software Center in Configuration Manager.
Configuration option Description

HTTPS

Select HTTPS to authenticate the Application Catalog website points to this Application Catalog web service point. This option requires a PKI certificate on the servers running the Application Catalog website point for server authentication and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for
858

Configuration option

Description

Configuration Manager: Windows Server 2008 Certification Authority topic.

Certificate Registration Point

For information about how to configure the certificate registration point, see Configuring Certificate Profiles in Configuration Manager.

Distribution Point
For information about how to configure the distribution point for content deployment, see Configuring Content Management in Configuration Manager. For information about how to configure the distribution point for PXE deployments, see How to Deploy Operating Systems by Using PXE in Configuration Manager. For information about how to configure the distribution point for multicast deployments, see How to Manage Multicast in Configuration Manager.
Configuration Description

Install and configure IIS if required by Configuration Manager

Select this option to let Configuration Manager install and configure IIS on the site system if it is not already installed. IIS must be installed on all distribution points, and you must select this setting to continue in the wizard. For distribution points that are installed on a site server, only the computer account of the site server is supported for use as the Site System Installation Account. This certificate has two purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When Enable PXE support for clients is selected, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

Site System Installation Account

Create a self-signed certificate or import a PKI client certificate

When all your management points in the site are configured for HTTP, create a self-signed
859

Configuration

Description

certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a PublicKey Cryptography Standards #12 (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager: Intended use must include client authentication. The private key must be configured to be exported. Note There are no specific requirements for the certificate Subject name or Subject Alternative Name (SAN), and you can use the same certificate for multiple distribution points. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Enable this distribution point for prestaged content Select this check box to enable the distribution point for prestaged content. When this check box is selected, you can configure distribution behavior when you distribute content. You can choose whether you always prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package. You can associate boundary groups to a
860

Boundary groups

Configuration

Description

distribution point. During content deployment, clients must be in a boundary group that is associated with the distribution point to use it as a source location for content. You can select the Allow fallback source location for content check box to allow clients outside these boundary groups to fall back and use the distribution point as a source location for content when no other distribution points are available.

Enrollment Point
Beginning with Configuration Manager SP1, enrollment points are used to install Mac computers, enroll mobile devices, and provision AMT-based computers. For more information, see the following: How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager How to Provision and Configure AMT-Based Computers in Configuration Manager
Description

Configuration option

Allowed connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the enrollment proxy point and the out of band service point, and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

861

Enrollment Proxy Point

For information about how to configure an enrollment proxy point for mobile devices, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.
Configuration Option Description

Client connections

The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to mobile devices and Mac computers (Configuration Manager SP1) enrolled by Configuration Manager, and for encryption of data over Secure Sockets Layer (SSL). For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the server certificate and information about how to configure it in IIS, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Fallback Status Point

Configuration option Description

Number of state messages and Throttle interval (in seconds)

Although the default settings for these options (10,000 state messages and 3,600 seconds for the throttle interval) are sufficient for most circumstances, you might have to change them when both of the following conditions are true: The fallback status point accepts connections only from the intranet. You use the fallback status point during a client deployment rollout for many computers.

In this scenario, a continuous stream of state messages might create a backlog of state messages that causes high central processing unit (CPU) usage on the site server for a
862

Configuration option

Description

sustained period of time. In addition, you might not see up-to-date information about the client deployment in the Configuration Manager console and in the client deployment reports. Note These fallback status point settings are designed to be configured for state messages that are generated during client deployment. The settings are not designed to be configured for client communication issues, such as when clients on the Internet cannot connect to their Internet-based management point. Because the fallback status point cannot apply these settings just to the state messages that are generated during client deployment, do not configure these settings when the fallback status point accepts connections from the Internet. Each computer that successfully installs the System Center 2012 Configuration Manager client sends the following four state messages to the fallback status point: Client deployment started Client deployment succeeded Client assignment started Client assignment succeeded

Computers that cannot be installed or assign the Configuration Manager client send additional state messages. For example, if you deploy the Configuration Manager client to 20,000 computers, the deployment might create 80,000 state messages sent to the fallback status point. Because the default throttling configuration allows for 10,000 state messages to be sent to the fallback status point each 3600 seconds (1 hour), state messages might become backlogged on the fallback status point
863

Configuration option

Description

because of the throttling configuration. You must also consider the available network bandwidth between the fallback status point and the site server, and the processing power of the site server to process many state messages. To help prevent these issues, consider increasing the number of state messages and decreasing the throttle interval. Reset the throttle values for the fallback status point if either of the following conditions is true: You calculate that the current throttle values are higher than required to process state messages from the fallback status point. You find that the current throttle settings create high CPU usage on the site server. Warning Do not change the settings for the fallback status point throttle settings unless you understand the consequences. For example, when you increase the throttle settings to high, the CPU usage on the site server can increase to high, which slows down all site operations.

Out of Band Service Point

The default settings for the out of band service point are sufficient for most circumstances. Change them only if you have to control the CPU usage for the out of band service point and the network bandwidth when Intel AMT-based computers are configured for scheduled wake-up activities and for power-on commands. For information about how to configure an out of band service point for AMT-based computers, see How to Provision and Configure AMT-Based Computers in Configuration Manager.
Configuration option Description

Retries

Specify the number of times a power-on command is sent to a destination computer.

864

Configuration option

Description

After a power-on command is sent to all destination computers, the transmission is paused for the Delay period. If this retry value is greater than 1, a second power-on command is sent to the same computers, and the process is repeated until the retry value is reached. The second and subsequent power-on commands are sent only if the destination computer did not respond. Unlike wake-up packets, power-on commands create an established session with the destination computer. Therefore, retries are less likely to be necessary. However, retries might be necessary if the site transmits many packets (for example, also sending wake-up packets), and the power-on commands cannot reach a destination computer because of the high network bandwidth consumption. The default setting is 3 retries. Values can range from 05. Delay (minutes) The time in minutes that power-on commands pause between retries. The default setting is 2 minutes. Values can range from 130 minutes. Transmission threads The number of threads that the out of band service point uses when it sends power-on commands. When you increase the number of threads, you are more likely to make full use of the available network bandwidth, especially when the out of band service point site system server computer has multiple cores or processors. However, when you increase the number of threads, the increased thread count might also produce a significant increase in CPU usage. The default setting is 60 transmission threads. Values can range from 1120 threads. Transmission offset The time in minutes that a power-on command is sent before a scheduled activity that is
865

Configuration option

Description

enabled for wake-up packets. Set a value that gives sufficient time before the scheduled activity so that computers have completed startup, but not so much time that the computer returns to a sleep state before the scheduled activity. The default setting is 10 minutes. Values can range from 1480 minutes.

Configure the Proxy Server for Site System Servers

You can configure a site system server to use a proxy server for connections to the Internet that site system roles that run on that computer make. For information about the site system roles that can use the proxy server configuration, see the Planning for Proxy Servers Configurations for Site System Roles section in the Planning for Site Systems in Configuration Manager topic. Use the following procedure to edit the proxy server configuration of a site system server. To configure the proxy server for a site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system server that you want to edit, and then in the details pane, rightclick Site system, and then click Properties. Tip You cannot configure the proxy server on a cloud-based distribution point in Windows Azure. Instead, you configure the proxy server on the primary site that manages the cloud-based distribution point. 4. In Site system Properties, select the Proxy tab, and then configure the proxy settings for this primary site server. 5. Click OK to save the new proxy server configuration.

See Also
Configuring Sites and Hierarchies in Configuration Manager

866

Configure Database Replicas for Management Points

You can configure System Center 2012 Configuration Manager management points in a primary site to use a replica of the site database. Management points at secondary sites do not support database replicas. At each primary site, you can configure one or more computers that run SQL Server to host a database replica, and more than one management point at that site can use the same database replica. When a management point uses a database replica, that management point requests data from the SQL Server computer that hosts the database replica. Because requests are made to the database replica server and replace direct requests to the site database server, this configuration can help reduce the CPU processing requirements on the site database server when there are large numbers of clients that make frequent requests for client policy. When you use a database replica, regularly monitor the site database server and each database replica server to ensure that replication occurs between them, and that the performance of the database replica server is sufficient for the site and client performance that you require. Use the following sections to help you configure and manage database replicas: Configurations for Using a Database Replica Operations for Using Database Replicas Uninstalling a Database Replica Uninstalling the Site Server Moving the Site Server Database

Configurations for Using a Database Replica

To use a database replica, all the following configurations are required: SQL Server on the site database server and on the database replica server must have the SQL Server replication installed. The site database must publish the database replica. Each remote SQL Server computer that will host a database replica must subscribe to the published database replica. You must configure each management point that will use the database replica to communicate with the database replica server and database replica. Each SQL Server computer that will host a database replica must have a self-signed certificate for management points to use on remote computers to communicate with the database replica server. You must configure the SQL Server in use for the site database and each database replica to support a Max Text Repl Size of 2 GB. For an example of how to configure this for SQL Server 2012, see Configure the max text repl size Server Configuration Option.

To configure a database replica, you must complete the procedures in the following sections:
867

Configuring the Site Database Server to Publish the Database Replica Configuring the Database Replica Server Configure Management Points to Use the Database Replica Configure a Self-Signed Certificate for the Database Replica Server

Beginning with Configuration Manager SP1, you must also complete the procedure in the following section: Configure the SQL Server Service Broker for the Database Replica Server

Configuring the Site Database Server to Publish the Database Replica

Use the following procedure as an example of how to configure the site database server on a Windows Server 2008 R2 computer to publish the database replica. If you have a different operating system version, refer to your operating system documentation and adjust the steps in this procedure as necessary. To configure the site database server 1. On the site database server, set the SQL Server Agent to automatically start. 2. On the site database server, create a local user group with the name ConfigMgr_MPReplicaAccess. You must add the computer account for each database replica server that you use at this site to this group to enable those database replica servers to synchronize with the published database replica. 3. On the site database server, configure a file share with the name ConfigMgr_MPReplica. 4. Add the following permissions to the ConfigMgr_MPReplica share: Note If the SQL Server Agent uses an account other than the local system account, replace SYSTEM with that account name in the following list. Share Permissions: SYSTEM: Write ConfigMgr_MPReplicaAccess: Read SYSTEM: Full Control ConfigMgr_MPReplicaAccess: Read, Read & execute, List folder contents

NTFS Permissions:

5. Use SQL Server Management Studio to connect to the site database and run the following stored procedure as a query: spCreateMPReplicaPublication When the stored procedure completes, the site database server is configured to publish the database replica.

868

Configuring the Database Replica Server

The database replica server is a computer that runs SQL Server and that hosts a replica of the site database for management points to use. On a fixed schedule, the database replica server synchronizes its copy of the database with the database replica that is published by the site database server. The database replica server must meet the same requirements as the site database server. However, the database replica server can run a different edition or version of SQL Server than the site database server uses. For information about the supported versions of SQL Server, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic. Important The SQL Server Service on the computer that hosts the replica database must run as the System account. Use the following procedure as an example of how to configure a database replica server on a Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation and adjust the steps in this procedure as necessary. To configure the database replica server 1. On the database replica server, set the SQL Server Agent to automatic startup. 2. On the database replica server, use SQL Server Management Studio to connect to the local server, browse to the Replication folder, click Local Subscriptions, and select New Subscriptions to start the New Subscription Wizard: a. On the Publication page, in the Publisher list box, select Find SQL Server Publisher, enter the name of the sites database server, and then click Connect. b. Select ConfigMgr_MPReplica, and then click Next. c. On the Distribution Agent Location page, select Run each agent at its Subscriber (pull subscriptions), and click Next. Select an existing database from the database replica server to use for the database replica, and then click OK. Select New database to create a new database for the database replica. On the New Database page, specify a database name, and then click OK.

d. On the Subscribers page do one of the following:

e. Click Next to continue. f. On the Distribution Agent Security page, click the properties button (.) in the Subscriber Connection row of the dialog box, and then configure the security settings for the connection. Tip The properties button, (.), is in the fourth column of the display box. Security settings: Configure the account that runs the Distribution Agent process (the process
869

account): If the SQL Server Agent runs as local system, select Run under the SQL Server Agent service account (This is not a recommended security best practice.) If the SQL Server Agent runs by using a different account, select Run under the following Windows account, and then configure that account. You can specify a Windows account or a SQL Server account. Important You must grant the account that runs the Distribution Agent permissions to the publisher as a pull subscription. For information about configuring these permissions, see Distribution Agent Security in the SQL Server TechNet.Library. For Connect to the Distributor, select By impersonating the process account. For Connect to the Subscriber, select By impersonating the process account.

After you configure the connection security settings, click OK to save them, and then click Next. g. On the Synchronization Schedule page, in the Agent Schedule list box, select Define schedule, and then configure the New Job Schedule. Set the frequency to occur Daily, recur every 5 minute(s), and the duration to have No end date. Click Next to save the schedule, and then click Next again. h. On the Wizard Actions page, select the check box for Create the subscriptions(s), and then click Next. i. On the Complete the Wizard page, click Finish, and then click Close to complete the Wizard. On the subscriber computer: In SQL Server Management Studio, connect to the database replica server and expand Replication. Expand Local Subscriptions, right-click the subscription to the site database publication, and then select View Synchronization Status. In SQL Server Management Studio, connect to the site database computer, right-click the Replication folder, and then select Launch Replication Monitor.

3. Review the synchronization status to validate that the subscription is successful:

On the publisher computer:

4. To enable common language runtime (CLR) integration for the database replica, use SQL Server Management Studio to connect to the database replica on the database replica server, and run the following stored procedure as a query: exec sp_configure 'clr enabled', 1; RECONFIGURE WITH OVERRIDE 5. For each management point that uses a database replica server, add that management points computer account to the local Administrators group on that database replica
870

server. Tip This step is not necessary for a management point that runs on the database replica server. The database replica is now ready for a management point to use.

Configure Management Points to Use the Database Replica

You can configure a management point at a primary site to use a database replica when you install the management point role, or you can reconfigure an existing management point to use a database replica. Use the following information to configure a management point to use a database replica: To configure a new management point: On the Management Point Database page of the wizard that you use to install the management point, select Use a database replica, and specify the FQDN of the computer that hosts the database replica. Next, for ConfigMgr site database name, specify the database name of the database replica on that computer. To configure a previously installed management point: Open the properties page of the management point, select the Management Point Database tab, select Use a database replica, and then specify the FQDN of the computer that hosts the database replica. Next, for ConfigMgr site database name, specify the database name of the database replica on that computer.

In addition to configuring the management point to use the database replica server, you must enable Windows Authentication in IIS on the management point: 1. Open Internet Information Services (IIS) Manager. 2. Select the website used by the management point, and open Authentication. 3. Set Windows Authentication to Enabled, and then close Internet Information Services (IIS) Manager.

Configure a Self-Signed Certificate for the Database Replica Server

You must create a self-signed certificate on the database replica server and make this certificate available to each management point that will use that database replica server. The certificate is automatically available to a management point that is installed on the database replica server. However, to make this certificate available to remote management points, you must export the certificate and then add it to the Trusted People certificate store on the remote management point. Use the following procedures as an example of how to configure the self-signed certificate on the database replica server for a Windows Server 2008 R2 computer. If you have a different operating system version, refer to your operating system documentation and adjust the steps in these procedures as necessary.
871

To configure a self-signed certificate for the database replica server 1. On the database replica server, open a PowerShell command prompt with administrative privileges, and then run the following command: set-executionpolicy UnRestricted 2. Copy the following PowerShell script and save it as a file with the name CreateMPReplicaCert.ps1. Place a copy of this file in the root folder of the system partition of the database replica server. # Script for creating a self-signed certificate for the local machine and configuring SQL Server to use it.

Param($SQLInstance)

$ConfigMgrCertFriendlyName = "ConfigMgr SQL Server Identification Certificate"

# Get local computer name $computerName = "$env:computername"

# Get the sql server name #$key="HKLM:\SOFTWARE\Microsoft\SMS\MP" #$value="SQL Server Name" #$sqlServerName= (Get-ItemProperty $key).$value #$dbValue="Database Name" #$sqlInstance_DB_Name= (Get-ItemProperty $key).$dbValue

$sqlServerName = [System.Net.Dns]::GetHostByName("localhost").HostName $sqlInstanceName = "MSSQLSERVER" $SQLServiceName = "MSSQLSERVER"

if ($SQLInstance -ne $Null) { $sqlInstanceName = $SQLInstance $SQLServiceName = "MSSQL$" + $SQLInstance }

872

# Delete existing cert if one exists function Get-Certificate($storename, $storelocation) { $store=new-object System.Security.Cryptography.X509Certificates.X509Store($stor ename,$storelocation) $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite) $store.Certificates }

$cert = Get-Certificate "My" "LocalMachine" | ?{$_.FriendlyName -eq $ConfigMgrCertFriendlyName} if($cert -is [Object]) { $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine") $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite) $store.Remove($cert) $store.Close()

# Remove this cert from Trusted People too... $store = new-object System.Security.Cryptography.X509Certificates.X509Store("Trus tedPeople","LocalMachine") $store.Open([Security.Cryptography.X509Certificates.OpenFlags ]::ReadWrite) $store.Remove($cert) $store.Close() }
873

# Create the new cert $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" $name.Encode("CN=" + $sqlServerName, 0)

$key = new-object -com "X509Enrollment.CX509PrivateKey.1" $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" $key.KeySpec = 1 $key.Length = 1024 $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089; ;;NS)" $key.MachineContext = 1 $key.Create()

$serverauthoid = new-object -com "X509Enrollment.CObjectId.1" $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" $ekuoids.add($serverauthoid) $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" $ekuext.InitializeEncode($ekuoids)

$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1" $cert.InitializeFromPrivateKey(2, $key, "") $cert.Subject = $name $cert.Issuer = $cert.Subject $cert.NotBefore = get-date $cert.NotAfter = $cert.NotBefore.AddDays(3650) $cert.X509Extensions.Add($ekuext) $cert.Encode()

874

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" $enrollment.InitializeFromRequest($cert) $enrollment.CertificateFriendlyName = "ConfigMgr SQL Server Identification Certificate" $certdata = $enrollment.CreateRequest(0x1) $enrollment.InstallResponse(0x2, $certdata, 0x1, "")

# Add this cert to the trusted peoples store [Byte[]]$bytes = [System.Convert]::FromBase64String($certdata)

$trustedPeople = new-object System.Security.Cryptography.X509certificates.X509Store "TrustedPeople", "LocalMachine" $trustedPeople.Open([Security.Cryptography.X509Certificates.O penFlags]::ReadWrite) $trustedPeople.Add([Security.Cryptography.X509Certificates.X5 09Certificate2]$bytes) $trustedPeople.Close()

# Get thumbprint from cert $sha = new-object System.Security.Cryptography.SHA1CryptoServiceProvider $certHash = $sha.ComputeHash($bytes) $certHashCharArray = ""; $certThumbprint = "";

# Format the bytes into a hexadecimal string foreach($byte in $certHash) { $temp = ($byte | % {"{0:x}" -f $_}) -join "" $temp = ($temp | % {"{0,2}" -f $_}) $certHashCharArray = $certHashCharArray+ $temp; }
875

$certHashCharArray = $certHashCharArray.Replace(' ', '0');

# SQL needs the thumbprint in lower case foreach($char in $certHashCharArray) { [System.String]$myString = $char; $certThumbprint = $certThumbprint + $myString.ToLower(); }

# Configure SQL to use this cert $path = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" $subKey = (Get-ItemProperty $path).$sqlInstanceName $realPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\" + $subKey + "\MSSQLServer\SuperSocketNetLib" $certKeyName = "Certificate" Set-ItemProperty -path $realPath -name $certKeyName -Type string -Value $certThumbprint

# restart sql service Restart-Service $SQLServiceName -Force 3. On the database replica server, run the following command that applies to the configuration of your SQL Server: For a default instance of SQL Server: Right-click the file CreateMPReplicaCert.ps1 and select Run with PowerShell. When the script runs, it creates the self-signed certificate and configures SQL Server to use the certificate. For a named instance of SQL Server: Use PowerShell to run the command %path%\CreateMPReplicaCert.ps1 xxxxxx where xxxxxx is the name of the SQL Server instance. After the script completes, verify that the SQL Server Agent is running. If not, restart the SQL Server Agent.

To configure remote management points to use the self-signed certificate of the database replica server 1. Perform the following steps on the database replica server to export the servers self signed certificate: a. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
876

b. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. c. In the Certificate snap-in dialog box, select Computer account, and then click Next.

d. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. e. In the Add or Remove Snap-ins dialog box, click OK. f. In the console, expand Certificates (Local Computer), expand Personal, and select Certificates.

g. Right-click the certificate with the friendly name of ConfigMgr SQL Server Identification Certificate, click All Tasks, and then select Export. h. Complete the Certificate Export Wizard by using the default options and save the certificate with the .cer file name extension. 2. Perform the following steps on the management point computer to add the self-signed certificate for the database replica server to the Trusted People certificate store on the management point: a. Repeat the preceding steps 1.a through 1.e to configure the Certificate snap-in MMC on the management point computer. b. In the console, expand Certificates (Local Computer), expand Trusted People, right-click Certificates, select All Tasks, and then select Import to start the Certificate Import Wizard. c. On the File to Import page, select the certificate saved in step 1.h, and then click Next.

d. On the Certificate Store page, select Place all certificates in the following store, with the Certificate store set to Trusted People, and then click Next. e. Click Finish to close the wizard and complete the certificate configuration on the management point.

Configure the SQL Server Service Broker for the Database Replica Server
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: To support client notification with a database replica for a management point, you must configure communication between the site database server and the database replica server for the SQL Server Service Broker. This requires you to configure each database with information about the other database, and to exchange certificates between the two databases for secure communication. Note Before you can use the following procedure, the database replica server must successfully complete the initial synchronization with the site database server.
877

The following procedure does not modify the Service Broker port that is configured in SQL Server for the site database server or the database replica server. Instead, this procedure configures each database to communicate with the other database by using the correct Service Broker port. Use the following procedure to configure the Service Broker for the site database server and the database replica server. To configure the service broker for a database replica 1. Use SQL Server Management Studio to connect to database replica server database, and then run the following query to enable the Service Broker on the database replica server: ALTER DATABASE <Replica Database Name> SET ENABLE_BROKER, HONOR_BROKER_PRIORITY ON WITH ROLLBACK IMMEDIATE 2. Next, on the database replica server, configure the Service Broker for client notification and export the Service Broker certificate. To do this, run a SQL Server stored procedure that configures the Service Broker and exports the certificate as a single action. When you run the stored procedure, you must specify the FQDN of the database replica server, the name of the database replicas database, and specify a location for the export of the certificate file. Run the following query to configure the required details on the database replica server, and to export the certificate for the database replica server: EXEC sp_BgbConfigSSBForReplicaDB '<Replica SQL Server FQDN>', '<Replica Database Name>', '<Certificate Backup File Path>' Note When the database replica server is not on the default instance of SQL Server, for this step you must specify the instance name in addition to the replica database name. To do so, replace <Replica Database Name> with <Instance name\Replica Database Name>. After you export the certificate from the database replica server, place a copy of the certificate on the primary sites database server. 3. Use SQL Server Management Studio to connect to the primary site database. After you connect to the primary sites database, run a query to import the certificate and specify the Service Broker port that is in use on the database replica server, the FQDN of the database replica server, and name of the database replicas database. This configures the primary sites database to use the Service Broker to communicate to the database of the database replica server. Run the following query to import the certificate from the database replica server and specify the required details: EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '<SQL Service Broker Port>', '<Certificate File Path>', '<Replica SQL Server FQDN>', '<Replica Database Name>' Note When the database replica server is not on the default instance of SQL Server, for this step you must specify the instance name in addition to the replica
878

database name. To do so, replace <Replica Database Name> with <Instance name\Replica Database Name>. 4. Next, on the site database server, run the following command to export the certificate for the site database server: EXEC sp_BgbCreateAndBackupSQLCert '<Certificate Backup File Path>' After you export the certificate from the site database server, place a copy of the certificate on the database replica server. 5. Use SQL Server Management Studio to connect to the database replica server database. After you connect to the database replica server database, run a query to import the certificate and specify the site code of the primary site and the Service Broker port that is in use on the site database server. This configures the database replica server to use the Service Broker to communicate to the database of the primary site. Run the following query to import the certificate from the site database server: EXEC sp_BgbConfigSSBForRemoteService '<Site Code>', '<SQL Service Broker Port>', '<Certificate File Path>' A few minutes after you complete the configuration of the site database and the database replica database, the notification manager at the primary site sets up the Service Broker conversation for client notification from the primary site database to the database replica.

Operations for Using Database Replicas

When you use a database replica at a site, use the information in the following sections to supplement the process of uninstalling a database replica, uninstalling a site that uses a database replica, or moving the site database to a new installation of SQL Server. When you use information in the following sections to delete publications, use the guidance for deleting transactional replication for the version of SQL Server that you use for the database replica. For example, if you use SQL Server 2008 R2, see How to: Delete a Publication (Replication Transact-SQL Programming). Note After you restore a site database that was configured for database replicas, before you can use the database replicas you must reconfigure each database replica, recreating both the publications and subscriptions.

Uninstalling a Database Replica

When you use a database replica for a management point, you might need to uninstall the database replica for a period of time, and then reconfigure it for use. For example, you must remove database replicas before you upgrade a Configuration Manager site to a new service pack. After the site upgrade completes, you can restore the database replica for use. Use the following steps to uninstall a database replica. 1. In the Administration workspace of the Configuration Manager console, expand Site Configuration, then select Servers and Site System Roles, and then in the details pane
879

select the site system server that hosts the management point that uses the database replica you will uninstall. 2. In the Site System Roles pane, right click Management point and select Properties. 3. On the Management Point Database tab, select Use the site database to configure the management point to use the site database instead of the database replica. Then, click OK to save the configuration. 4. Next, Use SQL Server Management Studio to perform the following tasks: Delete the publication for the database replica from the site server database. Delete the subscription for the database replica from the database replica server. Delete the replica database from the database replica server. Disable publishing and distribution on the site database server. To disable publishing and distribution, right-click the Replication folder and then click Disable Publishing and Distribution.

5. After you delete the publication, subscription, the replica database, and disable publishing on the site database server, the database replica is uninstalled.

Uninstalling the Site Server

Before you uninstall a site that publishes a database replica, use the following steps to clean up the publication and any subscriptions. 1. Use SQL Server Management Studio to delete the database replica publication from the site server database. 2. Use SQL Server Management Studio to delete the database replica subscription from each remote SQL Server that hosts a database replica for this site. 3. Uninstall the site.

Moving the Site Server Database

When you move the site database to a new computer, use the following steps: 1. Use SQL Server Management Studio to delete the publication for the database replica from the site server database. 2. Use SQL Server Management Studio to delete the subscription for the database replica from each database replica server for this site. 3. Move the database to the new SQL Server computer. For more information, see the Modify the Site Database Configuration section in the Manage Site and Hierarchy Configurations topic. 4. Recreate the publication for the database replica on the site database server. For more information, see Configuring the Site Database Server to Publish the Database Replica. 5. Recreate the subscriptions for the database replica on each database replica server. For more information, see Configuring the Database Replica Server.

880

See Also
Configuring Sites and Hierarchies in Configuration Manager

Migrate Data from Configuration Manager 2007 to Configuration Manager

After you have installed and configured your sites and hierarchies for Microsoft System Center 2012 Configuration Manager, you can migrate data from one or more Configuration Manager hierarchies. For more information about how to plan and configure migration, see Migrating Hierarchies in System Center 2012 Configuration Manager.

See Also
Configuring Sites and Hierarchies in Configuration Manager

Operations and Maintenance for Site Administration in Configuration Manager

After you install and configure your sites and hierarchy for System Center 2012 Configuration Manager, there are several operations that you will typically use to manage and monitor your infrastructure.

Operations and Maintenance Topics

Use the following topics to help you maintain your Configuration Manager environment. Manage Site and Hierarchy Configurations Configure the Status System for Configuration Manager Configure Maintenance Tasks for Configuration Manager Sites Monitor Configuration Manager Sites and Hierarchy Manage Cloud Services for Configuration Manager Backup and Recovery in Configuration Manager Update System Center 2012 Configuration Manager

881

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

Manage Site and Hierarchy Configurations

Use the information in the following sections to help you manage site and hierarchy configurations in Microsoft System Center 2012 Configuration Manager. Manage the SMS Provider Configuration for a Site Configure DCOM Permissions for Remote Configuration Manager Console Connections Configure the Site Database to Use a SQL Server Cluster Configure Custom Locations for the Site Database Files Modify the Site Database Configuration How to Manage the SPN for SQL Server Site Database Servers Manage Site Components with the Configuration Manager Service Manager Perform a Site Reset Manage Language Packs at Configuration Manager Sites

Manage the SMS Provider Configuration for a Site

The SMS Provider is a dynamic-link library file (smsprov.dll) that you install or uninstall by running System Center 2012 Configuration Manager Setup. At each Configuration Manager site, you can re-run Setup to change the SMS Provider configuration. To remove the last SMS Provider for a site, you must uninstall the site. You can monitor the installation or removal of the SMS Provider by viewing the ConfigMgrSetup.log in the root folder of the site server on which you run Setup. Use the following procedure to manage SMS Providers for a site. To manage the SMS Provider configuration for a site 1. Run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this site, and then click Next 3. On the Site Maintenance page, select Modify SMS Provider configuration, and then click Next. 4. On the Manage SMS Providers page, select one of the following options and complete the wizard by using one of the following options: To add an additional SMS Provider at this site: Select Add a new SMS Provider, specify the FQDN for a computer that will host the
882

SMS Provider and does not currently host a SMS Provider, and then click Next. To remove an SMS Provider from a server: Select Uninstall the specified SMS Provider, select the name of the computer from which you want to remove the SMS Provider, click Next, and then confirm the action. Tip To move the SMS Provider between two computers, you must install the SMS Provider to the new computer, and remove the SMS Provider from the original location. There is no dedicated option to move the SMS Provider between computers in a single process. After the Setup Wizard finishes, the SMS Provider configuration is completed. On the General tab in the site Properties dialog box, you can verify the computers that have an SMS Provider installed for a site.

Configure DCOM Permissions for Remote Configuration Manager Console Connections

The user account that runs the Configuration Manager console requires permission to access the site database by using the SMS Provider. However, an administrative user who uses a remote Configuration Manager console also requires Remote Activation DCOM permissions on the site server computer and on the SMS Provider computer. The SMS Admins group grants access to the SMS Provider and can also be used to grant the required DCOM permissions. Important The Configuration Manager console uses Windows Management Instrumentation (WMI) to connect to the SMS Provider, and WMI internally uses DCOM. Therefore, Configuration Manager requires permissions to activate a DCOM server on the SMS Provider computer if the Configuration Manager console is running on a computer other than the SMS Provider computer. By default, Remote Activation is granted only to the members of the built-in Administrators group. If you allow the SMS Admins group to have Remote Activation permission, a member of this group could attempt DCOM attacks against the SMS Provider computer. This configuration also increases the attack surface of the computer. To mitigate this threat, carefully monitor the membership of the SMS Admins group. For more information about the security risks associated with allowing remote activation, see DCOM Security Enhancements in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. Use the following procedure to configure each central administration site, primary site server, and each computer where the SMS Provider is installed to grant remote Configuration Manager console access for administrative users. Note
883

The following procedure applies to Windows Server 2008 R2. If you have a different operating system version, refer to the documentation for your version about how to configure DCOM permissions if you cannot use the steps in this procedure. To configure DCOM permissions for remote Configuration Manager console connections (Windows Server 2008 R2) 1. On the Start menu, click Run and type Dcomcnfg.exe. 2. In Component Services, click Console root, expand Component Services, expand Computers, and then click My Computer. On the Action menu, click Properties. 3. In the My Computer Properties dialog box, on the COM Security tab, in the Launch and Activation Permissions section, click Edit Limits. 4. In the Launch and Activation Permissions dialog box, click Add. 5. In the Select User, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type SMS Admins, and then click OK. Note You might have to change the setting for From this Location to locate the SMS Admins group. This group is local to the computer when the SMS Provider runs on a member server, and is a domain local group when the SMS Provider runs on a domain controller. 6. In the Permissions for SMS Admins section, to allow remote activation, select the Remote Activation check box. 7. Click OK and click OK again, and then close Computer Management. Your computer is now configured to allow remote Configuration Manager console access to members of the SMS Admins group. Repeat this procedure on each SMS Provider computer that might support remote Configuration Manager consoles.

Configure the Site Database to Use a SQL Server Cluster

System Center 2012 Configuration Manager supports the use of a virtual Microsoft SQL Server cluster instance to host the Configuration Manager site database. For a list of supported SQL Server versions and supported configurations for the SQL Server cluster, see the Configurations for the SQL Server Site Database section in the Supported Configurations for Configuration Manager topic. Configuration Manager Setup does not create or configure the SQL Server cluster. The clustered SQL Server environment must be configured before it can be used to host the site database. When you use a SQL Server cluster, Configuration Manager automatically checks each hour for changes to the SQL Server cluster node. Changes in the configuration of the SQL Server node that affect Configuration Manager component installation, such as a node failover or the
884

introduction of a new node to the SQL Server cluster, are automatically managed by Configuration Manager. Note When you use a clustered SQL Server instance to host the site database, the TCP/IP network communication protocol must be enabled for each SQL Server cluster node network connection. This is required to support Kerberos authentication. The named pipes communication protocol is not required, but can be used to troubleshoot Kerberos authentication issues. The network protocol settings are configured in SQL Server Configuration Manager under SQL Server Network Configuration.

Performance Considerations
Clustered SQL Server environments allow for failover support for the virtual SQL Server, and provide greater reliability for the site database. However, a site database on a clustered SQL Server configured for failover support does not provide additional processing or load balancing benefits and in fact, degradation in performance can occur. This is because the site server must find the active node of the SQL Server cluster before it connects to the site database.

SMS Provider Considerations

When you use a clustered SQL Server database to host the site database, install the SMS Provider on the site server or on a separate computer that does not host a SQL Server cluster node. It is not supported to install an instance of the SMS Provider on a SQL Server cluster or a computer that runs as a clustered SQL Server node.

How to Install Configuration Manager Using a Clustered SQL Server Instance

Use the following procedures to install the Configuration Manager site database for a central administration site or primary site, using a clustered virtual SQL Server instance during setup. Note During Configuration Manager Setup, the Volume Shadow Copy Service (VSS) writer will install on each physical computer node of the Microsoft Windows Server cluster to support the Backup Site Server maintenance task. To install Configuration Manager using a clustered SQL Server instance 1. Create the virtual SQL Server cluster to host the site database on an existing Windows Server cluster environment. For specific steps to install and configure a SQL Server cluster, see the documentation specific to your version of SQL Server. For example, if you are using SQL Server 2008 R2, see Installing a SQL Server 2008 R2 Failover Cluster. 2. On each computer in the SQL Server cluster you can place a file with the name NO_SMS_ON_DRIVE.SMS in the root folder of each drive where you do not want
885

Configuration Manager to install site components. By default, Configuration Manager installs some components on each physical node to support operations such as backup. 3. Add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. 4. In the virtual SQL Server instance, assign the sysadmin SQL Server role to the user account that runs Configuration Manager Setup. 5. Use Configuration Manager Setup to install the site using one of the procedures from the topic Install Sites and Create a Hierarchy for Configuration Manager, with the following alteration: a. On the Database Information page, specify the name of the clustered virtual SQL Server instance that will host the site database, in place of the name of the computer that runs SQL Server. Important During setup, you must enter the name of the virtual SQL Server cluster instance, and not the virtual Windows Server name created by the Windows Server cluster. Installing the site database using the Windows Server cluster virtual instance name will result in the site database being installed on the local hard drive of the active Windows Server cluster node, and it will prevent successful failover if that node fails. 6. Complete the remainder of the Setup Wizard normally, to install Configuration Manager using a clustered SQL Server instance. To configure Configuration Manager to use a site database on a clustered SQL Server instance 1. Create the virtual SQL Server cluster to host the site database on an existing Windows Server cluster environment. For specific steps to install and configure a SQL Server cluster, see the documentation specific to your version of SQL Server. For example, if you are using SQL Server 2008 R2, see Installing a SQL Server 2008 R2 Failover Cluster. 2. On each computer in the SQL Server cluster you can place a file with the name NO_SMS_ON_DRIVE.SMS in the root folder of each drive where you do not want Configuration Manager to install site components. By default, Configuration Manager installs some components on each physical node to support operations such as backup. 3. Add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer. 4. In the virtual SQL Server instance, assign the sysadmin SQL Server role to the user account that runs Configuration Manager Setup. 5. On the site server, start the local copy of Configuration Manager Setup and on the Getting Started page, select Perform site maintenance or reset this Site, and then click Next. 6. On the Site Maintenance page, select Modify SQL Server configuration, and then click Next.
886

7. On the Database Information page, specify the name of the clustered virtual SQL Server instance to host the site database, and then click Next. 8. Complete the Wizard to complete the move of the database to the virtual SQL Server cluster. To verify that the site database was installed successfully 1. Verify that Configuration Manager Setup completed successfully by reviewing the ConfigMgrSetup.log file located at the root of the system drive on site server computer. 2. In SQL Server Management Studio, verify that the site database was created successfully. 3. In the SQL Server Management Studio, verify that the following Database Roles were created for the site database: smsdbrole_MP smsdbrole_siteprovider smsdbrole_siteserver Note Depending on your site configuration, additional roles might be listed. 4. Verify that the following SQL Server Database Roles for the site database have been assigned with the appropriate computer accounts: smsdbrole_MP: The computer account for each management point at the site. smsdbrole_siteprovider: The computer account for the site server and each computer that runs an instance of the SMS Provider for the site. smsdbrole_siteserver: The computer account for the site server computer. Note Depending on your site configuration, additional roles might be listed.

Configure Custom Locations for the Site Database Files

Configuration Manager supports custom locations for SQL Server database files. To use custom locations for files when you use System Center 2012 Configuration Manager with no service pack or with SP1, you can pre-create a SQL Server database that uses nondefault file locations. Next, when you install a site, direct the site to use this pre-created database. You cannot specify custom file locations during the install of a site when you use either version of Configuration Manager to create the site database. Beginning with System Center 2012 R2 Configuration Manager, when you install a new primary site or central administration site, you can specify non-default file locations and Configuration Manager will create the site database using these locations. Optionally, you can still pre-create a SQL Server database that uses non-default file locations and then when you install the site specify that the site use that pre-created database.
887

Note The option to specify non-default file locations is not available when you use a SQL Server cluster. Also, you can change the location of the site database files after a site installs. To change the location of files after the site installs, you must stop the Configuration Manager site and then edit the file location in SQL Server. Use the following procedure at an installed site to move the file location within an instance of SQL Server. To change the file location for a site database: 1. On the Configuration Manager site server, stop the SMS_Executive service. 2. Use the information about moving user databases for the version of SQL Server that you use. For example, if you use SQL Server 2008 R2, see Moving User Databases in the online documentation library for SQL Server 2008 R2. 3. After you complete the database file move, restart the SMS_Executive service on the Configuration Manager site server.

Modify the Site Database Configuration

After you install a site, you can modify the configuration of the site database and site database server by running Setup on a central administration site server or primary site server. It is not supported to modify the database configuration for a secondary site. Note When you modify the database configuration for a site, Configuration Manager restarts or reinstalls Configuration Manager services on the site server and remote site system servers that communicate with the database. To modify the database configuration, you must run Setup on the site server and select the option Perform site maintenance or reset this site. Next, select the Modify SQL Server configuration option. You can change the following site database configurations: The Windows-based server that hosts the database. The instance of SQL Server in use on a server that hosts the SQL Server database. The database name. Important Although the Setup wizard allows you to change the port configuration of the SQL Server Service Broker, Configuration Manager does not support changing the port for SQL Server after the site is installed. You can only configure the TCP port for SQL Server when you install a site. You can move the site database to a new instance of SQL Server on the same computer, or to a different computer that runs a supported version of SQL Server. If you move the site database, you must configure the following:
888

When you move the site database to a new computer, add the computer account of the site server to the Local Administrators group on the computer that runs SQL Server. If you use a SQL Server cluster for the site database, you must add the computer account to the Local Administrators group of each Windows Server cluster node computer. When you move the database to a new instance on SQL Server, or to a new SQL Server computer, you must enable common language runtime (CLR) integration. To enable CLR, use SQL Server Management Studio to connect to the instance of SQL Server that hosts the site database and run the following stored procedure as a query: sp_configure clr enabled,1; reconfigure. Important Before you move a database that has one or more database replicas for management points, you must first remove the database replicas. After you complete the database move, you can reconfigure database replicas. For more information see the Operations for Using Database Replicas section in the Configure Database Replicas for Management Points topic.

After you have installed the Configuration Manager site, use the information in the following sections to help you manage a site database configuration. For information about planning site database configurations, see Planning for Database Servers in Configuration Manager.

How to Manage the SPN for SQL Server Site Database Servers
When you configure SQL Server to use the local system account to run SQL Server services, a Service Principal Name (SPN) for the account is automatically created in Active Directory Domain Services. When the local system account is not in use, you must manually register the SPN for the SQL Server service account. You can register an SPN for the SQL Server service account of the site database server by using the Setspn tool. You must run the Setspn tool on a computer that resides in the domain of SQL Server, and it must use Domain Administrator credentials to run. Use the following procedures as examples of how to manage the SPN for the SQL Server service account that uses the Setspn tool on Windows Server 2008 R2. For specific guidance about Setspn, see Setspn Overview, or similar documentation specific to your operating system. Note The following procedures reference the Setspn command-line tool. The Setspn command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center. For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools. To manually create a domain user Service Principal Name (SPN) for the SQL Server service account

889

1. On the Start menu, click Run, and then enter cmd in the Run dialog box. 2. At the command line, navigate to the Windows Server support tools installation directory. By default, these tools are located in the C:\Program Files\Support Tools directory. 3. Enter a valid command to create the SPN. To create the SPN, you can use the NetBIOS name or the fully qualified domain name (FQDN) of the computer running SQL Server. However, you must create an SPN for both the NetBIOS name and the FQDN. Important When you create an SPN for a clustered SQL Server, you must specify the virtual name of the SQL Server Cluster as the SQL Server computer name. To create an SPN for the NetBIOS name of the SQL Server computer, type the following command: setspn A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account> To create an SPN for the FQDN of the SQL Server computer, type the following command: setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account> Note The command to register an SPN for a SQL Server named instance is the same as that you use when you register an SPN for a default instance except that the port number must match the port that is used by the named instance. To verify the domain user SPN is registered correctly by using the Setspn command 1. On the Start menu, click Run, and then enter cmd in the Run dialog box. 2. At the command prompt, enter the following command: setspn L <domain\SQL Service Account>. 3. Review the registered ServicePrincipalName to ensure that a valid SPN has been created for the SQL Server. To verify the domain user SPN is registered correctly when using the ADSIEdit MMC console 1. On the Start menu, click Run, and then enter adsiedit.msc to start the ADSIEdit MMC console. 2. If necessary, connect to the domain of the site server. 3. In the console pane, expand the site server's domain, expand DC=<server distinguished name>, expand CN=Users, right-click CN=<Service Account User>, and then click Properties. 4. In the CN=<Service Account User> Properties dialog box, review the servicePrincipalName value to ensure that a valid SPN has been created and associated with the correct SQL Server computer. To change the SQL Server service account from local system to a domain user account 1. Create or select a domain or local system user account that you want to use as the SQL
890

Server service account. 2. Open SQL Server Configuration Manager. 3. Click SQL Server Services, and then double-click SQL Server<INSTANCE NAME>. 4. On the Log on tab, select This account, and then enter the user name and password for the domain user account created in step 1, or click Browse to find the user account in Active Directory Domain Services, and then click Apply. 5. Click Yes in the Confirm Account Change dialog box to confirm the service account change and restart the SQL Server Service. 6. Click OK after the service account has been successfully changed.

Manage Site Components with the Configuration Manager Service Manager

Use the Configuration Manager Service Manager to control System Center 2012 Configuration Manager services and to view the status of any Configuration Manager services or threads (referred to collectively as Configuration Manager components). Configuration Manager components can run on any site system. Components are managed the same way that you manage services in Windows; you can start, stop, pause, resume, or query Configuration Manager components. A Configuration Manager service runs when there is something for it to do (typically, when a configuration file is written to a component's inbox). If you have to identify the component involved in an operation, you can use the Configuration Manager Service Manager to manipulate various Configuration Manager services and threads and then view the resulting change in the behavior of Configuration Manager. For example, you can stop Configuration Manager services one at a time until a particular response is eliminated. Doing so enables you to determine which service causes the behavior. Tip The following procedure can be used to manipulate Configuration Manager component operation. If you want to modify the logging options of a component, see the Configure Logging Options by Using the Configuration Manager Service Manager section in the Technical Reference for Log Files in Configuration Manager topic. To use the Configuration Manager Service Manager 1. In the Configuration Manager console, click Monitoring, expand System Status, and then click Component Status. 2. On the Home tab, in the Component group, click Start, and then select Configuration Manager Service Manager. 3. When the Configuration Manager Service Manager opens, connect to the site that you want to manage. If you do not see the site that you want to manage, click Site, click Connect, and then
891

enter the name of the site server of the correct site. 4. Expand the site and navigate to Components or Servers depending on where the components that you want to manage are located. 5. In the right pane, select one or more components and then on the Component menu, click Query to update the status of your selection. 6. After the status of the component is updated, use one of the four action-based options on the Component menu to modify the components operation. After you request an action, you must query the component to display the new status of the component. 7. Close the Configuration Manager Service Manager when you are finished modifying the operational status of components.

Perform a Site Reset

Configuration Manager uses a site reset to reapply the default file and registry permissions on a primary or central administration site server and to reinstall site components at a site. Secondary sites do not support a site reset. You can perform a manual site reset to restore these settings, and Configuration Manager runs a site reset automatically after you make a configuration change that requires this action. For example, if there has been a change to the accounts used by Configuration Manager components, a manual site reset ensures the account details used by the components are correct and resets the access control lists (ACLs) used by remote site systems to access the site server. Or, if you modify the client or server languages that a site supports, Configuration Manager automatically runs a site reset because the reset is required before a site can use this change. Note A site reset does not reset access permissions to non-Configuration Manager objects. Important A site reset reinstalls all site system roles at a site. During a site reset, Setup stops and restarts the SMS_SITE_COMPONENT_MANAGER service and the thread components of the SMS_EXECUTIVE service. Additionally, Setup removes, and then re-creates, the site system share folder and the SMS Executive component on the local computer and on remote site system computers. After Setup reinstalls the SMS_SITE_COMPONENT_MANAGER service, this service installs the SMS_EXECUTIVE and the SMS_SQL_MONITOR services. In addition, a site reset restores the following objects: The SMS or NAL registry keys, and any default subkeys under these keys. The Configuration Manager file directory tree, and any default files or subdirectories in this file directory tree.

Permissions to Perform a Site Reset

The account that you use to perform a site reset must have the following permissions:

892

Central administration site: The account that you use to run a site reset at this site must be a local administrator on the central administration site server and must have privileges that are equivalent to the Full Administrator role-based administration security role. Primary site: The account that you use to run a site reset at this site must be a local administrator on the primary site server and must have privileges that are equivalent to the Full Administrator role-based administration security role. If the primary site is in a hierarchy with a central administration site, this account must also be a local administrator on the central administration site server.

How To Perform a Site Reset

You can perform a site reset of a Configuration Manager primary site or central administration site, by starting Configuration Manager Setup on the Start menu of the site server computer or on the Configuration Manager source media. To perform a site reset 1. Run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this site, and then click Next. 3. On the Site Maintenance page, select Reset site with no configuration changes, and then click Next. 4. Click Yes to begin the site reset. When the site reset is finished, click Close to complete this procedure.

Manage Language Packs at Configuration Manager Sites

Use the information in the following sections to help you manage server and client language packs for your Configuration Manager sites.

Add Language Packs to a Site

To add support for a server language pack or client language pack to a site, run Configuration Manager Setup and select the languages to use. When you add server language packs to a site they are made available for Configuration Manager console installations and applicable site system roles. When you add client language packs to a site, Configuration Manager adds them to the client installation source files so that new client installations, or upgrades, can add support for the current list of client languages. How to add language packs during site installation: To add support for language packs to a new central administration site, or a primary site, use the appropriate procedure in the Install a Site Server section of the Install Sites and Create a Hierarchy for Configuration Manager topic. The procedures in that topic include the selection of language packs when you install a site.
893

How to modify the languages packs at a site: To add or remove support for language packs at a previously installed site, run Setup from the Configuration Manager installation folder on the site server. Use the following procedure to modify the language packs that a site supports after the site is installed. To modify the language packs that are supported at a site 1. On the site server, run Configuration Manager Setup from <Configuration Manager site installation folder>\BIN\X64\setup.exe. 2. On the Getting Started page, select Perform site maintenance or reset this Site, and then click Next. 3. On the Site Maintenance page, select Modify language configuration, and then click Next. 4. On the Prerequisites Downloads page, select Download required files to acquire updates to language packs, or select Use previously downloaded files to use previously downloaded files that include the language packs you want to add to the site. Click Next to validate the files and continue. 5. On the Server Language Selection page, select the check box for server languages this site supports, and then click Next. 6. On the Client Language Selection page, select the check box for client languages that this site supports, and then click Next. 7. Click Next, to modify language support at the site. Note Configuration Manager initiates a site reset which also reinstalls all site system roles at the site. 8. Click Close to complete this procedure.

Update Servers and Clients with New Language Packs

Use the information in the following sections and to add support for language packs.

How to Update Language Packs on Clients

After you update the client language packs at a site, you must install each client that will use the language packs by using source files that include the client language packs. For information about how to install clients with support for language packs, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic.

894

How to Update Language Packs on Site Servers and Site Systems

After you update the server language packs at a site, there are no additional actions required. Configuration Manager automatically updates applicable components.

How to Update Language Packs on Configuration Manager Consoles

After you update the server language packs at a site, you can add support for the language packs to Configuration Manager consoles. To add support for a server language pack to a Configuration Manager console, you must install the Configuration Manager console from the ConsoleSetup folder on a site server that includes the language pack that you want to use. If the Configuration Manager console is already installed, you must first uninstall it to enable the new installation to identify the current list of supported language packs. For more information about how to install Configuration Manager consoles with support for additional languages, see the Manage Configuration Manager Console Languages section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Configure the Status System for Configuration Manager

Use the following procedures to configure the status system for Configuration Manager. All major System Center 2012 Configuration Manager components generate status messages. The Configuration Manager status system operates without configuration by using default settings that are suitable for most environments. However, you can configure the following: Status Summarizers: Configure the frequency of status messages that generate a status indicator change for the components that are tracked. There are four summarizers: Application Deployment Summarizer Application Statistics Summarizer Component Status Summarizer Site System Status Summarizer

Status Filter Rules: You can create custom status filter rules and modify the default rules. Note Status filter rules do not support the use of environment variables to run external commands.

Status Reporting: Configure the status reporting for server and client components.

The status system maintains separate configurations for each site so you must edit the status system for each site. Use the following sections to configure the Configuration Manager status system: Configure Status Summarizers
895

Configure Status Filter Rules Configure Status Reporting

Configure Status Summarizers

Use the following procedures to edit the status summarizers at each site. To configure status summarizers 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site for which you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Summarizers. 4. In the Status Summarizers dialog box, select the status summarizer that you want to configure, and then click Edit to open the properties for that summarizer. If you are editing the Application Deployment or Application Statistics summarizer, proceed with step 5. If you are editing the Component Status skip to step 6. If you are editing the Site System Status summarizer, skip to step 7. 5. Use the following steps after you open the property page for either the Application Deployment Summarizer or the Application Statistics Summarizer: a. On the General tab of the summarizers properties page configure the summarization intervals and then click OK to close the properties page. b. Click OK to close the Status Summarizers dialog box and complete this procedure. 6. Use the following steps after you open property pages for the Component Status Summarizer: a. On the General tab of the summarizers properties page configure the replication and threshold period values. b. On the Thresholds tab, select the Message type you want to configure, and then click the name of a component in the Thresholds list. c. In the Status Threshold Properties dialog box, edit the warning and critical threshold values, and then click OK.

d. Repeat steps 6.b and 6.c as needed and when you are finished, click OK to close the summarizer properties. e. Click OK to close the Status Summarizers dialog box and complete this procedure. 7. Use the following steps after you open the property pages for the Site System Status Summarizer: a. On the General tab of the summarizers properties page configure the replication and schedule values. b. On the Thresholds tab, specify values for the Default thresholds to configure default thresholds for critical and warning status displays. c. To edit the values for specific Storage objects, select the object from the Specific thresholds list, and then click the Properties button to access and edit the storage objects warning and critical thresholds. Click OK to close the storage objects
896

properties. d. To create a new storage object, click the Create Object button and specify the storage objects values. Click OK to close the objects properties. e. To delete a storage object, select the object and then click the Delete button. f. Repeat steps 7.b through 7.e as needed. When you are finished, click OK to close the summarizer properties.

g. Click OK to close the Status Summarizers dialog box and complete this procedure.

Configure Status Filter Rules

Use the following procedures to create new status filter rules, modify the priority of rules, disable or enable rules, and delete unused rules at each site. To create a status filter rule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site where you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Filter Rules. The Status Filter Rules dialog box opens. 4. Click Create. 5. In the Create Status Filter Rule Wizard, on the General page, specify a name for the new status filter rule and message-matching criteria for the rule, and then click Next. 6. On the Actions page, specify the actions to be taken when a status message matches the filter rule, and then click Next. 7. On the Summary page review the details for the new rule, and then complete the wizard. Note Configuration Manager only requires that the new status filter rule has a name. If the rule is created but you do not specify any criteria to process status messages, the status filter rule will have no effect. This behavior allows you to create and organize rules before you configure the status filter criteria for each rule. To modify or delete a status filter rule 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site where you want to configure the status system. 3. On the Home tab, in the Settings group, click Status Filter Rules. 4. In the Status Filter Rules dialog box, select the rule that you want to modify and then take one of the following actions: Click Increase Priority or Decrease Priority to change the processing order of the
897

status filter rule. Then select another action or go to step 8 of this procedure to complete this task. Click Disable or Enable to change the status of the rule. After you change the status of the rule, select another action or go to step 8 of this procedure to complete this task. Click Delete if you want do delete the status filter rule from this site, and then click Yes to confirm the action. After you delete a rule, select another action or go to step 8 of this procedure to complete this task. Click Edit if you want to change the criteria for the status message rule, and continue to step 5 of this procedure.

5. On the General tab of the status filter rule properties dialog box, modify the rule and message-matching criteria. 6. On the Actions tab, modify the actions to be taken when a status message matches the filter rule. 7. Click OK to save the changes. 8. Click OK to close the Status Filter Rules dialog box.

Configure Status Reporting

You can use the following procedure to modify how status messages are reported to the Configuration Manager status system. You can configure both server and client component reporting, and specify where status messages are sent. Warning Because the default reporting settings are appropriate for most environments, change them with caution. When you increase the level of status reporting by choosing to report all status details you can increase the amount of status messages to be processed which increases the processing load on the Configuration Manager site. If you decrease the level of status reporting you might limit the usefulness of the status summarizers. To configure status reporting 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select where you want to configure the status system. 3. On the Home tab, in the Settings group, click Configure Site Components, and select Status Reporting. 4. In the Status Reporting Component Properties dialog box, specify the server and client component status messages that you want to report or log: a. Configure Report to send status messages to the Configuration Manager status message system. b. Configure Log to write the type and severity of status messages to the Windows event log.
898

5. Click OK.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Configure Maintenance Tasks for Configuration Manager Sites

System Center 2012 Configuration Manager sites and hierarchies require regular maintenance and monitoring to provide services effectively and continuously. Regular maintenance ensures that the hardware, software, and the Configuration Manager database continue to function correctly and efficiently. Each Configuration Manager site supports maintenance tasks that help maintain the operational efficiency of the Configuration Manager database. By default, several maintenance tasks are enabled in each site, and all tasks support independent schedules. Maintenance tasks are configured individually for each site and apply to the database at that site; however, some tasks, such as Delete Aged Discovery Data, affect the information available in all sites in a hierarchy. For more information about planning for site maintenance, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic.

Use the following procedure to help you configure the common settings of maintenance tasks. To configure maintenance tasks for Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Sites. 3. Select the site that contains the maintenance task that you want to configure. 4. On the Home tab, in the Settings group, click Site Maintenance, and then select the maintenance task you want to configure. Tip Only the tasks available at the selected site are displayed. 5. To configure the task, click Edit, ensure the Enable this task check box is selected, and configure a schedule for when the task runs. If the task also deletes aged data, configure the age of data that will be deleted from the database when the task runs. Click OK to close the task Properties. Note
899

For Delete Aged Status Messages, you configure the age of data to delete when you configure status filter rules. 6. To enable or disable the task without editing the task properties, click the Enable or Disable button. The button label changes depending on the current configuration of the task. 7. When you are finished configuring the maintenance tasks, click OK to complete the procedure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Monitor Configuration Manager Sites and Hierarchy

Use the information in the following sections to help you monitor the infrastructure and common operations for System Center 2012 Configuration Manager. To monitor infrastructure and operations in Configuration Manager, use the Monitoring workspace in the Configuration Manager console. Note The exception to this location is Migration, which is monitored directly in the Migration node in the Administration workspace. For more information, see Monitor Migration Activity in the Migration Workspace. In addition to using the Configuration Manager console for monitoring, you can use the Configuration Manager reports, or view Configuration Manager log files for Configuration Manager components. For information about reports, see Reporting in Configuration Manager. For information about log files, see About Configuration Manager Log Files. When you monitor sites, look for signs that indicate problems that require you to take action. For example: A backlog of files on site servers and site systems. Status messages that indicate an error or a problem. Failing intrasite communication. Error and warning messages in the system event log on servers. Error and warning messages in the Microsoft SQL Server error log. Sites or clients that have not reported in a long time. Sluggish response from the SQL Server database. Signs of hardware failure.

900

To minimize the risk of a site failure, if monitoring tasks reveal any signs of problems, investigate the source of the problem and repair it as soon as possible. Use the information in the following sections to help you monitor the infrastructure and common operations for Configuration Manager. Monitor Infrastructure for Configuration Manager About the Site Hierarchy Node How to Monitor Database Replication Links and Replication Status About the Replication Link Analyzer Procedures for Monitoring Database Replication

Monitor System Status for Configuration Manager Monitor Management Tasks for Configuration Manager Monitor Alerts in Configuration Manager

Monitor Infrastructure for Configuration Manager

Configuration Manager provides several methods to monitor the status and operations of your hierarchy. You can check system status of sites throughout the hierarchy, monitor intersite replication from a site hierarchy or geographical view, monitor replication links between sites for database replication, and use the Replication Link Analyzer tool to remediate replication issues.

About the Site Hierarchy Node

The Site Hierarchy node of the Monitoring workspace provides you with an overview of your Configuration Manager hierarchy and intersite links. You can use two views: Hierarchy Diagram: This view displays your hierarchy as a topology map that has been simplified to show only vital information. Geographical View: This view displays your sites on a geographical map showing site locations that you configure.

Use the Site Hierarchy node to monitor the health of each site and the intersite replication links and their relationship to external factors, such as a geographical location. Because site status and intersite link status replicate as site data and not global data, when you connect your Configuration Manager console to a child primary site, you cannot view the site or link status for other primary sites or their child secondary sites. For example, in a multi-primary site hierarchy, when your Configuration Manager console connects to a primary site, you can view the status of child secondary sites, the primary site, and the central administration site, but you cannot see the status for other nodes of the hierarchy below the central administration site. Use the Configure Settings command to control how the site hierarchy display renders. Configurations to the Site Hierarchy node that you make when your Configuration Manager console is connected to one site are replicated to all other sites.

901

Hierarchy Diagram
The hierarchy diagram displays your sites in a topology map. In this view, you can select a site and view a status message summary from that site, drill through to view status messages, and access the Properties dialog box of the sites. Additionally, you can pause the mouse pointer on a site or replication link between sites to view high-level status for that object. Because replication link status does not replicate globally, in a hierarchy with multiple primary sites, you must connect your Configuration Manager console to the central administration site to view the replication link details between all sites. The following options modify the hierarchy diagram: Groups: You can configure the number of primary sites and secondary sites that trigger a change in the hierarchy diagram display that combines the sites into a single object. When sites are combined into a single object, you see the total number of sites and a high-level rollup of status messages and site status. Group configurations do not affect the geographical view. Favorite sites: You can specify individual sites to be a favorite site. A star icon identifies a favorite site in the hierarchy diagram. Favorite sites are not combined with others sites when you used groups and always are displayed individually.

Geographical View
The geographical view displays the location of each site on a geographical map. Only sites that you configure with a location are displayed. When you select a site in this view, replication links to parent or child sites are shown. Unlike the hierarchy diagram view, you cannot display site status message or replication link details in this view. Note To use the geographical view, the computer to which your Configuration Manager console connects must have Internet Explorer installed and be able to access Bing Maps by using the HTTP protocol. The following option modifies the geographical view. Site Location: You can specify a geographical location for each site. You can specify the location as a street address, a place name such as the name of a city, or by latitude and longitude coordinates. For example, to use the latitude and longitude of Redmond Washington, you would specify N 47 40 26.3572 W 122 7 17.4432 as the location of the site. You do not need to specify the symbols for the degree, minutes or seconds of longitude or latitude. Configuration Manager uses Bing Maps to display the location on the geographical view. This provides you the option to view your hierarchy in relation to a geographical location, which can provide insight into regional issues that might affect specific sites or intersite replication. When you specify a location, you can use the Location box to search for a specific site in your hierarchy. With the site selected, enter the location as a city name or street address in the Location column. Configuration Manager uses Bing Maps to resolve the location.

902

How to Monitor Database Replication Links and Replication Status

In addition to high level details that are accessible from the Site Hierarchy node in the Monitoring workspace, beginning with Configuration Manager SP1 you can monitor details for database replication when you use the Database Replication node in the Monitoring workspace. From the Database Replication you can monitor the status of replication links between sites, and the initialization details and replication details for replication groups at the site to which your Configuration Manager console is connected. Tip Although a Database Replication node also appears under the Hierarchy Configuration node in the Administration workspace, you cannot view the replication status for database replication links from that location.

Replication Link Status

Database replication between sites involves the replication of several sets of information, called replication groups. Each replication group replicates with different replication priorities. By default, the data contained in a replication group and the frequency of replication cannot be modified. When a replication link is active, and does not have a status of failed or degraded, all replication groups replicate in a timely manner. When one or more replication groups fail to complete replication in the expected period of time, the link displays as degraded. Degraded links can still function, but you should monitor them to ensure that they return to active status, or investigate them to ensure that additional degradation or replication failures do not occur. Beginning with Configuration Manager SP1, for each replication link you can specify the number of times that an unsuccessfully replicated replication group retries to replicate before the status of the link is set to degraded or failed. Even if all but one replication group replicate successfully, the status of the link is set to degraded or failed because the one replication group fails to complete replication in the specified number of attempts. For information about replication thresholds, see the Plan for Database Replication Thresholds section in the Planning for Communications in Configuration Manager topic. Use the information in following table to understand the status of replication links that might require further investigation.
Link description More information

Link is active Link is degraded

No problems have been detected, and communication across the link is current. Replication is functional, but at least one replication object or group is delayed. Monitor links that are in this state and review information from both sites on the link for
903

Link description

More information

indications that the link might fail. A link can also display a status of degraded when the site that receives replicated data is unable to quickly commit the data to the database. This can happen when large volumes of data replicate. For example, if you deploy a software update to a large number of computers, the volume of data that replicates might take some time to be processed by the parent site on the link. A processing lag at the parent site can result in the link status being set to degraded until the parent site can successfully process the backlog of data. Link has failed Replication is not functional. It is possible that a replication link might recover without further action. You can use the Replication Link Analyzer to investigate and help remediate replication on this link. This status can also indicate a problem with the physical network between the parent and child site on the replication link. While a parent site is in the process of upgrading to a new service pack and you view the link status from the child site, the link status displays as active. After the upgrade, until the child site is also at the same service pack as the parent site, the link status displays as active when viewed from the parent site, and as being configured when viewed from the child site.

Replication Status
You can use the Database Replication node in the Monitoring workspace to view the status of replication for a replication link, and view details about the site database at each site on the replication link. Beginning with Configuration Manager SP1, you can also view details about replication groups. To view details, select a replication link, and then select the appropriate tab for the replication status you want to view. The following table provides details about the different tabs for replication status.
Tab Details

Summary

View high level information about the replication of site data and global data between the two sites on a link.
904

Tab

Details

You can also click View reports for historical traffic data to view a report that shows details about the network bandwidth used by replication across the replication link. Parent Site For the parent site on a replication link, view details about the database, which include: Child Site Firewall ports for the SQL Server Free disk space Database file locations Certificates

For the child site on a replication link, view details about the database, which include: Firewall ports for the SQL Server Free disk space Database file locations Certificates

Initialization Detail

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: View the initialization status for replication groups that replicate across the replication link. This information can help you identify when initialization of replication data is in progress or has failed. Additionally, You can use this information to identify when a site might be in interoperability mode. Interoperability mode occurs when the child site does not run the same version of Configuration Manager as the parent site.

Replication Detail

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: View the replication status for each replication group that replicates across the link. Use this information to help identify problems or delays for the replication of specific data, and to help
905

Tab

Details

determine the appropriate database replication thresholds for this link. For information about database replication thresholds, see the Plan for Database Replication Thresholds section in the Planning for Communications in Configuration Manager topic. Tip Replication groups for site data are sent only from the child site to the parent site. Replication groups for global data replicate in both directions.

About the Replication Link Analyzer

Configuration Manager includes Replication Link Analyzer which you use to analyze and repair replication issues. You can use Replication Link Analyzer to remediate replication link failures when replication has failed and when replication stops working but has not yet been reported as failed. Replication Link Analyzer can be used to remediate replication issues between the following computers in the Configuration Manager hierarchy (the direction of the replication failure does not matter): Between a site server and the site database server. Between a sites site database server and another sites site database computer (intersite replication).

You can run Replication Link Analyzer in either the Configuration Manager console or at a command prompt: To run in the Configuration Manager console: In the Monitoring workspace, click the Database Replication node, select the replication link that you want to analyze, and then in the Database Replication group on the Home tab, select Replication Link Analyzer. To run at a command prompt, type the following command: %path%\Microsoft Configuration Manager\AdminConsole\bin\Microsoft.ConfigurationManager.ReplicationLinkAnalyzer. Wizard.exe <source site server FQDN> <destination site server FQDN>

When you run Replication Link Analyzer, it detects problems by using a series of diagnostic rules and checks. When the tool runs, you can view the problems that the tool identifies. When instructions to resolve an issue are known, they are displayed. If Replication Link Analyzer can automatically remediate a problem, you are presented with that option. When Replication Link Analyzer finishes, it saves the results in the following XML-based report and a log file on the desktop of the user who runs the tool:
906

ReplicationAnalysis.xml ReplicationLinkAnalysis.log

When Replication Link Analyzer runs, it stops the following services while it remediates some problems, and restarts these services when remediation is complete: SMS_SITE_COMPONENT_MANAGER SMS_EXECUTIVE

If Replication Link Analyzer fails to complete remediation, review the site server and restart these services if they are stopped. Successful and unsuccessful investigation and remediation actions are logged to provide additional details that are not presented in the tool interface.

Prerequisites to use the Replication Link Analyzer

The following items are prerequisites to use the Replication Link Analyzer: The account that you use to run the Replication Link Analyzer must have local administrator rights on each computer that is involved in the replication link. The account does not require a specific role-based administration security role. Therefore, an administrative user with access to the Database Replication node can run the tool in the Configuration Manager console, or a system administrator with sufficient rights to each computer can run the tool at a command prompt. The account that you use to run the Replication Link Analyzer must have sysadmin rights on each SQL Server database that is involved in the replication link.

Procedures for Monitoring Database Replication

Use the following procedures to monitor database replication in Configuration Manager. To monitor high-level site-to-site database replication status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Site Hierarchy to open the Hierarchy Diagram view. 3. Briefly pause the mouse pointer on the line between the two sites to view the status of global and site data replication for these sites. To monitor the replication status for a replication link 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Database Replication, and then select the replication link for the link that you want to monitor. Then, in the workspace, select the appropriate tab to view different details about the replication status for that link.

907

Monitor System Status for Configuration Manager

System status in Configuration Manager provides an overview of the general operations of sites and site server operations of your hierarchy. It can reveal operational problems for site system servers or components, and you can use the system status to review specific details for different Configuration Manager operations. You monitor system status from the System Status node of the Monitoring workspace in the Configuration Manager console. Most Configuration Manager site system roles and components generate status messages. Status messages details are logged in each components operational log, but are also submitted to the site database where they are summarized and presented in a general rollup of each component or site systems health. These status message rollups provide information details for regular operations and warnings and error details. You can configure the thresholds at which warnings or errors are triggered and fine-tune the system to ensure rollup information ignores known issues that are not relevant to you while calling attention to actual problems on servers or for component operations that you might want to investigate. System status is replicated to other sites in a hierarchy as site data, not global data. This means you can only see the status for the site to which your Configuration Manager console connects, and any child sites below that site. Therefore, consider connecting your Configuration Manager console to the top-level site of your hierarchy when you view system status. Use the following table to identify the different system status views and when to use each one.
Node More information

Site Status

Use this node to view a rollup of the status of each site system to review the health of each site system server. Site system health is determined by thresholds that you configure for each site in the Site System Status Summarizer. You can view status messages for each site system, set thresholds for status messages, and manage the operation of the components on site systems by using the Configuration Manager Service Manager.

Component Status

Use this node to view a rollup of the status of each Configuration Manager component to review the components operational health. Component health is determined by thresholds that you configure for each site in the Component Status Summarizer. You can view status messages for each component, set thresholds for status
908

Node

More information

messages, and manage the operation of components by using the Configuration Manager Service Manager. Conflicting Records Use this node to view status messages about clients that might have conflicting records. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you have to reinstall a computer, the hardware ID would be the same, but the GUID that Configuration Manager uses might be changed. Status Message Queries Use this node to query status messages for specific events and related details. You can use status message queries to find the status messages related to specific events. You can often use status message queries to identify when a specific component, operation, or Configuration Manager object was modified, and the account that was used to make the modification. For example, you can run the built-in query for Collections Created, Modified, or Deleted to identify when a specific collection was created, and the user account used to create the collection.

Manage Site Status and Component Status

Use the following information to manage the site status and component status: To configure thresholds for the status system, see Configure the Status System for Configuration Manager. To manage individual components in Configuration Manager, use the Configuration Manager Service Manager.

View Status Messages

You can view the status messages for individual site system servers and components. To view status messages in the Configuration Manager console, select a specific site system server or component, and then click Show Messages. When you view messages, you can select
909

to view specific message types or messages from a specified period of time, and you can filter the results based on the status messages details.

Monitor Management Tasks for Configuration Manager

Configuration Manager provides built-in monitoring from within the Configuration Manager console. You can monitor many tasks including those related to software updates, power management, and the deployment of content throughout your hierarchy. Use the information in the following table to help you monitor common Configuration Manager tasks.
Monitoring task More information

Alerts Compliance Settings Content Deployment

See Monitor Alerts in Configuration Manager. See How to Monitor for Compliance Settings in Configuration Manager. For general information about monitoring content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about monitoring specific types of content deployment: To monitor Applications, see How to Monitor Applications in Configuration Manager. To monitor Packages and Programs, see How to Monitor Packages and Programs in Configuration Manager.

Endpoint Protection Out of Band Management Monitor Power Management Monitor Software Metering

See How to Monitor Endpoint Protection in Configuration Manager. See How to Monitor Out of Band Management in Configuration Manager. See How to Monitor and Plan for Power Management in Configuration Manager. See How to Monitor Software Metering in Configuration Manager. See the Monitor Software Updates section in the Operations and Maintenance for Software
910

Monitor Software Updates

Monitoring task

More information

Updates in Configuration Manager topic.

Monitor Alerts in Configuration Manager

Alerts are generated by Configuration Manager when a specific condition occurs. Typically, alerts are generated when an error occurs that you must resolve. However, alerts are also generated to warn you that a condition exists so that you can continue to monitor the situation. You can view alerts in the Alerts node of the Monitoring workspace. Alerts have one of the following alert states: Never triggered: The condition of the alert has not been met. Active: The condition of the alert is met. Canceled: The condition of an active alert is no longer met. This state indicates that the condition that caused the alert is now resolved. Postponed: An administrative user has configured Configuration Manager to evaluate the state of the alert at a later time. Disabled: The alert has been disabled by an administrative user. When an alert is in this state, Configuration Manager does not update the alert even if the state of the alert changes. Resolve the condition that caused the alert, for example, you resolve a network issue or a configuration issue that generated the alert. After Configuration Manager detects that the issue no longer exists, the alert state changes to Cancel. If the alert is a known issue, you can postpone the alert for a specific length of time. At that time, Configuration Manager updates the alert to its current state. You can postpone an alert only when it is active. You can edit the Comment of an alert so that other administrative users can see that you are aware of the alert. For example, in the comment you can identify how to resolve the condition, provide information about the current status of the condition, or explain why you postponed the alert.

You can take one of the following actions when Configuration Manager generates an alert:

For more information about how to manage alerts, see Configuring Alerts in Configuration Manager.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

911

Manage Cloud Services for Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Use the information in the following sections to help you manage cloud services that you use with System Center 2012 Configuration Manager: Monitor Cloud-Based Distribution Points Controlling the Cost of Cloud-Based Distribution Points Backup and Recovery of Cloud-Based Distribution Points Uninstalling Cloud-Based Distribution Points

For information about the Windows Intune connector, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

Monitor Cloud-Based Distribution Points

When you use cloud-based distribution points, you can monitor the content that you deploy to each distribution point, and you can monitor the cloud service that hosts the distribution point. You monitor content that you deploy to a cloud-based distribution point the same way as you would deploy content to on-premises distribution points. For general information about how to monitor content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor specific types of content deployment: To monitor application deployments, see How to Monitor Applications in Configuration Manager. To monitor package and program deployments, see How to Monitor Packages and Programs in Configuration Manager.

To monitor the cloud-based distribution point, Configuration Manager periodically checks the Windows Azure service and raises an alert if the service is not active, or if there are subscription or certificate issues. You can also view details about the distribution point in the Cloud Distribution Points node under Cloud Services in the Administration workspace of the Configuration Manager console. From this location, you view high-level information about the distribution point, or select a distribution point, and then edit its Properties. When you edit the properties of a cloud-based distribution point, you can adjust the data thresholds for storage and alerts. You can also manage content as you would for an on-premises distribution point. Finally, for each cloud-based distribution point, you can view, but not edit, the subscription ID, service name, and other related details that are specified when the cloud-based distribution is installed. Note
912

With Configuration Manager SP1, you view details about cloud-based distribution points in the Cloud node under Hierarchy Configurations. For more information about how to control the cost of using a cloud-based distribution point, including how to set thresholds and alerts, see Controlling the Cost of Cloud-Based Distribution Points.

Controlling the Cost of Cloud-Based Distribution Points

In Configuration Manager you can specify thresholds for the amount of content that you want to store on the distribution point, and the amount of content that you want clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content that you have stored on the distribution point is near the specified storage amount, or when data that clients transfer are close to the thresholds that you defined. The following table provides information about these thresholds.
Option Description

Client Settings for Cloud

You control access to all cloud-based distribution points in a hierarchy by using Client Settings. In Client Settings, the category Cloud Settings supports the setting Allow access to cloud distribution points. By default, this setting is set to No. You can enable this setting for both Users and Devices.

Thresholds for data transfers

You can configure thresholds for the amount of data that you want to store on the distribution point, and for the amount of data that clients download from the distribution point. Thresholds for cloud-based distribution points include the following: Storage alert threshold: A storage alert threshold sets an upper limit on the amount of data or content that you want store on the cloud-based distribution point. You can specify Configuration Manager to generate a warning alert when the remaining free space of your storage alert threshold reaches the level that you specify. Transfer alert threshold: A transfer alert threshold helps you to monitor the amount
913

Option

Description

of content that transfers from the distribution point to clients for a 30-day period. The transfer alert threshold monitors the transfer of data for the last 30 days, and can raise a warning alert and a critical alert when transfers reach values that you define. Important Configuration Manager monitors the transfer of data, but does not stop the transfer of data beyond the specified transfer alert threshold. You can specify thresholds for each cloudbased distribution point during the installation of the distribution point, or you can edit the properties of each cloud-based distribution point after it is installed. Alerts You can configure Configuration Manager to raise alerts about data transfers to and from each cloud-based distribution point, based on the data transfer thresholds that you specify. These alerts help you monitor data transfers, and can help you decide when to stop the cloud service to prevent its use, adjust the content that you store on the distribution point, or modify which clients can use cloud-based distribution points. In an hourly cycle, the primary site that monitors the cloud-based distribution point downloads transaction data from Windows Azure and stores it in the CloudDP<ServiceName>.log on the site server. Configuration Manager then evaluates this information against the storage and transfer quotas for each cloud-based distribution point. When the transfer of data reaches or exceeds the specified volume for either warning or critical alerts, Configuration Manager generates the appropriate alert. Warning
914

Option

Description

Because information about data transfers is downloaded from Windows Azure hourly, that data usage might exceed a warning or critical threshold before Configuration Manager can access the data and raise an alert. Note Alerts for a cloud-based distribution point depend on usage statistics from Windows Azure, and can take up to 24 hours to become available. For information about Storage Analytics for Windows Azure, including how frequently Windows Azure updates use statistics, see Storage Analytics in the MSDN Library. Stop or start the cloud service on demand You can use the option to stop a cloud service at any time to prevent clients from using the service continuously. When you stop the cloud service, you immediately prevent clients from downloading additional content from the service. Additionally, you can restart the cloud service to restore access for clients. For example, you might want to stop a cloud service when data thresholds are reached. When you stop a cloud service, the cloud service does not delete the content from the distribution point and does not prevent the site server from transferring additional content to the cloud-based distribution point. To stop a cloud service, in the Configuration Manager console, select the distribution point in the Cloud Distribution Points node under Cloud Services, in the Administration workspace. Next, click Stop service to stop the cloud service that runs in Windows Azure. Note With Configuration Manager SP1, you manage the cloud service in the Cloud
915

Option

Description

node under Hierarchy Configurations. In addition to the use of data thresholds, client settings, and directly managing the cloud service, peer caching can help reduce the number of data transfers from cloud-based distribution points. By default, Configuration Manager clients that are configured for Windows BranchCache can transfer content by using cloud-based distribution points. For more information, see the following: The section Planning for BranchCache Support in the Planning for Content Management in Configuration Manager topic. The section BranchCache Feature Support in the Supported Configurations for Configuration Manager topic.

Backup and Recovery of Cloud-Based Distribution Points

When you use a cloud-based distribution point in your hierarchy, use the following information to help you plan for backup or recovery of the distribution point: When you use the predefined Backup Site Server maintenance task, Configuration Manager automatically includes the configurations for the cloud-based distribution point. It is best practice to back up and save a copy of both the management certificate and service certificate in use with a cloud-based distribution point. In the event that you restore the Configuration Manager primary site that manages the cloud-base distribution point to a different computer, you must re-import the certificates before you can continue to use them.

Uninstalling Cloud-Based Distribution Points

To uninstall a cloud-based distribution point, select the distribution point in the Configuration Manager console, and then select Delete. When you delete a cloud-based distribution point from a hierarchy, Configuration Manager removes the content from the cloud service in Windows Azure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

916

Backup and Recovery in Configuration Manager

Enterprise solutions such as System Center 2012 Configuration Manager must prepare for both backup and recovery operations to avoid loss of critical data. For Configuration Manager sites, this preparation ensures that sites and hierarchies are recovered with the least data loss and in the quickest possible time. Use the sections in this topic to help you back up your Configuration Manager sites and recover a site in the event of site failure or data loss. SMS Writer Service Back up a Configuration Manager Site Backup Maintenance Task Using Data Protection Manager to Back up Your Site Database Archiving the Backup Snapshot Using the AfterBackup.bat File Supplemental Backup Tasks Determine Your Recovery Options Site Server Recovery Options Site Database Recovery Options

Recover a Configuration Manager Site

Unattended Site Recovery Script File Keys Post-Recovery Tasks Recover a Secondary Site

SMS Writer Service

The SMS Writer is a service that interacts with the Volume Shadow Copy Service (VSS) during the backup process. The SMS Writer service must be running for the Configuration Manager site back up to successfully complete.

Purpose
SMS Writer registers with the VSS service and binds to its interfaces and events. When VSS broadcasts events, or if it sends specific notifications to the SMS Writer, the SMS Writer responds to the notification and takes the appropriate action. The SMS Writer reads the backup control file (smsbkup.ctl), located in the <ConfigMgr Installation Path>\inboxes\smsbkup.box, and determines the files and data that is to be backed up. The SMS Writer builds metadata, which consists of various components, based on this information as well as specific data from the SMS registry key and subkeys. It sends the metadata to VSS when it is requested. VSS then sends the metadata to the requesting application; Configuration Manager Backup Manager. Backup Manager selects the data that gets backed up and sends this data to the SMS Writer via VSS.
917

The SMS Writer takes the appropriate steps to prepare for the backup. Later, when VSS is ready to take the snapshot, it sends an event, the SMS Writer stops all Configuration Manager services and ensures that the Configuration Manager activities are frozen while the snapshot is created. After the snapshot is complete, the SMS Writer restarts services and activities. The SMS Writer service is installed automatically. It must be running when the VSS application requests a backup or restore.

Writer ID
The writer ID for the SMS Writer is: 03ba67dd-dc6d-4729-a038-251f7018463b.

Permissions
The SMS Writer service must run under the Local System account.

Volume Shadow Copy Service

The VSS is a set of COM APIs that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes. The VSS provides a consistent interface that allows coordination between user applications that update data on disk (the SMS Writer service) and those that back up applications (the Backup Manager service). For more information about VSS, see the Volume Shadow Copy Service topic in the Windows Server TechCenter.

Back up a Configuration Manager Site

System Center 2012 Configuration Manager provides a backup maintenance task that runs on a schedule and backs up the site database, specific registry keys, and specific folders and files. You can create the AfterBackup.bat file to perform post-backup actions automatically after the backup maintenance task runs successfully. The AfterBackup.bat file is most frequently used to archive the backup snapshot to a secure location. However, you can also use the AfterBackup.bat file to copy files to your backup folder and start other supplemental backup tasks. Use the following sections to help you create your Configuration Manager backup strategy. Note Configuration Manager can recover the site database from the Configuration Manager backup maintenance task or from a site database backup that you perform by using another process. For example, you can restore the site database from a backup that is performed as part of a Microsoft SQL Server maintenance plan. Starting in Configuration Manager SP1, you can restore the site database from a backup that is performed by using System Center 2012 Data Protection Manager (DPM). For more information, see Using Data Protection Manager to Back up Your Site Database.

918

Backup Maintenance Task

You can automate backup for Configuration Manager sites by scheduling the predefined Backup Site Server maintenance task. You can back up a central administration site and primary site, but there is no backup support for secondary sites or site system servers. When the Configuration Manager backup service runs, it follows the instructions defined in the backup control file (<ConfigMgrInstallationFolder>\Inboxes\Smsbkup.box\Smsbkup.ctl). You can modify the backup control file to change the behavior of the backup service. Site backup status information is written to the Smsbkup.log file. This file is created in the destination folder that you specify in the Backup Site Server maintenance task properties. Use the following procedure to enable the site backup maintenance task for a site. To enable the site backup maintenance task 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the site in which you want to enable the site backup maintenance task. 4. On the Home tab, in the Settings group, click Site Maintenance Tasks. 5. Click Backup Site Server and then click Edit. 6. Select Enable this task, and then click Set Paths to specify the backup destination. You have the following options: Security To help prevent tampering of the backup files, store the files in a secure location. The most secure backup path is to a local drive so you can set NTFS file system permissions on the folder. Regardless of which option you select, Configuration Manager does not encrypt the backup data that is stored in the backup path. Local drive on site server for site data and database: Specifies that the backup files for the site and site database are stored in the specified path on the local disk drive of the site server. You must create the local folder before the backup task runs. Security The Local System account on the site server must have Write NTFS file system permissions to the local folder for the site server backup. The Local System account on the computer that is running SQL Server must have Write NTFS permissions to the folder for the site database backup. Network path (UNC name) for site data and database: Specifies that the backup files for the site and site database are stored in the specified UNC path. You must create the share before the backup task runs. Security The computer account of the site server and the computer account of the SQL Server, if SQL Server is installed on another computer, must have Write NTFS and share permissions to the shared network folder.
919

Local drives on site server and SQL Server: Specifies that the backup files for the site are stored in the specified path on the local drive of the site server, and the backup files for the site database are stored in the specified path on the local drive of the site database server. You must create the local folders before the backup task runs. Security The computer account of the site server must have Write NTFS permissions to the folder that you create on the site server. The computer account of the SQL Server must have Write NTFS permissions to the folder that you create on the site database server. This option is available only when the site database is not installed on the site server. Note The option to browse to the backup destination is only available when you specify the UNC path of the backup destination. Important The folder name or share name that is used for the backup destination does not support the use of Unicode characters.

7. Configure an appropriate schedule for the site backup task. As a best practice, consider a backup schedule that is outside active working hours. If you have a hierarchy, consider a schedule that runs at least two times a week to ensure maximum data retention in the event of site failure. Note When you run the Configuration Manager console on the same site server that you are configuring for backup, the Backup Site Server maintenance task uses local time for the schedule. When the Configuration Manager console is run from a computer remote from the site that you are configuring for backup, the Backup Site Server maintenance task uses UTC for the schedule. 8. Select whether to create an alert if the site backup task fails, click OK, and then click OK. When selected, Configuration Manager creates a critical alert for the backup failure that you can review in the Alerts node in the Monitoring workspace.

Verify that the Backup Site Server maintenance task is running successfully after you schedule it, to ensure that you are prepared to recover the site if it fails, and also to help plan for data recovery. Use the following procedure to verify that the site backup maintenance task is completed successfully. To verify that the Backup Site Server maintenance task is completed successfully Verify that the Site Backup maintenance task is completed successfully by reviewing any of the following: Review the timestamp on the files in the backup destination folder that the Backup
920

Site Server maintenance task created. Verify that the timestamp has been updated with a time that coincides with the time when the Backup Site Server maintenance task was last scheduled to run. In the Component Status node in the Monitoring workspace, review the status messages for SMS_SITE_BACKUP. When site backup is completed successfully, you see message ID 5035, which indicates that the site backup was completed without any errors. When the Backup Site Server maintenance task is configured to create an alert if backup fails, you can check the Alerts node in the Monitoring workspace for backup failures. In <ConfigMgrInstallationFolder >\Logs, review Smsbkup.log for warnings and errors. When site backup is completed successfully, you see Backup completed with a timestamp and message ID STATMSG: ID=5035. Tip When the backup maintenance task fails, you can restart the backup task by stopping and restarting the SMS_SITE_BACKUP service.

Using Data Protection Manager to Back up Your Site Database

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Starting in Configuration Manager SP1, you can use System Center 2012 Data Protection Manager (DPM) to back up your site database. You must create a new protection group in DPM for the site database computer. On the Select Group Members page of the Create New Protection Group Wizard, you select the SMS Writer service from the data source list, and then select the site database as an appropriate member. For more information about using DPM to back up your site database, see the Data Protection Manager Documentation Library on TechNet. Important Configuration Manager does not support DPM backup for a SQL Server cluster that uses a named instance, but does support DPM backup on a SQL Server cluster that uses the default instance of SQL Server. After you restore the site database, follow the steps in Setup to recover the site. Select the Use a site database that has been manually recovered recovery option to use the site database that you recovered by using Data Protection Manager.

Archiving the Backup Snapshot

The first time the Backup Site Server maintenance task runs, it creates a backup snapshot, which you can use to recover your site server in case of a failure. When the backup task runs again during subsequent cycles, it creates a new backup snapshot that overwrites the previous

921

snapshot. As a result, the site has only a single backup snapshot, and you have no way of retrieving an earlier backup snapshot. As a best practice, keep multiple archives of the backup snapshot for the following reasons: It is common for backup media to fail, get misplaced, or have only a partial backup stored on it. Recovering a failed stand-alone primary site from an older backup is better than recovering without any backup. For a site server in a hierarchy, the backup must be in the SQL Server change tracking retention period, or the backup is not required. A corruption in the site can go undetected for several backup cycles. You might have to go back several cycles and use the backup snapshot from before the site became corrupted. This applies to a stand-alone primary site and sites in a hierarchy where the backup is in the SQL Server change tracking retention period. The site might have no backup snapshot at all if, for example, the Backup Site Server maintenance task fails. Because the backup task removes the previous backup snapshot before it starts to back up the current data, there will not be a valid backup snapshot.

Using the AfterBackup.bat File

After successfully backing up the site, the Backup Site Server task automatically attempts to run a file that is named AfterBackup.bat. You must manually create the AfterBackup.bat file in <ConfigMgrInstallationFolder>\Inboxes\Smsbkup. If an AfterBackup.bat file exists, and is stored in the correct folder, the file automatically runs after the backup task is completed. The AfterBackup.bat file lets you archive the backup snapshot at the end of every backup operation, and automatically perform other post-backup tasks that are not part of the Backup Site Server maintenance task. The AfterBackup.bat file integrates the archive and the backup operations, thereby ensuring that every new backup snapshot is archived. When the AfterBackup.bat file is not present, the backup task skips it without effect on the backup operation. To verify that the site backup task successfully ran the AfterBackup.bat file, see the Component Status node in the Monitoring workspace and review the status messages for SMS_SITE_BACKUP. When the task successfully started the AfterBackup.bat command file, you see message ID 5040. Tip To create the AfterBackup.bat file to archive your site server backup files, you must use a copy command tool in the batch file such as Robocopy. For example, you could create the AfterBackup.bat file, and on the first line, you could add something similar to: Robocopy E:\ConfigMgr_Backup \\ServerName\ShareName\ConfigMgr_Backup /MIR. For more information about Robocopy, see the Robocopy command-line reference webpage. Although the intended use of the AfterBackup.bat is to archive backup snapshots, you can create an AfterBackup.bat file to perform additional tasks at the end of every backup operation.

Supplemental Backup Tasks

The Backup Site Server maintenance task provides a backup snapshot for the site server files and site database, but there are other items not backed up that you must consider when you

922

create your backup strategy. Use the following sections to help you complete your Configuration Manager backup strategy.

Back Up Custom Reporting Services Reports

When you have modified predefined or created custom Reporting Services reports, creating a backup for the report server database files is an important part of your backup strategy. The report server backup must include a backup of the source files for reports and models, encryption keys, custom assemblies or extensions, configuration files, custom SQL Server views used in custom reports, custom stored procedures, and so on. Important When System Center 2012 Configuration Manager is upgraded to a newer version, the predefined reports are overwritten by new reports. If you modify a predefined report, you must back up the report before you install the new version, and then restore the report in Reporting Services. For more information about backing up your custom reports in Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server 2008 Books Online.

Backup Content Files

The content library in Configuration Manager is the location where all content files are stored for software updates, applications, operating system deployment, and so on. The content library is located on the site server and each distribution point. The Backup Site Server maintenance task does not include a backup for the content library or the package source files. When a site server fails, the information about the content library files is restored to the site database, but you must restore the content library and package source files on the site server. Content library: The content library must be restored before you can redistribute content to distribution points. When you start content redistribution, Configuration Manager copies the files from the content library on the site server to the distribution points. The content library for the site server is in the SCCMContentLib folder, which is typically located on the drive with the most free disk space at the time that the site installed. For more information about the content library, see Introduction to Content Management in Configuration Manager. Package source files: The package source files must be restored before you can update content on distribution points. When you start a content update, Configuration Manager copies new or modified files from the package source to the content library, which in turn copies the files to associated distribution points. You can run the following query in SQL Server to find the package source location for all packages and applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source site is CEN. When you restore the package source files, they must be restored to the same location in which they were before the failure. For more information about updating content, see the Update Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.
923

Verify that you include both the content library and package source locations in your file system backup for the site server.

Back Up Custom Software Updates

System Center Updates Publisher 2011 is a stand-alone tool that lets you publish custom software updates to Windows Server Update Services (WSUS), synchronize the software updates to Configuration Manager, assess software updates compliance, and deploy the custom software updates to clients. Updates Publisher 2011 uses a local database for its software update repository. When you use Updates Publisher 2011 to manage custom software updates, determine whether you have to include the Updates Publisher 2011 database in your backup plan. For more information about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library. Use the following procedure to back up the Updates Publisher 2011 database. To back up the Updates Publisher 2011 database 1. On the computer that runs Updates Publisher, browse the Updates Publisher 2011 database file (Scupdb.sdf) in %USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\. There is a different database file for each user that runs Updates Publisher 2011. 2. Copy the database file to your backup destination. For example, if your backup destination is E:\ConfigMgr_Backup, you could copy the Updates Publisher 2011 database file to E:\ConfigMgr_Backup\SCUP2011. Tip When there is more than one database file on a computer, consider storing the file in a subfolder that indicates the user profile in which the database file is associated. For example, you could have one database file in E:\ConfigMgr_Backup\SCUP2011\User1 and another database file in E:\ConfigMgr_Backup\SCUP2011\User2.

User State Migration Data

You can use Configuration Manager task sequences to capture and restore the user state data in operating system deployment scenarios where you want to retain the user state of the current operating system. The folders that store the user state data are listed in the properties for the state migration point. This user state migration data is not backed up as part of the Site Server Backup maintenance task. As part of your backup plan, you must manually back up the folders that you specify to store the user state migration data. Use the following procedure to determine the folders used to store user state migration data. To determine the folders used to store user state migration data 1. In the Configuration Manager console, click Administration.
924

2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system that hosts the state migration role, and then select State migration point in Site System Roles. 4. On the Site Role tab, in the Properties group, click Properties. 5. The folders that store the user state migration data are listed in the Folder details section on the General tab.

Recover a Configuration Manager Site

A Configuration Manager site recovery is required whenever a Configuration Manager site fails or data loss occurs in the site database. Repairing and resynchronizing data are the core tasks of a site recovery and are required to prevent interruption of operations. Site recovery is started by running the Configuration Manager Setup Wizard from installation media or by configuring the unattended installation script and then using the Setup command /script option. Your recovery options vary depending on whether you have a backup of the Configuration Manager site database. Important If you run Configuration Manager Setup from the Start menu on the site server, the Recover a site option is not available. You must run Setup from installation media. Note After you restore a site database that was configured for database replicas, before you can use the database replicas you must reconfigure each database replica, recreating both the publications and subscriptions.

Determine Your Recovery Options

There are two main areas that you have to consider for Configuration Manager primary site server and central administration site recovery; the site server and the site database. Use the following sections to help you determine the options that you have to select for your recovery scenario. Important Beginning with Configuration Manager SP1, there are new options to recover a secondary site. For information about secondary site recovery, see the Recover a Secondary Site section. Note When a previous site recovery failed or when you are trying to recover a site that it is not completely uninstalled, you must select Uninstall a Configuration Manager site from Setup before you have the option to recover the site. If the failed site has child sites, and you have to uninstall the site, you must manually delete the site database from the failed
925

site before you select the Uninstall a Configuration Manager site option or the uninstall process fails.

Site Server Recovery Options

You must start Setup from the System Center 2012 Configuration Manager installation media, or a network shared folder that contains the source files, for the Recover a site option to be available. When you run Setup, you have the following recovery options for the failed site server: Recover the site server using an existing backup: Use this option when you have a backup of the Configuration Manager site server that was created on the site server as part of the Backup Site Server maintenance task before the site failure. The site is reinstalled, and the site settings are configured, based on the site that was backed up. Reinstall the site server: Use this option when you do not have a backup of the site server. The site server is reinstalled, and you must specify the site settings, just as you would during an initial installation. You must use the same site code and site database name that you used when the failed site was first installed to successfully recover the site. Note When Setup detects an existing Configuration Manager site on the server, you can start a site recovery, but the recovery options for the site server are limited. For example, if you run Setup on an existing site server, when you choose recovery, you can recover the site database server, but the option to recover the site server is disabled.

Site Database Recovery Options

When you run Setup, you have the following recovery options for the site database: Recover the site database using a backup set: Use this option when you have a backup of the Configuration Manager site database that was created as part of the Backup Site Server maintenance task run on the site before the site database failure. When you have a hierarchy, the changes that were made to the site database after the last site database backup are retrieved from the central administration site for a primary site, or from a reference primary site for a central administration site. When you recover the site database for a stand-alone primary site, you lose site changes after the last backup. When you recover the site database for a site in a hierarchy, the recovery behavior is different for a central administration site and primary site, and when the last backup is inside or outside of the SQL Server change tracking retention period. For more information, see the Site Database Recovery Scenarios section in this topic. Note The recovery fails if you select to restore the site database by using a backup set, but the site database already exists. Create a new database for this site: Use this option when you do not have a backup of the Configuration Manager site database. When you have a hierarchy, a new site database is created, and the data is recovered by using replicated data from the central administration site for a primary site, or a reference primary site for a central administration site. This option
926

is not available when you are recovering a stand-alone primary site or a central administration site that does not have primary sites. Use a site database that has been manually recovered: Use this option when you have already recovered the Configuration Manager site database but have to complete the recovery process. Configuration Manager can recover the site database from the Configuration Manager backup maintenance task or from a site database backup that you perform by using DPM or another process. After you restore the site database by using a method outside Configuration Manager, you must run Setup and select this option to complete the site database recovery. When you have a hierarchy, the changes that were made to the site database after the last site database backup are retrieved from the central administration site for a primary site, or from a reference primary site for a central administration site. When you recover the site database for a stand-alone primary site, you lose site changes after the last backup. Note When you use DPM to back up your site database, use the DPM procedures to restore the site database to a specified location before you continue the restore process in Configuration Manager. For more information about DPM, see the Data Protection Manager Documentation Library on TechNet. Skip database recovery: Use this option when no data loss has occurred on the Configuration Manager site database server. This option is only valid when the site database is on a different computer than the site server that you are recovering.

SQL Server Change Tracking Retention Period

Change tracking is enabled for the site database in SQL Server. Change tracking lets Configuration Manager query for information about the changes that have been made to database tables after a previous point in time. The retention period specifies how long change tracking information is retained. By default, the site database is configured to have a retention period of 5 days. When you recover a site database, the recovery process proceeds differently if your backup is inside or outsidethe retention period. For example, if your site database server fails, and your last backup is 7 days old, it is outside the retention period.

Process to Reinitialize Site or Global Data

The process to reinitialize site or global data replaces existing data in the site database with data from another site database. For example, when site ABC reinitializes data from site XYZ, the following steps occur: The data is copied from site XYZ to site ABC. The existing data for site XYZ is removed from the site database on site ABC. The copied data from site XYZ is inserted into the site database for site ABC.

927

Example Scenario 1 The primary site reinitializes the global data from the central administration site : The recovery process removes the existing global data for the primary site in the primary site database and replaces the data with the global data copied from the central administration site. Example Scenario 2 The central administration site reinitializes the site data from a primary site: The recovery process removes the existing site data for that primary site in the central administration site database and replaces the data with the site data copied from the primary site. The site data for other primary sites is not affected.

Site Database Recovery Scenarios

After a site database is restored from a backup, the Configuration Manager attempts to restore the changes in site and global data after the last database backup. The following table provides the actions that Configuration Manager starts after a site database is restored from backup.
Database backup within change tracking retention period Database backup older than change tracking retention period

Recovered site Primary site

Global data The changes in global data after the backup are replicated from the central administration site.

Site data The central administration site reinitializes the site data from the primary site. Changes after the backup are lost, but most data is regenerated by clients that send information to the primary site. The changes in site data after the backup are replicated from all primary sites.

Global data The primary site reinitializes the global data from the central administration site.

Site data The central administration site reinitializes the site data from the primary site. Changes after the backup are lost, but most data is regenerated by clients that send information to the primary site. The central administration site reinitializes the site data from each primary site.

Central administration site

The changes in global data after the backup are replicated from all primary sites.

The central administration site reinitializes the global data from the reference primary site, if you specify it. Then all other primary sites reinitialize the

928

Database backup within change tracking retention period

Database backup older than change tracking retention period

global data from the central administration site. If no reference site is specified, all primary sites reinitialize the global data from the central administration site (the data that was restored from backup).

Site Recovery Procedures

Use one of the following procedures to help you recover your site server and site database. To start a site recovery in the Setup Wizard 1. Run the Configuration Manager Setup Wizard from installation media or a shared network folder. For example, you can start the Setup wizard by using the Install option when you insert the Configuration Manager DVD. Or, you can open Setup.exe from a shared network folder to start the Setup wizard. 2. On the Getting Started page, select Recover a site, and then click Next. 3. Complete the wizard by using the options that are appropriate for your site recovery. Important During the recovery, Setup identifies the SQL Server Service Broker (SSB) port used by the SQL Server. Do not change this port setting during recovery or data replication will not work properly after the recovery completes. Note Starting with System Center 2012 R2 Configuration Manager, you can specify any path to use for the Configuration Manager installation in the Setup Wizard. Prior to this, you must specify the same path that was used when the site was originally installed. To start an unattended site recovery 1. Prepare the unattended installation script for the options that you require for the site
929

recovery. 2. Run Configuration Manager Setup by using the command /script option. For example, if you named your setup initialization file ConfigMgrUnattend.ini and saved it in the C:\Temp directory of the computer on which you are running Setup, the command would be as follows: Setup /script C:\temp\ConfigMgrUnattend.ini.

Unattended Site Recovery Script File Keys

To perform an unattended recovery of a Configuration Manager central administration site or primary site, you can create an unattended installation script and use Setup with the /script command option. The script provides the same type of information that the Setup Wizard prompts for, except that there are no default settings. All values must be specified for the setup keys that apply to the type of recovery you are using. You can run Configuration Manager Setup unattended by using an initialization file with the /script Setup command-line option. Unattended setup is supported for recovery of a Configuration Manager central administration site and primary site. To use the /script setup command-line option, you must create an initialization file and specify the initialization file name after the /script setup command-line option. The name of the file is unimportant as long as it has the .ini file name extension. When you reference the setup initialization file from the command line, you must provide the full path to the file. For example, if your setup initialization file is named setup.ini, and it is stored in the C:\setup folder, your command line would be: setup /script c:\setup\setup.ini. Security You must have Administrator rights to run Setup. When you run Setup with the unattended script, start the Command Prompt in an Administrator context by using Run as administrator. The script contains section names, key names, and values. Required section key names vary depending on the recovery type that you are scripting. The order of the keys within sections, and the order of sections within the file, is not important. The keys are not case sensitive. When you provide values for keys, the name of the key must be followed by an equals sign (=) and the value for the key. Use the following sections to help you to create your script for unattended site recovery. The tables list the available setup script keys, their corresponding values, whether they are required, which type of installation they are used for, and a short description for the key.

Recover a Central Administration Site Unattended

Use the following section to recover a central administration site by using an unattended Setup script file.

930

Section

Key Name

Requi red

Values

Description

Identification

Action

Yes Yes

RecoverCCAR 1, 2, or 4 1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Recovers a central administration site Specifies whether Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOption s setting: Value = 1: You have the option to specify a value for the SiteServerBacku pLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. The BackupLocation key is required when you configure a value of 10 for the DatabaseRecover yOptions key, which is to restore the site database from backup. Value = 2: You have the option to specify a value for the
931

RecoveryOpt ServerRecoveryO ions ptions

Section

Key Name

Requi red

Values

Description

SiteServerBacku pLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocation key is required when you configure a value of 10 for the DatabaseRecover yOptions key, which is to restore the site database from backup.

DatabaseRecover yOptions

Mayb e

10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. Global and site data is recovered through replication from other sites. 80 = skip database recovery.

Specifies how Setup will recover the site database in SQL Server. This key is required when the ServerRecoveryOptio ns setting has a value of 1 or 4.

ReferenceSite

Mayb e

<ReferenceSiteFQDN>

Specifies the reference primary site that the central administration

932

Section

Key Name

Requi red

Values

Description

site uses to recover global data if the database backup is older than the change tracking retention period or when you recover the site without a backup. When you do not specify a reference site and the backup is older than the change tracking retention period, all primary sites are reinitialized with the restored data from the central administration site. When you do not specify a reference site and the backup is within the change tracking retention period, only changes since the backup are replicated from primary sites. When there are conflicting changes from different primary sites, the central administration site uses the first one that it receives. This key is required when the DatabaseRecoveryO ptions setting has a value of 40. SiteServerBackup No <PathToSiteServerBackupS Specifies the path to
933

Section

Key Name

Requi red

Values

Description

Location

et>

the site server backup set. This key is optional when the ServerRecoveryOptio ns setting has a value of 1 or 2. Specify a value for the SiteServerBackupLo cation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryOptio ns key, and configure a value of 10 for the DatabaseRecoveryO ptions key. The Configuration Manager installation product key, including the dashes. Enter Eval can install the evaluation version of Configuration Manager. Three alpha-numeric characters that uniquely identifies the site in your hierarchy.
934

BackupLocation

Mayb e

<PathToSiteDatabaseBack upSet>

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx Eval

SiteCode

Yes

<SiteCode>

Section

Key Name

Requi red

Values

Description

You must specify the site code that was used by the site before the failure. For more information about site code restrictions, see the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy for Configuration Manager topic. SiteName SMSInstallDir Yes Yes <SiteName> <ConfigMgrInstallationPath > Description for this site. Specifies the installation folder for the Configuration Manager program files. Note Starting in System Center 2012 R2 Configuration Manager, you can specify any path for the Configuration Manager installation. Prior to this, you must specify the same path that was used prior to the site failure.
935

Section

Key Name

Requi red

Values

Description

SDKServer

Yes

<FQDN of SMS Provider>

Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure. You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic.

PrerequisiteComp

Yes

0 or 1 0 = download 1 = already downloaded

Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files.

PrerequisitePath

Yes

<PathToSetupPrerequisiteF Specifies the path to iles> the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. 0 or 1 Specifies whether to install the
936

AdminConsole

Mayb e

Section

Key Name

Requi red

Values

Description

0 = do not install 1 = install

Configuration Manager console. This key is required except when the ServerRecoveryOptio ns setting has a value of 4. Specifies whether to join the Customer Experience Improvement Program. The name of the server, or clustered instance name, running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do
937

JoinCEIP

Yes

0 or 1 0 = do not join 1 = join

SQLConfigO ptions

SQLServerName

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteData baseName>

Section

Key Name

Requi red

Values

Description

not use the default instance. SQLSSBPort No <SSBPortNumber> Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but other ports are supported. You must specify the same SSB port that was used before the failure.

Recover a Primary Site Unattended

Use the following section to recover a primary site by using an unattended Setup script file.
Section Key Name Requi red Values Description

Identification RecoveryOptions

Action ServerRecovery Options

Yes Yes

RecoverPrimarySite 1, 2, or 4 1 = Recovery site server and SQL Server. 2 = Recover site server only. 4 = Recover SQL Server only.

Recovers a primary site Specifies whether Setup will recover the site server, SQL Server, or both. The associated keys are required when you set the following value for the ServerRecoveryOptio ns setting: Value = 1: You have the option to specify a value for the SiteServerBack upLocation key
938

Section

Key Name

Requi red

Values

Description

to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. The BackupLocatio n key is required when you configure a value of 10 for the DatabaseRecov eryOptions key, which is to restore the site database from backup. Value = 2: You have the option to specify a value for the SiteServerBack upLocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a backup set. Value = 4: The BackupLocatio n key is required when you
939

Section

Key Name

Requi red

Values

Description

configure a value of 10 for the DatabaseRecov eryOptions key, which is to restore the site database from backup. DatabaseRecove ryOptions Mayb e 10, 20, 40, 80 10 = Restore the site database from backup. 20 = Use a site database that has been manually recovered by using another method. 40 = Create a new database for the site. Use this option when there is no site database backup available. 80 = skip database recovery. SiteServerBacku pLocation No <PathToSiteServerBackup Specifies the path to Set> the site server backup set. This key is optional when the ServerRecoveryOpt ions setting has a value of 1 or 2. Specify a value for the SiteServerBackupL ocation key to recover the site by using a site backup. If you do not specify a value, the site is reinstalled without restoring it from a
940

Specifies how Setup will recover the site database in SQL Server. This key is required when the ServerRecoveryOpt ions setting has a value of 1 or 4.

Section

Key Name

Requi red

Values

Description

backup set. BackupLocation Mayb e <PathToSiteDatabaseBac kupSet> Specifies the path to the site database backup set. The BackupLocation key is required when you configure a value of 1 or 4 for the ServerRecoveryOpt ions key, and configure a value of 10 for the DatabaseRecovery Options key. The Configuration Manager installation product key, including the dashes. Enter Eval can install the evaluation version of Configuration Manager. Three alpha-numeric characters that uniquely identifies the site in your hierarchy. You must specify the site code that was used by the site before the failure. For more information about site code restrictions, see the Configuration Manager Site Naming section in the Install Sites and Create a Hierarchy
941

Options

ProductID

Yes

xxxxx-xxxxx-xxxxx-xxxxxxxxxx Eval

SiteCode

Yes

<SiteCode>

Section

Key Name

Requi red

Values

Description

for Configuration Manager topic. SiteName SMSInstallDir Yes Yes <SiteName> <ConfigMgrInstallationPat h> Description for this site. Specifies the installation folder for the Configuration Manager program files. Note Starting in System Center 2012 R2 Configuration Manager, you can specify any path for the Configuration Manager installation. Prior to this, you must specify the same path that was used prior to the site failure. SDKServer Yes <FQDN of SMS Provider> Specifies the FQDN for the server that will host the SMS Provider. You must specify the server that hosted the SMS Provider before the failure.
942

Section

Key Name

Requi red

Values

Description

You can configure additional SMS Providers for the site after the initial installation. For more information about the SMS Provider, see the Site System Roles in Configuration Manager section in the Planning for Site Systems in Configuration Manager topic. PrerequisiteCom p Yes 0 or 1 0 = download 1 = already downloaded Specifies whether Setup prerequisite files have already been downloaded. For example, if you use a value of 0, Setup will download the files. Specifies the path to the Setup prerequisite files. Depending on the PrerequisiteComp value, Setup uses this path to store downloaded files or to locate previously downloaded files. Specifies whether to install the Configuration Manager console. This key is required except when the
943

PrerequisitePath

Yes

<PathToSetupPrerequisite Files>

AdminConsole

Mayb e

0 or 1 0 = do not install 1 = install

Section

Key Name

Requi red

Values

Description

ServerRecoveryOpt ions setting has a value of 4. JoinCEIP Yes 0 or 1 0 = do not join 1 = join Specifies whether to join the Customer Experience Improvement Program. The name of the server, or clustered instance name, running SQL Server that will host the site database. You must specify the same server that hosted the site database before the failure. The name of the SQL Server database to create or use to install the central administration site database. You must specify the same database name that was used before the failure. Important You must specify the instance name and site database name if you do not use the default instance.
944

SQLConfigOption SQLServerName s

Yes

<SQLServerName>

DatabaseName

Yes

<SiteDatabaseName> or <InstanceName>\<SiteDat abaseName>

Section

Key Name

Requi red

Values

Description

SQLSSBPort

No

<SSBPortNumber>

Specify the SQL Server Service Broker (SSB) port used by SQL Server. Typically, SSB is configured to use TCP port 4022, but other ports are supported. You must specify the same SSB port that was used before the failure. Specifies the central administration site that a primary site will attach to when it joins the Configuration Manager hierarchy. This setting is required if the primary site was attached to a central administration site before the failure. You must specify the site code that was used for the central administration site before the failure. Specifies the retry interval (in minutes) to attempt a connection to the central administration site after the connection fails. For example, if the
945

HierarchyExpansi CCARSiteServer onOption

Mayb e

<SiteCodeForCentralAdmi nistrationSite>

CASRetryInterval

No

<Interval>

Section

Key Name

Requi red

Values

Description

connection to the central administration site fails, the primary site waits the number of minutes that you specify for CASRetryInterval, and then re-attempts the connection. WaitForCASTime No out <Timeout> Specifies the maximum timeout value (in minutes) for a primary site to connect to the central administration site. For example, if a primary site fails to connect to a central administration site, the primary site retries the connection to the central administration site based on the CASRetryInterval until the WaitForCASTimeout period is reached. You can specify a value of 0 to 100.

Post-Recovery Tasks
After you recover your site, there are several post-recovery tasks that you must consider before your site recovery is completed. Use the following sections to help you complete your site recovery process.

946

Re-Enter User Account Passwords

After a site server recovery, passwords for the user accounts specified for the site must be reentered because they are reset during the site recovery. The accounts are listed on the Finished page of the Setup Wizard after site recovery is completed and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server. To re-enter user account passwords after site recovery 1. Open the Configuration Manager console and connect to the recovered site. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Security, and then click Accounts. 4. For each account in which you have to re-enter the password, do the following: a. Select the account from the list of accounts that were identified after site recovery. You can find this list in C:\ConfigMgrPostRecoveryActions.html on the recovered site server. b. On the Home tab, in the Properties group, click Properties to open the account properties. c. On the General tab, click Set, and then re-enter the passwords for the account. d. Click Verify, select the appropriate data source for the selected user account, and then click Test connection to verify that the user account can connect to the data source. e. Click OK to save the password changes, and then click OK.

Re-Enter Sideloading Keys

For System Center 2012 R2 Configuration Manager only: After a site server recovery, you must re-enter Windows sideloading keys specified for the site because they are reset during site recovery. After you re-enter the sideloading keys, the count in the Activations used column for Windows sideloading keys is reset in the Configuration Manager console. For example, lets say before the site failure you have a Total activations count set to 100 and Activations used is at 90 for the number of the keys that have been used by devices. After the site recovery, the Total activations column still displays 100, but the Activations used column incorrectly displays 0. However, after 10 new devices use a sideloading key, there will be no remaining sideloading keys, and the next device will fail to apply a sideloading key. For more information about sideloading keys, see the Obtain Certificates or Keys to Meet Prerequisites per Platform section in the How to Manage Mobile Devices by Using Configuration Manager and Windows Intune topic.

Configure SSL for Site System Roles that Use IIS

When you recover site systems that run IIS and that were configured for HTTPS before the failure, you must reconfigure IIS to use the web server certificate. For more information, see Configuring IIS to Use the Web Server Certificate in the Deploying the Web Server Certificate
947

for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Reinstall Hotfixes in the Recovered Site Server

After a site recovery, you must reinstall any hotfixes that were applied to the site server. A list of the previously installed hotfixes are listed on the Finished page of the Setup Wizard after site recovery and saved to C:\ConfigMgrPostRecoveryActions.html on the recovered site server.

Recover Custom Reports on the Computer Running Reporting Services

When you have created custom Reporting Services reports, and Reporting Services fails, you can recover the reports when you have backed up the report server. For more information about restoring your custom reports in Reporting Services, see Backup and Restore Operations for a Reporting Services Installation in the SQL Server 2008 Books Online.

Recover Content Files

The site database contains information about where the content files are stored on the site server, but the content files are not backed up or restored as part of the backup and recovery process. To fully recover content files, you must restore the content library and package source files to the original location. There are several methods for recovering your content files, but the easiest method is to restore the files from a file system backup of the site server. If you do not have a file system backup for the package source files, you have to manually copy or download them as you did originally when you first created the package. You can run the following query in SQL Server to find the package source location for all packages and applications: SELECT * FROM v_Package. You can identify the package source site by looking at the first three characters of the package ID. For example, if the package ID is CEN00001, the site code for the source site is CEN. When you restore the package source files, they must be restored to the same location in which they were before the failure. If you do not have a file system backup that contains the content library, you have the following restore options: Import a prestaged content file: When you have a Configuration Manager hierarchy, you can create a prestaged content file with all packages and applications from another location, and then import the prestaged content file to recover the content library on the site server. For more information about prestaged content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Update content: When you start the update content action for a package or application deployment type, the content is copied from the package source to the content library. The package source files must be available in the original location for this action to finish successfully. You must perform this action on each package and application. For more information about updating content, see the Update Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

948

Recover Custom Software Updates on the Computer Running Updates Publisher

When you have included Updates Publisher 2011 database files in your backup plan, you can recover the databases in case of a failure on the computer on which Updates Publisher 2011 runs. For more information about Updates Publisher, see System Center Updates Publisher 2011 in the System Center TechCenter Library. Use the following procedure to restore the Updates Publisher 2011 database. To restore the Updates Publisher 2011 database 1. Reinstall Updates Publisher 2011 on the recovered computer. 2. Copy the database file (Scupdb.sdf) from your backup destination to %USERPROFILE%\AppData\Local\Microsoft\System Center Updates Publisher 2011\5.00.1727.0000\ on the computer that runs Updates Publisher 2011. 3. When more than one user runs Updates Publisher 2011 on the computer, you must copy each database file to the appropriate user profile location.

User State Migration Data

As part of the state migration point site system properties, you specify the folders that store user state migration data. After you recover a server with a folder that stores user state migration data, you must manually restore the user state migration data on the server to the same folders that stored the data prior to the failure.

Update Certificates Used for Cloud-Based Distribution Points

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Configuration Manager requires a management certificate that it uses for site server to cloudbased distribution point communication. After a site recovery, you must update the certificates for cloud-based distribution points. For more information, see the About Subscriptions and Certificates for Distribution Points for Windows Azure section in the Planning for Content Management in Configuration Manager topic.

Reprovision Previously Provisioned Intel AMT-Based Computers

After you have recovered the site, perform the following configuration steps: 1. Request the AMT provisioning certificate again and select it in the out of band service point properties. 2. Reconfigure the passwords for the following accounts in the out of band management component properties: The MEBx Account The AMT Provisioning Removal Account The AMT Provisioning and Discovery Accounts
949

For more information about how to perform these steps, see How to Provision and Configure AMT-Based Computers in Configuration Manager. Then use the following procedure to reprovision Intel AMT-based computers that were previously provisioned. To reprovision Intel AMT-based computers 1. Ensure that you have configured the AMT Provisioning Removal Account in the out of band management component properties. 2. Remove AMT provisioning information from the Intel AMT-based computers: Do not select Disable automatic provisioning. Select Use AMT Provisioning Removal Account.

For more information about how to remove AMT provisioning information, see How to Remove AMT Information. 3. Monitor the AMT status for these computers: Not Provisioned: These computers are ready to be reprovisioned by Configuration Manager. Detected: These computers cannot be reprovisioned by Configuration Manager. If Configuration Manager cannot remove the AMT provisioning information, you must manually remove this information by configuring the BIOS extensions on the computer. Note The AMT Provisioning Removal Account cannot remove provisioning information if the audit trail is enabled and unlocked, or if the account that is configured for the AMT Provisioning Removal Account is not an AMT User Account on that computer. 4. Ensure that the Enable provisioning for AMT-based computers check box is selected on the Out of Band Management tab in the collection properties. 5. Confirm that the AMT status changes to Provisioned. You can also run the View the Computers with out of band management controllers report to confirm the AMT provisioning status.

Recover a Secondary Site

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Secondary site recovery is required when a Configuration Manager secondary site fails. You can recover a secondary site by using the Recover Secondary Site action from the Sites node in the Configuration Manager console. Unlike recovery for a central administration site or primary site, recovery for a secondary site does not use a backup file. Instead, Configuration Manager installs the secondary site files on the failed secondary site computer and then the secondary site data is reinitialized with data from the parent primary site. During the recovery process, Configuration
950

Manager verifies that the content library exists on the secondary site computer and that the appropriate content is available. The secondary site will use the content library, if it exists on the computer and contains the appropriate content. Otherwise, to recover the content library you must redistribute or prestage the content to the secondary site. For more information, see Operations and Maintenance for Content Management in Configuration Manager. When you have a distribution point that is not on the secondary site, you are not required to reinstall the distribution point during a recovery of the secondary site. After the secondary site recovery, the site automatically synchronizes with the distribution point. You can verify the status of the secondary site recovery, by using the Show Install Status action from the Sites node in the Configuration Manager console. Important You must use a computer with the same configuration as the failed computer, such as its FQDN, to successfully recover the secondary site. The computer must also meet all secondary site prerequisites and have appropriate security rights configured. Also, use the same installation path that was used for the failed site. Important During a secondary site recovery, Configuration Manager does not install SQL Server Express if it is not installed on the computer. Therefore, before you recover a secondary site, you must manually install SQL Server Express or SQL Server. You must use the same version of SQL Server and the same instance of SQL Server that you used for the secondary site database before the failure.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Update System Center 2012 Configuration Manager

To update System Center 2012 Configuration Manager, you can install a cumulative update or a service pack: A cumulative update provides a rollup of multiple updates for the current product version. A service pack upgrades Configuration Manager to a new version of the product. For information about upgrading Configuration Manager, see Planning to Upgrade System Center 2012 Configuration Manager. Note This topic provides general guidance about how to update System Center 2012 Configuration Manager. For details about a specific update, refer to its corresponding Knowledge Base (KB) article at Microsoft Support.
951

Use the following information to help you install updates for Configuration Manager: About Cumulative Updates for Configuration Manager About Update Bundles for Configuration Manager How to Install Updates Use Updates Publisher 2011 to Install Updates Use Software Deployment to Install Updates Create Collections for Deploying Updates to Configuration Manager Deploy Updates for Configuration Manager

About Cumulative Updates for Configuration Manager

In System Center 2012 Configuration Manager, you install cumulative updates to update Configuration Manager sites and clients. Cumulative updates for Configuration Manager are similar to cumulative updates for other Microsoft products, such as SQL Server. Cumulative updates include one or more fixes for a specific version of Configuration Manager. Each new cumulative update is described in a Microsoft Knowledge Base article. Typically, cumulative updates release quarterly, but this schedule is subject to change, based on the volume and nature of the issues that are addressed. When you install a cumulative update for Configuration Manager, the update installs an update bundle. Update bundles contain the update files for one or more components of Configuration Manager. You can install a cumulative update on the site server of a central administration site or primary site.

About Update Bundles for Configuration Manager

When you run a cumulative update for Configuration Manager on a site server, it installs and runs an update bundle. Update bundles can run on a central administration site server, a primary site server, a secondary site server, or a computer that runs an instance of the SMS Provider. However, if you plan to create deployments to install updates on additional computers, you must install the update bundle on a central administration site server or primary site server. An update bundle contains fixes for Configuration Manager. When the update bundle runs, it extracts the update files for each applicable component from the update bundle, and then starts a wizard that guides you through a process to configure the updates and deployment options for the updates. When you complete the wizard, the updates in the bundle that apply to the site server are installed on the site server. However, the wizard also creates deployments that you can use to install the updates on additional computers. You deploy the updates to additional computers by using a supported deployment method, such as a software deployment package or Microsoft System Center Updates Publisher 2011. When the wizard runs, it creates a .cab file on the site server for use with Updates Publisher 2011. Optionally, you can configure the wizard to also create one or more packages for software deployment. You can use these deployments to install
952

updates on components, such as clients or the Configuration Manager console. You can also install updates manually on computers that do not run the Configuration Manager client. The following three groups in Configuration Manager can be updated: System Center 2012 Configuration Manager server roles, which include: Central administration site Primary site Secondary site Remote SMS Provider Note Updates for site system roles, including updates for the site database, are installed as part of the update for site servers. Beginning with Configuration Manager SP1, updates for site system roles include updates that apply to cloud-based distribution points. However, updates that apply to a pull-distribution point, install as an update for the Configuration Manager client and not as an update for site system roles. System Center 2012 Configuration Manager console System Center 2012 Configuration Manager client

Each updates bundle for Configuration Manager is a self-extractable .exe file (SFX) that contains the files that are necessary to install the update on the applicable components of Configuration Manager. Typically, the SFX file can contain the following files.
File More information

<Product>-<service pack>-<cumulative update version>-<KB article ID>-<platform><language>.msi

This is the update file. The command line for this file is managed by Updatesetup.exe. For example: configMgr-2012-rtm-cu1-kb1234567-x64enu.msi

Updatesetup.exe

This .msi wrapper manages the installation of the update bundle. When you run the update, Updatesetup.exe detects the display language of the computer where it runs. By default, the user interface for the update is in English. However, when the display language is supported, the user interface displays in the computer's local language.

License_<language>.rtf

When applicable, each update contains one or more license files for supported languages.
953

File

More information

<Product&updatetype><servicepack><cumulative update version><KB article ID>-<platform>.msp

When the update applies to the Configuration Manager console or clients, the update bundle includes separate Windows Installer patch (.msp) files. For example: Configuration Manager console update: ConfigMgr2012AdminUI-RTM-cu1kb1234567-i386.msp ConfigMgr2012ac-RTM-cu1-kb1234567i386.msp ConfigMgr2012ac-RTM-cu1-kb1234567x64.msp

Client update:

By default, the update bundle logs its actions to a .log file on the site server. The log file has the same name as the update bundle and is written to the %SystemRoot%/Temp folder. When you run the update bundle, it extracts a file with the same name as the update bundle to a temporary folder on the computer, and then runs Updatesetup.exe. Updatesetup.exe starts the Cumulative Update <number> for System Center 2012 Configuration Manager <Service pack> <KB Number> Wizard. The wizard creates a series of folders under the System Center 2012 Configuration Manager installation folder on the site server. The folder structure resembles the following: \\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\<Update Type>\<Platform>. The following table provides details about the folders in the folder structure.
Folder name More information

<Server name> SMS_<Site Code>

This is the name of the site server where you run the update bundle. This is the share name of the System Center 2012 Configuration Manager installation folder. This is the ID number of the Knowledge Base article for this update bundle. These are the types of updates for Configuration Manager. The wizard creates a separate folder for each type of update that is contained in the update bundle. The folder
954

<KB Number> <Update type>

Folder name

More information

names represent the update types. They include the following: Server: Includes updates to site servers, site database servers, and computers that run the SMS Provider. Client: Includes updates to the Configuration Manager client. AdminConsole: Includes updates to the Configuration Manager console

In addition to the preceding update types, the wizard creates a folder named SCUP. This folder does not represent an update type, but instead contains the .cab file for Updates Publisher 2011. <Platform> This is a platform-specific folder. It contains update files that are specific to a type of processor. These folders include: x64 I386

To help you to deploy the updates to computers other than the site server where you run the update bundle, the wizard can create a software deployment package for each category of components that are included in the update (site server and computers that run the SMS Provider, Configuration Manager console, and clients). You can then deploy each package to computers that run the Configuration Manager client. Also, the wizard always creates a .cab file that you can import to Updates Publisher 2011 in case you choose to use Updates Publisher 2011. For information about how to use the package to deploy the updates, see the Use Software Deployment to Install Updates section in this topic. For information about how to use Updates Publisher 2011 to deploy the updates, see the Use Updates Publisher 2011 to Install Updates section in this topic.

How to Install Updates

To install updates, you must first install the update bundle on a site server. When you install an update bundle, it starts the Cumulative Update <Number> for System Center 2012 Configuration Manager <Service Pack> <KB Number> Wizard. This wizard does the following: Extracts the update files Helps you to configure deployments Installs applicable updates on the server components of the local computer
955

After you install the update bundle on a site server, you can then update additional components for Configuration Manager. The following table describes update actions for these various components.
Component Instructions

Site server

Deploy updates to a remote site server when you do not choose to install the update bundle directly on that remote site server. For remote site servers, deploy server updates that include an update to the site database if you do not install the update bundle directly on that remote site server. After initial installation of the Configuration Manager console, you can install updates for the Configuration Manager console on each computer that runs the console. You cannot modify the Configuration Manager console installation files to apply the updates during the initial installation of the console. Install updates for each instance of the SMS Provider that runs on a computer other than the site server where you installed the update bundle. After initial installation of the Configuration Manager client, you can install updates for the Configuration Manager client on each computer that runs the client.

Site database

Configuration Manager console

Remote SMS Provider

Configuration Manager clients

Note You can deploy updates only to computers that run the Configuration Manager client. If you reinstall a client, Configuration Manager console, or SMS Provider, you must also reinstall the updates for these components. Use the information in the following sections to install updates on the each of the components for Configuration Manager.

Update Servers
Updates for servers can include updates for sites, the site database, and computers that run an instance of the SMS Provider. Use the information in the following sections to help you update each type of server component.
956

Update a Site
To update a Configuration Manager site, you can install the update bundle directly on the site server, or you can deploy the updates to a site server after you install the update bundle on a different site. When you install an update on a site server, the update installation process manages additional actions that are required to apply the update, such as updating site system roles. The exception to this is the site database. The following section contains information about how to update the site database.

Update a Site Database

To update the site database, the installation process runs a file named update.sql on the site database. You can configure the update process to automatically update the site database, or you can manually update the site database later. Automatic Update of the Site Database When you install the update bundle on a site server, you can choose to automatically update the site database when the server update is installed. This decision applies only to the site server where you install the update bundle and does not apply to deployments that are created to install the updates on remote site servers. Note When you choose to automatically update the site database, the process updates a database regardless whether the database is located on the site server or on a remote computer. Important Before you update the site database, create a backup of the site database. You cannot uninstall an update to the site database. For information about how to create a backup for Configuration Manager, see Backup and Recovery in Configuration Manager in the Site Administration for System Center 2012 Configuration Manager guide. Manual Update of the Site Database If you choose not to automatically update the site database when you install the update bundle on the site server, the server update does not modify the database on the site server where the update bundle runs. However, deployments that use the package that is created for software deployment or that Updates Publisher 2011 installs always update the site database. Warning When the update includes updates to both the site server and the site database, the update is not functional until the update is completed for both the site server and site database. Until the update applies to the site database, the site is in an unsupported state. To manually update a site database, use SQL Server Management Studio to connect to the site's SQL Server, and then run the update script named update.sql on that site's database.
957

When the update bundle installs, it extracts update.sql to the following location on the site server: \\<Server Name>\SMS_<Site Code>\Hotfix\<KB Number>\update.sql. For information about how to run a script to update a SQL Server database, see the documentation for the version of SQL Server that you use for your site database server.

Update a Computer that Runs the SMS Provider

After you install an update bundle that includes updates for the SMS Provider, you must deploy the update to each computer that runs the SMS Provider. The only exception to this is the instance of the SMS Provider that was previously installed on the site server where you install the update bundle. The local instance of the SMS Provider on the site server is updated when you install the update bundle. If you remove and then reinstall the SMS Provider on a computer, you must then reinstall the update for the SMS Provider on that computer.

Update Clients
After the initial installation of the client on a computer, you can update the client. You can deploy updates with Updates Publisher 2011 or a software deployment package, or you can choose to manually install the update on each client. For more information about how to use deployments to install updates, see the Deploy Updates for Configuration Manager section in this topic. Important When you install updates for clients and the update bundle includes updates for servers, be sure to also install the server updates on the primary site to which the clients are assigned. To manually install the client update, on each Configuration Manager client, you must run Msiexec.exe and reference the platform-specific client update .msp file. For example, you can use the following command line for a client update. This command line runs MSIEXEC on the client computer and references the .msp file that the update bundle extracted on the site server: msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\Client\<Platform>\<msp> /L*v <logfile>REINSTALLMODE=mous REINSTALL=ALL

Update Configuration Manager Consoles

To update a Configuration Manager console, you must install the update on the computer that runs the console after the console installation is finished. Important When you install updates for the Configuration Manager console, and the update bundle includes updates for servers, be sure to also install the server updates on the site that you use with the Configuration Manager console.
958

If the computer that you update runs the Configuration Manager client, you can use a deployment to install the update. Alternately, you can manually install the update on each computer. For more information about how to use deployments to install updates, see the Deploy Updates for Configuration Manager section in this topic. To manually install the Configuration Manager console update, on each computer that runs the Configuration Manager console, you must run Msiexec.exe and reference the Configuration Manager console update .msp file. For example, you can use the following command line to update a Configuration Manager console. This command line runs MSIEXEC on the computer and references the .msp file that the update bundle extracted on the site server: msiexec.exe /p \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\AdminConsole\<Platform>\<msp> /L*v <logfile>REINSTALLMODE=mous REINSTALL=ALL

Deploy Updates for Configuration Manager

After you install the update bundle on a site server, you can deploy updates to additional computers. Use the information in the following sections to configure deployments to distribute updates for Configuration Manager.

Use Updates Publisher 2011 to Install Updates

When you install the update bundle on a site server, the Cumulative Update <number> for System Center 2012 Configuration Manager <service pack> <KB Number> Wizard creates a catalog file for Updates Publisher 2011 that you can use to deploy the updates to applicable computers. The wizard always creates this catalog, even when you select the option Use package and program to deploy this update. The catalog for Updates Publisher 2011 is named SCUPCatalog.cab and can be found in the following location on the computer where the update bundle runs: \\<ServerName>\SMS_<SiteCode>\Hotfix\<KB Number>\SCUP\SCUPCatalog.cab Important Because the SCUPCatalog.cab file is created by using paths that are specific to the site server where the update bundle is installed, it cannot be used on other site servers. After the wizard is finished, you can import the catalog to Updates Publisher 2011, and then use Configuration Manager software updates to deploy the updates. For information about Updates Publisher 2011, see Updates Publisher 2011 in the TechNet library for System Center 2012. For information about software updates in Configuration Manager, see Software Updates in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Use the following procedure to import the SCUPCatalog.cab file to Updates Publisher 2011 and publish the updates.
959

To import the updates to Updates Publisher 2011 1. Start the Updates Publisher 2011 console and click Import. 2. On the Import Type page of the Import Software Updates Catalog Wizard, select Specify the path to the catalog to import, and then specify the SCUPCatalog.cab file. 3. Click Next, and then click Next again. 4. In the Security Warning - Catalog Validation dialog box, click Accept. Close the wizard after it is finished. 5. In the Updates Publisher 2011 console, select the update that you want to deploy, and then click Publish. 6. On the Publish Options page of the Publish Software Updates Wizard, select Full Content, and then click Next. 7. Complete the wizard to publish the updates. After you import the updates to Updates Publisher 2011, you can use Configuration Manager software updates to deploy the custom updates to client computers.

Use Software Deployment to Install Updates

When you install the update bundle on the site server of a primary site or central administration site, you can configure the Cumulative Update <number> for System Center 2012 Configuration Manager <service pack> <KB Number> Wizard to create update packages for software deployment. You can then deploy each package to a collection of computers that you want to update. To create a software deployment package, on the Configure Software Update Deployment page of the wizard, select the check box for each update package type that you want to update. The available types can include servers, Configuration Manager consoles, and clients. A separate package is created for each type of update that you select. Note The package for servers contains updates for the following components: Site server SMS Provider Site database

Next, on the Configure Software Update Deployment Method page of the wizard, select the option I will use software distribution. This selection directs the wizard to create the software deployment packages. Note The wizard always creates a .cab file for Updates Publisher 2011. However, if you select I will use System Center Updates Publisher, the wizard does not create software deployment packages.

960

After the wizard is finished, you can view the packages that it creates in the Configuration Manager console in the Packages node in the Software Library workspace. You can then use your standard process to deploy software packages to Configuration Manager clients. When a package runs on a client, it installs the updates to the applicable components of Configuration Manager on the client computer. For information about how to deploy packages to Configuration Manager clients, see How to Deploy Packages and Programs in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Create Collections for Deploying Updates to Configuration Manager

You can deploy specific updates to applicable clients. The following information can help you to create device collections for the different components for Configuration Manager.
Component of Configuration Manager Instructions

Central administration site server All primary site servers All secondary site servers All x86 clients

Create a direct membership query and add the central administration site server computer. Create a direct membership query and add each primary site server computer. Create a direct membership query and add each secondary site server computer. Create a collection with the following query criteria: Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X86-based PC"

All x64 clients

Create a collection with the following query criteria: Select * from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.SystemType = "X64-based PC"

All computers that run the Configuration

Create a direct membership query and add

961

Component of Configuration Manager

Instructions

Manager console Remote computers that run an instance of the SMS Provider

each computer. Create a direct membership query and add each computer.

Note To update a site database, deploy the update to the site server for that site. For information about how to create collections, see How to Create Collections in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.

See Also
Operations and Maintenance for Site Administration in Configuration Manager

Reporting in Configuration Manager

Reporting in Microsoft System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of Microsoft SQL Server Reporting Services in the Configuration Manager console.

Reporting Topics
The following topics help you manage reporting in System Center 2012 Configuration Manager: Introduction to Reporting in Configuration Manager Planning for Reporting in Configuration Manager Configuring Reporting in Configuration Manager Operations and Maintenance for Reporting in Configuration Manager Security and Privacy for Reporting in Configuration Manager Technical Reference for Reporting in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

962

Introduction to Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services (SSRS) and the rich authoring experience that Reporting Services Report Builder provides. Reporting helps you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. Reporting provides you with a number of predefined reports that you can use without changes, or that you can modify to meet your requirements, and you can create custom reports. Use the following sections to help you manage reporting in Configuration Manager: SQL Server Reporting Services Reporting Services Point Configuration Manager Reports Creating and Modifying Reports Running Reports Report Prompts Report Links

Report Folders Report Subscriptions Report Builder Whats New in Configuration Manager Whats New in Configuration Manager SP1 Whats New in System Center 2012 R2 Configuration Manager

SQL Server Reporting Services

SQL Server Reporting Services provides a full range of ready-to-use tools and services to help you create, deploy, and manage reports for your organization and programming features that enable you to extend and customize your reporting functionality. Reporting Services is a serverbased reporting platform that provides comprehensive reporting functionality for a variety of data sources. Configuration Manager uses SQL Server Reporting Services as its reporting solution. Integration with Reporting Services provides the following advantages: Uses an industry standard reporting system to query the Configuration Manager database. Displays reports by using the Configuration Manager Report Viewer or by using Report Manager, which is a web-based connection to the report. Provides high performance, availability, and scalability.
963

Provides subscriptions to reports that users can subscribe to; for example, a manager could subscribe to automatically receive an emailed report each day that details the status of a software update rollout. Exports reports that users can select in a variety of popular formats.

For more information about Reporting Services, see SQL Server Reporting Services in the SQL Server 2008 Books Online.

Reporting Services Point

The reporting services point is a site system role that is installed on a server that is running Microsoft SQL Server Reporting Services. The reporting services point copies the Configuration Manager report definitions to Reporting Services, creates report folders based on report categories, and sets security policy on the report folders and reports based on the role-based permissions for Configuration Manager administrative users. In a 10-minute interval, the reporting services point connects to Reporting Services to reapply the security policy if it has been changed, for example, by using Report Manager. For more information about how to plan for and install a reporting services point, see the following documentation: The Determine Where to Install the Reporting Services Point section in the Planning for Reporting in Configuration Manager topic. The Install a Reporting Services Point section in the Configuring Reporting in Configuration Manager topic.

Configuration Manager Reports

Configuration Manager provides report definitions for over 400 reports in over 50 report folders, which are copied to the root report folder in SQL Server Reporting Services during the reporting services point installation process. The reports are displayed in the Configuration Manager console and organized in subfolders based on the report category. Reports are not propagated up or down the Configuration Manager hierarchy; they run only against the database of the site in which they are created. However, because Configuration Manager replicates global data throughout the hierarchy, you have access to hierarchy-wide information. When a report retrieves data from a site database, it has access to site data for the current site and child sites, and global data for every site in the hierarchy. Like other Configuration Manager objects, an administrative user must have the appropriate permissions to run or modify reports. To run a report, an administrative user must have the Run Report permission for the object. To create or modify a report, an administrative user must have the Modify Report permission for the object.

Creating and Modifying Reports

Configuration Manager uses Microsoft SQL Server Report Builder as the exclusive authoring and editing tool for model-based and SQL-based reports. When you create or edit a report in the Configuration Manager console, Report Builder opens. For more information about managing

964

reports, see the Manage Configuration Manager Reports section in the Operations and Maintenance for Reporting in Configuration Manager topic.

Running Reports
When you run a report in the Configuration Manager console, Report Viewer opens and connects to Reporting Services. After you specify any required report parameters, Reporting Services then retrieves the data and displays the results in the viewer. You can also connect to the SQL Services Reporting Services, connect to the data source for the site, and run reports.

Report Prompts
A report prompt or report parameter in Configuration Manager is a report property that you can configure when a report is created or modified. Report prompts are created to limit or target the data that a report retrieves. A report can contain more than one prompt as long as the prompt names are unique and contain only alphanumeric characters that conform to the SQL Server rules for identifiers. When you run a report, the prompt requests a value for a required parameter and, based on the value, retrieves the report data. For example, the Computer information for a specific computer report retrieves the computer information for a specific computer and prompts the administrative user for a computer name. Reporting Services passes the specified value to a variable that is defined in the SQL statement for the report.

Report Links
Report links in Configuration Manager are used in a source report to provide administrative users with easy access to additional data, such as more detailed information about each of the items in the source report. If the destination report requires one or more prompts to run, the source report must contain a column with the appropriate values for each prompt. You must specify the column number that provides the value for the prompt. For example, you might link a report that lists computers that were discovered recently to a report that lists the last messages that were received for a specific computer. When the link is created, you might specify that column 2 in the source report contains computer names, which is a required prompt for the destination report. When the source report is run, link icons appear to the left of each row of data. When you click the icon on a row, Report Viewer passes the value in the specified column for that row as the prompt value that is required to display the destination report. A report can be configured with only one link, and that link can connect only to a single destination resource. Warning If you move a destination report to a different report folder, the location for the destination report changes. The report link in the source report is not automatically updated with the new location, and the report link will not work in the source report.

965

Report Folders
Report folders in System Center 2012 Configuration Manager provide a method to sort and filter reports that are stored in Reporting Services. Report folders are particularly useful when you have many reports to manage. When you install a reporting services point, reports are copied to Reporting Services and organized into more than 50 report folders. The report folders are readonly. You cannot modify them in the Configuration Manager console.

Report Subscriptions
A report subscription in Reporting Services is a recurring request to deliver a report at a specific time or in response to an event, and in an application file format that you specify in the subscription. Subscriptions provide an alternative to running a report on demand. On-demand reporting requires that you actively select the report each time you want to view the report. In contrast, subscriptions can be used to schedule and then automate the delivery of a report. You can manage report subscriptions in the Configuration Manager console. They are processed on the report server. The subscriptions are distributed by using delivery extensions that are deployed on the server. By default, you can create subscriptions that send reports to a shared folder or to an email address. For more information about managing report subscriptions, see the Manage Report Subscriptions section in the Operations and Maintenance for Reporting in Configuration Manager topic.

Report Builder
Configuration Manager uses Microsoft SQL Server Reporting Services Report Builder as the exclusive authoring and editing tool for both model-based and SQL-based reports. When you initiate the action to create or edit a report in the Configuration Manager console, Report Builder opens. When you create or modify a report for the first time, Report Builder is installed automatically. Starting in Configuration Manager SP1, the version of Report Builder associated with the installed version of SQL Server opens when you run or edit reports. Important For Configuration Manager with no service pack only: By default, Configuration Manager opens the ClickOnce version of Report Builder 2.0, which installs and runs Report Builder 2.0, when you try to create a new or modify an existing report. If your report server is running SQL Server 2008 R2, the ClickOnce version of Report Builder 3.0 is installed automatically with SQL Server 2008 R2 Reporting Services. Therefore, when Configuration Manager attempts to open the ClickOnce version of Report Builder 2.0, the file will not be available and an error is displayed. For more information about how to use Report Builder 3.0, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic.

966

The Report Builder installation adds support for over 20 languages. When you run Report Builder, it displays data in the language of the operating system that is running on the local computer. If Report Builder does not support the language, the data is displayed in English. Report Builder supports the full capabilities of SQL Server 2008 Reporting Services, which includes the following capabilities: Delivers an intuitive report authoring environment with an appearance similar to Microsoft Office. Offers the flexible report layout of SQL Server 2008 Report Definition Language (RDL). Provides various forms of data visualization including charts and gauges. Provides richly formatted text boxes. Exports to Microsoft Word format.

You can also open Report Builder from SQL Server Reporting Services.

Report Models in SQL Server Reporting Services

SQL Reporting Services in Configuration Manager uses report models to help administrative users select items from the database to include in model-based reports. For the administrative user who is building the report, report models expose only specified views and items to choose from. To create model-based reports, at least one report model has to be available. Report models have the following features: You can give database fields and views logical business names to facilitate producing reports. Knowledge of the database structure is not required to produce reports. You can group items logically. You can define relationships between items. You can secure model elements so that administrative users can see only the data that they have permission to see.

Although Configuration Manager provides sample report models, you can also define report models to meet your own business requirements. For more information about how to create report models, see Creating Custom Report Models in SQL Server Reporting Services.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for reporting since Configuration Manager 2007: Configuration Manager no longer uses the reporting point; the reporting services point is the only site system role that Configuration Manager now uses for reporting. Full integration of the Configuration Manager 2007 R2 SQL Server Reporting Services solution: In addition to standard report management, Configuration Manager 2007 R2 introduced support for SQL Server Reporting Services reporting. System Center 2012
967

Configuration Manager integrates the Reporting Services solution, adds new functionality, and removes standard report management as a reporting solution. Report Builder 2.0 integration: System Center 2012 Configuration Manager uses Microsoft SQL Server 2008 Reporting Services Report Builder 2.0 as the exclusive authoring and editing tool for both model-based and SQL-based reports. Report Builder 2.0 is automatically installed when you create or modify a report for the first time. Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share in scheduled intervals. You can run Configuration Manager reports in the Configuration Manager console by using Report Viewer, or you can run reports from a browser by using Report Manager. Both methods for running reports provide a similar experience. Reports in Configuration Manager are rendered in the locale of the installed Configuration Manager console. Subscriptions are rendered in the locale that SQL Server Reporting Services is installed. When you author a report, you can specify the assembly and expression.

Whats New in Configuration Manager SP1

The following items are new or have changed for reporting in Configuration Manager SP1: Configuration Manager SP1 supports Microsoft SQL Server 2012 Reporting Services. When Microsoft SQL Server 2012 or SQL Server 2008 R2 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 3.0 when you create or modify reports. When Microsoft SQL Server 2008 runs on the Reporting Services point, Configuration Manager opens Reporting Services Report Builder 2.0 when you create or modify reports. The Monitoring workspace now displays links to SQL Server Reporting Services Report Manage from the Reporting node.

Whats New in System Center 2012 R2 Configuration Manager

The following items are new or have changed for reporting in System Center 2012 R2 Configuration Manager: Configuration Manager reports are now fully enabled for role-based administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. For more information, see the Planning for Role-Based Administration for Reports section in the Planning for Reporting in Configuration Manager topic.

See Also
Reporting in Configuration Manager
968

Planning for Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager provides a set of tools and resources that help you use the advanced reporting capabilities of SQL Server Reporting Services. Use the following sections to help you plan for reporting in Configuration Manager.

Determine Where to Install the Reporting Services Point

When you run Configuration Manager reports at a site, the reports have access to the information in the site database in which it connects. Use the following sections to help you determine where to install the reporting services point and what data source to use. Note For more information about planning for site systems in Configuration Manager, see Planning for Site Systems in Configuration Manager.

Supported Site System Servers

You can install the reporting services point on a central administration site and primary sites, and on multiple site systems at a site and at other sites in the hierarchy. The reporting services point is not supported on secondary sites. The first reporting services point at a site is configured as the default report server. You can add more reporting services points at a site, but the default report server at each site is actively used for Configuration Manager reports. You can install the reporting services point on the site server or a remote site system. However, as a best practice for performance reasons, use Reporting Services on a remote site system server.

Data Replication Considerations

Configuration Manager classifies the data that it replicates as either global data or site data. Global data refers to objects that were created by administrative users and that are replicated to all sites throughout the hierarchy, while secondary sites receive only a subset of global data. Examples of global data include software deployments, software updates, collections, and rolebased administration security scopes. Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only visible at the central administration site and the primary site where the data originates. Consider the following factors to help you determine where to install your reporting services points:
969

A reporting services point with the central administration site database as its reporting data source has access to all global and site data in the Configuration Manager hierarchy. If you require reports that contain site data for multiple sites in a hierarchy, consider installing the reporting services point on a site system at the central administration site and use the central administration sites database as the reporting data source. A reporting services point with the child primary site database as its reporting data source has access to global data and site data for only the local primary site and any child secondary sites. Site data for other primary sites in the Configuration Manager hierarchy is not replicated to the primary site, and therefore Reporting Services cannot access it. If you require reports that contain site data for a specific primary site or global data, but you do not want the report user to have access to site data from other primary sites, install a reporting services point on a site system at the prim ary site and use the primary sites database as the reporting data source.

Network Bandwidth Considerations

Site system servers in the same site communicate with each other by using server message block (SMB), HTTP, or HTTPS, depending on how you configure the site. Because these communications are unmanaged and can occur at any time without network bandwidth control, review your available network bandwidth before you install the reporting services point role on a site system. Note For more information about planning for site systems, see Planning for Site Systems in Configuration Manager.

Planning for Role-Based Administration for Reports

Security for reporting is much like other objects in Configuration Manager where you can assign security roles and permissions to administrative users. Administrative users can only run and modify reports for which they have appropriate security rights. To run reports in the Configuration Manager console, you must have the Read right for the Site permission and the permissions configured for specific objects. However, unlike other objects in Configuration Manager, the security rights that you set for administrative users in the Configuration Manager console must also be configured in Reporting Services. When you configure security rights in the Configuration Manager console, the reporting services point connects to Reporting Services and sets appropriate permissions for reports. For example, the Software Update Manager security role has the Run Report and Modify Report permissions associated with it. Administrative users who are only assigned the Software Update Manager role can only run and modify reports for software updates. Reports for other objects are not displayed in the Configuration Manager console. The exception to this is that some reports are not associated with specific Configuration Manager securable objects. For these reports, the

970

administrative user must have the Read right for the Site permission to run the reports and the Modify right for the Site permission to modify the reports. Starting in System Center 2012 R2 Configuration Manager, reports are now fully enabled for rolebased administration. The data for all reports included with Configuration Manager is filtered based on the permissions of the administrative user who runs the report. Administrative users with specific roles can only view information defined for their roles. For more information about security rights for reporting, see the File Installation and Report Folder Security Rights section in the Configuring Reporting in Configuration Manager topic. For more information about role-based administration in Configuration Manager, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Supplemental Planning Topics for Reporting

Use the following additional topics to help you plan for reporting in Configuration Manager: Prerequisites for Reporting in Configuration Manager Best Practices for Reporting

See Also
Reporting in Configuration Manager

Prerequisites for Reporting in Configuration Manager

Reporting in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table lists the external dependencies for reporting.
Prerequisite More information

SQL Server Reporting Services

Before you can use reporting in Configuration Manager, you must install and configure SQL Server Reporting Services. For information about planning and deploying Reporting Services in your environment, see the Reporting Services section in the SQL Server 2008 Books Online.
971

Prerequisite

More information

Site system role dependencies for the computers that run the reporting services point.

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Dependencies Internal to Configuration Manager

The following table lists the dependencies for reporting in Configuration Manager.
Prerequisite More information

Reporting services point

The reporting services point site system role must be configured before you can use reporting in Configuration Manager. For more information about how to install and configure a reporting services point, see Configuring Reporting in Configuration Manager.

Supported SQL Server Versions for the Reporting Services Point

The Reporting Services database can be installed on either the default instance or a named instance of a 64-bit SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer. The following table lists the SQL Server versions that are supported by the reporting services point.
SQL Server version Reporting Services point

SQL Server 2008 SP2 with a minimum of cumulative update 9 Standard Enterprise Datacenter

SQL Server 2008 SP3 with a minimum of cumulative update 4 Standard Enterprise Datacenter

972

SQL Server version

Reporting Services point

SQL Server 2008 R2 with SP1 and with a minimum of cumulative update 6 Standard Enterprise Datacenter

SQL Server 2008 R2 with SP2 Standard Enterprise Datacenter

SQL Server Express 2008 R2 with SP1 and with a minimum of cumulative update 4 SQL Server Express 2008 R2 with SP2 SQL Server 2012 and with a minimum of cumulative update 2 Standard Enterprise

Not Supported Not Supported

SQL Server 2012 with SP1 and no minimum cumulative update Standard Enterprise

See Also
Planning for Reporting in Configuration Manager

Best Practices for Reporting

Use the following best practices for reporting in System Center 2012 Configuration Manager:

For best performance, install the reporting services point on a remote site system server
Although you can install the reporting services point on the site server or a remote site system, performance is increased when you install the reporting services point on a remote site system server.
973

Optimize SQL Server Reporting Services queries

Typically, any reporting delays are because of the time it takes to run queries and retrieve the results. If you are using Microsoft SQL Server, tools such as Query Analyzer and Profiler can help you optimize queries.

Schedule report subscription processing to run outside standard office hours

Whenever possible, schedule report subscription processing to run outside normal office standard hours to minimize the CPU processing on the Configuration Manager site database server. This practice also improves availability for unpredicted report requests.

See Also
Planning for Reporting in Configuration Manager

Configuring Reporting in Configuration Manager

Before you can create, modify, and run reports in the System Center 2012 Configuration Manager console, you must carry out a number of configuration tasks. Use the following sections in this topic to help you configure reporting in your Configuration Manager hierarchy: SQL Server Reporting Services Configure Reporting to Use Report Builder 3.0 Install a Reporting Services Point File Installation and Report Folder Security Rights Reporting Services Security Roles for Configuration Manager Verify the Reporting Services Point Installation Configure a Self-Signed Certificate for Configuration Manager Console Computers Modify Reporting Services Point Settings Configure Report Options

Before you proceed with installing and configuring Reporting Services in your hierarchy, review the following Configuration Manager reporting topics: Introduction to Reporting in Configuration Manager Planning for Reporting in Configuration Manager

974

SQL Server Reporting Services

SQL Server Reporting Services is a server-based reporting platform that provides comprehensive reporting functionality for a variety of data sources. The reporting services point in Configuration Manager communicates with SQL Server Reporting Services to copy Configuration Manager reports to a specified report folder, to configure Reporting Services settings, and to configure Reporting Services security settings. Reporting Services connects to the Configuration Manager site database to retrieve data that is returned when you run reports. Before you can install the reporting services point in a Configuration Manager site, you must install and configure SQL Server Reporting Services on the site system that hosts the reporting services point site system role. For information about installing Reporting Services, see the SQL Server TechNet Library. Use the following procedure to verify that SQL Server Reporting Services is installed and running correctly. To verify that SQL Server Reporting Services is installed and running 1. On the desktop, click Start, click All Programs, click Microsoft SQL Server 2008 R2, click Configuration Tools, and then click Reporting Services Configuration Manager. 2. In the Reporting Services Configuration Connection dialog box, specify the name of the server that is hosting SQL Server Reporting Services, on the menu, select the instance of SQL Server on which you installed SQL Reporting Services, and then click Connect. The Reporting Services Configuration Manager opens. 3. On the Report Server Status page, verify that Report Service Status is set to Started. If it is not, click Start. 4. On the Web Service URL page, click the URL in Report Service Web Service URLs to test the connection to the report folder. The Windows Security dialog box might open and prompt you for security credentials. By default, your user account is displayed. Enter your password and click OK. Verify that the webpage opens successfully. Close the browser window. 5. On the Database page, verify that the Report Server Mode setting is configured by using Native. 6. On the Report Manager URL page, click the URL in Report Manager Site Identification to test the connection to the virtual directory for Report Manager. The Windows Security dialog box might open and prompt you for security credentials. By default, your user account is displayed. Enter your password and click OK. Verify that the webpage opens successfully. Close the browser window. Note Reporting Services Report Manager is not required for Reporting in Configuration Manager, but it is required if you want to run reports on an Internet browser or manage reports by using Report Manager. 7. Click Exit to close Reporting Services Configuration Manager.

975

Configure Reporting to Use Report Builder 3.0

Important This section applies only to Configuration Manager with no service pack. Starting in Configuration Manager SP1, the installed version of Report Builder opens when you run or edit reports and no manual configuration is required. By default, Configuration Manager opens the ClickOnce version of Report Builder 2.0, which installs and runs Report Builder 2.0, when you try to create a new or modify an existing report. If your report server is running SQL Server 2008 R2, the ClickOnce version of Report Builder 3.0 is installed automatically with SQL Server 2008 R2 Reporting Services. Therefore, when Configuration Manager attempts to open the ClickOnce version of Report Builder 2.0, the file will not be available and an error is displayed. To create new or modify existing reports by using Report Builder 3.0, you must change the Report Builder manifest name in the registry on the computer running the Configuration Manager console. After you change the manifest name, Configuration Manager will open the ClickOnce version of Report Builder 3.0, and then install Report Builder 3.0 on the computer. Use the following procedure to change the Report Builder manifest name from Report Builder 2.0 to Report Builder 3.0. To change the Report Builder manifest name to Report Builder 3.0 1. On the computer running the Configuration Manager console, open the Windows Registry Editor. 2. Browse to HKEY_LOCAL_MACHINE/SOFTWARE/Wow6432Node/Microsoft/ConfigMgr10/Admi nUI/Reporting. 3. Double-click the ReportBuilderApplicationManifestName key to edit the value data. 4. Change ReportBuilder_2_0_0_0.application to ReportBuilder_3_0_0_0.application, and then click OK. 5. Close the Windows Registry Editor.

Install a Reporting Services Point

The reporting services point must be installed on a site to manage reports at the site. The reporting services point copies report folders and reports to SQL Server Reporting Services, applies the security policy for the reports and folders, and sets configuration settings in Reporting Services. You must configure a reporting services point before reports are displayed in the Configuration Manager console, and before you can manage the reports in Configuration Manager. The reporting services point is a site system role that must be configured on a server with Microsoft SQL Server Reporting Services installed and running. For more information about prerequisites, see Prerequisites for Reporting in Configuration Manager. Important
976

When selecting a site to install the reporting services point, keep in mind that users who will access the reports must be in the same security scope as the site where the reporting services point is installed. Important After you install a reporting services point on a site system, do not change the URL for the report server. For example, if you create the reporting services point, and then in Reporting Services Configuration Manager you modify the URL for the report server, the Configuration Manager console will continue to use the old URL and you will be unable to run, edit, or create reports from the console. When you must change the URL report server, remove the reporting services point, change the URL, and then reinstall the reporting services point. Use the following procedure to install the reporting services point. To install the reporting services point on a site system 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. Tip To list only site systems that host the reporting services point site role, right-click Servers and Site System Roles to select Reporting services point. 3. Add the reporting services point site system role to a new or existing site system server by using the associated step: Note For more information about configuring site systems, see Install and Configure Site System Roles for Configuration Manager. New site system: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system: Click the server on which you want to install the reporting services point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the results pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the reporting services point to an existing site system server, verify the values that you previously configured. 5. On the System Role Selection page, select Reporting services point in the list of available roles, and then click Next. 6. On the Reporting services Point page, configure the following settings: Site database server name: Specify the name of the server that hosts the Configuration Manager site database. Typically, the wizard automatically retrieves
977

the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <Server Name>\<Instance Name>. Database name: Specify the Configuration Manager site database name, and then click Verify to confirm that the wizard has access to the site database. Security The user account that is creating the reporting services point must have Read access to the site database. If the connection test fails, a red warning icon appears. Move the cursor over this icon to read details of the failure. Correct the failure, and then click Test again. Folder name: Specify the folder name that is created and used to host the Configuration Manager reports in Reporting Services. Reporting Services server instance: Select in the list the instance of SQL Server for Reporting Services. When there is only one instance found, by default, it is listed and selected. When no instances are found, verify that SQL Server Reporting Services is installed and configured, and that the SQL Server Reporting Services service is started on the site system. Security Configuration Manager makes a connection in the context of the current user to Windows Management Instrumentation (WMI) on the selected site system to retrieve the instance of SQL Server for Reporting Services. The current user must have Read access to WMI on the site system, or the Reporting Services instances cannot be retrieved. Reporting Services Point Account: Click Set, and then select an account to use when SQL Server Reporting Services on the reporting services point connects to the Configuration Manager site database to retrieve the data that are displayed in a report. Select Existing account to specify a Windows user account that has previously been configured as a Configuration Manager account, or select New account to specify a Windows user account that is not currently configured as a Configuration Manager account. Configuration Manager automatically grants the specified user access to the site database. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the ConfigMgr Reporting Services Point account name. The account that runs Reporting Services must belong to the domain local security group Windows Authorization Access Group, and have the Read tokenGroupsGlobalAndUniversal permission set to Allow. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. Security The account that you specify must have Log on Locally permissions on the computer hosting the Reporting Services database.
978

7. On the Reporting Services Point page, click Next. 8. On the Summary page, verify the settings, and then click Next to install the reporting services point. After the wizard is completed, report folders are created, and the Configuration Manager reports are copied to the specified report folders. Note When report folders are created and reports are copied to the report server, Configuration Manager determines the appropriate language for the objects. If the associated language pack is installed on the site, Configuration Manager creates the objects in the same language as the operating system running on the report server on the site. If the language is not available, the reports are created and displayed in English. When you install a reporting services point on a site without language packs, the reports are installed in English. If you install a language pack after you install the reporting services point, you must uninstall and reinstall the reporting services point for the reports to be available in the appropriate language pack language. For more information about language packs, see Technical Reference for Language Packs in Configuration Manager.

File Installation and Report Folder Security Rights

Configuration Manager performs the following actions to install the reporting services point and to configure Reporting Services: Security The actions in the following list are performed by using the credentials of the account that is configured for the SMS_Executive service, which typically is the site server local system account. Installs the reporting services point site role. Creates the data source in Reporting Services with the stored credentials that you specified in the wizard. This is the Windows user account and password that Reporting Services uses to connect to the site database when you run reports. Creates the Configuration Manager root folder in Reporting Services. Adds the ConfigMgr Report Users and ConfigMgr Report Administrators security roles in Reporting Services. Creates subfolders and deploys Configuration Manager reports from %ProgramFiles%\SMS_SRSRP to Reporting Services. Adds the ConfigMgr Report Users role in Reporting Services to the root folders for all user accounts in Configuration Manager that have Site Read rights. Adds the ConfigMgr Report Administrators role in Reporting Services to the root folders for all user accounts in Configuration Manager that have Site Modify rights. Retrieves the mapping between report folders and Configuration Manager secured object types (maintained in the Configuration Manager site database).
979

Configures the following rights for administrative users in Configuration Manager to specific report folders in Reporting Services: Adds users and assigns the ConfigMgr Report Users role to the associated report folder for administrative users who have Run Report permissions for the Configuration Manager object. Adds users and assigns the ConfigMgr Report Administrators role to the associated report folder for administrative users who have Modify Report permissions for the Configuration Manager object.

Configuration Manager connects to Reporting Services and sets the permissions for users on the Configuration Manager and Reporting Services root folders and specific report folders. After the initial installation of the reporting services point, Configuration Manager connects to Reporting Services in a 10-minute interval to verify that the user rights configured on the report folders are the associated rights that are set for Configuration Manager users. When users are added or user rights are modified on the report folder by using Reporting Services Report Manager, Configuration Manager overwrites those changes by using the role-based assignments stored in the site database. Configuration Manager also removes users that do not have Reporting rights in Configuration Manager.

Reporting Services Security Roles for Configuration Manager

When Configuration Manager installs the reporting services point, adds the following security roles in Reporting Services: ConfigMgr Report Users: Users assigned with this security role can only run Configuration Manager reports. ConfigMgr Report Administrators: Users assigned with this security role can perform all tasks related to reporting in Configuration Manager.

Verify the Reporting Services Point Installation

After you add the reporting services point site role, you can verify the installation by looking at specific status messages and log file entries. Use the following procedure to verify that the reporting services point installation was successful. Warning You can skip this procedure if reports are displayed in the Reports subfolder of the Reporting node in the Monitoring workspace in the Configuration Manager console. To verify the reporting services point installation 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Component Status.
980

3. Click SMS_SRS_REPORTING_POINT in the list of components. 4. On the Home tab, in the Component group, click Show Messages, and then click All. 5. Specify a date and time for a period before you installed the reporting services point, and then click OK. 6. Verify that status message ID 1015 is listed, which indicates that the reporting services point was successfully installed. Alternatively, you can open the Srsrp.log file, located in <ConfigMgr Installation Path>\Logs, and look for Installation was successful. In Windows Explorer, navigate to <ConfigMgr Installation Path>\Logs. 7. Open Srsrp.log and step through the log file starting from the time that the reporting services point was successfully installed. Verify that the report folders were created, the reports were deployed, and the security policy on each folder was confirmed. Look for Successfully checked that the SRS web service is healthy on server after the last line of security policy confirmations.

Configure a Self-Signed Certificate for Configuration Manager Console Computers

There are many options for you to author SQL Server Reporting Services reports. When you create or edit reports in the Configuration Manager console, Configuration Manager opens Report Builder to use as the authoring environment. Regardless of how you author your Configuration Manager reports, a self-signed certificate is required for server authentication to the site database server. Configuration Manager automatically installs the certificate on the site server and the computers with the SMS Provider installed. Therefore, you can create or edit reports from the Configuration Manager console when it runs from one of these computers. However, when you create or modify reports from a Configuration Manager console that is installed on a different computer, you must export the certificate from the site server and then add it to the Trusted People certificate store on the computer that runs the Configuration Manager console. Note For more information about other report authoring environments for SQL Server Reporting Services, see Comparing Report Authoring Environments in the SQL Server 2008 Books Online. Use the following procedure as an example of how to transfer a copy of the self-signed certificate from the site server to another computer that runs the Configuration Manager console when both computers run Windows Server 2008 R2. If you cannot follow this procedure because you have a different operating system version, refer to your operating system documentation for the equivalent procedure. To transfer a copy of self-signed certificate from the site server to another computer 1. Perform the following steps on the site server to export the self-signed certificate: a. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
981

b. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. c. In the Certificate snap-in dialog box, select Computer account, and then click Next.

d. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. e. In the Add or Remove Snap-ins dialog box, click OK. f. In the console, expand Certificates (Local Computer), expand Trusted People, and select Certificates.

g. Right-click the certificate with the friendly name of <FQDN of site server>, click All Tasks, and then select Export. h. Complete the Certificate Export Wizard by using the default options and save the certificate with the .cer file name extension. 2. Perform the following steps on the computer that runs the Configuration Manager console to add the self-signed certificate to the Trusted People certificate store: a. Repeat the preceding steps 1.a through 1.e to configure the Certificate snap-in MMC on the management point computer. b. In the console, expand Certificates (Local Computer), expand Trusted People, right-click Certificates, select All Tasks, and then select Import to start the Certificate Import Wizard. c. On the File to Import page, select the certificate saved in step 1.h, and then click Next.

d. On the Certificate Store page, select Place all certificates in the following store, with the Certificate store set to Trusted People, and then click Next. e. Click Finish to close the wizard and complete the certificate configuration on the computer.

Modify Reporting Services Point Settings

After the reporting services point is installed, you can modify the site database connection and authentication settings in the reporting services point properties. Use the following procedure to modify the reporting services point settings. To modify reporting services point settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles to list the site systems. Tip To list only site systems that host the reporting services point site role, right-click Servers and Site System Roles to select Reporting services point. 3. Select the site system that hosts the reporting services point on which you want to modify
982

settings, and then select Reporting service point in Site System Roles. 4. On the Site Role tab, in the Properties group, click Properties. 5. On the Reporting Services Point Properties dialog box, you can modify the following settings: Site database server name: Specify the name of the server that hosts the Configuration Manager site database. Typically, the wizard automatically retrieves the fully qualified domain name (FQDN) for the server. To specify a database instance, use the format <Server Name>\<Instance Name>. Database name: Specify the System Center 2012 Configuration Manager site database name, and then click Verify to confirm that the wizard has access to the site database. Security The user account that is creating the reporting services point must have Read access to the site database. If the connection test fails, a red warning icon appears. Move the cursor over this icon to read details of the failure. Correct the failure, and then click Test again. User account: Click Set, and then select an account that is used when SQL Server Reporting Services on the reporting services point connects to the Configuration Manager site database to retrieve the data that are displayed in a report. Select Existing account to specify a Windows user account that has existing Configuration Manager rights or select New account to specify a Windows user account that currently does not have rights in Configuration Manager. Configuration Manager automatically grants the specified user account access to the site database. The account is displayed as the ConfigMgr SRS reporting point account in the Accounts subfolder of the Security node in the Administration workspace. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. Security When the site database is on a remote site system, the account that you specify must have the Log on Locally permission for the computer. 6. Click OK to save the changes and exit the dialog box.

Upgrading SQL Server

After you upgrade SQL Server, and SQL Server Reporting Services that is used as the data source for a reporting services point, you might experience errors when you run or edit reports from the Configuration Manager console. For reporting to work properly from the Configuration Manager console, you must remove the reporting services point site system role for the site and reinstall it. However, after the upgrade you can continue to run and edit reports successfully from an Internet browser.
983

Configure Report Options

Use the report options for a Configuration Manager site to select the default reporting services point that is used to manage your reports. Although you can have more than one reporting services point at a site, only the default report server selected in report options is used to manage reports. Use the following procedure to configure report options for your site. To configure report options 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. On the Home tab, in the Settings group, click Report Options. 4. Select the default report server in the list, and then click OK. If no reporting services points are listed in the list, verify that you have a reporting services point successfully installed and configured in the site.

See Also
Reporting in Configuration Manager

Operations and Maintenance for Reporting in Configuration Manager

After the infrastructure is in place for reporting in Microsoft System Center 2012 Configuration Manager, there are a number of operations that you typically perform to manage reports and report subscriptions. Use the following sections in this topic to help you manage the operations for reports and report subscriptions in your Configuration Manager hierarchy: Manage Configuration Manager Reports Run a Configuration Manager Report Modify the Properties for a Configuration Manager Report Edit a Configuration Manager Report Create a Model-Based Report Create a SQL-Based Report Create a Report Subscription to Deliver a Report to a File Share Create a Report Subscription to Deliver a Report by Email

Manage Report Subscriptions

984

Manage Configuration Manager Reports

Configuration Manager provides over 400 predefined reports that help you gather, organize, and present information about users, hardware and software inventory, software updates, applications, site status, and other Configuration Manager operations in your organization. You can use the predefined reports as they are, or you can modify a report to meet your requirements. You can also create custom model-based and SQL-based reports to meet your requirements. Use the following sections to help you manage Configuration Manager reports.

Run a Configuration Manager Report

Reports in Configuration Manager are stored in SQL Server Reporting Services, and the data rendered in the report is retrieved from the Configuration Manager site database. You can access reports in the Configuration Manager console or by using Report Manager, which you access in a web browser. You can open reports on any computer that has access to the computer that is running SQL Server Reporting Services, and you must have sufficient rights to view the reports. When you run a report, the report title, description, and category are displayed in the language of the local operating system. Note In some non-English languages, characters may not appear correctly in reports. In this case, reports can be viewed using the web-based Report Manager or through the Remote Administrator Console. Warning To run reports, you must have Read rights for the Site permission and the Run Report permission that is configured for specific objects. Note Report Manager is a web-based report access and management tool that you use to administer a single report server instance on a remote location over an HTTP connection. You can use Report Manager for operational tasks, for example, to view reports, modify report properties, and manage associated report subscriptions. This topic provides the steps to view a report and modify report properties in Report Manager, but for more information about the other options that Report Manager provides, see Report Manager in SQL Server 2008 Books Online. Use the following procedures to run a Configuration Manager report. To run a report in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports to list the available reports. Important
985

In this version of Configuration Manager, the All content reports only display packages, not applications. Tip If no reports are listed, verify that the reporting services point is installed and configured. For more information, see Configuring Reporting in Configuration Manager. 3. Select the report that you want to run, and then on the Home tab, in the Report Group section, click Run to open the report. 4. When there are required parameters, specify the parameters, and then click View Report. To run a report in a web browser 1. In your web browser, enter the Report Manager URL, for example, http://Server1/Reports. You can determine the Report Manager URL on the Report Manager URL page in Reporting Services Configuration Manager. 2. In Report Manager, click the report folder for Configuration Manager, for example, ConfigMgr_CAS. Tip If no reports are listed, verify that the reporting services point is installed and configured. For more information, see Configuring Reporting in Configuration Manager. 3. Click the report category for the report that you want to run, and then click the link for the report. The report opens in Report Manager. 4. When there are required parameters, specify the parameters, and then click View Report.

Modify the Properties for a Configuration Manager Report

In the Configuration Manager console, you can view the properties for a report, such as the report name and description, but to change the properties, use Report Manager. Use the following procedure to modify the properties for a Configuration Manager report. To modify report properties in Report Manager 1. In your web browser, enter the Report Manager URL, for example, http://Server1/Reports. You can determine the Report Manager URL on the Report Manager URL page in Reporting Services Configuration Manager. 2. In Report Manager, click the report folder for Configuration Manager, for example, ConfigMgr_CAS. Tip If no reports are listed, verify that the Reporting Services point is installed and
986

configured. For more information, see Configuring Reporting in Configuration Manager 3. Click the report category for the report for which you want to modify properties, and then click the link for the report. The report opens in Report Manager. 4. Click the Properties tab. You can modify the report name and description. 5. When you are finished, click Apply. The report properties are saved on the report server, and the Configuration Manager console retrieves the updated report properties for the report.

Edit a Configuration Manager Report

When an existing Configuration Manager report does not retrieve the information that you have to have or does not provide the layout or design that you want, you can edit the report in Report Builder. Note You can also choose to clone an existing report by opening it for editing, and clicking Save As to save it as a new report. Security The user account must have Site Modify permission and Modify Report permissions on the specific objects associated with the report that you want to modify. Important When Configuration Manager is upgraded to a newer version, new reports overwrite the predefined reports. If you modify a predefined report, you must back up the report before you install the new version, and then restore the report in Reporting Services. If you are making significant changes to a predefined report, consider creating a new report instead. New reports that you create before you upgrade a site are not overwritten. Use the following procedure to edit the properties for a Configuration Manager report. To edit report properties 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports to list the available reports. 3. Select the report that you want to modify, and then on the Home tab, in the Report Group section, click Edit. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have
987

Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 4. In Report Builder, modify the appropriate report settings, and then click Save to save the report to the report server.

Create a Model-Based Report

A model-based report lets you interactively select the items you want to include in your report. For more information about creating custom report models, see Creating Custom Report Models in SQL Server Reporting Services. Security The user account must have Site Modify permission to create a new report. The user can only create a report in folders for which the user has Modify Report permissions. Use the following procedure to create a model-based Configuration Manager report. To create a model-based report 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting and click Reports. 3. On the Home tab, in the Create section, click Create Report to open the Create Report Wizard. 4. On the Information page, configure the following settings: Type: Select Model-based Report to create a report in Report Builder by using a Reporting Services model. Name: Specify a name for the report. Description: Specify a description for the report. Server: Displays the name of the report server on which you are creating this report. Path: Click Browse to specify a folder in which you want to store the report.

Click Next. 5. On the Model Selection page, select an available model in the list that you use to create this report. When you select the report model, the Preview section displays the SQL Server views and entities that are made available by the selected report model. 6. On the Summary page, review the settings. Click Previous to change the settings or click Next to create the report in Configuration Manager. 7. On the Confirmation page, click Close to exit the wizard, and then open Report Builder to configure the report settings. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important
988

For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 8. In Microsoft Report Builder, create the report layout, select data in the available SQL Server views, add parameters to the report, and so on. For more information about using Report Builder to create a new report, see the Report Builder Help. 9. Click Run to run your report. Verify that the report provides the information that you expect. Click Design to return to the Design view to modify the report, if needed. 10. Click Save to save the report to the report server. You can run and modify the new report in the Reports node in the Monitoring workspace.

Create a SQL-Based Report

A SQL-based report lets you retrieve data that is based on a report SQL statement. Important When you create an SQL statement for a custom report, do not directly reference SQL Server tables. Instead, reference reporting SQL Server views (view names that start with v_) from the site database. Starting in Configuration Manager SP1, you can also reference public stored procedures (stored procedure names that start with sp_) from the site database. Security The user account must have Site Modify permission to create a new report. The user can only create a report in folders for which the user has Modify Report permissions. Use the following procedure to create a SQL-based Configuration Manager report. To create a SQL-based report 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. On the Home tab, in the Create section, click Create Report to open the Create Report Wizard. 4. On the Information page, configure the following settings: Type: Select SQL-based Report to create a report in Report Builder by using a SQL statement. Name: Specify a name for the report. Description: Specify a description for the report. Server: Displays the name of the report server on which you are creating this report. Path: Click Browse to specify a folder in which you want to store the report.

Click Next.
989

5. On the Summary page, review the settings. Click Previous to change the settings or click Next to create the report in Configuration Manager. 6. On the Confirmation page, click Close to exit the wizard and open Report Builder to configure the report settings. Enter your user account and password if you are prompted, and then click OK. If Report Builder is not installed on the computer, you are prompted to install it. Click Run to install Report Builder, which is required to modify and create reports. Important For Configuration Manager with no service pack only: If you are running SQL Server 2008 R2, you must modify the Report Builder manifest name to have Configuration Manager open Report Builder 3.0 instead of Report Builder 2.0. For more information, see the Configure Reporting to Use Report Builder 3.0 section in the Configuring Reporting in Configuration Manager topic. 7. In Microsoft Report Builder, provide the SQL statement for the report or build the SQL statement by using columns in available SQL Server views, add parameters to the report, and so on. 8. Click Run to run your report. Verify that the report provides the information that you expect. Click Design to return to the Design view to modify the report, if needed. 9. Click Save to save the report to the report server. You can run the new report in the Reports node in the Monitoring workspace.

Manage Report Subscriptions

Report subscriptions in SQL Server Reporting Services let you configure the automatic delivery of specified reports by email or to a file share at scheduled intervals. Use the Create Subscription Wizard in System Center 2012 Configuration Manager to configure report subscriptions.

Create a Report Subscription to Deliver a Report to a File Share

When you create a report subscription to deliver a report to a file share, the report is copied in the specified format to the file share that you specify. You can subscribe to and request delivery for only one report at a time. Unlike reports that are hosted and managed by a report server, reports that are delivered to a shared folder are static files. Interactive features that are defined for the report do not work for reports that are stored as files on the file system. Interaction features are represented as static elements. If the report includes charts, the default presentation is used. If the report links through to another report, the link is rendered as static text. If you want to retain interactive features in a delivered report, use email delivery instead. For more information about email delivery, see the Create a Report Subscription to Deliver a Report by Email later in the topic. When you create a subscription that uses file share delivery, you must specify an existing folder as the destination folder. The report server does not create folders on the file system. The folder that you specify must be accessible over a network connection. When you specify the destination
990

folder in a subscription, use a UNC path and do not include trailing backslashes in the folder path. For example, a valid UNC path for the destination folder is: \\<servername>\reportfiles\operations\2011. Reports can be rendered in a variety of file formats, such as MHTML or Excel. To save the report in a specific file format, select that rendering format when creating your subscription. For example, choosing Excel saves the report as a Microsoft Excel file. Although you can select any supported rendering format, some formats work better than others when rendering to a file. Use the following procedure to create a report subscription to deliver a report to a file share. To create a report subscription to deliver a report to a file share 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting and click Reports to list the available reports. You can select a report folder to list only the reports that are associated with the folder. 3. Select the report that you want to add to the subscription, and then on the Home tab, in the Report Group section, click Create Subscription to open the Create Subscription Wizard. 4. On the Subscription Delivery page, configure the following settings: Report delivered by: Select Windows File Share to deliver the report to a file share. File Name: Specify the file name for the report. By default, the report file does not include a file name extension. Select Add file extension when created to automatically add a file name extension to this report based on the render format. Path: Specify a UNC path to an existing folder where you want to deliver this report (for example, \\<server name>\<server share>\<report folder>). Note The user name specified later on this page must have access to this server share and have Write permissions on the destination folder. Render Format: Select one of the following formats for the report file: XML file with report data: Saves the report in Extensible Markup Language format. CSV (comma delimited): Saves the report in comma-separated-value format. TIFF file: Saves the report in Tagged Image File Format. Acrobat (PDF) file: Saves the report in Acrobat Portable Document Format. HTML 4.0: Saves the report as a webpage viewable only in browsers that support HTML 4.0. Internet Explorer 5 and later versions support HTML 4.0. Note If you have images in your report, the HTML 4.0 format does not include them in the file. MHTML (web archive): Saves the report in MIME HTML format (mhtml), which is viewable in many web browsers.
991

RPL Renderer: Saves the report in Report Page Layout (RPL) format. Excel: Saves the report as a Microsoft Excel spreadsheet. Word: Saves the report as a Microsoft Word document.

User Name: Specify a Windows user account with permissions to access the destination server share and folder. The user account must have access to this server share and have Write permission on the destination folder. Password: Specify the password for the Windows user account. In Confirm Password, re-enter the password. Select one of the following options to configure the behavior when a file of the same name exists in the destination folder: Overwrite an existing file with a newer version: Specifies that when the report file already exists, the new version overwrites it. Do not overwrite an existing file: Specifies that when the report file already exists, there is no action. Increment file names as newer versions are added: Specifies that when the report file already exists, a number is added to the new report to the file name to distinguish it from other versions.

Description: Specifies the description for the report subscription.

Click Next. 5. On the Subscription Schedule page, select one of the following delivery schedule options for the report subscription: Use shared schedule: A shared schedule is a previously defined schedule that can be used by other report subscriptions. Select this check box, and then select a shared schedule in the list if any have been specified. Create new schedule: Configure the schedule on which this report runs, including the interval, start time and date, and the end date for this subscription.

6. On the Subscription Parameters page, specify the parameters for this report that are used when it is run unattended. When there are no parameters for the report, this page is not displayed. 7. On the Summary page, review the report subscription settings. Click Previous to change the settings or click Next to create the report subscription. 8. On the Completion page, click Close to exit the wizard. Verify that the report subscription was created successfully. You can view and modify report subscriptions in the Subscriptions node under Reporting in the Monitoring workspace.

Create a Report Subscription to Deliver a Report by Email

When you create a report subscription to deliver a report by email, an email is sent to the recipients that you configure, and the report is included as an attachment. The report server does not validate email addresses or obtain email addresses from an email server. You must know in advance which email addresses you want to use. By default, you can email reports to any valid

992

email account within or outside of your organization. You can select one or both of the following email delivery options: Send a notification and a hyperlink to the generated report. Send an embedded or attached report. The rendering format and browser determine whether the report is embedded or attached. If your browser supports HTML 4.0 and MHTML, and you select the MHTML (web archive) rendering format, the report is embedded as part of the message. All other rendering formats (CSV, PDF, Word, and so on) deliver reports as attachments. Reporting Services does not check the size of the attachment or message before sending the report. If the attachment or message exceeds the maximum limit allowed by your mail server, the report is not delivered. Important You must configure the email settings in Reporting Services for the Email delivery option to be available. For more information about configuring the email settings in Reporting Services, see Configuring a Report Server for Email Delivery in the SQL Server Books Online. Use the following procedure to create a report subscription to deliver a report by using email. To create a report subscription to deliver a report by email In the Configuration Manager console, click Monitoring. In the Monitoring workspace, expand Reporting and click Reports to list the available reports. You can select a report folder to list the only the reports that are associated with the folder. Select the report that you want to add to the subscription, and then on the Home tab, in the Report Group section, click Create Subscription to open the Create Subscription Wizard. On the Subscription Delivery page, configure the following settings: Report delivered by: Select E-mail to deliver the report as an attachment in an email message. To: Specify a valid email address to send this report to. Note You can enter multiple email recipients by separating each email address with a semicolon. Cc: Optionally, specify an email address to copy this report to. Bcc: Optionally, specify an email address to send a blind copy of this report to. Reply To: Specify the reply address to use if the recipient replies to the email message. Subject: Specify a subject line for the subscription email message. Priority: Select the priority flag for this email message. Select Low, Normal, or High. The priority setting is used by Microsoft Exchange to set a flag indicating the importance of the email message.
993

Comment: Specify text to be added to the body of the subscription email message. Description: Specify the description for this report subscription. Include Link: Includes a URL to the subscribed report in the body of the email message. Include Report: Specify that the report is attached to the e-mail message. The format in which the report will be attached is specified in the Render Format list. Render Format: Select one of the following formats for the attached report: XML file with report data: Saves the report in Extensible Markup Language format. CSV (comma delimited): Saves the report in comma-separated-value format. TIFF file: Saves the report in Tagged Image File Format. Acrobat (PDF) file: Saves the report in Acrobat Portable Document Format. MHTML (web archive): Saves the report in MIME HTML format (mhtml), which is viewable in many web browsers. Excel: Saves the report as a Microsoft Excel spreadsheet. Word: Saves the report as a Microsoft Word document.

On the Subscription Schedule page, select one of the following delivery schedule options for the report subscription: Use shared schedule: A shared schedule is a previously defined schedule that can be used by other report subscriptions. Select this check box, and then select a shared schedule in the list if any have been specified. Create new schedule: Configure the schedule on which this report will run, including the interval, start time and date, and the end date for this subscription.

On the Subscription Parameters page, specify the parameters for this report that are used when it is run unattended. When there are no parameters for the report, this page is not displayed. On the Summary page, review the report subscription settings. Click Previous to change the settings or click Next to create the report subscription. On the Completion page, click Close to exit the wizard. Verify that the report subscription was created successfully. You can view and modify report subscriptions in the Subscriptions node under Reporting in the Monitoring workspace.

See Also
Reporting in Configuration Manager

994

Creating Custom Report Models in SQL Server Reporting Services

Sample report models are included in Microsoft System Center 2012 Configuration Manager, but you can also define report models to meet your own business requirements, and then deploy the report model to Configuration Manager to use when you create new model-based reports. The following table provides the steps to create and deploy a basic report model. Note For the steps to create a more advanced report model, see the Steps for Creating an Advanced Report Model in SQL Server Reporting Services section in this topic.
Step Description More information

Verify that SQL Server Business Intelligence Development Studio is installed

Report models are designed and built by using SQL Server Business Intelligence Development Studio. Verify that SQL Server Business Intelligence Development Studio is installed on the computer on which you are creating the custom report model.

For more information about SQL Server Business Intelligence Development Studio, see the SQL Server 2008 documentation.

Create a report model project

A report model project For more information, see the contains the definition of the To create the report model data source (a .ds file), the project section in this topic. definition of a data source view (a .dsv file), and the report model (an .smdl file). After creating a report model project, you have to define one data source from which you extract business data. Typically, this is the Configuration Manager site database. After defining the data sources that you use in your report model project, the next step is to define a data source view For more information, see the To define the data source for the report model section in this topic.

Define a data source for a report model

Define a data source view for a report model

For more information, see the To define the data source view for the report model section in this topic.
995

Step

Description

More information

for the project. A data source view is a logical data model based on one or more data sources. Data source views encapsulate access to the physical objects, such as tables and views, contained in underlying data sources. SQL Server Reporting Services generates the report model from the data source view. Data source views facilitate the model design process by providing you with a useful representation of the data that you specified. Without changing the underlying data source, you can rename tables and fields, and add aggregate fields and derived tables in a data source view. For an efficient model, add only those tables to the data source view that you intend to use. Create a report model A report model is a layer on top of a database that identifies business entities, fields, and roles. When published, by using these models, Report Builder users can develop reports without having to be familiar with database structures or understand and write queries. Models are composed of sets of related report items that are grouped together under a friendly name, with predefined relationships between these business items and with predefined calculations. For more information, see the To create the report model section in this topic.

996

Step

Description

More information

Models are defined by using an XML language called Semantic Model Definition Language (SMDL). The file name extension for report model files is .smdl. Publish a report model To build a report by using the model that you just created, you must publish it to a report server. The data source and data source view are included in the model when it is published. Before you can use a custom report model in the Create Report Wizard to create a model-based report, you must deploy the report model to Configuration Manager. For more information, see the To publish the report model for use in SQL Server Reporting Services section in this topic.

Deploy the report model to Configuration Manager

For more information, see the To deploy the custom report model to Configuration Manager section in this topic.

Steps for Creating a Basic Report Model in SQL Server Reporting Services
You can use the following procedures to create a basic report model that users in your site can use to build particular model-based reports based on data in a single view of the System Center 2012 Configuration Manager database. You create a report model that presents information about the client computers in your site to the report author. This information is taken from the v_R_System view in the System Center 2012 Configuration Manager database. On the computer where you perform these procedures, ensure that you have installed SQL Server Business Intelligence Development Studio and that the computer has network connectivity to the reporting services point server. For detailed information about SQL Server Business Intelligence Development Studio, see the SQL Server 2008 documentation. To create the report model project 1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio. 2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project.
997

3. In the New Project dialog box, select Report Model Project in the Templates list. 4. In the Name box, specify a name for this report model. For this example, type Simple_Model. 5. To create the report model project, click OK. 6. The Simple_Model solution is displayed in Solution Explorer. Note If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer. To define the data source for the report model 1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source. 2. On the Welcome to the Data Source Wizard page, click Next. 3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New. 4. In the Connection Manager dialog box, specify the following connection properties for the data source: Server name: Type the name of your System Center 2012 Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>. Select Use Windows Authentication. In Select or enter a database name list, select the name of your Configuration Manager site database.

5. To verify the database connection, click Test Connection. 6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again. 7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in Data connections, and then click Next. 8. In Data source name, specify a name for the data source, and then click Finish. For this example, type Simple_Model. 9. The data source Simple_Model.ds is now displayed in Solution Explorer under the Data Sources node. Note To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer. To define the data source view for the report model
998

1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View. 2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed. 3. In the Relational data sources window, verify that the Simple_Model data source is selected, and then click Next. 4. On the Select Tables and Views page, select the following view in the Available objects list to be used in the report model: v_R_System (dbo). Tip To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order. 5. After selecting the view, click > to transfer the object to the Included objects list. 6. If the Name Matching page is displayed, accept the default selections, and click Next. 7. When you have selected the objects that you require, click Next, and then specify a name for the data source view. For this example, type Simple_Model. 8. Click Finish. The Simple_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer. To create the report model 1. In Solution Explorer, right-click Report Models to select Add New Report Model. 2. On the Welcome to the Report Model Wizard page, click Next. 3. On the Select Data Source Views page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv. 4. On the Select report model generation rules page, accept the default values, and then click Next. 5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next. 6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Simple_Model is displayed. 7. To complete the wizard and create the report model, click Run. 8. To exit the wizard, click Finish. The report model is shown in the Design window. To publish the report model for use in SQL Server Reporting Services 1. In Solution Explorer, right-click the report model to select Deploy. For this example, the report model is Simple_Model.smdl. 2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server
999

Reporting Services website. 3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio. To deploy the custom report model to Configuration Manager 1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>. 2. Copy the following files from the report model project folder to a temporary folder on your computer: <Model Name>.dsv <Model Name>.smdl

3. Open the preceding files by using a text editor, such as Notepad. 4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine"> Edit this line to read as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView"> 5. Copy the entire contents of the file to the Windows Clipboard. 6. Close the file <Model Name>.dsv. 7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as follows:
</Entity> </Entities>

</SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file (<SemanticModel>). 9. Save and close the file <Model Name>.smdl. 10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Configuration Manager \AdminConsole\XmlStorage\Other on the Configuration Manager site server. Important After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.

1000

Steps for Creating an Advanced Report Model in SQL Server Reporting Services
You can use the following procedures to create an advanced report model that users in your site can use to build particular model-based reports based on data in multiple views of the System Center 2012 Configuration Manager database. You create a report model that presents information about the client computers and the operating system installed on these computers to the report author. This information is taken from the following views in the System Center 2012 Configuration Manager database: V_R_System: Contains information about discovered computers and the System Center 2012 Configuration Manager client. V_GS_OPERATING_SYSTEM : Contains information about the operating system installed on the client computer.

Selected items from the preceding views are consolidated into one list, given friendly names, and then presented to the report author in Report Builder for inclusion in particular reports. On the computer where you perform these procedures, ensure that you have installed SQL Server Business Intelligence Development Studio and that the computer has network connectivity to the reporting services point server. For detailed information about SQL Server Business Intelligence Development Studio, see the SQL Server documentation. To create the report model project 1. On the desktop, click Start, click Microsoft SQL Server 2008, and then click SQL Server Business Intelligence Development Studio. 2. After SQL Server Business Intelligence Development Studio opens in Microsoft Visual Studio, click File, click New, and then click Project. 3. In the New Project dialog box, select Report Model Project in the Templates list. 4. In the Name box, specify a name for this report model. For this example, type Advanced_Model. 5. To create the report model project, click OK. 6. The Advanced_Model solution is displayed in Solution Explorer. Note If you cannot see the Solution Explorer pane, click View, and then click Solution Explorer. To define the data source for the report model 1. In the Solution Explorer pane of SQL Server Business Intelligence Development Studio, right-click Data Sources to select Add New Data Source. 2. On the Welcome to the Data Source Wizard page, click Next. 3. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, and then click New.
1001

4. In the Connection Manager dialog box, specify the following connection properties for the data source: Server name: Type the name of your System Center 2012 Configuration Manager site database server, or select it in the list. If you are working with a named instance instead of the default instance, type <database server>\<instance name>. Select Use Windows Authentication. In the Select or enter a database name list, select the name of your System Center 2012 Configuration Manager site database.

5. To verify the database connection, click Test Connection. 6. If the connection succeeds, click OK to close the Connection Manager dialog box. If the connection does not succeed, verify that the information you entered is correct, and then click Test Connection again. 7. On the Select how to define the connection page, verify that Create a data source based on an existing or new connection is selected, verify that the data source you have just specified is selected in the Data connections list box, and then click Next. 8. In Data source name, specify a name for the data source and then click Finish. For this example, type Advanced_Model. 9. The data source Advanced_Model.ds is displayed in Solution Explorer under the Data Sources node. Note To edit the properties of an existing data source, double-click the data source in the Data Sources folder of the Solution Explorer pane to display the data source properties in Data Source Designer. To define the data source view for the report model 1. In Solution Explorer, right-click Data Source Views to select Add New Data Source View. 2. On the Welcome to the Data Source View Wizard page, click Next. The Select a Data Source page is displayed. 3. In the Relational data sources window, verify that the Advanced_Model data source is selected, and then click Next. 4. On the Select Tables and Views page, select the following views in the Available objects list to be used in the report model: v_R_System (dbo) v_GS_OPERATING_SYSTEM (dbo)

After selecting each view, click > to transfer the object to the Included objects list. Tip To help locate views in the Available objects list, click the Name heading at the top of the list to sort the objects in alphabetical order. 5. If the Name Matching dialog box appears, accept the default selections, and click Next.
1002

6. When you have selected the objects you require, click Next, and then specify a name for the data source view. For this example, type Advanced_Model. 7. Click Finish. The Advanced_Model.dsv data source view is displayed in the Data Source Views folder of Solution Explorer. To define relationships in the data source view 1. In Solution Explorer, double-click Advanced_Model.dsv to open the Design window. 2. Right-click the title bar of the v_R_System window to select Replace Table, and then click With New Named Query. 3. In the Create Named Query dialog box, click the Add Table icon (typically the last icon in the ribbon). 4. In the Add Table dialog box, click the Views tab, select V_GS_OPERATING_SYSTEM in the list, and then click Add. 5. Click Close to close the Add Table dialog box. 6. In the Create Named Query dialog box, specify the following information: Name: Specify the name for the query. For this example, type Advanced_Model. Description: Specify a description for the query. For this example, type Example Reporting Services report model.

7. In the v_R_System window, select the following items in the list of objects to display in the report model: ResourceID ResourceType Active0 AD_Domain_Name0 AD_SiteName0 Client0 Client_Type0 Client_Version0 CPUType0 Hardware_ID0 User_Domain0 User_Name0 Netbios_Name0 Operating_System_Name_and0

8. In the v_GS_OPERATING_SYSTEM box, select the following items in the list of objects to display in the report model: ResourceID Caption0 CountryCode0
1003

CSDVersion0 Description0 InstallDate0 LastBootUpTime0 Locale0 Manufacturer0 Version0 WindowsDirectory0

9. To present the objects in these views as one list to the report author, you must specify a relationship between the two tables or views by using a join. You can join the two views by using the object ResourceID, which appears in both views. 10. In the v_R_System window, click and hold the ResourceID object and drag it to the ResourceID object in the v_GS_OPERATING_SYSTEM window. 11. Click OK. 12. The Advanced_Model window replaces the v_R_System window and contains all of the necessary objects required for the report model from the v_R_System and the v_GS_OPERATING_SYSTEM views. You can now delete the v_GS_OPERATING_SYSTEM window from the Data Source View Designer. Right-click the title bar of the v_GS_OPERATING_SYSTEM window to select Delete Table from DSV. In the Delete Objects dialog box, click OK to confirm the deletion. 13. Click File, and then click Save All. To create the report model 1. In Solution Explorer, right-click Report Models to select Add New Report Model. 2. On the Welcome to the Report Model Wizard page, click Next. 3. On the Select Data Source View page, select the data source view in the Available data source views list, and then click Next. For this example, select Simple_Model.dsv. 4. On the Select report model generation rules page, do not change the default values, and click Next. 5. On the Collect Model Statistics page, verify that Update model statistics before generating is selected, and then click Next. 6. On the Completing the Wizard page, specify a name for the report model. For this example, verify that Advanced_Model is displayed. 7. To complete the wizard and create the report model, click Run. 8. To exit the wizard, click Finish. 9. The report model is shown in the Design window. To modify object names in the report model 1. In Solution Explorer, right-click a report model to select View Designer. For this
1004

example, select Advanced_Model.smdl. 2. In the report model Design view, right-click any object name to select Rename. 3. Type a new name for the selected object, and then press Enter. For example, you could rename the object CSD_Version_0 to read Windows Service Pack Version. 4. When you have finished renaming objects, click File, and then click Save All. To publish the report model for use in SQL Server Reporting Services 1. In Solution Explorer, right-click Advanced_Model.smdl to select Deploy. 2. Examine the deployment status at the lower left corner of the SQL Server Business Intelligence Development Studio window. When the deployment has finished, Deploy Succeeded is displayed. If the deployment fails, the reason for the failure is displayed in the Output window. The new report model is now available on your SQL Server Reporting Services website. 3. Click File, click Save All, and then close SQL Server Business Intelligence Development Studio. To deploy the custom report model to Configuration Manager 1. Locate the folder in which you created the report model project. For example, %USERPROFILE%\Documents\Visual Studio 2008\Projects\<Project Name>. 2. Copy the following files from the report model project folder to a temporary folder on your computer: <Model Name>.dsv <Model Name>.smdl

3. Open the preceding files by using a text editor, such as Notepad. 4. In the file <Model Name>.dsv, locate the first line of the file, which reads as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine"> Edit this line to read as follows: <DataSourceView xmlns="http://schemas.microsoft.com/analysisservices/2003/engine" xmlns:xsi="RelationalDataSourceView"> 5. Copy the entire contents of the file to the Windows Clipboard. 6. Close the file <Model Name>.dsv. 7. In the file <Model Name>.smdl, locate the last three lines of the file, which appear as follows:
</Entity> </Entities>

</SemanticModel>

8. Paste the contents of the file <Model Name>.dsv directly before the last line of the file
1005

(<SemanticModel>). 9. Save and close the file <Model Name>.smdl. 10. Copy the file <Model Name>.smdl to the folder %programfiles%\Microsoft Configuration Manager\AdminConsole\XmlStorage\Other on the Configuration Manager site server. Important After copying the report model file to the Configuration Manager site server, you must exit and restart the Configuration Manager console before you can use the report model in the Create Report Wizard.

See Also
Configuring Reporting in Configuration Manager

Security and Privacy for Reporting in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security best practices and privacy information for reporting in System Center 2012 Configuration Manager. Configuration Manager reports display information that is collected during standard Configuration Manager management operations. For example, you can display a report of information that has been collected from discovery or inventory. Reports can also contain the current status information for client management operations, such as deploying software, and checking for compliance. For more information about any security best practices and privacy information for Configuration Manager operations that might generate data that can be displayed in reports, see Security Best Practices and Privacy Information for Configuration Manager.

See Also
Reporting in Configuration Manager

1006

Technical Reference for Reporting in Configuration Manager

This section contains technical reference information for reporting in System Center 2012 Configuration Manager.

Technical Reference Topics

There is currently no technical reference information for reporting in Configuration Manager.

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Reporting in Configuration Manager

Security and Privacy for Site Administration in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for System Center 2012 Configuration Manager sites and the hierarchy: Security Best Practices for Site Administration Security Best Practices for the Site Server Security Best Practices for SQL Server Security Best Practices for Site Systems that Run IIS Security Best Practices for the Management Point Security Best Practices for the Fallback Status Point Security Issues for Site Administration

Privacy Information for Discovery

Security Best Practices for Site Administration

Use the following security best practices to help you secure System Center 2012 Configuration Manager sites and the hierarchy.

1007

Security best practice

More information

Run Setup only from a trusted source and secure the communication channel between the Setup media and the site server.

To help prevent tampering of the source files, run Setup from a trusted source. If you store the files on the network, secure the network location. If you do run Setup from a network location, to help prevent an attacker from tampering with the files as they are transmitted over the network, use IPsec or SMB signing between the source location of the Setup files and the site server. In addition, if you use the Setup Downloader to download the files that are required by Setup, make sure that you also secure the location where these files are stored and secure the communication channel for this location when you run Setup.

Extend the Active Directory schema for System Center 2012 Configuration Manager and publish sites to Active Directory Domain Services.

Schema extensions are not required to run Microsoft System Center 20 12 Configuration Manager, but they do create a more secure environment because Configuration Manager clients and site servers can retrieve information from a trusted source. If clients are in an untrusted domain, deploy the following site system roles in the clients domain:
1008

Security best practice

More information

Management point Distribution point Application Catalog website point Note A trusted domain for Configuration Manager requires Kerberos authentication so if clients are in another forest that does not have a two-way forest trust with the site servers forest, these clients are considered to be in untrusted domain. An external trust is not sufficient for this purpose.

Use IPsec to secure communications between site system servers and sites.

Although Configuration Manager does secure communication between the site server and the computer that runs SQL Server, Configuration Manager does not secure communication between site system roles and SQL Server. Only some site systems (the enrollment point and the Application Catalog web service point) can be configured for HTTPS for intrasite communication. If you do not use additional controls to secure these
1009

Security best practice

More information

server-to-server channels, attackers can use various spoofing and man-in-themiddle attacks against site systems. Use SMB signing when you cannot use IPsec. Note It is particularly important to secure the communication channel between the site server and the package source server. This communication uses SMB. If you cannot use IPsec to secure this communication, use SMB signing to ensure that the files are not tampered with before clients download and run them. Do not change the security groups that Configuration Manager creates and manages for site system communication: SMS_SiteSystemToSiteServerConnection_SMSProv_< SiteCode> SMS_SiteSystemToSiteServerConnection_Stat_<SiteC ode> If clients cannot query the Global Catalog server for Configuration Manager information, manage the trusted root key provisioning process. SMS_SiteSystemToSiteServerConnection_MP_<SiteCode> Configuration Manager automatically creates and manages these security groups. This includes removing computer accounts when a site system role is removed. To ensure service continuity and least privileges, do not manually edit these groups. If clients cannot query the Global Catalog for Configuration Manager information, they must rely
1010

Security best practice

More information

on the trusted root key to authenticate valid management points. The trusted root key is stored in the client registry and can be set by using Group Policy or manual configuration. If the client does not have a copy of the trusted root key before it contacts a management point for the first time, it trusts the first management point it communicates with. To reduce the risk of an attacker misdirecting clients to an unauthorized management point, you can pre-provision the clients with the trusted root key. For more information, see Planning for the Trusted Root Key. Use non-default port numbers. When you use non-default port numbers, this can provide additional security because it makes it harder for attackers to explore the environment in preparation for an attack. If you decide to use non-default ports, plan for them before you install Configuration Manager and use them consistently across all sites in the hierarchy. Client request ports and Wake on LAN are examples where you can use non-default port numbers.
1011

Security best practice

More information

Use role separation on site systems.

Although you can install all the site system roles on a single computer, this practice is rarely used on production networks because it creates a single point of failure. When you isolate each site system role on a different server, this reduces the chance that an attack against vulnerabilities on one site system can be used against a different site system. Many site system roles require the installation of Internet Information Services (IIS) on the site system and this increases the attack surface. If you must combine site system roles to reduce hardware expenditure, combine IIS site system roles only with other site system roles that require IIS. Important The fallback status point role is an exception: Because this site system role accepts unauthenticated data from clients, the fallback status point role should never be assigned to any other Configuration Manager site
1012

Reduce the attack profile.

Security best practice

More information

system role. Follow security best practices for Windows Server and run the Security Configuration Wizard on all site systems. The Security Configuration Wizard (SCW) helps you to create a security policy that you can apply to any server on your network. After you install the System Center 2012 Configuration Manager template, SCW recognizes Configuration Manager site system roles, services, ports, and applications. It then permits the communication that is required for Configuration Manager, and blocks communication that is not required. The Security Configuration Wizard is included with the toolkit for System Center 2012 Configuration Manager, which you can download from the Microsoft Download Center: System Center 2012 Configuration Manager Component Add-ons and Extensions. Configure static IP addresses for site systems. Static IP addresses are easier to protect from name resolution attacks. Static IP addresses also make the configuration of IPsec easier, which is a security best practice for securing communication between site systems in
1013

Security best practice

More information

Configuration Manager. Do not install other applications on site system servers. When you install other applications on site system servers, you increase the attack surface for Configuration Manager and risk incompatibility issues. Enable the signing and encryption options for the site. Ensure that all clients can support the SHA-256 hash algorithm and then enable the option Require SHA-256. Grant administrative access to Configuration Manager only to users that you trust and then grant them minimum permissions by using the built-in security roles or by customizing the security roles. Administrative users who can create, modify, and deploy applications, task sequence, software updates, configuration items and configuration baselines, can potentially control devices in the Configuration Manager hierarchy. Periodically audit administrative user assignments and their authorization level to verify required changes. For more information about configuring role-based administration, see
1014

Require signing and enable encryption as a site option.

Restrict and monitor Configuration Manager administrative users and use role-based administration to grant these users the minimum permissions that they require.

Security best practice

More information

Configure Role-Based Administration. Secure Configuration Manager backups and secure the communication channel when you backup and restore. When you back up Configuration Manager, this information includes certificates and other sensitive data that could be used by an attacker for impersonation. Use SMB signing or IPsec when you transfer this data over the network, and secure the backup location. Whenever you export or import objects from the Configuration Manager console to a network location, secure the location and secure the network channel. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server, and between the computer that runs the Configuration Manager console and site server to prevent an attacker from tampering with the exported data. Use IPsec to encrypt the data on the network to prevent information disclosure. To remove the PeerTrust that was originally established with the site system and site system roles, manually remove the Configuration Manager certificates for the failed server in the Trusted People certificate store on other site system servers. This is particularly important if you repurpose the server without reformatting it.
1015

If a site system fails to uninstall or stops functioning and cannot be restored, manually remove the Configuration Manager certificates for this server from other Configuration Manager servers.

Security best practice

More information

For more information about these certificates, see the section Cryptographic Controls for Server Communication in Technical Reference for Cryptographic Controls Used in Configuration Manager. Do not configure Internet-based site systems to bridge the perimeter network and the intranet. Do not configure site system servers to be multihomed so that they connected to the perimeter network and the intranet. Although this configuration allows Internet-based site systems to accept client connections from the Internet and the intranet, it eliminates a security boundary between the perimeter network and the intranet. By default, site systems initiate connections to the site server to transfer data, which can be a security risk when the connection initiation is from an untrusted network to the trusted network. When site systems accept connections from the Internet or reside in an untrusted forest, configure the site system option Require the site server to initiate connections to this site system so that after the installation of the site system and any site
1016

If the site system server is on an untrusted network (such as a perimeter network), configure the site server to initiate connections to the site system.

Security best practice

More information

system roles, all connections are initiated from the trusted network. If you use a web proxy server for Internet-based client management, use SSL bridging to SSL, by using termination with authentication. When you configure SSL termination at the proxy web server, packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internetbased site systems. When Configuration Manager client computers use a proxy web server to connect to Internet-based site systems, the client identity (client GUID) is securely contained within the packet payload so that the management point does not consider the proxy web server to be the client. If your proxy web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. If your proxy web server cannot support the
1017

Security best practice

More information

requirements for SSL bridging, you can use SSL tunneling. However, this is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. Warning Mobile devices that are enrolled by Configuration Manager cannot use SSL bridging and must use SSL tunneling only. If you configure the site to wake up computers to install software: Use AMT power commands rather than traditional wake-up packets If you use traditional wake-up packets, use unicast rather than subnet-directed broadcasts If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from the site server and only on a non-default port number Whenever possible, use a mail server that supports authenticated access and use the computer account of the site server for authentication. If you must specify a user account for authentication, use an account that has the least privileges. Note In Configuration
1018

For more information about the different wake on LAN technologies, see Planning for Client Communication in Configuration Manager.

If you use email notification, configure authenticated access to the SMTP mail server.

Security best practice

More information

Manager SP1, email notifications are no longer restricted to Endpoint Protection.

Security Best Practices for the Site Server

Use the following security best practices to help you secure the Configuration Manager site server.
Security best practice More information

Install Configuration Manager on a member server instead of a domain controller.

The Configuration Manager site server and site systems do not require installation on a domain controller. Domain controllers do not have a local Security Accounts Management (SAM) database other than the domain database. When you install Configuration Manager on a member server, you can maintain Configuration Manager accounts in the local SAM database rather than in the domain database. This practice also lowers the attack surface on your domain controllers.

Install secondary sites by avoiding copying the files to the secondary site server over the network.

When you run Setup and create a secondary site, do not select the option to copy the files from the parent site to the secondary site, or use a network source location. When you copy files over the network, a skilled attacker could hijack the secondary site installation package and tamper with the files before they are installed, although timing this attack would be difficult. This attack can be mitigated by using IPsec or SMB when you transfer the files. Instead of copying the files over the network, on the secondary site server, copy the source files from media to a local folder. Then, when you run Setup to create a secondary site, on
1019

Security best practice

More information

the Installation Source Files page, select Use the source files at the following location on the secondary site computer (most secure), and specify this folder. For more information, see the Install a Secondary Site section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Security Best Practices for SQL Server

Configuration Manager uses SQL Server as the back-end database. If the database is compromised, attackers could bypass Configuration Manager and access SQL Server directly to launch attacks through Configuration Manager. Consider attacks against the SQL Server to be very high risk and must be mitigated appropriately. Use the following security best practices to help you secure SQL Server for Configuration Manager.
Security best practice More information

Do not use the Configuration Manager site database server to run other SQL Server applications.

When you increase the access to the Configuration Manager site database server, this increases the risk to your Configuration Manager data. If the Configuration Manager site database is compromised, other applications on the same SQL Server computer then also become at risk. Although Configuration Manager accesses the site database by using a Windows account and Windows authentication, it is still possible to configure SQL Server to use SQL Server mixed mode. SQL Server mixed mode allows additional SQL logins to access the database, which is not required and increases the attack surface. When you install a primary site, Configuration Manager downloads SQL Server Express from the Microsoft Download Center and copies the files to the primary site server. When you install a secondary site and select the option that
1020

Configure SQL Server to use Windows authentication.

Take additional steps to ensure that secondary sites that use SQL Server Express have the latest software updates.

Security best practice

More information

installs SQL Server Express, Configuration Manager installs the previously downloaded version and does not check whether new versions are available. To ensure that the secondary site has the latest versions, perform one of the following: After the secondary site is installed, run Windows Update on the secondary site server. Before you install the secondary site, manually install SQL Server Express on the computer that will run the secondary site server and ensure that you install the latest version and any software updates. Then install the secondary site and select the option to use an existing SQL Server instance.

Periodically run Windows Update for these sites and all installed versions of SQL Server to make sure that they have the latest software updates. Follow best practices for SQL Server. Identify and follow the best practices for your version of SQL Server. However, take into consideration the following requirements for Configuration Manager: The computer account of the site server must be a member of the Administrators group on the computer that runs SQL Server. If you follow the SQL Server recommendation of provision admin principals explicitly, the account that you use to run Setup on the site server must be a member of the SQL Users group. If you install SQL Server by using a domain user account, make sure that the site server computer account is configured for a Service Principal Name (SPN) that is published to Active Directory Domain Services. Without the SPN, Kerberos authentication will fail and Configuration Manager Setup will fail.

1021

Security Best Practices for Site Systems that Run IIS

Several site system roles in Configuration Manager require IIS. When you secure IIS, this allows Configuration Manager to operate correctly and it reduces the risk of security attacks. When it is practical, minimize the number of servers that require IIS. For example, run only the number of management points that you require to support your client base, taking into consideration high availability and network isolation for Internet-based client management. Use the following security best practices to help you secure the site systems that run IIS.
Security best practice. More information

Disable IIS functions that you do not require.

Install only the minimum IIS features for the site system role that you install. For more information, see the Site System Requirements in the Supported Configurations for Configuration Manager topic. When clients connect to a site system by using HTTP rather than by using HTTPS, they use Windows authentication, which might fall back to using NTLM authentication rather than Kerberos authentication. When NTLM authentication is used, clients might connect to a rogue server. The exception to this security best practice might be distribution points because package access accounts do not work when the distribution point is configured for HTTPS. Package access accounts provide authorization to the content, so that you can restrict which users can access the content. For more information, see Security Best Practices for Content Management.

Configure the site system roles to require HTTPS.

Configure a certificate trust list (CTL) in IIS for the following site system roles: A distribution point that is configured for HTTPS. A management that is configured for HTTPS and enabled to support mobile devices.

A certificate trust list (CTL) is a defined list of trusted root certification authorities. When you use a CTL with Group Policy and a PKI deployment, a CTL allows you to supplement the existing trusted root certification authorities that are configured on your network, such as those automatically installed with Microsoft Windows or added through Windows enterprise root certification authorities. However, when a CTL is configured in IIS, a CTL defines a subset of those trusted root certification
1022

Security best practice.

More information

authorities. This subset provides you with more control over security because the CTL restricts the client certificates that are accepted to only those that are issued from the list of certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority certificates, such as VeriSign and Thawte. By default, the computer that runs IIS trusts certificates that chain to these well-known certification authorities. When you do not configure IIS with a CTL for the listed site system roles, any device that has a client certificate issued from these certification authorities are accepted as a valid Configuration Manager client. If you configure IIS with a CTL that did not include these certification authorities, client connections are refused if the certificate chained to these certification authorities. However, for Configuration Manager clients to be accepted for the listed site system roles, you must configure IIS with a CTL that specifies the certification authorities that are used by Configuration Manager clients. Note Only the listed site system roles require you to configure a CTL in IIS; the certificate issuers list that Configuration Manager uses for management points provides the same functionality for client computers when they connect to HTTPS management points. For more information about how to configure a list of trusted certification authorities in IIS, refer to your IIS documentation. Do not put the site server on a computer with IIS. Role separation helps to reduce the attack profile and improve recoverability. In addition, the computer account of the site server typically has administrative privileges on all site system
1023

Security best practice.

More information

roles (and possibly on Configuration Manager clients, if you use client push installation). Use dedicated IIS servers for Configuration Manager. Although you can host multiple web-based applications on the IIS servers that are also used by Configuration Manager, this practice can significantly increase your attack surface. A poorly configured application could allow an attacker to gain control of a Configuration Manager site system, which could allow an attacker to gain control of the hierarchy. If you must run other web-based applications on Configuration Manager site systems, create a custom web site for Configuration Manager site systems. Use a custom web site. For site systems that run IIS, you can configure Configuration Manager to use a custom website instead of the default website for IIS. If you must run other web applications on the site system, you must use a custom website. This setting is a site -wide setting rather than a setting for a specific site system. In addition to providing additional security, you must use a custom website if you run other web applications on the site system. If you switch from the default website to a custom website after any distribution point roles are installed, remove the default virtual directories. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website. For example, the virtual directories to remove for a distribution point are the following: Follow best practices for IIS Server. SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

Identify and follow the best practices for your version of IIS Server. However, take into
1024

Security best practice.

More information

consideration any requirements that Configuration Manager has for specific site system roles. For more information, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Security Best Practices for the Management Point

Management points are the primary interface between devices and Configuration Manager. Consider attacks against the management point and the server that it runs on to be very high risk and to be mitigated appropriately. Apply all appropriate security best practices and monitor for unusual activity. Use the following security best practices to help secure a management point in Configuration Manager.
Security best practice More information

When you install a Configuration Manager client on the management point, assign it to that management points site.

Avoid the scenario where a Configuration Manager client that is on a management point site system is assigned to a site other than the management points site. If you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, migrate the Configuration Manager 2007 client to System Center 2012 Configuration Manager as soon as possible.

Security Best Practices for the Fallback Status Point

Use the following security best practices if you install a fallback status point in Configuration Manager. For more information about the security considerations when you install a fallback status point, see Determine Whether You Require a Fallback Status Point.
Security best practice More information

Do not run other site system roles on the site system and do not install it on a domain

Because the fallback status point is designed to accept unauthenticated communication from
1025

Security best practice

More information

controller.

any computer, running this site system role with other site system roles or on a domain controller greatly increases the risk to that server.

When you use PKI certificates for client communication in Configuration Manager, If Configuration Manager site systems do not install the fallback status point before you install accept HTTP client communication, you might the clients. not know that clients are unmanaged because of PKI-related certificate issues. However, if clients are assigned to a fallback status point, these certificate issues will be reported by the fallback status point. For security reasons, you cannot assign a fallback status point to clients after they are installed; you can assign this role only during client installation. Avoid using the fallback status point in the perimeter network. By design, the fallback status point accepts data from any client. Although a fallback status point in the perimeter network could help you to troubleshoot Internet-based clients, you must balance the troubleshooting benefits with the risk of a site system that accepts unauthenticated data in a publicly accessible network. If you do install the fallback status point in the perimeter network or any untrusted network, configure the site server to initiate data transfers rather than the default setting that allows the fallback status point to initiate a connection to the site server.

Security Issues for Site Administration

Review the following security issues for Configuration Manager: Configuration Manager has no defense against an authorized administrative user who uses Configuration Manager to attack the network. Unauthorized administrative users are a high security risk and could launch numerous attacks, which include the following: Use software deployment to automatically install and run malicious software on every Configuration Manager client computer in the enterprise.
1026

Use remote control to take remote control of a Configuration Manager client without client permission. Configure rapid polling intervals and extreme amounts of inventory to create denial of service attacks against the clients and servers. Use one site in the hierarchy to write data to another site's Active Directory data.

The site hierarchy is the security boundary; consider sites to be management boundaries only. Audit all administrative user activity and routinely review the audit logs. Require all Configuration Manager administrative users to undergo a background check before they are hired and require periodic rechecks as a condition of employment. If the enrollment point is compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices. The enrollment point communicates with a certification authority and can create, modify, and delete Active Directory objects. Never install the enrollment point in the perimeter network and monitor for unusual activity. If you allow user policies for Internet-based client management or configure the Application Catalog website point for users when they are on the Internet, you increase your attack profile. In addition to using PKI certificates for client-to-server connections, these configurations require Windows authentication, which might fall back to using NTLM authentication rather than Kerberos. NTLM authentication is vulnerable to impersonation and replay attacks. To successfully authenticate a user on the Internet, you must allow a connection from the Internet-based site system server to a domain controller. The Admin$ share is required on site system servers. The Configuration Manager site server uses the Admin$ share to connect to and perform service operations on site systems. Do not disable or remove the Admin$ share. Configuration Manager uses name resolution services to connect to other computers and these services are hard to secure against security attacks such as spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege. Identify and follow any security best practices for the version of DNS and WINS that you use for name resolution.

Privacy Information for Discovery

Discovery creates records for network resources and stores them in the System Center 2012 Configuration Manager database. Discovery data records contain computer information such as IP address, operating system, and computer name. Active Directory discovery methods can also be configured to discover any information that is stored in Active Directory Domain Services. The only discovery method that is enabled by default is Heartbeat Discovery, but that method only discovers computers that are already have the System Center 2012 Configuration Manager client software installed.
1027

Discovery information is not sent to Microsoft. Discovery information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance task Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure additional discovery methods or extend Active Directory discovery, consider your privacy requirements.

See Also
Site Administration for System Center 2012 Configuration Manager

Technical Reference for Site Administration in Configuration Manager

Technical Reference Topics
Technical Reference for Site Communications in Configuration Manager Technical Reference for Ports Used in Configuration Manager Technical Reference for Log Files in Configuration Manager Technical Reference for Accounts Used in Configuration Manager Technical Reference for Cryptographic Controls Used in Configuration Manager Technical Reference for Language Packs in Configuration Manager Technical Reference for Unicode and ASCII Support in Configuration Manager Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager Technical Reference for the Prerequisite Checker in Configuration Manager Technical Reference for International Support in Configuration Manager Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Site Administration for System Center 2012 Configuration Manager

1028

Technical Reference for Site Communications in Configuration Manager

The following sections provide technical details about site-to-site communications in System Center 2012 Configuration Manager. Types of Replication in Configuration Manager Database Replication File-Based Replication

Types of Replication in Configuration Manager

System Center 2012 Configuration Manager transfers data between sites by using database replication and file-based replication. Additionally, the data that is replicated is grouped into the following classifications: Global data that replicates by using database replication. Site data that replicates by using database replication. File content that replicates by using file-based replication.

The following table identifies replication methods and data types in System Center 2012 Configuration Manager.
Replication Type Data Type Examples

Database replication Database replication File-based replication

Global data Site data File content

Collections, package metadata, and deployments Collection membership, hardware inventory, and alerts Software packages and software updates

Database Replication
Database replication in System Center 2012 Configuration Manager uses Configuration Manager database replication. Configuration Manager database replication uses the SQL Server Service Broker to transfer data between the SQL Server database of different sites in a hierarchy. By default, the SQL Server Service Broker installs with SQL Server, and uses port 4022. Data, represented as objects, can include different types of information such as configuration settings or client inventory or status information. When a new site installs, a snapshot of the parent sites database is taken by bulk copy (BCP) and transferred by server message blocks (SMB) to the new site where it is inserted by BCP to the local database.
1029

Objects replicated by database replication include the following:

Global Data

Alert rules Client discovery Collections rules and count Configuration Items metadata Deployments Operating system images (boot images and driver packages) Package metadata Program metadata Site control file Site security objects (security roles and security scopes) Software updates metadata System Resource List (site system servers)

Site Data

Alert messages Asset Intelligence client access license (CAL) tracking data Client Health data Client Health history Collection membership results Component and Site Status Summarizers Hardware inventory Software distribution status details Software inventory and metering Software updates site data

1030

Site Data

Status messages Status summary data

File-Based Replication
File-based replication in System Center 2012 Configuration Manager transfers data in file format between System Center 2012 Configuration Manager sites. This is accomplished by use of a sender and file replication route that together define how and when a network connection to a parent or child site can be established. In a change from past versions of Configuration Manager, a single type of sender is supported by System Center 2012 Configuration Manager. File-based replication uses the Server Message Block protocol. Important Beginning with Configuration Manager SP1, the term address is now file replication route. If you use Configuration Manager with no service pack, replace file replication route with the word address. Objects replicated by file-based replication include the following:
Data Destination

Package files used by deployments Data from secondary sites Fallback status point state messages Discovery data records

Sent to primary and secondary sites. Sent to the primary site (parent) of the secondary site. Forwarded to the assigned site when only a single fallback status point is in use. Forwarded to the assigned site when not processed at the site where they are generated.

See Also
Technical Reference for Site Administration in Configuration Manager

1031

Technical Reference for Ports Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager is a distributed client/server system. The distributed nature of Configuration Manager means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some support custom ports you specify. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec. Note If you support Internet-based clients by using SSL bridging, in addition to port requirements, you might have to also allow some HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management in the Planning for Communications in Configuration Manager topic. The port listings that follow are used by Configuration Manager and do not include information for standard Windows services, such as Group Policy settings for Active Directory Domain Services and Kerberos authentication. For information about Windows Server services and ports, see Service overview and network port requirements for the Windows Server system. Configurable Ports Non-Configurable Ports Ports Used by Configuration Manager Clients and Site Systems Additional Lists of Ports AMT Out of Band Management Ports Client to Server Shares Connections to Microsoft SQL Server External Connections made by Configuration Manager Installation Requirements for Site Systems that Support Internet-Based Clients Ports Used by Configuration Manager Client Installation Ports Used by Migration Ports Used by Windows Server

Configurable Ports
Configuration Manager allows you to configure the ports for the following types of communication: Application Catalog Website point to Application Catalog web service point
1032

Enrollment proxy point to enrollment point Client to site systems that run IIS Client to Internet (as proxy server settings) Software update point to Internet (as proxy server settings) Software update point to WSUS server Site server to site database server Reporting services points Note The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site. The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication: Site to site Site server to site system Configuration Manager console to SMS Provider Configuration Manager console to the Internet Connections to cloud services, such as Windows Intune and cloud-based distribution points

Ports Used by Configuration Manager Clients and Site Systems

The following sections detail the ports used for communication in Configuration Manager. The arrows in the section title, between the computers, represent the direction of the communication: -- > indicates one computer initiates communication and the other computer always responds < -- > indicates that either computer can initiate communication

1033

Asset Intelligence Synchronization Point -- > Microsoft

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Application Catalog Web Service Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Application Catalog Website Point -- > Application Catalog Web Service Point
Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

---

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

Configuration Manager Policy Module (Network Device Enrollment Service) -- > Certificate Registration Point
Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Endpoint Protection Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

1034

Enrollment Proxy Point -- > Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Enrollment Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Exchange Server Connector -- > Exchange Online

Description UDP TCP

Windows Remote Management over HTTPS

--

5986

Exchange Server Connector -- > On Premises Exchange Server

Description UDP TCP

Windows Remote Management over HTTP

--

5985

Client -- > Application Catalog Website Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

---

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

1035

Client -- > Client

In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.
Description UDP TCP

Wake on LAN Wake-up proxy

9 (See note 2, Alternate Port Available) 25536 (See note 2, Alternate Port Available)

---

Client -- > Configuration Manager Policy Module (Network Device Enrollment Service)
Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) --

80 443

Client -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Client -- > Distribution Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

1036

Description

UDP

TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Client -- > Distribution Point Configured for Multicast

Description UDP TCP

Server Message Block (SMB) Multicast Protocol

-63000-64000

445 --

Client -- > Distribution Point Configured for PXE

Description UDP TCP

Dynamic Host Configuration Protocol (DHCP) Trivial File Transfer Protocol (TFTP) Boot Information Negotiation Layer (BINL)

67 and 68 69 (See note 4 Trivial FTP (TFTP) Daemon) 4011

----

Client -- > Fallback Status Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.
Description UDP TCP

Global Catalog LDAP

--

3268
1037

Description

UDP

TCP

Global Catalog LDAP SSL

--

3269

Client -- > Management Point

Description UDP TCP

Client notification (default communication before falling back to HTTP or HTTPS) Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

10123 (See note 2, Alternate Port Available) 80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

---

Client -- > Software Update Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

--

Client -- > State Migration Point

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) Server Message Block (SMB)

----

80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available) 445

1038

Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.

Configuration Manager Console -- > Client

Description UDP TCP

Remote Control (control) Remote Assistance (RDP and RTC)

---

2701 3389

Configuration Manager Console -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

Configuration Manager Console -- > Reporting Services Point

Description Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) UDP --TCP 80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)

Configuration Manager Console -- > Site Server

Description UDP TCP

RPC (initial connection to WMI to locate provider system)

--

135

1039

Configuration Manager Console -- > SMS Provider

Description UDP TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC (See note 6, Dynamic ports)

Mac Computer -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Management Point -- > Domain Controller

Description UDP TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

-636 --135 --

389 636 3268 3269 135 DYNAMIC (See note 6, Dynamic ports)

Management Point < -- > Site Server

(See note 5, Communication between the site server and site systems)
Description UDP TCP

RPC Endpoint mapper RPC

---

135 DYNAMIC (See note 6,

1040

Description

UDP

TCP

Dynamic ports) Server Message Block (SMB) -445

Management Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Mobile Device -- > Enrollment Proxy Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Mobile Device -- > Windows Intune

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> Enrollment Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Out of Band Service Point --> AMT Management Controller

Description UDP TCP

Power control, provisioning, and

--

16993
1041

Description

UDP

TCP

discovery

Out of Band Management Console --> AMT Management Controller

Description UDP TCP

General management tasks Serial over LAN and IDE redirection

---

16993 16995

Reporting Services Point -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Site Server < -- > Application Catalog Web Service Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Application Catalog Website Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

1042

Site Server < -- > Asset Intelligence Synchronization Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server -- > Client

Description UDP TCP

Wake on LAN

9 (See note 2, Alternate Port Available)

--

Site Server -- > Cloud-Based Distribution Point

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Site Server -- > Distribution Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server -- > Domain Controller

1043

Description

UDP

TCP

Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC

-636 --135 --

389 636 3268 3269 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Certificate Registration Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Endpoint Protection Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Enrollment Point

Description UDP TCP

Server Message Block (SMB)

--

445

1044

Description

UDP

TCP

RPC Endpoint Mapper RPC

135 --

135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Enrollment Proxy Point

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Fallback Status Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Site Server < -- > Issuing Certification Authority (CA)

This communication is used when you deploy certificate profiles by using the certificate registration point. The communication is not used for every site server in the hierarchy; it is used only for the site server at the top of the hierarchy.
1045

Description

UDP

TCP

RPC Endpoint Mapper RPC (DCOM)

135 --

135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Reporting Services Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Site Server

Description UDP TCP

Server Message Block (SMB)

--

445

Site Server -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

During the installation of a site that will use a remote SQL Server to host the site database, you must open the following ports between the site server and the SQL Server:
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135
1046

Description

UDP

TCP

RPC

--

DYNAMIC (See note 6, Dynamic ports)

Site Server -- > SMS Provider

Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

Site Server < -- > Software Update Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

---

445 80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

--

Site Server < -- > State Migration Point

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper

-135

445 135

1047

Site Server < -- > System Health Validator

(See note 5, Communication between the site server and site systems)
Description UDP TCP

Server Message Block (SMB) RPC Endpoint Mapper RPC

-135 --

445 135 DYNAMIC (See note 6, Dynamic ports)

SMS Provider -- > SQL Server

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

Software Update Point -- > Internet

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

Software Update Point -- > Upstream WSUS Server

Description UDP TCP

Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)

--

80 or 8530 (See note 3, Windows Server Update Services) 443 or 8531 (See note 3, Windows Server Update Services)

--

1048

SQL Server --> SQL Server

Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.
Description UDP TCP

SQL Server Service SQL Server Service Broker

---

1433 (See note 2, Alternate Port Available) 4022 (See note 2, Alternate Port Available)

Tip Configuration Manager does not require the SQL Server Browser, which uses port UDP 1434.

Windows Intune Connector -- > Windows Intune

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

Notes for Ports Used by Configuration Manager Clients and Site Systems
1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server. 2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls. 3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher for example, 8530 and 8531.

4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
1049

RFC 350TFTP RFC 2347Option extension RFC 2348Block size option RFC 2349Time-out interval, and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69. 5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting service points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server. 6. Dynamic ports: Dynamic ports (also known as ephemeral ports) use a range of port numbers, which is defined by the operating system version. For more information about the default port ranges, see Service overview and network port requirements for Windows.

Additional Lists of Ports

The following sections provide additional information about ports used by Configuration Manager.

AMT Out of Band Management Ports

The following information lists the ports used by out of band management: Out of Band Service Point --&gt; Enrollment Point Out of Band Service Point --&gt; AMT Management Controller Out of Band Management Console --&gt; AMT Management Controller

Client to Server Shares

Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example: Manual client installation that specifies the CCMSetup.exe /source: command line property. Endpoint Protection clients that download definition files from a UNC path.
UDP TCP

Description

Server Message Block (SMB)

--

445

1050

Connections to Microsoft SQL Server

For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports: Intersite communications use: SQL Server Service Broker, which defaults to port TCP 4022. SQL Server Service, which defaults to port TCP 1433

Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles default to port TCP 1433. Warning Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.

The following site system roles communicate directly with the SQL Server database: Application Catalog web service point Certificate registration point role Enrollment point role Management point Site server Reporting services point SMS Provider SQL Server --> SQL Server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports. If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server. For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

External Connections made by Configuration Manager

Configuration Manager clients or site systems can make the following external connections: Asset Intelligence Synchronization Point -- &gt; Microsoft Endpoint Protection Point -- &gt; Internet Client -- &gt; Global Catalog Domain Controller Configuration Manager Console -- &gt; Internet
1051

Management Point -- &gt; Domain Controller Site Server -- &gt; Domain Controller Site Server &lt; -- &gt; Issuing Certification Authority (CA) Software Update Point -- &gt; Internet Software Update Point -- &gt; Upstream WSUS Server

Installation Requirements for Site Systems that Support InternetBased Clients

Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair: Site server --> site system: RPC endpoint mapper using UDP and TCP port 135. Site server --> site system: RPC dynamic TCP ports. Site server < --> site system: Server message blocks (SMB) using TCP port 445. Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135. Site server --> distribution point: RPC dynamic TCP ports

Application and package installations on distribution points require the following RPC ports:

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec. Important Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.

Ports Used by Configuration Manager Client Installation

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

Ports Used by Migration

The site server that runs Migration uses several ports to connect to applicable sites in the source hierarchy to gather data from the source sites SQL Server database, and to share distribution points.

1052

For information these ports, see the Required Configurations for Migration section in the Prerequisites for Prerequisites for Migration in System Center 2012 Configuration Manager topic.

Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.
Description UDP TCP

Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) NetBIOS Name Resolution NetBIOS Datagram Service NetBIOS Session Service

53 67 and 68 137 138 --

53 ---139

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Log Files in Configuration Manager

In System Center 2012 Configuration Manager, client and site server components record process information in individual log files. By default, client and server component logging is enabled in Configuration Manager. You can use the information in these log files to help you troubleshoot issues that might occur in your Configuration Manager hierarchy. The following sections provide details about the different log files. Use this information to view and monitor Configuration Manager client and server logs for operation details and identify error information that might help you to troubleshoot any problems. About Configuration Manager Log Files Configure Logging Options by Using the Configuration Manager Service Manager Locating Configuration Manager Logs Client Operations Client Installation Log Files
1053

Configuration Manager Client Logs

Client for Linux and UNIX Client for Mac Computers Site Server and Site System Server Logs Site Server Installation Log Files Fallback Status Point Logs Files Management Point Logs Files Software Update Point Log Files Application Management Asset Intelligence Backup and Recovery Client Notification Certificate Enrollment Compliance Settings and Company Resource Access Configuration Manager Console Content Management Discovery Endpoint Protection Extensions Inventory Metering Migration Mobile Devices Operating System Deployment Out of Band Management Power Management Remote Control Reporting Role-Based Administration Software Updates and Network Access Protection Wake On LAN Windows Intune Connector Windows Update Agent WSUS Server

Configuration Manager Site Server Log Files

Log Files for Configuration Manager Functionality

1054

About Configuration Manager Log Files

By default, most processes in Configuration Manager write operational information to a log file that is dedicated to that process. These log files are identified by the .LOG or .LO_ extension. Configuration Manager writes to the .LOG file until that log reaches it maximum size. When the log is full, the .LOG file is copied to a file of the same name but with the .LO_ extension, and the process or component continues to write to the .LOG file. When the .LOG file again reaches its maximum size, the .LO_ file is overwritten and the process repeats. Some components establish a log file history by appending a date and time stamp to the log file name and by retaining the .LOG extension. An exception to the maximum size and use of the .LO_ file is the client for Linux and UNIX. For information about how the client for Linux and UNIX uses log files, see Manage Log Files for the Client for Linux and UNIX in the Client for Linux and UNIX section in this topic. To view the logs, you can use the Configuration Manager log viewer tool, CMTrace, which is located in the \SMSSETUP\TOOLS folder of the System Center 2012 Configuration Manager source media. The CMTrace tool is also added to all boot images that are added to the Software Library.

Whats New in Configuration Manager

The Configuration Manager 2007 log viewer tool, Trace32, is now replaced with CMTrace.

Configure Logging Options by Using the Configuration Manager Service Manager

Configuration Manager supports options that enable you to change where log files are stored and the log file size. Use the following procedure to use the Configuration Manager Service Manager to modify the size of log files, the name and location of the log file, and to force multiple components to write to a single log file. To modify logging for a component: 1. In the Configuration Manager console, click Monitoring, click System Status, and then click either Site Status or Component Status. 2. On the Home tab, in the Component group, click Start and select Configuration Manager Service Manager. 3. When the Configuration Manager Service Manager opens, connect to the site that you want to manage. If you do not see the site that you want to manage, click Site, click Connect, and then enter the name of the site server for the correct site. 4. Expand the site and navigate to Components or Servers, depending on where the components that you want to manage are located. 5. In the right pane, select one or more components.
1055

6. On the Component menu, click Logging. 7. In the Configuration Manager Component Logging dialog box, complete the available configuration options for your selection. 8. Click OK to save the configuration.

Locating Configuration Manager Logs

By default, Configuration Manager log files are stored in a variety of locations that depend on the process that creates the log file, and on the configuration of your site systems. Because the location of the log on a given computer can vary, use search to locate the relevant log files on your Configuration Manager computers to help you troubleshoot a specific scenario.

Configuration Manager Client Logs

The following sections list the log files related to client operations, and client installation.

Client Operations
The following table lists the log files found on the Configuration Manager client.
Log name Description

CAS.log Ccm32BitLauncher.log CcmEval.log

Content Access service. Maintains the local package cache on the client. Records actions for starting applications on the client marked as "run as 32bit". Records Configuration Manager client status evaluation activities and details for components that are required by the Configuration Manager client. Records the Configuration Manager client status evaluation activities that are initiated by the evaluation scheduled task. Records activities of the client and the SMS Agent Host service. This log file also includes information about enabling and disabling wakeup proxy. Records activities related to communications between the client and management points. Records activities related to client notification operations.
1056

CcmEvalTask.log

CcmExec.log

CcmMessaging.log CCMNotificationAgent.log

Log name

Description

Ccmperf.log

Records activities related to the maintenance and capture of data related to client performance counters. Records client service restart activity. Records activities for the client SDK interfaces. Maintains certificates for Active Directory Domain Services and management points. Records details about configuration item definition downloads. Records tasks that are initiated for each application and deployment type, such as content download or install or uninstall actions. Records the signing and authentication activity for the client. Creates and maintains the client GUID and identifies tasks performed during client registration and assignment. Records tasks that are related to client site assignment. Records the results of running the Configuration Manager HTTPS Readiness Assessment Tool. This tool checks whether computers have a PKI client authentication certificate that can be used for Configuration Manager. Records information for the remote control service. Schedules the Background Intelligent Transfer Service (BITS) or the Server Message Block (SMB) to download or to access packages. Records all BITS communication for policy or package access. Records information about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
1057

CcmRestart.log CCMSDKProvider.log CertificateMaintenance.log CIDownloader.log CITaskMgr.log

ClientAuth.log ClientIDManagerStartup.log

ClientLocation.log CMHttpsReadiness.log

CmRcService.log ContentTransferManager.log

DataTransferService.log EndpointProtectionAgent

Log name

Description

execmgr.log ExpressionSolver.log

Records details about packages and task sequences that run on the client. Records details about enhanced detection methods that are used when verbose or debug logging is enabled. Records the history of Endpoint Protection malware detection and events related to client status. Records all SMB package access tasks. Records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection. Records the activity for state messages that are sent to the fallback status point by the client. Records the network proxy configuration and usage activity for the client. Records activities of hardware inventory, software inventory, and heartbeat discovery actions on the client. Records the activity for location cache usage and maintenance for the client. Records the client activity for locating management points, software update points, and distribution points. Records the activity for general maintenance task activity for the client. Records the activity of the WMI provider for .MIF files. Monitors all software metering processes. Records requests for policies made by using the Data Transfer service. Records policy changes. Records details about the evaluation of policies
1058

ExternalEventAgent.log

FileBITS.log FileSystemFile.log

FSPStateMessage.log

InternetProxy.log InventoryAgent.log

LocationCache.log LocationServices.log

MaintenanceCoordinator.log Mifprovider.log mtrmgr.log PolicyAgent.log PolicyAgentProvider.log PolicyEvaluator.log

Log name

Description

on client computers, including policies from software updates. PolicyPlatformClient.log Records the process of remediation and compliance for all providers located in %Program Files%\Microsoft Policy Platform, except the file provider. Records activities for policy system SDK interfaces. Records information about enabling or disabling and configuring the wake-up proxy client settings. Records the activities of the power management provider (PWRInvProvider) hosted in the Windows Management Instrumentation (WMI) service. On all supported versions of Windows, the provider enumerates the current settings on computers during hardware inventory and applies power plan settings. Records the activity in Software Center for the specified user on the client computer. Records the historical activity in Software Center for the specified user on the client computer. Records activities of scheduled tasks for all client operations. Records the activity for notifying users about software for the specified user. Records the historical information for notifying users about software for the specified user. Records configuration and inventory policy creation in WMI. Main log file for wake-up proxy. Records usage of the Configuration Manager client in Control Panel.

PolicySdk.log Pwrmgmt.log

PwrProvider.log

SCClient_<domain>@<username>_1.log SCClient_<domain>@<username>_2.log

Scheduler.log SCNotify_<domain>@<username>_1.log SCNotify_<domain>@<username>_1<date_time>.log setuppolicyevaluator.log SleepAgent_<domain>@<@SYSTEM_0.log smscliui.log

1059

Log name

Description

SrcUpdateMgr.log

Records activity for installed Windows Installer applications that are updated with current distribution point source locations. Records status messages that are created by the client components. Generates a usage data report that is collected by the metering agent. This data is logged in Mtrmgr.log. Records details about user device affinity. Records information specific to the evaluation of App-V deployment types. Records operations related to write filters on Windows Embedded clients. Records installation information when clients receive the client setting option to enable wakeup proxy. Records information about uninstalling wake-up proxy when clients receive the client setting option to disable wake-up proxy, if wake-up proxy was previously enabled.

StatusAgent.log SWMTRReportGen.log

UserAffinity.log VirtualApp.log Wedmtrace.log wakeprxy-install.log

wakeprxy-uninstall.log

Client Installation Log Files

The following table lists the log files that contain information related to the installation of the Configuration Manager client.
Log name Description

ccmsetup.log

Records ccmsetup tasks for client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems. Records ccmsetup tasks for client status and remediation. Records the repair activities of the client agent. Records setup tasks performed by client.msi. Can be used to troubleshoot client installation
1060

ccmsetup-ccmeval.log CcmRepair.log client.msi.log

Log name

Description

or removal problems.

Client for Linux and UNIX

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Configuration Manager client for Linux and UNIX records information in the following log files. Tip Beginning with client for Linux and UNIX from cumulative update 1, you can use CMTrace to view the log files for the client for Linux and UNIX. Note When you use the initial release of the client for Linux and UNIX and reference the documentation in this section, replace the following references for each file or process: Replace omiserver.bin with nwserver.bin Replace omi with nanowbem
Details

Log name

scxcm.log

This is the log file for the core service of the Configuration Manager client for Linux and UNIX (ccmexec.bin). This log file contains information about the installation and ongoing operations of ccmexec.bin. By default, this log file is created in the following location: /var/opt/microsoft/scxcm.log To change the location of the log file, edit /opt/microsoft/configmgr/etc/scxcm.conf and change the PATH field. You do not need to restart the client computer or service for the change to take effect. You can set the log level to one of four different settings: ERROR: Indicates problems that require attention. WARNING: Indicates possible problems for the client operations. INFO: More detailed logging that indicates the status of various events on the client.
1061

Log name

Details

TRACE: Verbose logging that is typically used to diagnose problems.

To change the log level, edit /opt/microsoft/configmgr/etc/scxcm.conf and change each instance of the tag MODULE to the desired log level. scxcmprovider.log This is the log file for the CIM service of the Configuration Manager client for Linux and UNIX (omiserver.bin). This log file contains information about the ongoing operations of nwserver.bin. By default, this log is created in the following location: /var/opt/microsoft/configmgr/scxcmprovider.log To change the location of the log file, edit /opt/microsoft/omi/etc/scxcmprovider.conf and change the PATH field. You do not need to restart the client computer or service for the change to take effect. You can set the log level to one of three different settings: ERROR: Indicates problems that require attention. WARNING: Indicates possible problems for the client operations. INFO: More detailed logging that indicates the status of various events on the client.

To change the log level, edit /opt/microsoft/omi/etc/scxcmprovider.conf and change each instance of the tag MODULE to the desired log level. Under normal operating conditions the ERROR log level should be used. The ERROR level of logging creates the smallest log file. As the log level is increased from ERROR to WARNING to INFO to TRACE, each step results in a larger log file as more data is written to the log file.

Manage Log Files for the Client for Linux and UNIX Client
The client for Linux and UNIX does not limit the maximum size of the client log files, nor does the client automatically copy the contents of its .LOG files to another file such as a .LO_ file. If you

1062

want to control the maximum size of log files, implement a process to manage the log files independent from the Configuration Manager client for Linux and UNIX. For example, you can use the standard Linux and UNIX command logrotate to manage the size and rotation of the clients log files. The Configuration Manager client for Linux and UNIX provides an interface that enables logrotate to signal the client as to when the log rotation completes, allowing the client to resume logging to the log file. For information about logrotate, see the documentation for the Linux and UNIX distributions that you use.

Client for Mac Computers

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Configuration Manager client for Mac computers records information in the following log files.
Log name Details

CCMClient-<date_time>.log

Records activities that are related to the Mac client operations, which includes application management, inventory, and error logging. This log file is located in the folder /Library/Application Support/Microsoft/CCM/Logs on the Mac computer.

CCMAgent-<date_time>.log

Records information that is related to client operations, which includes user logon and logoff operations and Mac computer activity. This log file is located in the folder ~/Library/Logs on the Mac computer.

CCMNotifications-<date_time>.log

Records activities that are related to Configuration Manager notifications displayed on the Mac computer. This log file is located in the folder ~/Library/Logs on the Mac computer.

CCMPrefPane-<date_time>.log

Records activities related to the Configuration Manager preferences dialog box on the Mac computer, which includes general status and error logging. This log file is located in the folder ~/Library/Logs on the Mac computer.

1063

Additionally, the log file SMS_DM.log on the site system server records communication between Mac computers and the management point that is enabled for mobile devices and Mac computers.

Configuration Manager Site Server Log Files

The following sections list log files found on the site server or related to specific site system roles.

Site Server and Site System Server Logs

The following table lists the log files found on the Configuration Manager site server and site system servers.
Log name Description Computer with log file

adctrl.log ADForestDisc.log ADService.log

Records enrollment processing activity. Records Active Directory Forest Discovery actions. Records account creation and security group details in Active Directory. Records Active Directory Group Discovery actions. Records Active Directory System Discovery actions. Records Active Directory User Discovery actions. Records client push installation activities. Records the certificate activities for intra-site communications. Records activities of the client health manager. Records changes to the client settings by the Client Install Data Manager (CIDM).

Site server

Site server Site server

Site server

adsgdis.log adsysdis.log adusrdis.log ccm.log CertMgr.log

Site server Site server Site server Site system server

chmgr.log Cidm.log

Site server Site server

1064

Log name

Description

Computer with log file

colleval.log

Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records the status of component threads monitored for the site server. Records Component Status Summarizer tasks. Records the initial installation of COM registration results for a site server. Records information about the processing of Management Information Format (MIF) files and hardware inventory in the Configuration Manager database. Records activities of the discovery data manager. Records incoming site-tosite communication transfers. Records details about package creation, compression, delta replication, and information updates. Records information about the synchronization of malware threat information from the Endpoint Protection site system role server into the

Site server

compmon.log

Site system server

compsumm.log ComRegSetup.log

Site server Site system server

dataldr.log

Site Server

ddm.log despool.log

Site server Site server

distmgr.log

Site server

EPCtrlMgr.log

Site server

1065

Log name

Description

Computer with log file

Configuration Manager database. EPMgr.log Records the status of the Endpoint Protection site system role. Provides information about the installation of the Endpoint Protection site system role. Site system server

EPSetup.log

Site system server

EnrollSrv.log EnrollWeb.log

Records activities of the Site system server enrollment service process. Records activities of the enrollment website process. Records activities of the fallback status point site system role. Records information about site configuration changes, and the publishing of site information in Active Directory Domain Services. Records the files that are moved from the management point to the corresponding INBOXES folder on the site server. Records file transfer activities between inbox folders. Records the processing of inbox files and performance counter updates. Records the forwarding of MIF files from a secondary Site system server

fspmgr.log

Site system server

hman.log

Site server

Inboxast.log

Site server

inboxmgr.log

Site server

inboxmon.log

Site server

invproc.log

Site server

1066

Log name

Description

Computer with log file

site to its parent site. migmctrl.log Records information for Migration actions involving migration jobs, shared distribution points, and distribution point upgrades. The top-level site in the System Center 2012 Configuration Manager hierarchy, and each child primary site Note In a multi-primary site hierarchy, use the log file created at the central administration site. mpcontrol.log Records the registration of the management point with WINS. Records the availability of the management point every 10 minutes. Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. Records details of about the management point installation. Records the management point installation wrapper process. Records Network Discovery actions. Records the discovery activity of site system servers. Records the processing of object change notifications Site system server

mpfdm.log

Site system server

mpMSI.log

Site server

MPSetup.log

Site server

netdisc.log ntsvrdis.log

Site server Site server

Objreplmgr

Site server

1067

Log name

Description

Computer with log file

for replication. offermgr.log offersum.log Records advertisement updates. Site server

Records the summarization Site server of deployment status messages. Records the activities of applying updates to operating system image files. Records the processing of outbox files and performance counter updates. Records the results of the installation of performance counters. Records the actions of the SMS Executive component that is responsible for sending content from a primary site to a remote distribution point. Records updates to the client policies to reflect changes to client settings or deployments. Records the activities of database replication between sites in the hierarchy. Site server

OfflineServicingMgr.log

outboxmon.log

Site server

PerfSetup.log

Site system server

PkgXferMgr.log

Site server

policypv.log

Primary site server

rcmctrl.log

Site server

replmgr.log

Records the replication of Site server files between the site server components and the Scheduler component. Records errors, warnings, and information about The computer that runs the Configuration Manager
1068

ResourceExplorer.log

Log name

Description

Computer with log file

running the Resource Explorer. ruleengine.log Records details about automatic deployment rules for the identification, content download, and software update group and deployment creation. Records details about siteto-site job and file replication. Records the files that transfer by file-based replication between sites. Records information about the processing of software inventory data to the site database. Records details about the maintenance of the installed site components on all site system servers in the site. Records site setting changes made to site control objects in the database. Records the availability and disk space monitoring process of all site systems. Records Configuration Manager console activity. Records the installation activities of the Application Catalog web service. Records output from the

console Site server

schedule.log

Site server

sender.log

Site server

sinvproc.log

Site server

sitecomp.log

Site server

sitectrl.log

Site server

sitestat.log

Site server

SmsAdminUI.log

The computer that runs the Configuration Manager console Site system server

SMSAWEBSVCSetup.log

smsbkup.log

Site server
1069

Log name

Description

Computer with log file

site backup process. smsdbmon.log SMSENROLLSRVSetup.log Records database changes. Records the installation activities of the enrollment web service. Records the installation activities of the enrollment website. Records the processing of all site server component threads. Records messages generated by the installation of a fallback status point. Records the installation activities of the Application Catalog website. Records WMI provider access to the site database. Records detailed results of the reporting point installation process from the MSI output. Records results of the reporting point installation process. Records the processing of state system messages. Records the writing of all status messages to the database. Records the processing of metering files and settings. Site server Site system server

SMSENROLLWEBSetup.log

Site system server

smsexec.log

Site server or site system server Site system server

SMSFSPSetup.log

SMSPORTALWEBSetup.log

Site system server

SMSProv.log

Computer with the SMS Provider Site system server

srsrpMSI.log

srsrpsetup.log

Site system server

statesys.log statmgr.log

Site server Site server

swmproc.log

Site server

1070

Site Server Installation Log Files

The following table lists the log files that contain information related to site installation.
Log name Description Computer with log file

ConfigMgrPrereq.log

Records pre-requisite component evaluation and installation activities. Records detailed output from site server setup. Records information related to activity in the Setup wizard. Records information about the progress of launching the secondary site installation process. Details of the actual setup process are contained in ConfigMgrSetup.log. Records information about the installation, use, and removal of a Windows service that is used to test network connectivity and permissions between servers, using the computer account of the server initiating the connection.

Site server

ConfigMgrSetup.log ConfigMgrSetupWizard.log SMS_BOOTSTRAP.log

Site Server Site Server Site Server

smstsvc.log

Site server and site systems

Fallback Status Point Logs Files

The following table lists the log files that contain information related to the fallback status point.
Log name Description Computer with log file

FspIsapi

Records details about communications to the fallback status point from mobile device legacy clients and client computers.

Site system server

fspMSI.log

Records messages generated by Site system server

1071

Log name

Description

Computer with log file

the installation of a fallback status point. fspmgr.log Records activities of the fallback status point site system role. Site system server

Management Point Logs Files

The following table lists the log files that contain information related to the management point.
Log name Description Computer with log file

CcmIsapi.log MP_CliReg.log

Records client messaging activity on the endpoint. Records the client registration activity processed by the management point. Records the conversion of XML.ddr records from clients, and copies them to the site server. Records the activities of the core management point and client framework components. Records client authorization activity. Records policy request activity from client computers. Records details about the conversion of XML hardware inventory records from clients and the copy of those files to the site server. Records location request and reply activity from clients.

Site system server Site system server

MP_Ddr.log

Site system server

MP_Framework.log

Site system server

MP_GetAuth.log MP_GetPolicy.log MP_Hinv.log

Site system server Site system server Site system server

MP_Location.log MP_OOBMgr.log

Site system server

Records the management point Site system server activities related to receiving OTP from a client.
1072

Log name

Description

Computer with log file

MP_Policy.log MP_Relay.log

Records policy communication. Records the transfer of files that are collected from the client. Records the hardware inventory retry processes. Records details about the conversion of XML software inventory records from clients and the copy of those files to the site server. Records details about file collection. Records details about the conversion of XML.svf status message files from clients and the copy of those files to the site server. Records the registration of the management point with WINS. Records the availability of the management point every 10 minutes. Records the actions of the management point component that moves client files to the corresponding INBOXES folder on the site server. Records details of about the management point installation.

Site system server Site system server

MP_Retry.log MP_Sinv.log

Site system server Site system server

MP_SinvCollFile.log MP_Status.log

Site system server Site system server

mpcontrol.log

Site server

mpfdm.log

Site system server

mpMSI.log MPSetup.log

Site server

Records the management point Site server installation wrapper process.

Software Update Point Log Files

he following table lists the log files that contain information related to the software update point.
1073

Log name

Description

Computer with log file

objreplmgr.log

Records details about the replication of software updates notification files from a parent to child sites. Records details about the process of downloading software updates from the update source to the download destination on the site server.

Site server

PatchDownloader.log

The computer hosting the Configuration Manager console from which downloads are initiated

ruleengine.log

Records details about Site server automatic deployment rules for the identification, content download, and software update group and deployment creation. Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file. Site system server

SUPSetup.log

WCM.log

Records details about the Site server that connects to software update point the Windows Server Update configuration and connections Services (WSUS) server to the Windows Server Update Services (WSUS) server for subscribed update categories, classifications, and languages. Records details about the configuration, database connectivity, and health of the WSUS server for the site. Records details about the software updates synchronization process. Site system server

WSUSCtrl.log

wsyncmgr.log

Site system server

1074

Log name

Description

Computer with log file

WUSSyncXML.log

Records details about the Inventory Tool for the Microsoft Updates synchronization process.

The client computer configured as the synchronization host for the Inventory Tool for Microsoft Updates.

Log Files for Configuration Manager Functionality

The following sections list log files related to the different functions in Configuration Manager.

Application Management
The following table lists the log files that contain information related to Application Management.
Log name Description Computer with log file

AppIntentEval.log

Records details about the current and intended state of applications, their applicability, whether requirements were met, deployment types, and dependencies. Records details about the discovery or detection of applications on client computers. Records details about enforcement actions (install and uninstall) taken for applications on the client. Records the monitoring activities for the Application Catalog web service point site system role. Records detailed installation information for the Application Catalog web service point site system

Client

AppDiscovery.log

Client

AppEnforce.log

Client

awebsctl.log

Site system server

awebsvcMSI.log

Site system server

1075

Log name

Description

Computer with log file

role. Ccmsdkprovider.log Records the activities of the application management SDK. Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records the activity of the Application Catalog, which includes its use of Silverlight. Records the monitoring activities for the Application Catalog website point site system role. Records the MSI installation activity for the Application Catalog website role. Client

colleval.log

Site system server

ConfigMgrSoftwareCatalog.log

Client

portlctl.log

Site system server

portlwebMSI.log

Site system server

PrestageContent.log

Records the details about the Site system server use of the ExtractContent.exe tool on a remote prestaged distribution point. This tool extracts content that has been exported to a file. Records the activity of the Application Catalog web service. Records the activity of the Application Catalog website. Records details about the distribution point health monitoring scheduled task that is configured on a distribution point. Site system server

ServicePortalWebService.log

ServicePortalWebSite.log SMSdpmon.log

Site system server Site server

1076

Log name

Description

Computer with log file

SoftwareCatalogUpdateEndpoint.log

Records the activities for managing the URL for the Application Catalog shown in Software Center. Records the activities for Software Center prerequisite component validation.

Client

SoftwareCenterSystemTasks.log

Client

The following table lists the log files that contain information related to deploying packages and programs.
Log name Description Computer with log file

colleval.log

Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records details about packages and task sequences that run.

Site server

execmgr.log

Client

Asset Intelligence
The following table lists the log files that contain information related to Asset Intelligence.
Log Name Description Computer with Log File

AssetAdvisor.log aikbmgr.log

Records the activities of Asset Intelligence inventory actions. Records details about the processing of XML files from the inbox for updating the Asset Intelligence catalog. Records the interaction of the Asset Intelligence synchronization point with SCO (System Center Online), the online web service.

Client Site server

AIUpdateSvc.log

Site system server

1077

Log Name

Description

Computer with Log File

AIUSMSI.log

Records details about the installation of Asset Intelligence synchronization point site system role. Records details about the installation of Asset Intelligence synchronization point site system role. Records details about discovering software with an associated software identification tag. Also records activities relating to hardware inventory. Records details about the processing of imported licensing files.

Site system server

AIUSSetup.log

Site system server

ManagedProvider.log

Site system server

MVLSImport.log

Site system server

Backup and Recovery

The following table lists log files that contain information related to backup and recovery actions including site resets, and changes to the SMS Provider.
Log name Description Computer with log file

ConfigMgrSetup.log

Records information about setup and recovery tasks when Configuration Manager recovers a site from backup. Records details about the site backup activity. Records output from the site database backup process when SQL Server is installed on a different server than the site server. Records information about the state of the Configuration

Site server

Smsbkup.log smssqlbkup.log

Site server Site database server

Smswriter.log

Site server

1078

Log name

Description

Computer with log file

Manager VSS writer that is used by the backup process.

Certificate Enrollment
The following table lists the Configuration Manager log files that contain information related to certificate enrollment, which uses the certificate registration point and the Configuration Manager Policy Module on the server running Network Device Enrollment Service.
Log name Description Computer with log file

Crp.log Crpctrl.log

Records the enrollment activities. Records the operational health of the certificate registration point. Records details about the installation and configuration of the certificate registration point. Records details about the installation and configuration of the certificate registration point. Records the challenge verification and certificate enrollment activities.

Certificate registration point Certificate registration point

Crpsetup.log

Certificate registration point

Crpmsi.log

Certificate registration point

NDESPlugin.log

Configuration Manager Policy Module and the Network Device Enrollment Service

In addition to the Configuration Manager log files, review the Windows Application logs in Event Viewer on the server running the Network Device Enrollment Service and the server hosting the certificate registration point. For example, look for messages from the NetworkDeviceEnrollmentService source. You can also use the following log files: IIS log files for Network Device Enrollment Service: <path>\inetpub\logs\LogFiles\W3SVC1 IIS log files for the certificate registration point: <path>\inetpub\logs\LogFiles\W3SVC1 Network Device Enrollment Policy log file: mscep.log Note This file is located in the folder for the Network Device Enrollment Service account profile, for example, in C:\Users\SCEPSvc. For more information about how to enable
1079

logging for the Network Device Enrollment Service, see the Enable Logging section in the Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS) article on the TechNet wiki.

Client Notification
The following table lists the log files that contain information related to client notification.
Log name Description Computer with log file

bgbmgr.log

Records details about the activities of the site server relating to client notification tasks and processing online and task status files. Records the activities of the notification server such as client-server communications and pushing tasks to clients. Also records information about online and task status files generation to be sent to the site server. Records the activities of the notification server installation wrapper process during installation and uninstall. Records details about the notification server installation and uninstall. Records the activities of the notification HTTP proxy as it relays the messages of clients using HTTP to and from the notification server. Records the activities of the notification agent such as client-server communication and information about tasks received and dispatched to other client agents.

Site server

BGBServer.log

Management point

BgbSetup.log

Management point

bgbisapiMSI.log

Management point

BgbHttpProxy.log

Client

CcmNotificationAgent.log

Client

1080

Compliance Settings and Company Resource Access

The following table lists the log files that contain information related to compliance settings and company resource access.
Log name Description Computer with log file

CIAgent.log

Records details about the Client process of remediation and compliance for compliance settings, software updates, and application management. Records information about configuration item task scheduling. Records high-level information about the evaluation, conflict reporting, and remediation of configuration items and applications. Records information about reporting policy platform results into state messages for configuration items. Records information about reading configuration item synclets from Windows Management Instrumentation (WMI). Client

CITaskManager.log

DCMAgent.log

Client

DCMReporting.log

Client

DcmWmiProvider.log

Client

Configuration Manager Console

The following table lists the log files that contain information related to the Configuration Manager console.
Log name Description Computer with log file

ConfigMgrAdminUISetup.log

Records the installation of the Configuration Manager console. Records information about

Computer that runs the Configuration Manager console Computer that runs the
1081

SmsAdminUI.log

Log name

Description

Computer with log file

the operation of the Configuration Manager console. Smsprov.log Records activities performed by the SMS Provider. Configuration Manager console activities use the SMS provider.

Configuration Manager console Site server or site system server

Content Management
The following table lists the log files that contain information related to content management.
Description Log name Computer with log file

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: CloudDP-<guid>.log CloudMgr.log

Records details for a specific cloud-based distribution point, including information about storage and content access.

Site system server

Records details about the provisioning of content, collecting storage and bandwidth statistics, and administrator initiated actions to stop or start the cloud service that runs a cloudbased distribution point. Records all BITS communication for policy or package access. This log is also used for content management by pulldistribution points. Records details about content that the pull-distribution point transfers from source distribution points.

Site system server

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: DataTransferService.log For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:

A computer that is configured as a pulldistribution point

A computer that is configured as a pulldistribution point

1082

Description Log name

Computer with log file

PullDP.log PrestageContent.log Records the details about the use of the ExtractContent.exe tool on a remote prestaged distribution point. This tool extracts content that has been exported to a file. Site system role

SMSdpmon.log

Records details about the Site system role distribution point health monitoring scheduled task that are configured on a distribution point. Records details about the extraction of compressed files received from a primary site. This log is generated by the WMI Provider of the remote distribution point. A distribution point computer that is not colocated with the site server.

smsdpprov.log

Discovery
he following table lists the log files that contain information related to Discovery.
Log name Description Computer with log file

adsgdis.log

Records Active Directory Security Group Discovery actions. Records Active Directory System Discovery actions.

Site server

adsysdis.log adusrdis.log ADForestDisc.Log ddm.log

Site server

Records Active Directory User Site server Discovery actions. Records Active Directory Forest Discovery actions. Records activities of the discovery data manager. Site server Site server

1083

Log name

Description

Computer with log file

InventoryAgent.log

Records activities of hardware Client inventory, software inventory, and heartbeat discovery actions on the client. Records Network Discovery actions. Site server

netdisc.log

Endpoint Protection
The following table lists the log files that contain information related to Endpoint Protection.
Log name Description Computer with log file

EndpointProtectionAgent.log

Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client. Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. Monitors the status of the Endpoint Protection site system role. Provides information about the installation of the Endpoint Protection site system role.

Client

EPCtrlMgr.log

Site system server

EPMgr.log

Site system server

EPSetup.log

Site system server

Extensions
For System Center 2012 R2 Configuration Manager only: The following table lists the log files that contain information related to Extensions.

1084

Log name

Description

Computer with log file

AdminUI.ExtensionInstaller.log

Records information about the download of extensions from Microsoft, and the installation and uninstallation of all extensions. Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console. Records Configuration Manager console activity.

The computer that runs the Configuration Manager console

FeatureExtensionInstaller.log

The computer that runs the Configuration Manager console

SmsAdminUI.log

The computer that runs the Configuration Manager console

Inventory
The following table lists the log files that contain information related to processing inventory data.
Log name Description Computer with log file

dataldr.log

Records information about the processing of Management Information Format (MIF) files and hardware inventory in the Configuration Manager database.

Site server

invproc.log

Records the forwarding of MIF Secondary site server files from a secondary site to its parent site. Records information about the processing of software inventory data to the site database. Site server

sinvproc.log

1085

Metering
The following table lists the log files that contain information related to metering.
Log name Description Computer with log file

mtrmgr.log

Monitors all software metering processes.

Site server

Migration
The following table lists the log files that contain information related to migration.
Log name Description Computer with log file

migmctrl.log

Records information about migration actions that involve migration jobs, shared distribution points, and distribution point upgrades.

The top-level site in the System Center 2012 Configuration Manager hierarchy, and each child primary site Note In a multi-primary site hierarchy, use the log file created at the central administration site.

Mobile Devices
The following sections list the log files that contain information related to managing mobile devices .

Enrollment
The following table lists logs that contain information related to mobile device enrollment.
Log name Description Computer with log file

DMPRP.log

Records communication between management points that are enabled for mobile devices and the management point endpoints. Records the Windows Installer data for the configuration of a

Site system server

dmpmsi.log

Site system server

1086

Log name

Description

Computer with log file

management point that is enabled for mobile devices. DMPSetup.log Records the configuration of the management point when it is enabled for mobile devices. Site system server

enrollsrvMSI.log

Records the Windows Installer data for the configuration of an enrollment point. Records communication between mobile devices and the enrollment proxy point. Records the Windows Installer data for the configuration of an enrollment proxy point. Records communication between an enrollment proxy point and an enrollment point. Records communication between mobile devices, Mac computers and the management point that is enabled for mobile devices and Mac computers.

Site system server

enrollmentweb.log

Site system server

enrollwebMSI.log

Site system server

enrollmentservice.log

Site system server

SMS_DM.log

Site system server

Exchange Server Connector

The following table lists logs that contain information related to the Exchange Server connector.
Log name Description Computer with log file

easdisc.log

Records the activities and the status of the Exchange Server connector.

Site server

Mobile Device Legacy

The following table lists logs that contain information related to the mobile device legacy client.
1087

Log name

Description

Computer with log file

DmCertEnroll.log

Records details about certificate enrollment data on mobile device legacy clients.

Client

DMCertResp.htm

Records the HTML response Client from the certificate server when the mobile device legacy client enroller program requests a PKI certificate. Records the GUIDs of all the mobile device legacy clients that communicate with the management point that is enabled for mobile devices. Records registration requests and responses to and from mobile device legacy clients. Records client setup data for mobile device legacy clients. Records client transfer data for mobile device legacy clients and for ActiveSync deployments. Records client transfer file installation for configuring mobile device legacy client transfer files. Site system server

DmClientHealth.log

DmClientRegistration.log

Site system server

DmClientSetup.log DmClientXfer.log

Client Client

DmCommonInstaller.log

Client

DmInstaller.log

Records whether DMInstaller Client correctly calls DmClientSetup, and whether DmClientSetup exits with success or failure for mobile device legacy clients. Records all the site database Site system server connections and queries made by the management point that is enabled for mobile devices. Records all the discovery data Site system server
1088

DmpDatastore.log

DmpDiscovery.log

Log name

Description

Computer with log file

from the mobile device legacy clients on the management point that is enabled for mobile devices. DmpHardware.log Records hardware inventory data from mobile device legacy clients on the management point that is enabled for mobile devices. Records mobile device legacy client communication with a management point that is enabled for mobile devices. Records the Windows Installer data for the configuration of a management point that is enabled for mobile devices. Records the configuration of the management point when it is enabled for mobile devices. Records software distribution data from mobile device legacy clients on a management point that is enabled for mobile devices. Site system server

DmpIsapi.log

Site system server

dmpmsi.log

Site system server

DMPSetup.log

Site system server

DmpSoftware.log

Site system server

DmpStatus.log

Records status messages Site system server data from mobile device clients on a management point that is enabled for mobile devices. Records client communication Client from mobile device legacy clients with a management point that is enabled for mobile devices. Records details about communications to the fallback status point from Site system server

DmSvc.log

FspIsapi.log

1089

Log name

Description

Computer with log file

mobile device legacy clients and client computers.

Operating System Deployment

The following table lists the log files that contain information related to operating system deployment.
Log name Description Computer with log file

CAS.log

Records details when distribution points are found for referenced content.

Client

ccmsetup.log

Records ccmsetup tasks for Client client setup, client upgrade, and client removal. Can be used to troubleshoot client installation problems. Records details for task sequence media creation. Records details about the VHD creation and modification process Records driver installation actions or update apply actions for offline servicing. Records details about the configuration of enabling a distribution point for PXE. The computer that runs the Configuration Manager console The computer that runs the Configuration Manager console Site system server

CreateTSMedia.log

For System Center 2012 R2 Configuration Manager only: DeployToVhd.log Dism.log

Distmgr.log

Site system server

DriverCatalog.log

Records details about Site system server device drivers that have been imported into the driver catalog. Records information for multicast package transfer and client request Site system server

mcsisapi.log

1090

Log name

Description

Computer with log file

responses. mcsexec.log Records health check, namespace, session creation and certificate check actions. Records changes to configuration, security mode and availability. Records multicast provider interaction with Windows Deployment Services (WDS). Records details about multicast server role installation. Records details about multicast server role installation. Records details about multicast performance counter updates. Records management point responses to the client ID requests task sequences initiated from PXE or boot media. Records management point responses to Auto Apply Driver task sequence action requests. Records details of offline servicing schedules and update apply actions on operating system .wim files. Site system server

mcsmgr.log

Site system server

mcsprv.log

Site system server

MCSSetup.log

Site system server

MCSMSI.log

Site system server

Mcsperf.log

Site system server

MP_ClientIDManager.log

Site system server

MP_DriverManager.log

Site system server

OfflineServicingMgr.log

Site system server

Setupact.log

Records details about Client Windows Sysprep and setup logs.

1091

Log name

Description

Computer with log file

Setupapi.log

Records details about Client Windows Sysprep and setup logs. Records details about Client Windows Sysprep and setup logs. Records details about the client state capture and restore actions, and threshold information. Records details about the results of state migration point health checks and configuration changes. Records installation and configuration details about the state migration point. Records the state migration point performance counter updates. Records details about the responses to clients that PXE boot and details about the expansion of boot images and boot files. Records installation and configuration details about the state migration point. Records task sequence activities. Client

Setuperr.log

smpisapi.log

Smpmgr.log

Site system server

smpmsi.log

Site system server

smpperf.log

Site system server

smspxe.log

Site system server

smssmpsetup.log

Site system server

Smsts.log TSAgent.log

Client

Records the outcome of task Client sequence dependencies before starting a task sequence. Records details about task sequences when they are imported, exported, or Site system server

TaskSequenceProvider.log

1092

Log name

Description

Computer with log file

edited. loadstate.log Records details about the User State Migration Tool (USMT) and restoring user state data. Records details about the User State Migration Tool (USMT) and capturing user state data. Client

scanstate.log

Client

Out of Band Management

The following sections list the log files that contain information related to out of band management, for when you manage Intel AMT-based computers.

Site System Roles for Out of Band Management

The following table lists the log files that contain information related to the out of band service point.
Log name Description Computer with log file

amtopmgr.log

Records the activities of the out of band service point, which include the discovery of management controllers, provisioning, audit log control, and power control commands. Records details about managing Active Directory accounts that are used by out of band management.

Out of band service point site system server

adctrl.log

Site server

ADService.log Records details about account creation and security group details in Active Directory. amtproxymgr.log Records details about the activities of the site server relating to provisioning and

Site server

Site server

1093

Log name

Description

Computer with log file

sending instruction files to the out of band service point, which include the following: Discovery of management controllers AMT provisioning Audit log control Power control commands

This log file also records information about out of band management site replication. amtspsetup.log Records details about the installation of the out of band service point. Out of band service point site system server

Out of Band Management Client Computer Log Files

The following table lists the log files that contain information about the management activities on Intel AMT-based computers.
Log name Description Computer with log file

oobmgmt.log

Records details about out of band management activities on AMT-based computers, which includes the AMT provisioning state of the management controller.

Client

Out of Band Management Console Log Files

The following table lists the log files that contain information related to the out of band management console.
Log name Description Computer with log file

Oobconsole_<Machine Name>_<User Name>.log

Records details about running the out of band management console.

Computer that runs the out of band management console

1094

Power Management
The following table lists the log files that contain information related to power management.
Log name Description Computer with log file

pwrmgmt.log

Records details about power management activities on the client computer, which include monitoring and the enforcement of settings by the Power Management Client Agent.

Client

Remote Control
The following table lists the log files that contain information related to remote control.
Log name Description Computer with log file

CMRcViewer.log

Records details about the activity of the remote control viewer.

Located in the %temp% folder on the computer running the remote control viewer.

Reporting
The following table lists the Configuration Manager log files that contain information related to reporting.
Log name Description Computer with log file

srsrp.log

Records information about the activity and status of the reporting services point. Records detailed results of the reporting services point installation process from the MSI output. Records results of the reporting services point

Site system server

srsrpMSI.log

Site system server

srsrpsetup.log

Site system server

1095

Log name

Description

Computer with log file

installation process.

Role-Based Administration
The following table lists the log files that contain information related to managing role-based administration.
Log name Description Computer with log file

hman.log

Records information about site configuration changes, and the publishing of site information to Active Directory Domain Services. Records WMI provider access to the site database.

Site server

SMSProv.log

Computer with the SMS Provider

Software Updates and Network Access Protection

The following table lists the log files that contain information related to software updates and Network Access Protection.
Log name Description Computer with log file

ccmcca.log

Records details about the processing of compliance evaluation based on Configuration Manager NAP policy processing, and contains the processing of remediation for each software update required for compliance. Records activities related to the maintenance and capture of data related to client performance counters. Records details about the process of downloading software updates from the update source to the download destination on the site server.

Client

ccmperf.log PatchDownloader.lo g

Client The computer hosting the Configura tion Manager console

1096

Log name

Description

Computer with log file

from which download s are initiated PolicyEvaluator.log RebootCoordinator.l og ScanAgent.log SdmAgent.log Records details about the evaluation of policies on client computers, including policies from software updates. Records details about the coordination of system restarts on client computers after software update installations. Records details about scan requests for software updates, the WSUS location, and related actions. Client Client Client

Records details about tracking of remediation and compliance. Client However, the software updates log file, Updateshandler.log, provides more informative details about installing the software updates required for compliance. This log file is shared with compliance settings.

ServiceWindowMan ager.log smssha.log

Records details about the evaluation of maintenance windows. Client The main log file for the Configuration Manager Network Client Access Protection client and it contains a merged statement of health information from the two Configuration Manager components: location services (LS) and the configuration compliance agent (CCA). This log file also contains information about the interactions between the Configuration Manager System Health Agent and the operating system NAP agent, and also between the Configuration Manager System Health Agent and both the configuration compliance agent and the location services. It provides information about whether the NAP agent successfully initialized, the statement of health data, and the statement of health response. This is the main log file for the System Health Validator point and records the basic operations of the System Health Validator service, such as the initialization progress. Records details about the retrieval of Configuration Manager health state references from Active Directory Domain Site system server Site system
1097

Smsshv.log

Smsshvadcacheclie nt.log

Log name

Description

Computer with log file

Services. SmsSHVCacheStor e.log Records details about the cache store used to hold the Configuration Manager NAP health state references retrieved from Active Directory Domain Services, such as reading from the store and purging entries from the local cache store file. The cache store is not configurable. Records client statement of health information and processing operations. To obtain full information, change the registry key LogLevel from 1 to 0 in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMSSHV\ Logging\@GLOBAL Records any dynamic change to the System Health Validator component configuration while the service is running. Records the success or failure (with failure reason) of installing the System Health Validator point. Records details about the scan process for the Inventory Tool for Microsoft Updates. Records details about software updates state messages that are created and sent to the management point. Records details about the software update point installation. When the software update point installation completes, Installation was successful is written to this log file. Records details about deployments on the client, including software update activation, evaluation, and enforcement. Verbose logging shows additional information about the interaction with the client user interface. Records details about software update compliance scanning and about the download and installation of software updates on the client. Records details about compliance status for the software updates that were assessed during the compliance scan cycle.

server Site system server

smsSHVQuarValidat or.log

Site system server

smsshvregistrysettin gs.log SMSSHVSetup.log

Site system server Site system server Client Client Site system server Client

SmsWusHandler.log StateMessage.log SUPSetup.log

UpdatesDeployment .log

UpdatesHandler.log

Client

UpdatesStore.log

Client

1098

Log name

Description

Computer with log file

WCM.log

Records details about software update point configurations and connections to the Windows Server Update Services (WSUS) server for subscribed update categories, classifications, and languages. Records details about the configuration, database connectivity, and health of the WSUS server for the site. Records details about the software updates synchronization process. Records details about the Windows Update Agent on the client when it searches for software updates.

Site server

WSUSCtrl.log

Site system server Site server Client

wsyncmgr.log WUAHandler.log

Wake On LAN
The following table lists the log files that contain information related to using Wake on LAN. Note If you supplement Wake On LAN by using wake-up proxy in Configuration Manager SP1, this activity is logged on the client. For example, see CcmExec.log and SleepAgent_<domain>@SYSTEM_0.log in the Client Operations section of this topic.
Log name Description Computer with log file

wolcmgr.log

Records details about which Site server clients need to be sent wake-up packets, the number of wakeup packets sent, and the number of wake-up packets retried. Records details about wake-up procedures, such as when to wake up deployments that are configured for Wake On LAN. Site server

wolmgr.log

1099

Windows Intune Connector

The following table lists the log files that contain information related to the Windows Intune connector.
Log name Description Computer with log file

CertMgr.log

Records certificate and proxy account information. Records details about when collections are created, changed, and deleted by the Collection Evaluator. Records license enablement for users. Records information about the processing of MIX files. Records activities of the discovery data manager.

Site server

CollEval.log

Primary site and central administration site

Cloudusersync.log Dataldr.log ddm.log Distmgr.log Dmpdownloader.log

Computer with the Windows Intune connector Site server Site server

Records details about Top-level site server content distribution requests. Records details on downloads from Windows Intune. Computer with the Windows Intune connector

Dmpuploader.log

Records details for Computer with the uploading database changes Windows Intune connector to Windows Intune. Records information about message forwarding. Records the processing of policy and assignment. Records policy generation of all policies. Site server Primary site server Site server

hman.log objreplmgr.log PolicyPV.log outgoingcontentmanager.log Sitecomp.log

Records content uploaded to Computer with the Windows Intune. Windows Intune connector Records details of connector role installation. Site server

1100

Log name

Description

Computer with log file

SmsAdminUI.log

Records Configuration Manager console activity. Records activities performed by the SMS Provider. Configuration Manager console activities use the SMS Provider. Records details about the Windows Intune connector installer service. Records the processing of mobile device management messages.

Computer that runs the Configuration Manager console Computer with the SMS Provider

Smsprov.log

SrvBoot.log

Computer with the Windows Intune connector Primary site and central administration site

Statesys.log

Windows Update Agent

The following table lists the log files that contain information related to the Windows Update Agent.
Log name Description Computer with log file

WindowsUpdate.log

Records details about when the Windows Update Agent connects to the WSUS server and retrieves the software updates for compliance assessment and whether there are updates to the agent components.

Client

WSUS Server
The following table lists the log files that contain information related to the WSUS server.
Log name Description Computer with log file

Change.log

Records details about the

WSUS server
1101

Log name

Description

Computer with log file

WSUS server database information that has changed. SoftwareDistribution.log Records details about the software updates that are synchronized from the configured update source to the WSUS server database. WSUS server

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Accounts Used in Configuration Manager

Use the following information to identify the Windows groups and the accounts that are used in System Center 2012 Configuration Manager, how they are used, and any requirements.

Windows Groups That Configuration Manager Creates and Uses

Configuration Manager automatically creates and in many cases, automatically maintains the following Windows groups: Note When Configuration Manager creates a group on a computer that is a domain member, the group is a local security group. If the computer is a domain controller, the group is a domain local group that is shared among all domain controllers in the domain.

ConfigMgr_CollectedFilesAccess
This group is used by Configuration Manager to grant access to view files collected by software inventory. The following table lists additional details for this group:
1102

Detail

More information

Type and location

This group is a local security group created on the primary site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. Membership includes administrative users that are granted the View Collected Files permission to the Collection securable object from an assigned security role. By default, this group has Read permission to the following folder on the site server: %path%\Microsoft Configuration Manager\sinv.box\FileCol.

Permissions

ConfigMgr_DViewAccess
This group is a local security group created on the site database server or database replica server by System Center 2012 Configuration Manager and is not currently used. This group is reserved for future use by Configuration Manager.

ConfigMgr Remote Control Users

This group is used by Configuration Manager remote tools to store the accounts and groups that you configure in the permitted viewers list that are assigned to each client. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the Configuration Manager client when the client receives policy that enables remote tools. Important After you disable remote tools for a client, this group is not automatically removed and must be manually deleted this from each client computer.

1103

Detail

More information

Membership

By default, there are no members in this group. When you add users to the Permitted Viewers list, they are automatically added to this group. Tip Use the Permitted Viewers list to manage the membership of this group instead of adding users or groups directly to this group. In addition to being a Permitted Viewer, an administrative user must have the Remote Control permission to the Collection object. You can assign this permission by using the Remote Tools Operator security role.

Permissions

By default, this group does not have permissions to any locations on the computer, and is used only to hold the list of Permitted Viewers.

SMS Admins
This group is used by Configuration Manager to grant access to the SMS Provider, through WMI. Access to the SMS Provider is required to view and modify objects in the Configuration Manager console. Note The role-based administration configuration of an administrative user determines which objects they can view and manage when using the Configuration Manager console. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, each

1104

Detail

More information

administrative user in a hierarchy and the site server computer account are members of the SMS Admins group on each SMS Provider computer in a site. Permissions SMS Admins rights and permissions are set in the WMI Control MMC snap-in. By default, the SMS Admins group is granted Enable Account and Remote Enable on the Root\SMS namespace. Authenticated Users has Execute Methods, Provider Write, and Enable Account Note Administrative users who will use a remote Configuration Manager console require Remote Activation DCOM permissions on both the site server computer and the SMS Provider computer. It is a best practice to grant these rights to the SMS Admins to simplify administration instead of granting these rights directly to users or groups. For more information, see the Configure DCOM Permissions for Remote Configuration Manager Console Connections section in the Manage Site and Hierarchy Configurations topic.

SMS_SiteSystemToSiteServerConnection_MP_<sitecode>
This group is used by Configuration Manager management points that are remote from the site server to connect to the site database. This group provides a management point access to the inbox folders on the site server and the site database. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on each computer that has a SMS Provider.

1105

Detail

More information

Note When you uninstall a site, this group is not automatically removed and must be manually deleted. Membership Configuration Manager automatically manages the group membership. By default, membership includes the computer accounts of remote computers that have a management point for the site. By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional permission of Write to various subfolders below the inboxes to which the management point writes client data.

Permissions

SMS_SiteSystemToSiteServerConnection_SMSProv_<sitecode>
This group is used by Configuration Manager SMS Provider computers that are remote from the site server to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote computer that has installed a SMS Provider for the site.
1106

Detail

More information

Permissions

By default, this group has Read, Read & execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder on the site server. Additionally, this group has the additional permission of Write or the permissions of Write and Modify to various subfolders below the inboxes to which the SMS Provider requires access. This group also has Read, Read & execute, List folder contents, Write, and Modify permissions to the folders below %path%\Microsoft Configuration Manager\OSD\boot and Read permission to the folders below %path%\Microsoft Configuration Manager\OSD\Bin on the site server.

SMS_SiteSystemToSiteServerConnection_Stat_<sitecode>
This group is used by the File Dispatch Manager on Configuration Manager remote site system computers to connect to the site server. The following table lists additional details for this group:
Detail More information

Type and location

This group is a local security group created on the site server. Note When you uninstall a site, this group is not automatically removed and must be manually deleted.

Membership

Configuration Manager automatically manages the group membership. By default, membership includes the computer account or the domain user account that is used to connect to the site server from each remote site system computer that runs the File Dispatch Manager. By default, this group has Read, Read &
1107

Permissions

Detail

More information

execute, and List folder contents permission to the %path%\Microsoft Configuration Manager\inboxes folder and various subfolders below that location on the site server. Additionally, this group has the additional permissions of Write and Modify to the %path%\Microsoft Configuration Manager\inboxes\statmgr.box folder on the site server.

SMS_SiteToSiteConnection_<sitecode>
This group is used by Configuration Manager to enable file-based replication between sites in a hierarchy. For each remote site that directly transfers files to this site, this group contains the following accounts: Accounts configured as a Site Address Account, from Configuration Manager sites with no service pack Accounts configured as a File Replication Account, from Configuration Manager SP1 sites Note Beginning with Configuration Manager SP1 only, the File Replication Account replaces the Site Address Account. The following table lists additional details for this group:
Detail More information

Type and location Membership

This group is a local security group created on the site server. When you install a new site as a child of another site, Configuration Manager automatically adds the computer account of the new site to the group on the parent site server, and the parent sites computer account to the group on the new site server. If you specify another account for file-based transfers, add that account to this group on the destination site server. Note When you uninstall a site, this group is not automatically removed and must be
1108

Detail

More information

manually deleted. Permissions By default, this group has full control to the %path%\Microsoft Configuration Manager\inboxes\despoolr.box\receive folder.

Accounts That Configuration Manager Uses

You can configure the following accounts for Configuration Manager:

Active Directory Group Discovery Account

The Active Directory Group Discovery Account is used to discover local, global, and universal security groups, the membership within these groups, and the membership within distribution groups from the specified locations in Active directory Domain Services. Distribution groups are not discovered as group resources. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory System Discovery Account

The Active Directory System Discovery Account is used to discover computers from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory User Discovery Account

The Active Directory User Discovery Account is used to discover user accounts from the specified locations in Active Directory Domain Services. This account can be a computer account of the site server that runs discovery, or a Windows user account. It must have Read access permission to the Active Directory locations that are specified for discovery.

Active Directory Forest Account

The Active Directory Forest Account is used to discover network infrastructure from Active Directory forests, and is also used by central administration sites and primary sites to publish site data to the Active Directory Domain Services of a forest.
1109

Note Secondary sites always use the secondary site server computer account to publish to Active Directory. Note Active Directory Forest Account must be a global account to discover and publish to untrusted forests. If you do not use the computer account of the site server, you can only select a global account. This account must have Read permissions to each Active Directory forest where you want to discover network infrastructure. This account must have Full Control permissions to the System Management container and all its child objects in each Active Directory forest where you want to publish site data.

AMT Provisioning and Discovery Account

The AMT Provisioning and Discovery Account is functionally equivalent to the AMT Remote Admin Account and resides in the Management Engine BIOS extension (MEBx) of Intel AMTbased computers. This account is used by the server that runs the out of band service point role to manage some network interface features of AMT, by using the out of band management feature. If you specify an AMT Provisioning and Discovery Account in Configuration Manager, it must match the AMT Remote Admin Account name and password that is specified in the BIOS extensions in the AMT-based computers. Note For more information about whether to specify an AMT Provisioning and Discovery Account, see Step 5: Configuring the Out of Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic in the Assets and Compliance in System Center 2012 Configuration Manager guide. The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT Provisioning Removal Account

The AMT Provisioning Removal Account can remove AMT provisioning information if you have to recover the site. You might also be able to use it when a Configuration Manager client was reassigned and the AMT provisioning information was not removed from the computer in the old site. To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, all the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties.

1110

The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMTbased computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account must be a member of the local Administrators group on the out of band service point computer. The AMT auditing log is not enabled.

Because this is a Windows user account, specify an account with a strong password that does not expire.

AMT Remote Admin Account

The AMT Remote Admin Account is the account in the Management Engine BIOS extension (MEBx) of Intel AMT-based computers that is used by the server running the out of band service point role to manage some network interface features of AMT in Configuration Manager, by using the out of band management feature. Configuration Manager automatically sets the remote admin account password for computers that it provisions for AMT, and this is then used for subsequent authenticated access to the AMT firmware. This account is functionally equivalent to the Configuration Manager AMT Provisioning and Discovery Account. The account is stored in the Management Engine BIOS extensions of the AMT-based computer and does not correspond to any account in Windows.

AMT User Accounts

AMT User Accounts control which Windows users or groups can run management functions in the Out of Band Management console. The configuration of the AMT User Accounts creates the equivalent of an access control list (ACL) in the AMT firmware. When the logged on user attempts to run the Out of Band Management console, AMT uses Kerberos to authenticate the account and then authorizes or denies access to run the AMT management functions. Configure the AMT User Accounts before you provision the AMT-based computers. If you configure AMT User Accounts after computers are provisioned for AMT, you must manually update the AMT memory for these computers so that they are reconfigured with the new settings. Because the AMT User Accounts use Kerberos authentication, the user accounts and security groups must exist in an Active Directory domain.

Asset Intelligence Synchronization Point Proxy Server Account

The Asset Intelligence Synchronization Point Proxy Server Account is used by the Asset Intelligence synchronization point to access the Internet via a proxy server or firewall that requires authenticated access. Security
1111

Specify an account that has the least possible permissions for the required proxy server or firewall.

Certificate Registration Point Account

The Certificate Registration Point Account connects the certificate registration point to the Configuration Manager database. By default, the computer account of the certificate registration point server is used, but you can configure a user account instead. You must specify a user account whenever the certificate registration point is in an untrusted domain from the site server. This account requires only Read access to the site database, because write operations are handled by the state message system.

Capture Operating System Image Account

The Capture Operating System Image Account is used by Configuration Manager to access the folder where captured images are stored when you deploy operating systems. This account is required if you add the step Capture Operating System Image to a task sequence. The account must have Read and Write permissions on the network share where the captured image is stored. If the password the account is changed in Windows, you must update the task sequence with the new password. The Configuration Manager client will receive the new password when it next downloads client policy. If you use this account, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access account for this account.

Client Push Installation Account

The Client Push Installation Account is used to connect to computers and install the Configuration Manager client software if you deploy clients by using client push installation. If this account is not specified, the site server account is used to try to install the client software. This account must be a member of the local Administrators group on the computers where the Configuration Manager client software is to be installed. This account does not require Domain Admin rights. You can specify one or more Client Push Installation Accounts, which Configuration Manager tries in turn until one succeeds. Tip To more effectively coordinate account updates in large Active Directory deployments, create a new account with a different name, and then add the new account to the list of Client Push Installation Accounts in Configuration Manager. Allow sufficient time for
1112

Active Directory Domain Services to replicate the new account, and then remove the old account from Configuration Manager and Active Directory Domain Services. Security Do not grant this account the right to log on locally.

Enrollment Point Connection Account

The Enrollment Point Connection Account connects the enrollment point to the Configuration Manager site database. By default, the computer account of the enrollment point is used, but you can configure a user account instead. You must specify a user account whenever the enrollment point is in an untrusted domain from the site server. This account requires Read and Write access to the site database.

Exchange Server Connection Account

The Exchange Server Connection Account connects the site server to the specified Exchange Server computer to find and manage mobile devices that connect to Exchange Server. This account requires Exchange PowerShell cmdlets that provide the required permissions to the Exchange Server computer. For more information about the cmdlets, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.

Exchange Server Connector Proxy Server Account

The Exchange Server Connector Proxy Server Account is used by the Exchange Server connector to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Endpoint Protection SMTP Server Connection Account

For Configuration Manager with no service pack: The Endpoint Protection SMTP Server Connection Account is used by the site server to send email alerts for Endpoint Protection when the SMTP server requires authenticated access. Security Specify an account that has the least possible permissions to send emails.

Health State Reference Publishing Account

The Health State Reference Publishing Account is used to publish the Network Access Protection (NAP) health state reference for Configuration Manager to Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to publish the health state references.
1113

This account requires Read, Write and Create permissions to the Active Directory forest that stores the health state reference. Create the account in the forest that is designated to store the health state references. Assign the least possible permissions to this account and do not use the same account that is specified for the Health State Reference Querying Account, which requires only Read permissions.

Health State Reference Querying Account

The Health State Reference Querying Account is used to retrieve the Network Access Protection (NAP) health state reference for Configuration Manager from Active Directory Domain Services. If you do not configure an account, Configuration Manager attempts to use the site server computer account to retrieve the health state references. This account requires Read permissions to the Configuration Manager Systems Management container in the Global Catalog. Create the account in the forest that is designated to store the health state references. Do not use the same account for the Health State Reference Publishing Account, which requires more privileges. Security Do not grant this account interactive logon rights.

Management Point Database Connection Account

The Management Point Database Connection Account is used to connect the management point to the Configuration Manager site database so that it can send and retrieve information for clients. By default, the computer account of the management point is used, but you can configure a user account instead. You must specify a user account whenever the management point is in an untrusted domain from the site server. Create the account as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

MEBx Account
The MEBx Account is the account in the Management Engine BIOS extension (MEBx) on Intel AMT-based computers and it is used for initial authenticated access to the AMT firmware on AMT-based computers. The MEBx Account is named admin, and by default, the password is admin. Your manufacturer might provide a customized password, or you might have specified your choice of password in AMT. If the MEBx password is set to a value that is not admin, you must configure an AMT Provisioning and Discovery Account. For more information, see Step 5: Configuring the Out of
1114

Band Management Component in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic. The account is stored in the Management Engine BIOS extensions of the AMT-based computer. This account does not correspond to any account in Windows. If the default MEBx password has not been changed before Configuration Manager provisions the computer for AMT, during the AMT provisioning process, Configuration Manager sets the password that you configure.

Multicast Connection Account

The Multicast Connection Account is used by distribution points that are configured for multicast to read information from the site database. By default, the computer account of the distribution point is used, but you can configure a user account instead. You must specify a user account whenever the site database is in an untrusted forest. For example, if your data center has a perimeter network in a forest other than the site server and site database, you can use this account to read the multicast information from the site database. If you create this account, create it as a low-rights, local account on the computer that runs Microsoft SQL Server. Security Do not grant this account interactive logon rights.

Network Access Account

The Network Access Account is used by client computers when they cannot use their local computer account to access content on distribution points. For example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. Note The Network Access Account is never used as the security context to run programs, install software updates, or run task sequences; only for accessing resources on the network. Grant this account the minimum appropriate permissions on the content that the client requires to access the software. The account must have the Access this computer from the network right on the distribution point or other server that holds the package content. Prior to System Center 2012 R2 Configuration Manager, you can create only one Network Access Account per site and this account must function for all packages and task sequences for which it is required. Beginning with System Center 2012 R2 Configuration Manager, you can configure multiple Network Access Accounts per site. Warning

1115

When Configuration Manager tries to use the computername$ account to download the content and it fails, it automatically tries the Network Access Account again, even if it has previously tried and failed. Create the account in any domain that will provide the necessary access to resources. The Network Access Account must always include a domain name. Pass-through security is not supported for this account. If you have distribution points in multiple domains, create the account in a trusted domain. Tip To avoid account lockouts, do not change the password on an existing Network Access Account. Instead, create a new account and configure the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account. Security Do not grant this account interactive logon rights Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account. For System Center 2012 R2 Configuration Manager only: You can now specify multiple network access accounts for a site. When clients try to access content and cannot use their local computer account, they will first use the last network access account that successfully connected. Configuration Manager supports adding up to ten network access accounts.

Package Access Account

Package Access Accounts enable you to set NTFS permissions to specify the users and user groups that can access a package folder on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously, so the Package Access Accounts are not used by mobile device. By default, when Configuration Manager creates the package share on a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions required will depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Make sure that the Network Access Account has permissions to the package by using the defined Package Access Accounts. Use accounts in a domain that can access the distribution points. If you create or modify the account after the package is created, you must redistribute the package. Updating the package does not change the NTFS permissions on the package.

1116

You do not have to add the Network Access Account as a Package Access Account, because membership of the Users group adds it automatically. Restricting the Package Access Account to only the Network Access Account does not prevent clients from accessing the package.

Reporting Services Point Account

The Reporting Services Point Account is used by SQL Server Reporting Services to retrieve the data for Configuration Manager reports from the site database. The Windows user account and password that you specify are encrypted and stored in the SQL Server Reporting Services database.

Remote Tools Permitted Viewer Accounts

The accounts that you specify as Permitted Viewers for remote control are a list of users who are allowed to use remote tools functionality on clients.

Site System Installation Account

The Site System Installation Account is used by the site server to install, reinstall, uninstall, and configure site systems. If you configure the site system to require the site server to initiate connections to this site system, Configuration Manager also uses this account to pull data from the site system computer after the site system and any site system roles are installed. Each site system can have a different Site System Installation Account, but you can configure only one Site System Installation Account to manage all site system roles on that site system. This account requires local administrative permissions on the site systems that they will install and configure. Additionally, this account must have Access this computer from the network in the security policy on the site systems that they will install and configure. Tip If you have many domain controllers and these accounts will be used across domains, verify that the accounts have replicated before you configure the site system. When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts, because it limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage, so consider the trade-off between security and effective administration.

SMTP Server Connection Account

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The SMTP Server Connection Account is used by the site server to send email alerts when the SMTP server requires authenticated access. Security Specify an account that has the least possible permissions to send emails.

1117

Software Update Point Connection Account

The Software Update Point Connection Account is used by the site server for the following two software updates services: WSUS Configuration Manager, which configures settings such as product definitions, classifications, and upstream settings. WSUS Synchronization Manager, which requests synchronization to an upstream WSUS server or Microsoft Update.

The Site System Installation Account can install components for software updates, but cannot perform software updates-specific functions on the software update point. If you cannot use the site server computer account for this functionality because the software update point is in an untrusted forest, you must specify this account in addition to the Site System Installation Account. This account must be a local administrator on the computer where WSUS is installed, and be part of the local WSUS Administrators group.

Software Update Point Proxy Server Account

The Software Update Point Proxy Server Account is used by the software update point to access the Internet via a proxy server or firewall that requires authenticated access. Security Specify an account that has the least possible permissions for the required proxy server or firewall.

Source Site Account

The Source Site Account is used by the migration process to access the SMS Provider of the source site. This account requires Read permissions to site objects in the source site to gather data for migration jobs. If you upgrade Configuration Manager 2007 distribution points or secondary sites that have colocated distribution points to System Center 2012 Configuration Manager distribution points, this account must also have Delete permissions to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

Source Site Database Account

The Source Site Database Account is used by the migration process to access the SQL Server database for the source site. To gather data from the SQL Server database of the source site, the Source Site Database Account must have the Read and Execute permissions to the source site SQL Server database.
1118

Note If you use the System Center 2012 Configuration Manager computer account, ensure that all the following are true for this account: It is a member of the security group Distributed COM Users in the domain where the Configuration Manager 2007 site resides. It is a member of the SMS Admins security group. It has the Read permission to all Configuration Manager 2007 objects. Note Both the Source Site Account and Source Site Database Account are identified as Migration Manager in the Accounts node of the Administration workspace in the Configuration Manager console.

Task Sequence Editor Domain Joining Account

The Task Sequence Editor Domain Joining Account is used in a task sequence to join a newly imaged computer to a domain. This account is required if you add the step Join Domain or Workgroup to a task sequence, and then select Join a domain. This account can also be configured if you add the step Apply Network Settings to a task sequence, but it is not required. This account requires the Domain Join right in the domain that the computer will be joining. Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Editor Network Folder Connection Account

The Task Sequence Editor Network Folder Connection Account is used by a task sequence to connect to a shared folder on the network. This account is required if you add the step Connect to Network Folder to a task sequence. This account requires permissions to access the specified shared folder and must be a user domain account. Tip If you require this account for your task sequences, you can create one domain user account with minimal permissions to access the required network resources and use it for all task sequence accounts. Security
1119

Do not assign this account interactive logon permissions. Do not use the Network Access Account for this account.

Task Sequence Run As Account

The Task Sequence Run As Account is used to run command lines in task sequences and use credentials other than the local system account. This account is required if you add the step Run Command Line to a task sequence but do not want the task sequence to run with Local System account permissions on the managed computer. Configure the account to have the minimum permissions required to run the command line that specified in the task sequence. The account requires interactive login rights, and it usually requires the ability to install software and access network resources. Security Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence so that if one account is compromised, only the client computers to which that account has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer needed.

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Cryptographic Controls Used in Configuration Manager

Note This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. System Center 2012 Configuration Manager uses signing and encryption to help protect the management of the devices in the Configuration Manager hierarchy. Signing ensures that if data
1120

has been altered in transit, the data will be discarded. Encryption prevents an attacker from reading the data by using a network protocol analyzer. The primary hashing algorithm that Configuration Manager uses for signing is SHA-256. When two Configuration Manager sites communicate with each other, they sign their communications by using SHA-256. The primary encryption algorithm implemented in Configuration Manager is 3DES. This is used for storing data in the Configuration Manager database and for when clients communicate by using HTTP. When you use client communication over HTTPS, you can configure your public key infrastructure (PKI) to use RSA certificates with the maximum hashing algorithms and key lengths that are documented in PKI Certificate Requirements for Configuration Manager. For most cryptographic operations for Windows-based operating systems, Configuration Manager uses the SHA-1 and SHA-2, 3DES and AES, and RSA algorithms from the Windows CryptoAPI library rsaenh.dll. Use the following sections for more information. Cryptographic Controls for Configuration Manager Operations Certificates Used by Configuration Manager Cryptographic Controls for Server Communication Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems Cryptographic Controls for Clients That Use HTTP Communication to Site Systems

Cryptographic Controls for Configuration Manager Operations

Information in Configuration Manager can be signed and encrypted, regardless of whether you use PKI certificates with Configuration Manager.

Policy Signing and Encryption

Client policy assignments are signed by the self-signed site server signing certificate to help prevent the security risk of a compromised management point sending policies that have been tampered with. This safeguard is particularly relevant if you are using Internet-based client management because this environment requires a management point that is exposed to Internet communication. Policy is encrypted by using 3DES when it contains sensitive data. Policy that contains sensitive data is sent to authorized clients only. Policy that does not have sensitive data is not encrypted. When policy is stored on the clients, it is encrypted by using Data Protection application programming interface (DPAPI).

Policy Hashing
When Configuration Manager clients request policy, they first get a policy assignment so that they know which policies apply to them, and then request only those policy bodies. Each policy
1121

assignment contains the calculated hash for the corresponding policy body. The client retrieves the applicable policy bodies and then calculates the hash on that body. If the hash on the downloaded policy body does not match the hash in the policy assignment, the client discards the policy body. The hashing algorithm for policy is SHA-1 and SHA-256.

Content Hashing
The distribution manager service on the site server hashes the content files for all packages. The policy provider includes the hash in the software distribution policy. When the Configuration Manager client downloads the content, the client regenerates the hash locally and compares it to the one supplied in the policy. If the hashes match, the content has not been altered and the client installs it. If a single byte of the content has been altered, the hashes will not match and the software will not be installed. This check helps to ensure that the correct software is installed because the actual content is crosschecked with the policy. The default hashing algorithm for content is SHA-256. To change this default, see the documentation for the Configuration Manager Software Development Kit (SDK). Not all devices can support content hashing. The exceptions include the following: Windows clients when they stream App-V content. Windows Phone clients: However, these clients verify the signature of an application that is signed by a trusted source. Windows RT clients: However, these clients verify the signature of an application that is signed by a trusted source and also use package full name (PFN) validation. iOS: However, these devices verify the signature of an application that is signed by any developer certificate from a trusted source. Nokia clients: However, these clients verify the signature of an application that uses a selfsigned certificate. Or, the signature of a certificate from a trusted source and the certificate can sign Nokia Symbian Installation Source (SIS) applications. Android. In addition, these devices do not use signature validation for application installation. Clients that run on versions of Linux and UNIX that do not support SHA-256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Inventory Signing and Encryption

Inventory that clients send to management points is always signed by devices, regardless of whether they communicate with management points over HTTP or HTTPS. If they use HTTP, you can choose to encrypt this data, which is a security best practice.

State Migration Encryption

Data stored on state migration points for operating system deployment is always encrypted by the User State Migration Tool (USMT) by using 3DES.
1122

Encryption for Multicast Packages to Deploy Operating Systems

For every operating system deployment package, you can enable encryption when the package is transferred to computers by using multicast. The encryption uses Advanced Encryption Standard (AES). If you enable encryption, no additional certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys for encrypting the package. Each package has a different encryption key. The key is stored on the multicastenabled distribution point by using standard Windows APIs. When the client connects to the multicast session, the key exchange occurs over a channel encrypted with either the PKI-issued client authentication certificate (when the client uses HTTPS) or the self-signed certificate (when the client uses HTTP). The client stores the key in memory only for the duration of the multicast session.

Encryption for Media to Deploy Operating Systems

When you use media to deploy operating systems and specify a password to protect the media, the environment variables are encrypted by using Advanced Encryption Standard (AES). Other data on the media, including packages and content for applications, is not encrypted.

Encryption for Content that is Hosted on Cloud-Based Distribution Points

When you use cloud-based distribution points in Configuration Manager SP1, the content that you upload to these distribution points is encrypted by using Advanced Encryption Standard (AES) with a 256-bit key size. The content is re-encrypted whenever you update it. When clients download the content, it is encrypted and protected by the HTTPS connection.

Signing in Software Updates

All software updates must be signed by a trusted publisher to protect against tampering. On client computers, the Windows Update Agent (WUA) scans for the updates from the catalog, but will not install the update if it cannot locate the digital certificate in the Trusted Publishers store on the local computer. If a self-signed certificate was used for publishing the updates catalog, such as WSUS Publishers Self-signed, the certificate must also be in the Trusted Root Certification Authorities certificate store on the local computer to verify the validity of the certificate. WUA also checks whether the Allow signed content from intranet Microsoft update service location Group Policy setting is enabled on the local computer. This policy setting must be enabled for WUA to scan for the updates that were created and published with Updates Publisher. When software updates are published in System Center Updates Publisher, a digital certificate signs the software updates when they are published to an update server. You can either specify a PKI certificate or configure Updates Publisher to generate a self-signed certificate to sign the software update.

1123

Signed Configuration Data for Compliance Settings

When you import configuration data, Configuration Manager verifies the file's digital signature. If the files have not been signed, or if the digital signature verification check fails, you will be warned and prompted whether to continue with the import. Continue to import the configuration data only if you explicitly trust the publisher and the integrity of the files.

Encryption and Hashing for Client Notification

If you use client notification, all communication uses TLS and the highest encryption that the server and client operating systems can negotiate. For example, a client computer running Windows 7 and a management point running Windows Server 2008 R2 can support 128-bit AES encryption, whereas a client computer running Vista to the same management point but will negotiate down to 3DES encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses SHA-1 or SHA-2.

Certificates Used by Configuration Manager

For a list of the public key infrastructure (PKI) certificates that can be used by Configuration Manager, any special requirements or limitations, and how the certificates are used, see PKI Certificate Requirements for Configuration Manager. This list includes the supported hash algorithms and key lengths. Most certificates support SHA-256 and 2048 bits key length. Note All certificates that Configuration Manager uses must contain only single-byte characters in the subject name or subject alternative name. PKI certificates are required for the following scenarios: When you manage Configuration Manager clients on the Internet. When you manage Configuration Manager clients on mobile devices. When you manage Mac computers. When you use cloud-based distribution points. When you manage Intel AMT-based computers out of band.

For most other Configuration Manager communications that require certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if they are available. If they are not available, Configuration Manager generates self-signed certificates. Configuration Manager does not use PKI certificates when it manages mobile devices by using the Exchange Server connector.

Mobile Device Management and PKI Certificates

If the mobile device has not been locked by the mobile operator, you can use Configuration Manager or Windows Intune to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems or Windows Intune services. If your mobile device is locked, you cannot use
1124

Configuration Manager or Windows Intune to deploy certificates. For more information, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. If you enable hardware inventory for mobile devices, Configuration Manager or Windows Intune also inventories the certificates that are installed on the mobile device.

Out of Band Management and PKI Certificates

Out of band management for Intel AMT-based computers uses at least two types of PKI-issued certificates: an AMT provisioning certificate and a web server certificate. The out of band service point uses an AMT provisioning certificate to prepare computers for out of band management. The AMT-based computers that will be provisioned must trust the certificate presented by the out of band management point. By default, AMT-based computers are configured by the computer manufacturer to use external certification authorities (CAs), such as VeriSign, Go Daddy, Comodo, and Starfield. If you purchase a provisioning certificate from one of the external CAs and configure Configuration Manager to use this provisioning certificate, AMT-based computers will trust the CA of the provisioning certificate and provisioning can succeed. However, it is a security best practice to use your own internal CA to issue the AMT provisioning certificate. For more information, see Security Best Practices for Out of Band Management. The AMT-based computers run a web server component within their firmware and that web server component encrypts the communication channel with the out of band service point by using Transport Layer Security (TLS). There is no user interface into the AMT BIOS to manually configure a certificate, so you must have a Microsoft enterprise certification authority that automatically approves certificate requests from requesting AMT-based computers. The request uses PKCS#10 for the request format, which in turn, uses PKCS#7 for transmitting the certificate information to the AMT-based computer. Although the AMT-based computer is authenticated to the computer managing it, there is no corresponding client PKI certificate on the computer managing it. Instead, these communications use either Kerberos or HTTP Digest authentication. When HTTP Digest is used, it is encrypted by using TLS. An additional type of certificate might be required for managing AMT-based computers out of band: an optional client certificate for 802.1X authenticated wired networks and wireless networks. The client certificate might be required by the AMT-based computer for authentication to the RADIUS server. When the RADIUS server is configured for EAP-TLS authentication, a client certificate is always required. When the RADIUS server is configured for EAPTTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, the RADIUS configuration specifies whether a client certificate is required or not. This certificate is requested by the AMT-based computer by using the same processes as the web server certificate request.

Operating System Deployment and PKI Certificates

When you use Configuration Manager to deploy operating systems and a management point requires HTTPS client connections, the client computer must also have a certificate to
1125

communicate with the management point, even though it is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario, you must create a PKI client authentication certificate and export it with the private key and then import it to the site server properties and also add the management points trusted root CA certificate. If you create bootable media, you import the client authentication certificate when you create the bootable media. Configure a password on the bootable media to help protect the private key and other sensitive data configured in the task sequence. Every computer that boots from the bootable media will present the same certificate to the management point as required for client functions such as requesting client policy. If you use PXE boot, you import the client authentication certificate to the PXE-enabled distribution point and it uses the same certificate for every client that boots from that PXE-enabled distribution point. As a security best practice, require users who connect their computers to a PXE service to supply a password to help protect the private key and other sensitive data in the task sequences. If either of these client authentication certificates is compromised, block the certificates in the Certificates node in the Administration workspace, Security node. To manage these certificates, you must have the Manage operating system deployment certificate right. After the operating system is deployed and the Configuration Manager is installed, the client will require its own PKI client authentication certificate for HTTPS client communication.

ISV Proxy Solutions and PKI Certificates

Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as Macintosh or UNIX computers. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. For more information about how to create ISV proxy certificates, see the Configuration Manager Software Developer Kit (SDK). If the ISV certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node.

Asset Intelligence and Certificates

Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point site system server and it is used to authenticate the server to Microsoft. Configuration Manager uses the

1126

client authentication certificate to download the Asset Intelligence catalog and to upload software titles. This certificate has a key length of 1024 bits.

Cloud-Based Distribution Points and Certificates

Cloud-based distribution points in Configuration Manager SP1 require a management certificate (self-signed or PKI) that you upload to Windows Azure. This management certificate requires server authentication capability and a certificate key length of 2048 bits. In addition, you must configure a service certificate for each cloud-based distribution point, which cannot be self-signed but also has server authentication capability and a minimum certificate key length of 2048 bits. Note The self-signed management certificate is for testing purposes only and not for use on production networks. Clients do not require a client PKI certificate to use cloud-based distribution points; they authenticate to the management by using either a self-signed certificate or a client PKI certificate. The management point then issues a Configuration Manager access token to the client, which the client presents to the cloud-based distribution point. The token is valid for 8 hours.

The Windows Intune Connector and Certificates

When Windows Intune enrolls mobile devices, you can manage these mobile devices in Configuration Manager by creating a Windows Intune connector. The connector uses a PKI certificate with client authentication capability to authenticate Configuration Manager to Windows Intune and to transfer all information between them by using SSL. The certificate key size is 2048 bits and uses the SHA-1 hash algorithm. When you install the connector, a signing certificate is created and stored on the site server for sideloading keys, and an encryption certificate is created and stored on the certificate registration point to encrypt the Simple Certificate Enrollment Protocol (SCEP) challenge. These certificates also have a key size of 2048 bits and use the SHA-1 hash algorithm. When Windows Intune enrolls mobile devices, it installs a PKI certificate onto the mobile device. This certificate has client authentication capability, uses a key size of 2048 bits, and uses the SHA-1 hash algorithm. These PKI certificates are automatically requested, generated, and installed by Windows Intune.

CRL Checking for PKI Certificates

A PKI certificate revocation list (CRL) increases administrative and processing overhead but it is more secure. However, if CRL checking is enabled but the CRL is inaccessible, the PKI connection fails. For more information, see the Planning for PKI Certificate Revocation section in the Planning for Security in Configuration Manager topic.
1127

Certificate revocation list (CRL) checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on most Configuration Manager site systems that run IIS. The exception is for software updates, which requires a manual step to enable CRL checking to verify the signatures on software update files. CRL checking is enabled by default for client computers when they use HTTPS client connections. CRL checking is not enabled by default when you run the Out of Band Management console to connect to AMT-based computer, and you can enable this option. You cannot disable CRL checking for clients on Mac computers in Configuration Manager SP1. CRL checking is not supported for the following connections in Configuration Manager: Server-to-server connections. Mobile devices that are enrolled by Configuration Manager. Mobile devices that are enrolled by Windows Intune.

Cryptographic Controls for Server Communication

Configuration Manager uses the following cryptographic controls for server communication.

Server Communication Within a Site

Each site system server uses a certificate to transfer data to other site systems in the same Configuration Manager site. Some site system roles also use certificates for authentication. For example, if you install the enrollment proxy point on one server and the enrollment point on another server, they can authenticate one another by using this identity certificate. When Configuration Manager uses a certificate for this communication, if there is a PKI certificate available that has server authentication capability, Configuration Manager automatically uses it; if not, Configuration Manager generates a self-signed certificate. This self-signed certificate has server authentication capability, uses SHA-256, and has a key length of 2048 bits. Configuration Manager copies the certificate to the Trusted People store on other site system servers that might need to trust the site system. Site systems can then trust one another by using these certificates and PeerTrust. In addition to this certificate for each site system server, Configuration Manager generates a selfsigned certificate for most site system roles. When there is more than one instance of the site system role in the same site, they share the same certificate. For example, you might have multiple management points or multiple enrollment points in the same site. This self-signed certificate also uses SHA-256 and has a key length of 2048 bits. It is also copied to the Trusted People Store on site system servers that might need to trust it. The following site system roles generate this certificate: Application Catalog web service point Application Catalog website point Asset Intelligence synchronization point Certificate registration point
1128

Endpoint Protection point Enrollment point Fallback status point Management point Multicast-enabled distribution point Out of band service point Reporting services point Software update point State migration point System Health Validator point Windows Intune connector

These certificates are managed automatically by Configuration Manager, and where necessary, automatically generated. Configuration Manager also uses a client authentication certificate to send status messages from the distribution point to the management point. When the management point is configured for HTTPS client connections only, you must use a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate or select the option to use a self-signed certificate that has client authentication capability, uses SHA-256, and has a key length of 2048 bits.

Server Communication Between Sites

Configuration Manager transfers data between sites by using database replication and file-based replication. For more information, see Technical Reference for Site Communications in Configuration Manager. Configuration Manager automatically configures the database replication between sites and uses PKI certificates that have server authentication capability if these are available; if not, Configuration Manager creates self-signed certificates for server authentication. In both cases, authentication between sites is established by using certificates in the Trusted People Store that uses PeerTrust. This certificate store is used to ensure that only the SQL Server computers that are used by the Configuration Manager hierarchy participate in site-to-site replication. Whereas primary sites and the central administration site can replicate configuration changes to all sites in the hierarchy, secondary sites can replicate configuration changes only to their parent site. Site servers establish site-to-site communication by using a secure key exchange that happens automatically. The sending site server generates a hash and signs it with its private key. The receiving site server checks the signature by using the public key and compares the hash with a locally generated value. If they match, the receiving site accepts the replicated data. If the values do not match, Configuration Manager rejects the replication data. Database replication in Configuration Manager uses the SQL Server Service Broker to transfer data between sites by using the following mechanisms:

1129

SQL Server to SQL Server connection: This uses Windows credentials for server authentication and self-signed certificates with 1024 bits to sign and encrypt the data by using Advanced Encryption Standard (AES). If PKI certificates with server authentication capability are available, these will be used. The certificate must be located in the Personal store for the Computer certificate store. SQL Service Broker: This uses self-signed certificates with 2048 bits for authentication and to sign and encrypt the data by using Advanced Encryption Standard (AES). The certificate must be located in the SQL Server master database.

File-based replication uses the Server Message Block (SMB) protocol, and uses SHA-256 to sign this data that is not encrypted but does not contain any sensitive data. If you want to encrypt this data, you can use IPsec and must implement this independently from Configuration Manager.

Cryptographic Controls for Clients That Use HTTPS Communication to Site Systems
When site system roles accept client connections, you can configure them to accept HTTPS and HTTP connections, or only HTTPS connections. Site system roles that accept connections from the Internet only accept client connections over HTTPS. Client connections over HTTPS offer a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. However, configuring HTTPS client connections without a thorough understanding of PKI planning, deployment, and operations could still leave you vulnerable. For example, if you do not secure your root CA, attackers could compromise the trust of your entire PKI infrastructure. Failing to deploy and manage the PKI certificates by using controlled and secured processes might result in unmanaged clients that cannot receive critical software updates or packages. Important The PKI certificates that are used for client communication protect the communication only between the client and some site systems. They do not protect the communication channel between the site server and site systems or between site servers.

Communication That Is Unencrypted When Clients Use HTTPS Communication

When clients communicate with site systems by using HTTPS, communications are usually encrypted over SSL. However, in the following situations, clients communicate with site systems without using encryption: Client fails to make an HTTPS connection on the intranet and fall back to using HTTP when site systems allow this configuration Communication to the following site system roles: Client sends state messages to the fallback status point Client sends PXE requests to a PXE-enabled distribution point Client sends notification data to a management point
1130

Reporting services points are configured to use HTTP or HTTPS independently from the client communication mode.

Cryptographic Controls for Clients That Use HTTP Communication to Site Systems
When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256, and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits.

Operating System Deployment and Self-signed Certificates

When you use Configuration Manager to deploy operating systems with self-signed certificates, a client computer must also have a certificate to communicate with the management point, even if the computer is in a transitional phase such as booting from task sequence media or a PXEenabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object identifier for signing and encryption, and these certificates are used to uniquely identify the client. For all supported operating systems except Windows Server 2003, these self-signed certificates use SHA-256, and have a key length of 2048 bits. For Windows Server 2003, SHA1 is used with a key length of 1024 bits.. If these self-signed certificates are compromised, to prevent attackers from using them to impersonate trusted clients, block the certificates in the Certificates node in the Administration workspace, Security node.

Client and Server Authentication

When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or by using the Configuration Manager trusted root key. Clients do not authenticate other site system roles, such as state migration points or software update points. When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security because any computer can generate a self-signed certificate. In this scenario, the client identity process must be augmented by approval. Only trusted computers must be approved, either automatically by Configuration Manager, or manually, by an administrative user. For more information, see the approval section in Planning for Client Communication to Site Systems.

1131

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Language Packs in Configuration Manager

This topic provides technical details about language support in System Center 2012 Configuration Manager.

Supported Operating System Languages

You can install support for the following display languages by installing server language packs or client language packs at a central administration site and at primary sites. Use the following table to map a locale ID to a language that you want to support on servers or clients. For more information about locale IDs, see Locale IDs Assigned by Microsoft in the MSDN online library.

Server Languages
Server language Locale ID (LCID) Three letter code Configuration Manager version

English (default)

0409

ENU

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1
1132

Chinese (Traditional, Hong Kong SAR) 0c04 ZHH

Chinese (Simplified) 0804 CHS

Server language

Locale ID (LCID)

Three letter code

Configuration Manager version

Chinese (Traditional, Taiwan) 0404 CHT

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012
1133

Czech 0405 CSY

Dutch - Netherlands 0413 NLD

French 040c FRA

German 0407 DEU

Hungarian 040e HUN

Italian - Italy 0410 ITA

Server language

Locale ID (LCID)

Three letter code

Configuration Manager version

Configuration Manager with SP1 Japanese 0411 JPN System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2
1134

Korean 0412 KOR

Polish 0415 PLK

Portuguese - Brazil 0416 PTB

Portuguese - Portugal 0816 PTG

Russian 0419 RUS

Server language

Locale ID (LCID)

Three letter code

Configuration Manager version

Configuration Manager Spanish Spain 0c0a ESN System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager

Swedish 041d SVE

Turkish 041f TRK

Client Languages
Client language Locale ID (LCID) Three letter code Configuration Manager version

English (default)

0409

ENG

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager
1135

Chinese (Traditional, Hong Kong SAR) 0c04 ZHH

Chinese -Simplified 0804 CHS

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 Chinese (Traditional, Taiwan) 0404 CHT System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager
1136

Czech 0405 CSY

Danish 0406 DAN

Dutch - Netherlands 0413 NLD

Finnish 040b FIN

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 French 040c FRA System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager
1137

German 0407 DEU

Greek 0408 ELL

Hungarian 040e HUN

Italian - Italy 0410 ITA

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 Japanese 0411 JPN System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager
1138

Korean 0412 KOR

Norwegian 0414 NOR

Polish 0415 PLK

Portuguese (Brazil) 0416 PTB

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 Portuguese (Portugal) 0816 PTG System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager
1139

Russian 0419 RUS

Spanish - Spain 0c0a ESN

Swedish 041d SVE

Turkish 041f TRK

Client language

Locale ID (LCID)

Three letter code

Configuration Manager version

with SP1 System Center 2012 R2 Configuration Manager

Mobile Device Client Languages

When you add support for mobile device languages, all mobile device client languages are included. You cannot select individual language packs for mobile device support. For information about supported languages for the mobile device client, see the Mobile Device Requirements section in the Supported Configurations for Configuration Manager topic.

How to Identify Installed Language Packs

You can identify the language packs that are installed on a computer that runs the Configuration Manager client by viewing the locale ID (LCID) of the installed language packs in the computers registry. This information is available in the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup\InstalledLangs You can use hardware inventory to collect this information, and then build a custom report to view the language details. For information about collecting custom hardware inventory, see How to Extend Hardware Inventory in Configuration Manager. For information on creating reports, see the Manage Configuration Manager Reports section in the Operations and Maintenance for Reporting in Configuration Manager topic.

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for Unicode and ASCII Support in Configuration Manager

System Center 2012 Configuration Manager creates most objects by using Unicode characters. However, several objects support ASCII characters only or they have other limitations. The following sections list the objects that must use characters from the ASCII character set only, or that have additional limitations. Objects That Use ASCII Characters Additional Limitations Configuration Manager Objects that Are Not Localized

1140

Objects That Use ASCII Characters

Configuration Manager supports the ASCII character set only when you create the following objects: Site code All site system server computer names The following Configuration Manager accounts: Note These accounts support ASCII characters and RUS characters on a site that runs in the Russian language. Client Push Installation Account Health State Reference Publishing Account Health State Reference Querying Account Management Point Database Connect Account Network Access Account Package Access Account Standard Sender Account Site System Installation Account Software Update Point Connection Account Software Update Point Proxy Server Account Note The accounts that you specify for role-based administration support Unicode. The Reporting Services Point Account supports Unicode, with the exception of RUS characters. FQDN for site servers and site systems Installation path for Configuration Manager SQL Server instance names The path for the following site system roles: Application Catalog web service point Application Catalog website point Enrollment point Enrollment proxy point Reporting services point State migration point The folder that stores client state migration data The folder that contains the Configuration Manager reports The folder that stores the Configuration Manager Backup
1141

The path for the following folders:

The folder that stores the installation source files for site setup. The folder that stores the prerequisite downloads for use by Setup IIS website Virtual application installation path Virtual application name The FQDN of the AMT-based computer The computer name of the AMT-based computer The domain NetBIOS name The wireless profile name and SSID The trusted root certification authority name The name of the certification authority (CA) and template names The file name and path for the IDE redirection image file The contents of the AMT data storage

The path for the following objects:

The following objects for AMT and out of band management:

Boot media .ISO file names

Additional Limitations
The following are additional limitations for supported character sets and language versions: Configuration Manager does not support changing the locale of the site server computer. An enterprise certification authority (CA) does not support client computer names that use double-byte character sets (DBCS). The client computer names that you can use are restricted by the PKI limitation of the IA5 character set. In addition, Configuration Manager does not support CA names or subject name values that use DBCS.

Configuration Manager Objects that Are Not Localized

The Configuration Manager database supports Unicode for most objects that it stores, and when possible, it displays this information in the operating system language that matches the locale of a computer. For the client interface or Configuration Manager console to display information in the computers operating system language, the computers locale must match a client or server language that you install at a site. However, several Configuration Manager objects do not support Unicode, and they are stored in the database by using ASCII, or they have additional language limitations. This information is always displayed by using the ASCII character set or in the language that was in use when the object was created.

1142

Technical Reference for the Hierarchy Maintenance Tool (Preinst.exe) in Configuration Manager
The Hierarchy Maintenance tool (Preinst.exe) passes commands to the Configuration Manager Hierarchy Manager while the Hierarchy Manager service is running. The Hierarchy Maintenance tool is automatically installed when you install a Configuration Manager site. You can find Preinst.exe in the \\<SiteServerName>\SMS_<SiteCode\bin\X64\00000409 shared folder on the site server. You might use the Hierarchy Maintenance tool in the following scenarios: When secure key exchange is required, there are situations in which you must manually perform the initial public key exchange between sites. For more information, see Manually Exchange Public Keys Between Sites in this topic. To remove active jobs that are for a destination site that is no longer available. To delete a site server from the Configuration Manager console when you are unable to uninstall the site by using Setup. For example, if you physically remove a Configuration Manager site without first running Setup to uninstall the site, the site information will still exist in the parent sites database, and the parent site will continue to attempt to communicate with the child site. To resolve this issue, you must run the Hierarchy Maintenance tool and manually delete the child site from the parent sites database. To stop all Configuration Manager services at a site without having to stop services individually. When you are recovering a site, you can use the CHILDKEYS option to distribute the public keys from multiple child sites to the recovering site.

To run the Hierarchy Maintenance tool, the current user must have administrative privileges on the local computer. Also, the user must explicitly have the Site - Administer security right; it is not sufficient that the user inherits this right by being a member of a group that has that permission.

Hierarchy Maintenance Tool Command-Line Options

When you use the Hierarchy Maintenance Tool, you must run it locally on the central administration site, primary site, or secondary site server. When you run the Hierarchy Maintenance tool, you must use the following syntax: preinst.exe /<option>. The following table describes the available command-line options.
Command-Line Parameter Description

/DELJOB <SiteCode>

Use this option at a site to delete all jobs or commands from the current site to the specified
1143

Command-Line Parameter

Description

destination site. /DELSITE <ChildSiteCodeToRemove> Use this option at a parent site to delete the data for child sites from the site database of the parent site. Typically, you use this option if a site server computer is decommissioned before you uninstall the site from it. Note The /DELSITE option does not uninstall the site on the computer specified by the ChildSiteCodeToRemove parameter. This option only removes the site information from the Configuration Manager site database. /DUMP <SiteCode> Use this option on the local site server to write site control images to the root folder of the drive on which the site is installed. You can write a specific site control image to the folder or write all site control files in the hierarchy. /DUMP <SiteCode> writes the site control image only for the specified site. /DUMP writes the site control files for all sites.

An image is a binary representation of the site control file, which is stored in the Configuration Manager site database. The dumped site control file image is a sum of the base image plus the pending delta images. After dumping a site control file image with the Hierarchy Maintenance tool, the file name is in the format sitectrl_<SiteCode>.ct0. /STOPSITE Use this option on the local site server to initiate a shutdown cycle for the Configuration Manager Site Component Manager service, which partially resets the site. When this shutdown cycle is run, some Configuration Manager services on a site server and its remote site systems are stopped. These services are flagged for reinstallation. As a result of this shutdown cycle, some passwords
1144

Command-Line Parameter

Description

are automatically changed when the services are reinstalled. Note If you want to see a record of shutdown, reinstallation, and password changes for Site Component Manager, enable logging for this component before using this command-line option. After the shutdown cycle is started, it proceeds automatically, skipping any non-responding components or computers. However, if the Site Component Manager service cannot access a remote site system during the shutdown cycle, the components that are installed on the remote site system are reinstalled when the Site Component Manager service is restarted. When it is restarted, the Site Component Manager service repeatedly attempts reinstallation of all services that are flagged for reinstallation until it is successful. You can restart the Site Component Manager service using Service Manager. After it is restarted, all affected services are uninstalled, reinstalled, and restarted. After you use the /STOPSITE option to initiate the shutdown cycle, you cannot avoid the reinstallation cycles after the Site Component Manager service is restarted. /KEYFORPARENT Use this option on a site to distribute the site's public key to a parent site. The /KEYFORPARENT option places the public key of the site in the file <SiteCode>.CT4 at the root of the program files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT4 file to the parent site's \Inboxes\hman.box folder (not hman.box\pubkey). /KEYFORCHILD Use this option on a site to distribute the site's public key to a child site.
1145

Command-Line Parameter

Description

The /KEYFORCHILD option places the public key of the site in the file <SiteCode>.CT5 at the root of the program files drive. After you run preinst.exe with this option, manually copy the <SiteCode>.CT5 file to the child site's \Inboxes\hman.box folder (not hman.box\pubkey).

/CHILDKEYS

You can use this option on the child sites of a site that you are recovering. Use this option to distribute public keys from multiple child sites to the recovering site. The /CHILDKEYS option places the key from the site where you run the option, and all of that sites child sites public keys into the file <SiteCode>.CT6. After you run preinst.exe with this option, manually copy the <SiteCode>.CT6 file to the recovering site's \Inboxes\hman.box folder (not hman.box\pubkey).

/PARENTKEYS

You can use this option on the parent site of a site that you are recovering. Use this option to distribute public keys from all parent sites to the recovering site. The /PARENTKEYS option places the key from the site where you run the option, and the keys from each parent site above that site into the file <SiteCode>.CT7. After you run preinst.exe with this option, manually copy the <SiteCode>.CT7 file to the recovering site's \Inboxes\hman.box folder (not hman.box\pubkey).

Manually Exchange Public Keys Between Sites

By default, the Require secure key exchange option is enabled for Configuration Manager sites. When secure key exchange is required, there are two situations in which you must manually perform the initial key exchange between sites: If the Active Directory schema has not been extended for Configuration Manager
1146

Configuration Manager sites are not publishing site data to Active Directory

You can use the Hierarchy Maintenance tool to export the public keys for each site. Once they have been exported, you must manually exchange the keys between the sites. Note After the public keys are manually exchanged, you can review the hman.log log file, which records site configuration changes and site information publication to Active Directory Domain Services, on the parent site server to ensure that the primary site has processed the new public key. To manually transfer the child site public key to the parent site 1. While logged on to the child site, open a command prompt and navigate to the location of Preinst.exe. 2. Type the following to export the child sites public key: Preinst /keyforparent 3. The /keyforparent option places the public key of the child site in the <site code>.CT4 file located at the root of the system drive. 4. Move the <site code>.CT4 file to the parent site's <install directory>\inboxes\hman.box folder. To manually transfer the parent site public key to the child site 1. While logged on to the parent site, open a command prompt and navigate to the location of Preinst.exe. 2. Type the following to export the parent sites public key: Preinst /keyforchild. 3. The /keyforchild option places the public key of the parent site in the <site code>.CT5 file located at the root of the system drive. 4. Move the <site code>.CT5 file to the <install directory>\inboxes\hman.box directory on the child site.

Technical Reference for the Prerequisite Checker in Configuration Manager

The Prerequisite Checker (prereqchk.exe) is a standalone application that verifies server readiness for a site server or specific site system roles. Before site installation, Setup runs the Prerequisite Checker. You might choose to manually run the Prerequisite Checker on potential site servers or site systems to verify server readiness. This allows you to remediate any issues that you find before you run Setup. The Prerequisite Checker notifies you of any warnings or errors encountered that would cause Setup to fail. Tests that result in a warning do not prevent you from successfully installing Configuration Manager. However, resolving the condition that generated the warnings now might prevent issues later and helps to ensure optimum site
1147

performance. Tests that result in an error prevent you from completing the setup process and you must resolve the condition that generated the error. Note The Configuration Manager Setup prerequisite check rules verify that software and settings required for setup are installed. In some cases, the required software itself might require additional software updates not verified by Configuration Manager Setup. Before you start Setup, verify that the operating system running on the computer, and additional installed software that Configuration Manager Setup relies on, have been updated with all relevant software updates. Tip When the prerequisite check runs, it logs its results in the ConfigMgrPrereq.log file on the system drive of computer. The log file can contain additional information that does not display in user interface. The following sections provide technical details about available prerequisite checks. Prerequisite Checks for Security Rights Prerequisite Checks for Configuration Manager Dependencies Prerequisite Checks for System Requirements Prerequisite Checks for Upgrade

For more information about the Prerequisite Checker, see the Prerequisite Checker section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Prerequisite Checks for Security Rights

The following table provides a list of the prerequisite checks that Prerequisite Checker performs for security rights.
Prerequisite check name Severity Version of Configuration Manager Applicability Description

Administrator rights on central administration site

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Primary site

Verifies the user account that runs Configuration Manager Setup has local Administrator rights on the central administration site computer. Verifies that the user running
1148

Administrative rights on

Error

System Center 2012 Configuration Manager

Central administratio

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

expand primary site

SP1 System Center 2012 R2 Configuration Manager

n site

Setup has local Administrator rights on the stand-alone primary site that will be expanded. Verifies the user account that runs Configuration Manager Setup has local Administrator rights on the site server computer. Verifies that the computer account of the central administration site has local Administrator rights on the stand-alone primary site that will be expanded. Verifies the user account that runs Configuration Manager Setup on the primary site to join an existing hierarchy has the sysadmin role on the instance of the SQL Server for the central administration site.

Administrative rights on site system

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Central administratio n site Primary site Secondary site

CAS Machine administrative rights on expand primary site Error

Central administratio n site

Connection to SQL Server on central administration site

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Primary site

1149

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Site server computer account administrative rights

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

SQL Server Secondary site

Verifies that the site server computer account has administrative rights on the SQL Server and management point computers. Verifies that a valid Service Principal Name (SPN) is registered in Active Directory Domain Services for the account configured to run the SQL Server service for the SQL Server instance used to host the Configuration Manager site database. A valid SPN must be registered in Active Directory Domain Services to support Kerberos authentication. Verifies that SQL Server is configured for Windows authentication security.
1150

Site System to SQL Server Communication

Warning

Manage ment point Secondary site

SQL Server security mode

Warning

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

SQL Server

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

SQL Server sysadmin rights

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

SQL Server

Verifies the user account that runs Configuration Manager Setup has the sysadmin role on the SQL Server instance selected for site database installation. This check also fails when Setup is unable to access the instance for the SQL Server to verify permissions. Verifies that the user account running Configuration Manager Setup has the sysadmin role on the SQL Server role instance selected as the reference site database. SQL Server sysadmin role permissions are required in order to modify the site database.

SQL Server sysadmin rights for reference site

Error

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

SQL Server

1151

Prerequisite Checks for Configuration Manager Dependencies

The following table provides a list of the prerequisite checks that Prerequisite Checker performs for Configuration Manager dependencies.
Prerequisite check name Severit y Version of Configuration Manager Applicability Description

Active migration mappings on the target primary site

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Central administr ation site

Verifies that there are no active migration mappings to primary sites.

Active Replica MP

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Primary site

Checks for an active management point replica.

Administrative Warni rights on ng distribution point

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Distri bution point

Verifies that the user running Setup has local Administrator rights on the distribution point computer.

Administrative Warni rights on ng management point

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration

Mana gement point

Verifies that the computer account of site server has Administrator rights on the management point and distribution point computer.

1152

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Manager Administrative Warni share (Site ng system) Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager SP1 System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager Mana gement point Mana gement point Verifies that the required administrative shares are present on the site system computer.

Application Compatibility

Warni ng

Central administr ation site Primary site

Verifies that current applications are compliant with the application schema.

BITS enabled

Error

Verifies that Background Intelligent Transfer Service (BITS) is installed on the management point site system computer. When this check fails, BITS is not installed, IIS 6 WMI compatibility component for IIS7 is not installed on the computer or the remote IIS host, or Setup was unable to verify remote IIS settings because IIS common components were not installed on the site server computer. Verifies that Background Intelligent Transfer Service (BITS) is installed in Internet Information Services (IIS).

BITS installed Warni ng

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center

Mana gement point

1153

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

2012 R2 Configuration Manager Caseinsensitive collation on SQL Server Error System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration
1154

SQL Server

Verifies that the SQL Server installation uses a caseinsensitive collation, such as SQL_Latin1_General_CP1_ CI_AS.

Check existing stand-alone primary site for version and sitecode

Error

Central administr ation site

Verify that the primary site you plan to expand is a standalone primary site, and has the same version of Configuration Manager, but a different sitecode than the central administration site to be installed. Verifies that you are installing the management point on a computer that does not have a different version of the Configuration Manager client installed.

Client version on management point computer

Error

Mana gement point

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Manager Configuration for SQL Server memory usage Warni ng System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack Central administr ation site Checks whether a dedicated instance of the SQL Server is configured to host the Primary Configuration Manager site site database. If another site uses the instance, you must Seco select a different instance for ndary site the new site to use. Alternatively, you can uninstall the other site or move its database to a different instance for the SQL Server. SQL Server Checks whether SQL Server is configured for unlimited memory usage. You should configure SQL Server memory to have a maximum limit.

Dedicated SQL Server instance

Error

Existing Configuration Manager server components on secondary site server Existing Configuration

Error

Verifies that a site server or Seco site system role is not ndary site already installed on the computer selected for secondary site installation.

Error

System Center

Central administr

Verifies that a site server or site system role is not

1155

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Manager server components on server

2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

ation site Seco ndary site Primary site

already installed on the computer selected for site installation.

Firewall exception for SQL Server

Error

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1

Central administr ation site

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack

Checks whether the Windows Firewall is disabled or if a relevant Windows Primary Firewall exception exists for site SQL Server. You must allow sqlservr.exe or the required Seco TCP ports to be accessed ndary site remotely. By default, SQL Server listens on TCP Mana port 1433 and the gement SQL Broker Service uses point TCP port 4022.

Firewall exception for SQL Server (stand-alone primary site)

Warni ng

Primary site (standalone only)

System Center 2012 Configuration Man ager SP1 System Center 2012 R2

Checks whether the Windows Firewall is disabled or if a relevant Windows Firewall exception exists for SQL Server. You must allow sqlservr.exe or the required TCP ports to be accessed remotely. By default, SQL Server listens on TCP port 1433 and the SQL Broker Service uses TCP port 4022.

1156

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Configuration Manager Firewall exception for SQL Server for management point Warni ng System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager
1157

Mana gement point

Checks whether the Windows Firewall is disabled or if a relevant Windows Firewall exception exists for SQL Server.

IIS HTTPS Configuration

Warni ng

Mana gement point Distri bution point

Verifies Internet Information Services (IIS) website bindings for HTTPS communication protocol. When you select to install site roles that require HTTPS, you must configure IIS site bindings on the specified server with a valid PKI certificate.

IIS service running

Error

Mana gement point Distri bution point

Verifies Internet Information Services (IIS) is installed and running on the computer to install the management point or distribution point.

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Match Collation of expand primary site

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Central administr ation site

Verify that the site database for the stand-alone primary site that you will expand has same collation as the site database at the central administration site.

Microsoft Remote Differential Compression (RDC) library registered

Error

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1

Central administr ation site Primary site Seco ndary site

Verifies that the Microsoft Remote Differential Compression (RDC) library is registered on the Configuration Manager site server.

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 Central administr ation site Verifies the Windows Installer version. When this check fails, Setup was not Primary able to verify the version or site the installed version does not meet the minimum Seco requirement of Windows ndary site Installer version 4.5.

Microsoft Windows Installer

Error

System Center 2012 R2 Configuration Manager System Center Central administr Verifies that Microsoft Core XML Services (MSXML) 6.0,
1158

Microsoft XML Core

Warni

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Services 6.0 (MSXML60)

ng

2012 Configuration Man ager with no service pack

ation site Seco ndary site Confi guration Manager console Mana gement point Distri bution point Primary site

or a later version, is installed on the computer.

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Minimum .NET Framework version for Configuration Manager console

Error

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Confi guration Manager console

Checks whether Microsoft .NET Framework version 4.0 is installed on the Configuration Manager console computer. You can download Microsoft .NET Framework version 4.0 from Microsoft Download Center.

Minimum .NET Framework version for Configuration Manager site

Error

System Center 2012 Configuration Man ager with no service pack

Central administr ation site Primary site Seco

Checks whether Microsoft .NET Framework version 3.5 is installed on the Configuration Manager site server. For Windows Server 2008, you can download the Microsoft .NET
1159

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

server

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

ndary site Framework version 3.5 from Microsoft Download Center . For Windows Server 2008 R2, you can enable the Microsoft .NET Framework version 3.5 as a feature within Server Manager. Verifies that the Microsoft Seco .NET Framework version 4.0 ndary site is installed on Configuration Manager secondary site computers for installing SQL Server Express edition.

Minimum Error .NET Framew ork version for SQL Server Express edition installation for Configuration Manager secondary site Parent/child database collation Error

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1

Primary site

Verifies that the collation of the site database matches the collation of the parent Seco site's database. All sites in a ndary site hierarchy must use the same database collation.

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no Primary site Verifies that Windows PowerShell version 2.0 or later is installed on the site server for the Configuration Manager Exchange
1160

PowerShell 2. Warni 0 on site ng server

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack Confi guration Manager console Mana gement point Distri bution point Primary FQDN Error System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Central administr ation site Primary site Seco ndary site SQL Server

Connector. For more information about PowerShell 2.0, see Article 968930 in the Microsoft Knowledge Base.

Primary FQDN

Error

Verifies that the NetBIOS name of the computer matches the local hostname (first label of the FQDN) of the computer.

Verifies that the NetBIOS name of the computer matches the local hostname (first label of the FQDN) of the computer.

Remote Warni Connection to ng WMI on

Checks whether Setup is Seco able to establish a remote ndary site connection to WMI on the
1161

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Secondary Site

Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager Central administr ation site

secondary site server.

Required SQL Server Collation

Error

Verifies that the instance for SQL Server and the Configuration Manager site Primary database, if installed, is site configured to use the SQL_Latin1_General_CP1_ Seco CI_AS collation, unless you ndary site are using a Chinese operating system and require GB18030 support. For information about changing your SQL Server instance and database collations, see Setting and Changing Collations in the SQL Server 2008 R2 Books Online. For information about enabling GB18030 support, see Technical Reference for International Support in Configuration Manager.

Setup Source Folder

Error

System Center 2012 Configuration Man ager with no service pack

Verifies that the computer Seco account for the secondary ndary site site has Read NTFS file system permissions and Read share permissions to the Setup source folder and
1162

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

share. Note The secondary site computer account must be an administrator on the computer if you use administrative shares (for example, C$ and D$). System Center 2012 Configuration Man ager with no service pack Verifies that the Seco Configuration Manager ndary site version in the source folder that you specified for the secondary site installation must match the Configuration Manager version of the primary site.

Setup Source Version

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Site code in use

Error

Primary site

Checks that the site code that you specified is not already in use in the Configuration Manager hierarchy. You must specify a unique site code for this site. For more information about site naming, see the Configuration Manager Site Naming section in Install Sites and Create a Hierarchy for Configuration Manager topic.

1163

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

SMS Provider Error machine has same domain as site server

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

SMS Provider

Checks if a computer that runs an instance of the SMS Provider has same domain as the site server.

SQL Server Edition

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

SQL Server

Checks that the edition of SQL Server at the site is not SQL Server Express.

SQL Server Express on Secondary Site

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Checks that SQL Server Seco Express can successfully ndary site install on the site server computer for a secondary site.

SQL Server Error on Secondary Site

System Center 2012 Configuration Man ager with no service pack

Checks that an instance of Seco SQL Server is not already ndary site installed on the secondary site server and that it does not use the instance name CONFIGMGRSEC. It also verifies that another instance for SQL Server does not use the specified TCP port. Note This check applies only when you select to have Setup install
1164

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

SQL Server Express. SQL Server on the Secondary Site Computer Error System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager SQL Server Checks that SQL Server is Seco installed on the secondary ndary site site computer. It is not supported to install SQL Server on remote site system. Warning This check applies only when you select to have Setup use an existing instance of SQL Server.

SQL Server process memory allocation

Warni ng

Verifies that SQL Server reserves a minimum of 8 GB of memory for the central administration site and primary site, and a minimum of 4 GB of memory for the secondary site. For more information about how to set a fixed amount of memory by using SQL Server Management Studio, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio). Note This check is not applicable to SQL Server Express on a secondary site, which is limited to 1 GB of reserved memory
1165

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

SQL Server service running account

Error

System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1

Central administr ation site

Verifies that the logon account for the SQL Server service is not a local user Primary account or LOCAL site SERVICE. You must configure the SQL Server Seco service to use a valid domain ndary site account, NETWORK SERVICE, or LOCAL SYSTEM.

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager SP1 SQL Server Checks that TCP is enabled for the SQL Server and is set to use a static port.

SQL Server TCP Port

Error

System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack SQL Server Verifies that a supported version of SQL Server is installed on the specified site database server. For more information, see SQL Server Requirements section in the Supported Configurations for Configuration Manager topic.

SQL Server version

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center Central administr

Unsupported site system

Error

Checks that the Asset Intelligence synchronization

1166

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

role 'Asset Intelligence synchronizati on point' on the expanded primary site Unsupported site system role 'Endpoint Protection point' on the expanded primary site Error

2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager SP1

ation site

point site system role is not on installed on the standalone primary site that you are expanding.

Central administr ation site

Checks that the Endpoint Protection point site system role is not installed on the stand-alone primary site that you are expanding.

Unsupported Error site system role 'Windows Intune Connector' on the expanded primary site User State Migration Tool (USMT) installed Error

System Center 2012 R2 Configuration Manager

Central Checks that the 'Windows administration Intune Connector' site site system role is not installed on the stand-alone primary site that you are expanding.

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Central administr ation site Primary site (standalone only)

With System Center 2012 Configuration Manager SP1, this checks whether the User State Migration Tool (USMT) component of the Assessment and Deployment Kit (ADK) is installed. With System Center 2012 R2 Configuration Manager, this checks whether the User State Migration Tool (USMT) component of Windows Assessment and Deployment Kit (ADK) for Windows 8.1 is installed.

Validate FQDN of

Error

System Center

SQL

Checks that the FQDN that you specified for the

1167

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

SQL Server Computer

2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

Server

SQL Server computer is valid.

Verify Central Error Administratio n Site Version

Primary site

Checks that the central administration site has the same version of Configuration Manager.

Verify site Warni server ng permissions to publish to Active Directo ry.

Central administr ation site

Verifies that the computer account for the site server has Full Control Primary permissions to the System site Management container in the Active Directory domain. Seco For more information about ndary site your options to configure required permissions, see Prepare the Windows Environment for Configuration Manager. Note You can ignore this warning if you have manually verified the permissions.

1168

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Windows Warni Automated ng Installation Kit (Windows AIK ) language

System Center 2012 Configuration Man ager with no service pack

SMS Provider

Checks that the language version for Windows AIK is the same as the operating system language of the Configuration Manager site server. For more information about Windows AIK installation, see Windows Automated Installation Kit for Windows 7. With System Center 2012 Configuration Manager SP1, this checks whether the Windows Deployment Tools component of the Assessment and Deployment Kit (ADK) is installed. With System Center 2012 R2 Configuration Manager, this checks whether the Windows Deployment Tools component of Windows Assessment and Deployment Kit (ADK) for Windows 8.1 is installed.

Windows Deployment Tools installed

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager

SMS Provider

Windows Failover Cluster

Error

System Center 2012 Configuration Man ager SP1

SMS Provider

Checks that computers that run an instance of the SMS Provider are not part of a Windows Cluster. Checks that computers that have a management point or distribution point are not part of a Windows Cluster.

Windows Failover Cluster

Error

System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration

Mana gement point Distri bution point

1169

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

Manager Windows Error Preinstallation Environment installed System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager SMS Provider With System Center 2012 Configuration Manager SP1, this checks whether the Windows Preinstallation Environment component of the Assessment and Deployment Kit (ADK) is installed. With System Center 2012 R2 Configuration Manager, this checks whether the Windows Preinstallation Environment component of the Windows Assessment and Deployment Kit (ADK) for Windows 8.1 is installed. System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center Primary site Verifies that a specific Schannel hotfix for Windows Server 2003 is installed on the site server for the out of band service point. For more information about the hotfix, see Article 942841 in the Microsoft
1170

Windows Remote Management (WinRM) v1.1

Warni ng

Primary site Confi guration Manager console

Verifies that WinRM v1.1 is installed on the primary site server or Configuration Manager console computer to run the out of band management console. For more information about how to download WinRM 1.1, see Article 936059 in the Microsoft Knowledge Base.

Windows Server 2003based Schannel hotfix

Warni ng

Prerequisite check name

Severit y

Version of Configuration Manager

Applicability

Description

2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Man ager with no service pack System Center 2012 Configuration Man ager SP1 System Center 2012 R2 Configuration Manager Central administr ation site Primary site

Knowledge Base.

WSUS on site Warni server ng

Verifies that Windows Server Update Services (WSUS) version 3.0 Service Pack 2 is installed on the site server. When you use a software update point on a different computer than the site server, you must install the WSUS Administration Console on the site server. For more information about WSUS, see Windows Server Update Services web page. For information about how to configure WSUS for use with a software update point on a computer that runs Windows Server 2012, see the Step 2: Install the WSUS Server Role from the Windows Server Update Services web page.

Prerequisite Checks for System Requirements

The following table lists the prerequisite checks that Prerequisite Checker performs for system requirements.
Prerequisite check name Severity Version of Configuration Manager Applicability Description

Active Directory

Warning

System Center 2012 Configuration Manager

Central Verifies that the administration Active Directory

1171

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Domain Functional Level Check

with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

site Primary site

domain functional level is a minimum of Windows Server 2003. The domain functional level must be a minimum of Windows Server 2003 if you configure discovery to filter and remove stale computer records. For more information about Active Directory domain functional levels, see What are Active Directory Functional Levels.

Check Server Service is running

Error

System Center 2012 Configuration Manager with no service pack

Check Server Service is running Error System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager SP1

Central Verifies that the administration Server Service is site started. Primary site Secondary site Management point Central Verifies that the administration Server Service is site started. Primary site Secondary site Management point Verifies that the Server Service is started.
1172

Check Server Service is running

Warning

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Domain membership

Error

System Center 2012 Configuration Manager with no service pack

Central Verifies that administration Configuration site Manager the Primary site computer is a member of a Secondary Windows domain. site Configuration Manager console SMS Provider SQL Server Management point Distribution point Central Verifies that administration Configuration site Manager the Primary site computer is a member of a Secondary Windows domain. site SMS Provider SQL Server Management point Distribution point Verifies that Configuration Manager the computer is a member of a Windows domain. Checks whether the disk drive is formatted with the FAT file system. Install site server components on disk drives formatted with the NTFS file system
1173

Domain membership Error System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Domain membership

Warning

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

FAT Drive on Site Server

Warning

Primary site

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

for better security. Free disk space for Windows Automated Installation Kit (Windows AIK) Error System Center 2012 Configuration Manager with no service pack SMS Provider Checks that the SMS Provider site system computer has at least 1 GB of free disk space to install the Windows Automated Installation Kit. Central The site server administration computer must site have at least Primary site 5 GB of free disk space to install Secondary the site server. site You must have an additional 1 GB of free space if you install the SMS Provider site system role on the same computer. Central Checks whether administration another program site requires the Primary site server to be restarted before Secondary you run Setup. site Configuration Manager console SMS Provider SQL Server Management point Distribution point
1174

Free disk space on site server

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Pending system restart

Error

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Read-Only Domain Controller

Error

System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Central Site database administration servers and site secondary site Primary site servers are not supported on a Secondary read-only domain site controller (RODC). For more information, see You may encounter problems when installing SQL Server on a domain controller in the Microsoft Knowledge Base. Central Determines administration whether the site Active Directory Primary site Domain Services schema has been extended, and if so, the version of the schema extensions that were used. Configuration Manager Active Directory schema extensions are not required for site server installation, but are recommended to fully support the use of all Configuration
1175

Schema extensions

Warning

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

Manager features. For more information about the advantages of extending the schema, see Determine Whether to Extend the Active Directory Schema for Configuration Manager. Site Server FQDN Length Error System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager Central Checks the length administration of the FQDN of site the site server Primary site computer. Secondary site Configuration Manager console Verifies that the Configuration Manager consoles can be installed on computers that run a supported operating system version. For more information, see the Configuration Manager Console Requirements section in the Supported Configurations for Configuration Manager topic.

Unsupported Configuration Manager console operating system

Error

Unsupported site server

Error

System Center 2012 Configuration Manager

Central Verifies that a administration supported

1176

Prerequisite check name

Severity

Version of Configuration Manager

Applicability

Description

operating system version for Setup

with no service pack System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

site Primary site Secondary site Configuration Manager console Management point Distribution point

WIM filter driver Error System Center 2012 Configuration Manager with no service pack

operating system is running on the server. For more information, see the Supported Configurations for Configuration Manager topic.

SMS Provider Checks whether the WIM filter driver is currently running on the SMS Provider computer, which prevents Setup from installing the Windows Automated Installation Kit.

Prerequisite Checks for Upgrade

The following table lists the prerequisite checks that Prerequisite Checker performs when you upgrade Configuration Manager to a new service pack version.
Prerequisite check name Severit y Versions of Configuration Manager Applicability Description

Backlogged inboxes

Warnin g

System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manag

Primary site

Verifies that the site server is processing messages in critical inboxes in a timely fashion, and that inboxes do not contain files older than one day. Verifies that all distribution points in the site have the
1177

Distribution point

Warnin g

Primary site

Prerequisite check name

Severit y

Versions of Configuration Manager

Applicability

Description

package version

er SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager Central administr ation site Primary site Primary site

latest version of software distribution packages.

Migration active source hierarchy

Error

Verifies that no active source hierarchy is currently configured for migration.

Parent site replication status Share Name in Package

Error

Verifies that the replication status of the parent site is Replication Active (corresponds to status=125). Verifies that the Share Name in Package does not have the unsupported character: #.

Warnin g

System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manag er SP1

Primary site

Software Error update points in NLB Configuratio n

Central administr ation site Primary site Seco ndary site

Verifies that software updates management does not use any virtual locations for active software update points.

SQL instance hosting an active site Database SQL Server database collation

Error

System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manag er SP1 System Center 2012

SQL Server

Checks that the site database being tested for database upgrade is not an active site database.

Error

Primary site

Verifies that the SQL Server database collation settings are the same for the tempdb database and the site
1178

Prerequisite check name

Severit y

Versions of Configuration Manager

Applicability

Description

R2 Configuration Manager SQL Server Express version on secondary site Warnin g System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager

database. Checks if the version of Seco SQL Server Express on the ndary secondary site is at least Site SQL Server 2008 R2 Service Pack 1 (version 10.51.2500.0). If Configuration Manager did not install SQL Server Express when the secondary site installed, then Setup skips this check. With System Center 2012 R2 Configuration Manager, this checks if the version of SQL Server is at least SQL Server 2012 Express with no service pack and cumulative update 2.

SQL Server Native Client

Error

System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manag er SP1 System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager

SQL Server

Verifies that the SQL Server Native Client 2012 is installed.

Unsupporte d ConfigMgr database version Unsupporte d upgrade path

Error

SQL Server

Verifies that the site database version to be upgraded is at least System Center 2012 Configuration Manager SP1 R C1. Verifies that all site servers in the hierarchy meet the Configuration Manager minimum version that is required for upgrade. Verifies that the built-in collections have not been modified.
1179

Error

Central administr ation site Primary site Central administr ation site Primary

Verify that the built-in collections have not Warnin g System Center 2012 Configuration Manag er SP1

Prerequisite check name

Severit y

Versions of Configuration Manager

Applicability

Description

been modified

site

See Also
Technical Reference for Site Administration in Configuration Manager

Technical Reference for International Support in Configuration Manager

The following sections provide technical details to help you configure System Center 2012 Configuration Manager to be compliant for specific international requirements.

GB18030 Requirements
Configuration Manager meets the standards that are defined in GB18030 so that you can use Configuration Manager in China. A Configuration Manager deployment must have the following configurations to meet the GB18030 requirements: Each site server computer and SQL Server computer that you use with Configuration Manager must use a Chinese operating system. Each site database and each instance of SQL Server in the hierarchy must use the same collation, and must be one of the following: Chinese_Simplified_Pinyin_100_CI_AI Chinese_Simplified_Stroke_Order_100_CI_AI Note These database collations are an exception to the requirements noted in the SQL Server Requirements section in the Supported Configurations for Configuration Manager topic. You must place a file with the name GB18030.SMS in the root folder of the system volume of each site server computer in the hierarchy. This file does not contain any data and can be an empty text file that is named to meet this requirement.

See Also
Technical Reference for Site Administration in Configuration Manager

1180

Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
This step-by-step example deployment, which uses a Windows Server 2008 certification authority (CA), contains procedures to guide you through the process of creating and deploying the public key infrastructure (PKI) certificates that Microsoft System Center 2012 Configuration Manager uses. These procedures use an enterprise certification authority (CA) and certificate templates. The steps are appropriate for a test network only, as a proof of concept. Because there is no single method of deployment for the required certificates, you must consult your particular PKI deployment documentation for the required procedures and best practices to deploy the required certificates for a production environment. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. Tip The instructions in this topic can easily be adapted for operating systems other than the ones documented in the Test Network Requirements section. However, if you are running the issuing CA on Windows Server 2012, you are not prompted for the certificate template version. Instead, specify this on the Compatibility tab of the template properties, as follows: Certification Authority: Windows Server 2003 Certificate recipient: Windows XP / Server 2003

In This Section
The following sections include example step-by-step instructions to create and deploy the following certificates that can be used with System Center 2012 Configuration Manager: Test Network Requirements Overview of the Certificates Deploying the Web Server Certificate for Site Systems that Run IIS Deploying the Service Certificate for Cloud-Based Distribution Points Deploying the Client Certificate for Windows Computers Deploying the Client Certificate for Distribution Points Deploying the Enrollment Certificate for Mobile Devices Deploying the Certificates for AMT Deploying the Client Certificate for Mac Computers

1181

Test Network Requirements

The step-by-step instructions have the following requirements: The test network is running Active Directory Domain Services with Windows Server 2008, and it is installed as a single domain, single forest. You have a member server running Windows Server 2008 Enterprise Edition, which has installed on it the Active Directory Certificate Services role, and it is configured as an enterprise root certification authority (CA). You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and Internet Information Services (IIS) is installed on it. This computer will be the Configuration Manager site system server that you will configure with an intranet FQDN (to support client connections on the intranet) and an Internet FQDN if you must support mobile devices that are enrolled by Configuration Manager and clients on the Internet. You have one Windows Vista client with the latest service pack installed, and this computer is configured with a computer name that comprises ASCII characters and is joined to the domain. This computer will be a Configuration Manager client computer. You can log in with a root domain administrator account or an enterprise domain administrator account and use this account for all procedures in this example deployment.

Overview of the Certificates

The following table lists the types of PKI certificates that might be required for System Center 2012 Configuration Manager and describes how they are used.
Certificate Requirement Certificate Description

Web server certificate for site systems that run IIS

This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site systems servers that run IIS and that are configured in Configuration Manager to use HTTPS. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This certificate might also be required on management points when client notification traffic falls back to using HTTPS. For the steps to configure and install this certificate, see Deploying the Web Server Certificate for Site Systems that Run IIS in this this topic.
1182

Certificate Requirement

Certificate Description

Service certificate for clients to connect to cloud-based distribution points

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This certificate is used to encrypt data and authenticate the cloud-based distribution point service to clients. It must be requested, installed, and exported externally from Configuration Manager so that it can be imported when you create a cloud-based distribution point. For the steps to configure and install this certificate, see Deploying the Service Certificate for Cloud-Based Distribution Points in this this topic. Note This certificate is used in conjunction with the Windows Azure management certificate. For more information about the management certificate, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library.

Client certificate for Windows computers

This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used for management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers. For the steps to configure and install this certificate, see Deploying the Client Certificate for Windows Computers in this topic.

Client certificate for distribution points

This certificate has two purposes: The certificate is used to authenticate the distribution point to an HTTPS-enabled
1183

Certificate Requirement

Certificate Description

management point before the distribution point sends status messages. When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to a HTTPSenabled management point during the deployment of the operating system.

For the steps to configure and install this certificate, see Deploying the Client Certificate for Distribution Points in this topic. Enrollment certificate for mobile devices This certificate is used to authenticate Configuration Manager mobile device clients to site systems that are configured to use HTTPS. It must be installed as part of mobile device enrollment in Configuration Manager and you select the configured certificate template as a mobile device client setting. For the steps to configure this certificate, see Deploying the Enrollment Certificate for Mobile Devices in this topic. Certificates for Intel AMT There are three certificates that relate to out of band management for Intel AMT-based computers: An AMT provisioning certificate; an AMT web server certificate; and optionally, a client authentication certificate for 802.1X wired or wireless networks. The AMT provisioning certificate must be installed externally from Configuration Manager on the out of band service point computer, and then you select the installed certificate in the out of band service point properties. The AMT web server certificate and the client authentication certificate are installed during AMT provisioning and management, and you select the configured certificate templates in the out of band management component properties. For the steps to configure these certificates, see Deploying the Certificates for AMT in this
1184

Certificate Requirement

Certificate Description

topic. Client certificate for Mac computers For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This certificate is used to authenticate Configuration Manager SP1 Mac computers to management points and distribution points that are configured to support HTTPS. You can request and install this certificate from a Mac computer when you use Configuration Manager enrollment and select the configured certificate template as a mobile device client setting. For the steps to configure this certificate, see Deploying the Client Certificate for Mac Computers in this topic.

Deploying the Web Server Certificate for Site Systems that Run IIS
This certificate deployment has the following procedures: Creating and Issuing the Web Server Certificate Template on the Certification Authority Requesting the Web Server Certificate Configuring IIS to Use the Web Server Certificate

Creating and Issuing the Web Server Certificate Template on the Certification Authority
This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority. To create and issue the web server certificate template on the certification authority 1. Create a security group named ConfigMgr IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
1185

3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate. 6. Click the Subject Name tab, and make sure that Supply in the request is selected. 7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK, and close the Certificate Templates Console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK. 13. If you do not need to create and issue any more certificate, close Certification Authority.

Requesting the Web Server Certificate

This procedure allows you to specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then installs the web server certificate on to the member server that runs IIS. To request the web server certificate 1. Restart the member server that runs IIS, to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal.
1186

8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next. 10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings. 12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS. 13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box. Examples: If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com: Type server1.internal.contoso.com, and then click Add. If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the Internet FQDN of the site system server is server.contoso.com: i. ii. Type server1.internal.contoso.com, and then click Add. Type server.contoso.com, and then click Add. Note It does not matter in which order you specify the FQDNs for Configuration Manager. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate SAN and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead. 14. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll. 15. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 16. Close Certificates (Local Computer).

Configuring IIS to Use the Web Server Certificate

This procedure binds the installed certificate to the IIS Default Web Site. To configure IIS to use the web server certificate 1. On the member server that has IIS installed, click Start, click Programs, click
1187

Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Sites, right-click Default Web Site, and then select Edit Bindings. 3. Click the https entry, and then click Edit. 4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK. Note If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificates template with the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box. 5. Click OK in the Edit Site Binding dialog box, and then click Close. 6. Close Internet Information Services (IIS) Manager. The member server is now provisioned with a Configuration Manager web server certificate. Important When you install the Configuration Manager site system server on this computer, make sure that you specify the same FQDNs in the site system properties as you specified when you requested the certificate.

Deploying the Service Certificate for Cloud-Based Distribution Points

Note The service certificate for cloud-based distribution points applies to Configuration Manager SP1 only. This certificate deployment has the following procedures: Creating and Issuing a Custom Web Server Certificate Template on the Certification Authority Requesting the Custom Web Server Certificate Exporting the Custom Web Server Certificate for Cloud-Based Distribution Points

Creating and Issuing a Custom Web Server Certificate Template on the Certification Authority
This procedure creates a custom certificate template that is based on the Web Server certificate template. The certificate is for Configuration Manager cloud-based distribution points and the

1188

private key must be exportable. After the certificate template is created, it is added to the certification authority. Note This procedure uses a different certificate template from the web server certificate template that you created for site systems that run IIS, because although both certificates require server authentication capability, the certificate for cloud-based distribution points requires you to enter a custom-defined value for the Subject Name and the private key must be exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The cloudbased distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. On a production network, you might also consider adding the following modifications for this certificate: Require approval to install the certificate, for additional security. Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate. Use a custom value in the certificate Subject Alternative Name (SAN) to help identify this certificate from standard web server certificates that you use with IIS. To create and issue the custom Web Server certificate template on the certification authority 1. Create a security group named ConfigMgr Site Servers that contains the member servers to install System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points. 2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web server certificate for cloud-based distribution points, such as ConfigMgr Cloud-Based Distribution Point Certificate. 6. Click the Request Handling tab, and select Allow private key to be exported.
1189

7. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group. 8. Click Add, enter ConfigMgr Site Servers in the text box, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK and close Certificate Templates Console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Cloud-Based Distribution Point Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Web Server Certificate

This procedure requests and then installs the custom web server certificate on to the member server that will run the site server. To request the custom web server certificate 1. Restarted the member server after you created and configured the ConfigMgr Site Servers security group to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal. 8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next. 10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, identify the ConfigMgr Cloud-Based Distribution Point Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings . 12. In the Certificate Properties dialog box, in the Subject tab, for the Subject name, select Common name as the Type. 13. In the Value box, specify your choice of service name and your domain name by using an FQDN format. For example: clouddp1.contoso.com.
1190

Note It does not matter what service name you specify, as long as it is unique in your namespace. You will use DNS to create an alias (CNAME record) to map this service name to an automatically generated identifier (GUID) and an IP address from Windows Azure. 14. Click Add, and click OK to close the Certificate Properties dialog box. 15. On the Request Certificates page, select ConfigMgr Cloud-Based Distribution Point Certificate from the list of displayed certificates, and then click Enroll. 16. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 17. Close Certificates (Local Computer).

Exporting the Custom Web Server Certificate for Cloud-Based Distribution Points
This procedure exports the custom web server certificate to a file, so that it can be imported when you create the cloud-based distribution point. To export the custom web server certificate for cloud-based distribution points 1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export. 2. In the Certificates Export Wizard, click Next. 3. On the Export Private Key page, select Yes, export the private key, and then click Next. Note If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again. 4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected. 5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next. 6. On the File to Export page, specify the name of the file that you want to export, and then click Next. 7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. 8. Close Certificates (Local Computer). 9. Store the file securely and ensure that you can access it from the Configuration Manager console.
1191

The certificate is now ready to be imported when you create a cloud-based distribution point.

Deploying the Client Certificate for Windows Computers

This certificate deployment has the following procedures: Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority
This procedure creates a certificate template for System Center 2012 Configuration Manager client computers and adds it to the certification authority. To create and issue the Workstation Authentication certificate template on the certification authority 1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. 3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate. 5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll. 6. Click OK and close Certificate Templates Console. 7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 8. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK. 9. If you do not need to create and issue any more certificate, close Certification
1192

Authority.

Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy

This procedure configures Group Policy to autoenroll the client certificate on computers. To configure autoenrollment of the workstation authentication template by using Group Policy 1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management. 2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here. Note This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point. 3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK. 4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit. 5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies. 6. Right-click the object type named Certificate Services Client Auto-enrollment, and then click Properties. 7. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates , select Update certificates that use certificate templates, and then click OK. 8. Close Group Policy Management.

Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers
This procedure installs the client certificate on computers and verifies the installation.

1193

To automatically enroll the workstation authentication certificate and verify its installation on the client computer 1. Restart the workstation computer, and wait a few minutes before logging on. Note Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment. 2. Log on with an account that has administrative privileges. 3. In the search box, type mmc.exe., and then press Enter. 4. In the empty management console, click File, and then click Add/Remove Snap-in. 5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 6. In the Certificate snap-in dialog box, select Computer account, and then click Next. 7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish. 8. In the Add or Remove Snap-ins dialog box, click OK. 9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates. 10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column. 11. Close Certificates (Local Computer). 12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate. The computer is now provisioned with a Configuration Manager client certificate.

Deploying the Client Certificate for Distribution Points

Note This certificate can also be used for media images that do not use PXE boot, because the certificate requirements are the same. This certificate deployment has the following procedures: Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority Requesting the Custom Workstation Authentication Certificate Exporting the Client Certificate for Distribution Points

1194

Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager distribution points that allows the private key to be exported, and adds the certificate template to the certification authority. Note This procedure uses a different certificate template from the certificate template that you created for client computers, because although both certificates require client authentication capability, the certificate for distribution points requires that the private key is exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. In our example deployment, this will be the security group that you previously created for Configuration Manager site system servers that run IIS. On a production network that distributes the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you can restrict the certificate to just these site system servers. You might also consider adding the following modifications for this certificate: Require approval to install the certificate, for additional security. Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate. Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points. To create and issue the custom Workstation Authentication certificate template on the certification authority 1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. 3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition.
1195

4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate. 5. Click the Request Handling tab, and select Allow private key to be exported. 6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group. 7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK. 8. Select the Enroll permission for this group, and do not clear the Read permission. 9. Click OK and close Certificate Templates Console. 10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK. 12. If you do not have to create and issue any more certificates, close Certification Authority.

Requesting the Custom Workstation Authentication Certificate

This procedure requests and then installs the custom client certificate on to the member server that runs IIS and that will be configured as a distribution point. To request the custom Workstation Authentication certificate 1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 3. In the Certificate snap-in dialog box, select Computer account, and then click Next. 4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 5. In the Add or Remove Snap-ins dialog box, click OK. 6. In the console, expand Certificates (Local Computer), and then click Personal. 7. Right-click Certificates, click All Tasks, and then click Request New Certificate. 8. On the Before You Begin page, click Next. 9. If you see the Select Certificate Enrollment Policy page, click Next. 10. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll. 11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 12. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.
1196

13. Do not close Certificates (Local Computer).

Exporting the Client Certificate for Distribution Points

This procedure exports the custom Workstation Authentication certificate to a file, so that it can be imported in the distribution point properties. To export the client certificate for distribution points 1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export. 2. In the Certificates Export Wizard, click Next. 3. On the Export Private Key page, select Yes, export the private key, and then click Next. Note If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again. 4. On the Export File Format page, ensure that the option Personal Information Exchange - PKCS #12 (.PFX) is selected. 5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next. 6. On the File to Export page, specify the name of the file that you want to export, and then click Next. 7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box. 8. Close Certificates (Local Computer). 9. Store the file securely and ensure that you can access it from the Configuration Manager console. The certificate is now ready to be imported when you configure the distribution point. Tip You can use the same certificate file when you configure media images for an operating system deployment that does not use PXE boot, and the task sequence to install the image must contact a management point that requires HTTPS client connections.

Deploying the Enrollment Certificate for Mobile Devices

This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.
1197

Creating and Issuing the Enrollment Certificate Template on the Certification Authority
This procedure creates an enrollment certificate template for System Center 2012 Configuration Manager mobile devices and adds it to the certification authority. To create and issue the enrollment certificate template on the certification authority 1. Create a security group that contains users who will enroll mobile devices in System Center 2012 Configuration Manager. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the enrollment certificates for the mobile devices to be managed by Configuration Manager, such as ConfigMgr Mobile Device Enrollment Certificate. 6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name. 7. Click the Security tab, select the security group that contains users who have mobile devices to enroll, and select the additional permission of Enroll. Do not clear Read. 8. Click OK and close Certificate Templates Console. 9. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mobile Device Enrollment Certificate, and then click OK. 11. If you do not need to create and issue any more certificate, close the Certification Authority console. The mobile device enrollment certificate template is now ready to be selected when you configure a mobile device enrollment profile in the client settings.

Deploying the Certificates for AMT

This certificate deployment has the following procedures: Creating, Issuing, and Installing the AMT provisioning certificate Creating and Issuing the Web Server Certificate for AMT-Based Computers
1198

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers

Creating, Issuing, and Installing the AMT Provisioning Certificate

Create the provisioning certificate with your internal CA when the AMT-based computers are configured with the certificate thumbprint of your internal root CA. When this is not the case and you must use an external certification authority, use the instructions from the company issuing the AMT provisioning certificate, which will often involve requesting the certificate from the companys public Web site. You might also find detailed instructions for your chosen external CA on the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001). Important External CAs might not support the Intel AMT provisioning object identifier. When this is the case, use the alternative method of supplying the OU attribute of Intel(R) Client Setup Certificate. When you request an AMT provisioning certificate from an external CA, install the certificate into the Computer Personal certificate store on the member server that will host the out of band service point. To request and issue the AMT provisioning certificate 1. Create a security group that contains the computer accounts of site system servers that will run the out of band service point. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 3. In the results pane, right-click the entry that displays Web Server in the Template Display Name column, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name for the AMT provisioning certificate template, such as ConfigMgr AMT Provisioning. 6. Click the Subject Name tab, select Build from this Active Directory information, and then select Common name. 7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit. 8. In the Edit Application Policies Extension dialog box, click Add. 9. In the Add Application Policy dialog box, click New. 10. In the New Application Policy dialog box, type AMT Provisioning in the Name field,
1199

and then type the following number for the Object identifier: 2.16.840.1.113741.1.2.3. 11. Click OK, and then click OK in the Add Application Policy dialog box. 12. Click OK in the Edit Application Policies Extension dialog box. 13. In the Properties of New Template dialog box, you should now see the following listed as the Application Policies description: Server Authentication and AMT Provisioning. 14. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 15. Click Add, enter the name of a security group that contains the computer account for the out of band service point site system role, and then click OK. 16. Select the Enroll permission for this group, and do not clear the Read permission.. 17. Click OK, and close the Certificate Templates console. 18. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 19. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT Provisioning, and then click OK. Note If you cannot complete steps 18 or 19, check that you are using the Enterprise Edition of Windows Server 2008. Although you can configure templates with Windows Server Standard Edition and Certificate Services, you cannot deploy certificates using modified certificate templates unless you are using the Enterprise Edition of Windows Server 2008. 20. Do not close Certification Authority. The AMT provisioning certificate from your internal CA is now ready to be installed on the band service point computer. To install the AMT provisioning certificate 1. Restart the member server that runs IIS, to ensure it can access the certificate template with the configured permission. 2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in. 3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add. 4. In the Certificate snap-in dialog box, select Computer account, and then click Next. 5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish. 6. In the Add or Remove Snap-ins dialog box, click OK. 7. In the console, expand Certificates (Local Computer), and then click Personal. 8. Right-click Certificates, click All Tasks, and then click Request New Certificate. 9. On the Before You Begin page, click Next.

1200

10. If you see the Select Certificate Enrollment Policy page, click Next. 11. On the Request Certificates page, select AMT Provisioning from the list of displayed certificates, and then click Enroll. 12. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish. 13. Close Certificates (Local Computer). The AMT provisioning certificate from your internal CA is now installed and is ready to be selected in the out of band service point properties.

Creating and Issuing the Web Server Certificate for AMT-Based Computers
Use the following procedure to prepare the web server certificates for AMT-based computers. To create and issue the Web server certificate template 1. Create an empty security group to contain the AMT computer accounts that System Center 2012 Configuration Manager creates during AMT provisioning. 2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT Web Server Certificate. 6. Click the Subject Name tab, click Build from this Active Directory information, select Common name for the Subject name format, and then clear User principal name (UPN) for the alternative subject name. 7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 8. Click Add and enter the name of the security group that you created for AMT provisioning. Then click OK. 9. Select the following Allow permissions for this security group: Read and Enroll. 10. Click OK, and close the Certificate Templates console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have
1201

just created, ConfigMgr AMT Web Server Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority. The AMT Web server template is now ready to provision AMT-based computers with web server certificates. Select this certificate template in the out of band management component properties.

Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers
Use the following procedure if AMT-based computers will use client certificates for 802.1X authenticated wired or wireless networks. To create and issue the client authentication certificate template on the CA 1. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates console. 2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. Important Do not select Windows 2008 Server, Enterprise Edition. 3. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used for out of band management on AMT computers, such as ConfigMgr AMT 802.1X Client Authentication Certificate . 4. Click the Subject Name tab, click Build from this Active Directory information and select Common name for the Subject name format. Clear DNS name for the alternative subject name, and then select User principal name (UPN). 5. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins. 6. Click Add and enter the name of the security group that you will specify in the out of band management component properties, to contain the computer accounts of the AMT-based computers. Then click OK. 7. Select the following Allow permissions for this security group: Read and Enroll. 8. Click OK, and close the Certificate Templates management console, certtmpl [Certificate Templates]. 9. In the Certification Authority management console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 10. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr AMT 802.1X Client Authentication Certificate, and then click OK. 11. If you do not need to create and issue any more certificate, close Certification Authority.
1202

The client authentication certificate template is now ready to issue certificates to AMT-based computers that can be used for 802.1X client authentication. Select this certificate template in the out of band management component properties.

Deploying the Client Certificate for Mac Computers

Note The client certificate for Mac computers applies to Configuration Manager SP1 only. This certificate deployment has a single procedure to create and issue the enrollment certificate template on the certification authority.

Creating and Issuing a Mac Client Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority. Note This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. By creating a new certificate template for this certificate, you can restrict the certificate request to authorized users. To create and issue the Mac client certificate template on the certification authority 1. Create a security group that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager. 2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console. 3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template. 4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Important Do not select Windows 2008 Server, Enterprise Edition. 5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as ConfigMgr Mac Client Certificate. 6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name.
1203

7. Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups. 8. Click Add, specify the security group that you created in step one, and then click OK. 9. Select the Enroll permission for this group, and do not clear the Read permission. 10. Click OK and close Certificate Templates Console. 11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. 12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mac Client Certificate, and then click OK. 13. If you do not have to create and issue any more certificates, close Certification Authority. The Mac client certificate template is now ready to be selected when you configure client settings for enrollment.

See Also
Technical Reference for Site Administration in Configuration Manager

Migrating Hierarchies in System Center 2012 Configuration Manager

The Migrating Hierarchies in System Center 2012 Configuration Manager guide provides documentation to help you migrate hierarchies within your Microsoft System Center 2012 Configuration Manager environment. You can migrate the following hierarchies: With System Center 2012 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 Configuration Manager. With System Center 2012 Configuration Manager SP1, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 Configuration Manager SP1 infrastructure to System Center 2012 Configuration Manager SP1. With System Center 2012 R2 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 R2 Configuration Manager infrastructure to System Center 2012 R2 Configuration Manager.

However, before you migrate any data, you must first install and configure the appropriate destination hierarchy. The destination hierarchy is the hierarchy where the data is migrated to. Read the Site Administration for System Center 2012 Configuration Manager guide and Whats New in System Center 2012 Configuration Manager before you read this guide.

1204

Migration Topics
Use the following topics to help you migrate Configuration Manager hierarchies: Introduction to Migration in System Center 2012 Configuration Manager Planning for Migration to System Center 2012 Configuration Manager Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager Operations for Migrating to System Center 2012 Configuration Manager Security and Privacy for Migration to System Center 2012 Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Migration in System Center 2012 Configuration Manager

With System Center 2012 Configuration Manager, you can migrate data from a supported Configuration Manager source hierarchy to your destination hierarchy. When you migrate data from a source hierarchy, you access data from the site databases that you identify in the source infrastructure and then transfer that data to your current environment. Migration does not change the data in the source hierarchy, but instead discovers the data and stores a copy in the database of the destination hierarchy. Consider the following when you plan your migration strategy: With System Center 2012 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure to System Center 2012 Configuration Manager. With System Center 2012 Configuration Manager SP1, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 Configuration Manager SP1 infrastructure to System Center 2012 Configuration Manager SP1. With System Center 2012 R2 Configuration Manager, you can migrate an existing Configuration Manager 2007 SP2 infrastructure or an existing System Center 2012 R2 Configuration Manager infrastructure to System Center 2012 R2 Configuration Manager. You can migrate some or all of the supported data from a source site. You can migrate the data from a single source site to several different sites in the destination hierarchy. You can move data from multiple source sites to a single site in the destination hierarchy. Migration Scenarios
1205

Use the following sections to help you plan and implement your migration:

The Migration Workflow Migration Concepts in System Center 2012 Configuration Manager Whats New in Configuration Manager SP1 Whats New in System Center 2012 R2 Configuration Manager

Migration Scenarios
Configuration Manager supports the following migration scenarios. Note The expansion of a hierarchy that contains a stand-alone site into a hierarchy that contains a central administration site is not categorized as a migration. For information about hierarchy expansion, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic.

Migration from Configuration Manager 2007 Hierarchies

When you use migration to migrate data from Configuration Manager 2007 to a System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, or System Center 2012 R2 Configuration Manager hierarchy, you can maintain your investment in your existing site infrastructure and gain the following benefits:
Benefit More information

Site database improvements

The System Center 2012 Configuration Manager database supports full Unicode. Replication in System Center 2012 Configuration Manager is based on Microsoft SQL Server. This improves the performance of site-to-site data transfer. Users are the focus of management tasks in System Center 2012 Configuration Manager. For example, you can distribute software to a user even if you do not know the device name for that user. Additionally, System Center 2012 Configuration Manager gives users much more control over what software is installed on their devices and when that software is installed. In System Center 2012 Configuration Manager, the new central administration site type and changes to the behavior of primary and
1206

Database replication between sites

User-centric management

Hierarchy simplification

Benefit

More information

secondary sites let you build a simpler site hierarchy that uses less network bandwidth and requires fewer servers. Role-based administration This central security model in System Center 2012 Configuration Manager offers hierarchy-wide security and management that corresponds to your administrative and business requirements.

Note Because of the design changes that were introduced in System Center 2012 Configuration Manager, you cannot upgrade an existing Configuration Manager 2007 infrastructure to System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager.

Migration from System Center 2012 Configuration Manager SP1 Hierarchies

With System Center 2012 Configuration Manager SP1, you can migrate data from one Configuration Manager SP1 hierarchy to another. This includes migrating data from multiple source hierarchies into a single destination hierarchy, such as when your company acquires additional resources that are already managed by Configuration Manager. Additionally, you can migrate data from a Configuration Manager SP1 test environment to your Configuration Manager SP1 production environment. This allows you to maintain your investment in the Configuration Manager test environment. Note The expansion of a hierarchy that contains a stand-alone site into a hierarchy that contains a central administration site is not categorized as a migration. For information about hierarchy expansion, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic.

Migration from System Center 2012 R2 Configuration Manager Hierarchies

With System Center 2012 R2 Configuration Manager, you can migrate data from one System Center 2012 R2 Configuration Manager hierarchy to another. This includes migrating data from multiple source hierarchies into a single destination hierarchy, such as when your company acquires additional resources that are already managed by Configuration Manager. Additionally, you can migrate data from a System Center 2012 R2 Configuration Manager test environment to

1207

your System Center 2012 R2 Configuration Manager production environment. This allows you to maintain your investment in the Configuration Manager test environment.

The Migration Workflow

The following steps describe the basic migration workflow. 1. Specify a supported source hierarchy. 2. Configure data gathering. Data gathering enables Configuration Manager to collect information about data that can migrate from the source hierarchy. Configuration Manager automatically repeats the process to collect data on a simple schedule until you stop the data gathering process. By default, the data gathering process repeats every four hours so that Configuration Manager can identify changes to data in the source hierarchy that you might want to migrate. Data gathering is also necessary to share distribution points from the source hierarchy to the destination hierarchy. 3. Create migration jobs to migrate data between the source and destination hierarchy. 4. You can stop the data gathering process at any time by using the Stop Gathering Data command. When you stop data gathering, Configuration Manager no longer identifies changes to data in the source hierarchy, and can no longer share distribution points between the source and destination hierarchies. Typically, you use this action when you no longer plan to migrate data or share distribution points from the source hierarchy. 5. Optionally, after data gathering has stopped at all sites for the source hierarchy, you can clean up the migration data by using the Clean Up Migration Data command. This command deletes the historical data about migration from a source hierarchy from the database of the destination hierarchy. After you migrate data from a Configuration Manager source hierarchy that you will no longer use to manage your environment, you can plan to decommission that source hierarchy and infrastructure.

Migration Concepts in System Center 2012 Configuration Manager

Use the following information about the concepts and terms that you encounter when you migrate from a source hierarchy to System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager.
Concept or term More information

Source hierarchy

A Configuration Manager 2007 SP2, System Center 2012 Configuration Manager SP1, or System Center 2012 R2 Configuration Manager hierarchy that contains data that you want to migrate. You
1208

Concept or term

More information

specify a source hierarchy when you specify the top-level site of a source hierarchy. After you specify a source hierarchy, the top-level site of the destination hierarchy gathers data from the database of the designated source site to identify the data that you can migrate. For more information, see the Migration Source Hierarchies section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Source sites The sites in the source hierarchy that have data that you can migrate to your destination hierarchy. For more information, see the Migration Source Sites section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Destination hierarchy A System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, or System Center 2012 R2 Configuration Manager hierarchy where migration runs to import data from the site database of a source hierarchy. The ongoing process of identifying the information in a source hierarchy that you can migrate to System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager. Configuration Manager checks the source hierarchy on a schedule to identify any changes to information in the source hierarchy that you previously migrated and that you might want to update in the destination hierarchy. For more information, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Migration jobs The process of configuring the specific objects
1209

Data gathering

Concept or term

More information

to migrate, and then managing the migration of those objects to the destination hierarchy. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. Client migration The process of transferring information that clients use from the database of the source site to the database of the destination hierarchy. This migration of data is then followed by an upgrade of client software on devices to the client software version from the destination hierarchy. For more information, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Shared distribution points The distribution points from the source hierarchy that are shared with the destination hierarchy during the migration period. During the migration period, clients assigned to sites in the destination hierarchy can obtain content from shared distribution points. For more information, see the Share Distribution Points Between Source and Destination Hierarchies section in the About Shared Distribution Points in System Center 2012 Configuration Manager Migration topic Monitoring migration The process of monitoring migration activities. You monitor the migration progress and success from the Migration node in the Administration workspace. For more information, see Planning to Monitor Migration Activity in System Center 2012 Configuration Manager. Stop gathering data The process of stopping data gathering from source sites. When you no longer have data to migrate from a source hierarchy, or if you want to temporarily suspend migration-related activities, you can configure the destination hierarchy to stop gathering data from the
1210

Concept or term

More information

source hierarchy. For more information, see the Migration Data Gathering section in the Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager topic. Clean up migration data The process of finishing migration from a source hierarchy by removing information about the migration from the destination hierarchies database. For more information, see Planning to Complete Migration in System Center 2012 Configuration Manager.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for migration in Configuration Manager SP1: You can merge data from other hierarchies that run the same version of Configuration Manager as your hierarchy. This includes migrating data from a test environment into your production environment. Some UI labels and descriptions are updated to reflect the change in functionality that lets you migrate data between two System Center 2012 Configuration Manager hierarchies.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for migration in System Center 2012 R2 Configuration Manager: Some UI labels and descriptions are updated to reflect the functionality of migrating, not upgrading, distribution point between hierarchies that run the same version of System Center 2012 Configuration Manager.

1211

When you use the Reassign Shared Distribution Points Wizard, you have the same options as when you deploy a new distribution point, including options make the distribution point a pull-distribution point and to add it to boundary groups in the destination hierarchy.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Planning for Migration to System Center 2012 Configuration Manager

Before you migrate data to a Microsoft System Center 2012 Configuration Manager destination hierarchy, make sure that you are familiar with the changes to sites and hierarchies in System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager. For more information about sites and hierarchies, see Planning for Sites and Hierarchies in Configuration Manager. You must first install a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy to be the destination hierarchy before you can migrate data from a supported source hierarchy. After you install the destination hierarchy, configure the management features and functions that you want to use in your destination hierarchy before you start to migrate data. Additionally, you might have to plan for overlap between the source hierarchy and your destination hierarchy. As an example, consider when the source hierarchy is configured to use the same network locations or boundaries as your destination hierarchy and you then install new clients to your destination hierarchy and use automatic site assignment. In this scenario, because a newly installed Configuration Manager client can select a site to join from either hierarchy, the client could incorrectly assign to your source hierarchy. Therefore, plan to assign each new client in the destination hierarchy to a specific site in that hierarchy instead of using automatic-site assignment. For more information about site assignments, see the Client Site Assignment Considerations section in the Interoperability between Different Versions of Configuration Manager topic. For more information about client site assignment for Configuration Manager 2007, see About Client Site Assignment in Configuration Manager in the Configuration Manager 2007 documentation library.

Planning Topics
Use the following topics to help you plan how to migrate a supported Configuration Manager hierarchy to System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager: Prerequisites for Migration in System Center 2012 Configuration Manager
1212

Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager Planning a Migration Job Strategy in System Center 2012 Configuration Manager Planning a Client Migration Strategy in System Center 2012 Configuration Manager Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager Planning to Monitor Migration Activity in System Center 2012 Configuration Manager Planning to Complete Migration in System Center 2012 Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Migrating Hierarchies in System Center 2012 Configuration Manager

Prerequisites for Migration in System Center 2012 Configuration Manager

To migrate from a supported source hierarchy, you must have access to each applicable Configuration Manager source site, and permissions within the System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager destination site to configure and run migration operations. Use the information in the following sections to help you understand the versions of Configuration Manager that are supported for migration, and the required configurations. Versions of Configuration Manager That Are Supported for Migration Source Site Languages That Are Supported for Migration Required Configurations for Migration

Versions of Configuration Manager That Are Supported for Migration

The following table lists the versions of Configuration Manager 2007 and System Center 2012 Configuration Manager that are supported for migration to a destination hierarchy of each version of System Center 2012 Configuration Manager.

1213

Destination hierarchy

Source hierarchy

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager SP1

Configuration Manager 2007 SP2 Configuration Manager 2007 SP2 System Center 2012 Configuration Manager SP1

System Center 2012 R2 Configuration Manager Configuration Manager 2007 SP2 System Center 2012 R2 Configuration Manager

Source Site Languages That Are Supported for Migration

When you migrate data between Configuration Manager hierarchies, the data is stored in the destination hierarchy in the language neutral format for System Center 2012 Configuration Manager. Because Configuration Manager 2007 does not store data in a language neutral format, the migration process must convert objects to this format during migration from Configuration Manager 2007. Therefore, only Configuration Manager 2007 source sites that are installed with the following languages are supported for migration: English French German Japanese Korean Russian Simplified Chinese Traditional Chinese

When you migrate data from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy, there are no source site language limitations. Objects in the source site database are already in a language neutral format.

Required Configurations for Migration

The following table lists the required configurations for using migration and migration operations.
Migration operation Details

To configure, run, and monitor migration in the

In the destination site, your account must be

1214

Migration operation

Details

Configuration Manager console

assigned the role-based administration security role of Infrastructure Administrator. This security role grants permissions to manage all migration operations, which includes the creation of migration jobs, clean up, monitoring, and the action to share and upgrade distribution points. To enable the destination site to gather data, you must configure the following two source site access accounts for use with each source site: Source Site Account: This account is used to access the SMS Provider of the source site. For a Configuration Manager 2007 SP2 source site, this account requires Read permission to all source site objects. For a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source site, this account requires Read permission to all source site objects, You grant this permission to the account by using role-based administration. For information about how to use role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Data Gathering

Source Site Database Account: This account is used to access the SQL Server database of the source site and requires Connect, Execute, and Select permissions to the source site database.

You can configure these accounts when you configure a new source hierarchy, data gathering for an additional source site, or when you reconfigure the credentials for a source site. These accounts can use a domain user account, or you can specify the computer
1215

Migration operation

Details

account of the top-level site of the destination hierarchy. Security If you use the Configuration Manager computer account for either access account, ensure that this account is a member of the security group Distributed COM Users in the domain where the source site resides. When gathering data, the following network protocols and ports are used: Migrate Software Updates NetBIOS/SMB 445 (TCP) RPC (WMI) - 135 (TCP) SQL Server - The TCP ports in use by both the source and destination site databases.

Before you migrate software updates, you must configure the destination hierarchy with a software update point. For more information, see Planning to Migrate Software Updates To successfully share any distribution points from a source site, at least one primary site or the central administration site in the destination hierarchy must use the same port numbers for client requests as the source site. For information about client request ports, see How to Configure Client Communication Port Numbers in Configuration Manager topic in the Deploying Clients for System Center 2012 Configuration Manager guide. For each source site, only the distribution points that are installed on site system servers that are configured with a FQDN are shared. In addition, to share a distribution point from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source site, the Source Site Account (which accesses the SMS Provider for the source site server), must have Modify permissions to the
1216

Share distribution points

Migration operation

Details

Site object on the source site. You grant this permission to the account by using role-based administration. For information about how to use role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. Upgrade or reassign distribution points The Source Site Access Account configured to gather data from the SMS Provider of the source site must have the following permissions: To upgrade a Configuration Manager 2007 distribution point, the account requires Read, Execute, and Delete permissions to the Site class on the Configuration Manager 2007 site server to successfully remove the distribution point from the Configuration Manager 2007 source site To reassign a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager distribution point, the account must have Modify permission to the Site object on the source site. You grant this permission to the account by using role-based administration. For information about how to use rolebased administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

To successfully upgrade or reassign a distribution point to a new hierarchy, the ports that are configured for client requests at the site that manages the distribution point in the source hierarchy must match the ports that are configured for client requests at the destination site that will manage the distribution point. For information about client request ports, see How to Configure Client Communication Port Numbers in Configuration Manager topic in the Deploying Clients for System Center 2012
1217

Migration operation

Details

Configuration Manager guide.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Administrator Checklists for Migration Planning in System Center 2012 Configuration Manager
Use the following administrator checklists to help you plan your migration strategy to Microsoft System Center 2012 Configuration Manager: Administrator Checklist for Migration Planning Administrator Checklist for Hierarchy Migration Administrator Checklist for Migration

Administrator Checklist for Migration Planning

Use the following checklist for pre-migration planning steps.
Action More information

Assess the current environment.

Identify existing business requirements that are met by the source hierarchy and develop plans to continue to meet those requirements in the destination hierarchy. For more information, see Fundamentals of Configuration Manager and Whats New in System Center 2012 Configuration Manager.

Review the functionality and changes that are available with the version of System Center 2012 Configuration Manager that you use, and use this information to help you design your destination hierarchy. Determine the administrative security model to use for role-based administration.

For more information, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.
1218

Action

More information

Assess your network and Active Directory topology.

Review your existing domain structure and network topology and consider how this influences your hierarchy design and migration tasks. Decide upon the placement of a central administration site, primary sites, secondary sites, and content distribution options. Identify the computers that sites and site system servers will use in the destination hierarchy, and ensure that they have sufficient capacity to meet existing and future operational requirements. Plan to use the available migration jobs to migrate different objects, which include site boundaries, collections, advertisements, and deployments. For more information, see Types of Migration in System Center 2012 Configuration Manager. Configuration Manager migrates only the objects that you select. Any objects that are not migrated and that are required in the destination hierarchy must be re-created in the destination hierarchy. Objects that can migrate are displayed when you configure migration jobs.

Finalize your destination hierarchy design.

Map your hierarchy to the computers that you will use for sites and site servers in the destination hierarchy.

Plan your object migration strategy.

Plan your client migration strategy.

Plan to migrate clients by using a controlled approach that limits the network bandwidth and server processing requirements when you migrate clients to the destination hierarchy. For more information about planning a client migration strategy, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Configuration Manager does not support migrating hardware inventory, software inventory, or desired configuration management compliance data for software updates or clients.
1219

Plan for inventory and compliance data.

Action

More information

Instead, after the client migrates to its new site in the destination hierarchy and receives policy for these configurations, the client submits this information to its assigned site. This action populates the destination site database with current inventory and compliance data. Plan for the completion of migration from the source hierarchy. Decide when objects and clients will be migrated. After migration completes, you can plan to decommission the site servers in the source hierarchy.

Administrator Checklist for Hierarchy Migration

Use the following checklist to help you plan a destination hierarchy before you start migration.
Action More information

Identify the computers to use in the destination hierarchy.

Configuration Manager does not support an inplace upgrade of Configuration Manager 2007 infrastructure. Therefore, if you migrate from Configuration Manager 2007, you must use a side-by-side deployment and install System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager on new computers. Similarly, when you migrate from another System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy, you must install a new destination hierarchy that is a side-by-side deployment to your source hierarchy.

Create your destination hierarchy.

To prepare for migration, install and configure a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager destination hierarchy that includes a primary site. For example: Install a central administration site and then install at least one child primary Install a stand-alone primary if you do not
1220

Action

More information

plan to use a central administration site. If you want to migrate information that is related to software updates, configure a software update point in the destination hierarchy and synchronize software updates. You must configure and synchronize software updates in the destination hierarchy before you can migrate software updates information from the source hierarchy. For more information, see Configuring Software Updates in Configuration Manager Install and configure additional site system roles in the destination hierarchy. Verify operational functionality in the destination hierarchy. Configure additional site system roles and site systems that you will require. Check the following: If the destination hierarchy includes multiple sites, confirm that database replication is working between sites. Database replication is not applicable to stand-alone primary sites. Verify that all installed site system roles are operational. Verify that Configuration Manager clients you install to the destination hierarchy can communicate successfully with their assigned site.

Note For more information about how to plan a Configuration Manager hierarchy, see Planning for Sites and Hierarchies in Configuration Manager.

Administrator Checklist for Migration

Use the following checklist to migrate data from the source hierarchy to the destination hierarchy.
Action More information

Enable migration in the destination hierarchy.

Configure a source hierarchy by specifying the top-level site of the source hierarchy. For more information about specifying the source site, see Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager. For each additional site in the Configuration Manager 2007 SP2 source hierarchy that you
1221

When the source hierarchy runs Configuration Manager 2007 SP2, select and configure

Action

More information

additional sites in the source hierarchy.

want to collect data from, you must configure credentials for data gathering. When you configure each source site, the data gathering process begins immediately and continues throughout the migration period until you stop data gathering for that site. Data gathering ensures that you can migrate objects from the source hierarchy that are updated or new since a previous data gathering process. Note When the source hierarchy runs System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager, you do not need to configure additional source sites.

Configure distribution point sharing.

You can share distribution points between the two hierarchies to make content for objects that you migrate available to clients in the destination hierarchy. This ensures that the same content remains available for clients in both hierarchies and that you can maintain this content until you stop gathering data and complete the migration. For information about shared distribution points, see the Shared Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic.

Create and run migration jobs to migrate Create migration jobs to migrate objects objects associated with the clients in the source between hierarchies. The required hierarchy. configurations for each migration job can vary depending on what data the job migrates. For example, when you migrate content, regardless of the migration job you use, you must assign a site in the destination hierarchy to own management of that content. The assigned site will access the original source file
1222

Action

More information

location for the content and is responsible for distributing that content to distribution points in the destination hierarchy. For more information, see the Create and Edit Migration Jobs for System Center 2012 Configuration Manager section in the Operations for Migrating to System Center 2012 Configuration Manager topic. Migrate clients to the destination hierarchy. The process of migrating clients depends on your migration scenario: When you migrate clients that have a client version that is not the same as the destination hierarchy, the client software must upgrade. Upgrade requires the removal of the current Configuration Manager client, followed by the installation of the new client version that matches the destination site. When you migrate clients that have a client version that matches the version of the destination hierarchy, the client does not upgrade or reinstall. Instead, the client reassigns to a primary site in the destination hierarchy.

When you migrate a client to the destination hierarchy, the client is associated with its data that you previously migrated to that destination hierarchy. For more information, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Upgrade or reassign shared distribution points. When you no longer have to support clients in your source hierarchy, you can upgrade shared distribution points from a Configuration Manager 2007 source site, or reassign shared distribution points from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source site. When you upgrade or reassign a distribution point, the site system role transfers to a primary site in the destination hierarchy and the distribution
1223

Action

More information

point is removed from the source site in the source hierarchy. When you upgrade or reassign a shared distribution point the content remains on the distribution point computer and you do not have to redeploy the content to new distribution points in the destination hierarchy. You can also upgrade a distribution point that is co-located on a Configuration Manager 2007 secondary site server. This removes the secondary site and results in only a distribution point in the destination hierarchy. For information about shared distribution points, see the Shared Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. Complete migration. After you have migrated data and clients from all sites in the source hierarchy, and you have upgraded applicable distribution points, you can complete migration. To complete migration you stop gathering data for each source site in the source hierarchy. You can then remove migration information that you do not need and decommission your source hierarchy infrastructure. For more information, see Planning to Complete Migration in System Center 2012 Configuration Manager.

See Also
Planning for Migration to System Center 2012 Configuration Manager

1224

Determine Whether to Migrate Configuration Manager 2007 to System Center 2012 Configuration Manager
In Microsoft System Center 2012 Configuration Manager, the built-in migration functionality replaces in-place upgrades of existing Configuration Manager infrastructure by providing a process that transfers data from active Configuration Manager 2007 sites. The functionality provided by migration helps you maintain investments that you have made in configurations and deployments while you can take full advantage of core changes in the product introduced in System Center 2012 Configuration Manager. These changes include a simplified Configuration Manager hierarchy that uses fewer sites and resources, and the improved processing by use of native 64-bit code that runs on 64-bit hardware. Migration can transfer most data from Configuration Manager 2007. If you do not migrate Configuration Manager 2007 to System Center 2012 Configuration Manager, or if you migrate data and want to maintain objects that migration does not migrate, you must re-create nonmigrated objects in the new System Center 2012 Configuration Manager hierarchy. Use the following sections to help you plan for data you can or cannot migrate to System Center 2012 Configuration Manager: Data That You Can Migrate to Configuration Manager 2012 Data That You Cannot Migrate to Configuration Manager 2012

Data That You Can Migrate to Configuration Manager 2012

Migration can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager. The migrated instances of some objects must be modified to conform to the System Center 2012 Configuration Manager schema and object format. These modifications do not affect the data in the Configuration Manager 2007 database. You can migrate the following types of objects: Collections Advertisements Boundaries Software distribution packages Virtual application packages Software Updates: Deployments Deployment packages Templates Software update lists
1225

Operating System Deployment: Boot images Driver packages Drivers Images Packages Task sequences Configuration baselines Configuration items

Desired Configuration Management:

Asset Intelligence customizations Software metering rules

Data That You Cannot Migrate to Configuration Manager 2012

Migration cannot successfully convert some Configuration Manager 2007 objects and data to the System Center 2012 Configuration Manager database schema during migration. These objects and data must be recreated in the System Center 2012 Configuration Manager database. You cannot migrate the following types of objects: Queries Security rights and instances for the site and objects Configuration Manager 2007 reports from SQL Server Reporting Services Configuration Manager 2007 web reports Client inventory and history data AMT client provisioning information Files in the client cache

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager

Before you configure a migration job in your System Center 2012 Configuration Manager environment, you must configure a source hierarchy and gather data from at least one source site in that hierarchy. Use the following sections to help you plan for configuring source hierarchies,
1226

configuring source sites, and determining the way in which Configuration Manager gathers information from the source sites in the source hierarchy. Migration Source Hierarchies Migration Source Sites Migration Data Gathering

Migration Source Hierarchies

A source hierarchy is a Configuration Manager hierarchy that contains data that you want to migrate. When you configure migration and specify a source hierarchy, you specify the top-level site of the source hierarchy. This site is also called a source site. Additional sites that you can migrate data from in the source hierarchy are also called source sites. When you configure a migration job to migrate data from a Configuration Manager 2007 source hierarchy, you configure it to migrate data from one or more specific source sites in the source hierarchy. When you configure a migration job to migrate data from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy, you only need to specify the top-level site. You can configure only one source hierarchy at a time. If you configure a new source hierarchy, that hierarchy automatically becomes the current source hierarchy replacing the previous source hierarchy. When you configure a source hierarchy you must specify the top-level site of the source hierarchy specify credentials for Configuration Manager to use to connect to the SMS Provider and site database of that source site. Configuration Manager uses these credentials to run data gathering to retrieve information about the objects and distribution points from the source site. As part of the data gathering process, child sites in the source hierarchy are identified. If the source hierarchy is a Configuration Manager 2007 hierarchy, you can then configure those additional sites as source sites, with separate credentials for each source site. Although you can configure multiple source hierarchies in succession, migration is active for only one source hierarchy at a time. If you configure an additional source hierarchy before you complete migration from the current source hierarchy, Configuration Manager cancels any active migration jobs and postpones any scheduled migration jobs for the current source hierarchy. The newly configured source hierarchy then becomes the current source hierarchy. You can then configure connection credentials, additional source sites, and migration jobs for the new source hierarchy. The original source hierarchy is now inactive. If you restore an inactive source hierarchy, and you have not previously used the Cleanup Migration Data action, you can view the previously configured migration jobs for that source hierarchy. However, before you can continue migration from that hierarchy, you must reconfigure the credentials to connect to applicable source sites in the hierarchy, and then reschedule any migration jobs that did not finish. Caution If you migrate data from more than a single source hierarchy, each additional source hierarchy must contain a unique set of site codes.
1227

For more information about configuring a source hierarchy, see the Configuring a Source Hierarchy for Migration section of the Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager topic.

Migration Source Sites

Source sites are the sites in the source hierarchy that have the data that you want to migrate. The top-level site of the source hierarchy is always the first source site. When migration collects data from the first source site of a new source hierarchy, it discovers information about additional sites in that hierarchy. After data gathering completes for the initial source site, the actions you take next depend on the product version of the source hierarchy.

Configuration Manager 2007 SP2 Source Sites

After data is gathered from the initial source site of the Configuration Manager 2007 SP2 hierarchy, you do not have to configure additional source sites before you create migration jobs. However, before you can migrate data from additional sites, you must configure additional sites as source sites, and Configuration Manager must successfully gather data from those sites. To gather data from additional sites, you individually configure each site as a source site. This requires you to specify the credentials for Configuration Manager to connect to the SMS Provider and site database of each site. After you configure the credentials for a source site, the data gathering process for that site begins. When you configure additional source sites in a Configuration Manager 2007 SP2 source hierarchy, you must configure source sites from the top down, which means you configure the bottom-tier sites last. You can configure source sites in a branch of the hierarchy at any time, but you must configure a site as a source site before you configure any of its child sites as source sites. Note Only primary sites in a Configuration Manager 2007 SP2 hierarchy are supported for migration.

System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager Source Sites
After data is gathered from the initial source site of the System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configuration Manager hierarchy, you do not have to configure additional source sites to migrate data from the source hierarchy. This is because these versions of Configuration Manager use a shared database and the shared database allows you to identify and then migrate all available objects from the initial source site. However, when you configure the access accounts to gather data, you might need to grant the Source Site SMS Provider Account access to multiple computers in the source hierarchy. This
1228

is because System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager sites support multiple instances of the SMS Provider, each on a different computer. When data gathering begins, the top-level site of the destination hierarchy contacts the top-level site in the source hierarchy to identify the locations of the SMS Provider for that site. Only the first instance of the SMS provider is identified. If the data gathering process cannot access the SMS Provider at the location it identifies, the process fails and does not try to connect to additional computers that run an instance of SMS Provider for that site.

Migration Data Gathering

Immediately after you specify a source hierarchy, configure credentials for each additional source site in a source hierarchy, or share the distribution points for a source site, Configuration Manager starts to gather data from the source site. The data gathering process then repeats itself on a simple schedule to maintain synchronization with any changes to data in the source site. By default, the process repeats every four hours. You can modify the schedule for this cycle by editing the Properties of the source site. The initial data gathering process must review all objects in the Configuration Manager database and can take time to finish. Subsequent data gathering processes identify only changes to the data and require less time to finish. To gather data, the top-level site in the destination hierarchy connects to the SMS Provider and the site database of the source site to retrieve a list of objects and distribution points. These connections use the source site access accounts. For information about required configurations for gathering data, see Prerequisites for Migration in System Center 2012 Configuration Manager. You can start and stop the data gathering process by using the Gather Data Now, and Stop Gathering Data actions in the Configuration Manager console. After you use the Stop Gathering Data option for a source site for any reason, you must reconfigure credentials for the site before you can gather data from that site again. Until you reconfigure the source site, Configuration Manager cannot identify new objects or changes to previously migrated objects at that site. Note Before you expand a stand-alone primary site into a hierarchy with a central administration site, you must stop all Data Gathering. You can reconfigure Data Gathering after the site expansion completes.

Gather Data Now

After the initial data gathering process runs for a site, this process repeats itself to identify objects that have updated since the last data gathering cycle. You can also use the Gather Data Now action in the Configuration Manager console to immediately start the process and to reset the start time of the next cycle. After a data gathering process successfully finishes for a source site, you can share the distribution points from the source site and configure migration jobs to migrate data from the site.
1229

Data gathering is a repeating process for migration and continues until you change the source hierarchy, or use the Stop Gathering Data action to end the data gathering process for that site.

Stop Gathering Data

You can use the Stop Gathering Data action to end the data gathering process for a source site when you no longer want Configuration Manager to identify new or changed objects from that site. This action also prevents Configuration Manager from offering clients in the destination hierarchy any shared distribution points from the source as content locations for the content that you have migrated. To stop gathering data from each source site, you must perform the Stop Gathering Data action on the bottom-tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data gathering at each child site before performing this action at a parent site. Typically, you only stop gathering data when you are ready to complete the migration process. After you stop gathering data for a source site, information previously gathered about object and collections from that site remain available to use when you configure new migration jobs. However, you do not see any new objects or collections, or see changes that were made to existing objects. If you reconfigure the source site and begin gathering data again, you will see information and status about previously migrated objects.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Migration Job Strategy in System Center 2012 Configuration Manager

Use migration jobs to configure the specific data that you want to migrate to your System Center 2012 Configuration Manager environment. Migration jobs identify the objects that you plan to migrate, and they run at the top-level site in your destination hierarchy. You can configure one or more migration jobs per source site. This allows you to migrate all objects at one time or limited subsets of data with each job. You can create migration jobs after Configuration Manager has successfully gathered data from one or more sites from the source hierarchy. You can migrate data in any sequence from the source sites that have gathered data. With a Configuration Manager 2007 source site, you can migrate data only from the site where an object was created. With System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source sites, all data that you can migrate is available at the top-level site of the source hierarchy. Before you migrate clients between hierarchies, ensure that the objects that clients use have migrated and that these objects are available in the destination hierarchy. For example, when you
1230

migrate from a Configuration Manager 2007 SP2 source hierarchy, you might have an advertisement for content that is deployed to a custom collection that contains a client. In this scenario you should migrate the collection, the advertisement, and the associated content before you migrate the client. This is because, when the content, collection and advertisement are not migrated before the client migrates, this data cannot be associated with the client in the destination hierarchy. If a client is not associated with the data related to a previously run advertisement and content, the client can be offered the content for installation in the destination hierarchy, which might be unnecessary. When the client migrates after the data has migrated, the client is associated with this content and advertisement, and unless the advertisement is recurring, is not offered this content for the migrated advertisement again. Some objects require more than the migration of data from the source hierarchy to the destination hierarchy. For example, to successfully migrate software updates for your clients to your destination hierarchy, in the destination hierarchy you must deploy an active software update point, configure the catalog of products, and synchronize the software update point with a Windows Server Update Services (WSUS). Use the following sections to help you plan your migration jobs. Types of Migration Jobs General Planning for All Migration Jobs Planning for Collection Migration Jobs Planning for Object Migration Jobs Planning for Previously Migrated Object Migration Jobs

Types of Migration Jobs

Configuration Manager supports the following types of migration jobs. Each job type is designed to help define the objects that you can include in that job.
Migration job type Source hierarchy More information

Collection migration

Supported for migration from the following source hierarchies: Configuration Manager 2007 SP2

Migrate objects that are related to collections you select. By Default, collection migration includes all objects that are associated with members of the collection. You can exclude specific object instances when you use a collection migration job. Migrate individual objects that you select. You select only the specific data that
1231

Object migration

Supported for migration from the following source hierarchies: Configuration Manager

Migration job type

Source hierarchy

More information

2007 SP2 Previously migrated object migration System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

you want to migrate.

Supported for migration from the following source hierarchies: Configuration Manager 2007 SP2 System Center 2012 Configuration Manager SP1 System Center 2012 R2 Configuration Manager

Migrate objects that you previously migrated, when those objects have updated in the source hierarchy after they were last migrated.

Objects That You Can Migrate

Not every object can migrate by a specific type of migration job. The following table identifies the type of objects that you can migrate with each type of migration job. Note Collection migration jobs are available only when you migrate objects from a Configuration Manager 2007 SP2 source hierarchy.
Object type Collection migration Object migration and previously migrated object migration

Advertisements (Available to migrate from supported Configuration Manager 2007 source sites) Asset Intelligence catalog Asset Intelligence hardware requirements Asset Intelligence software list Boundaries Configuration baselines Configuration items

Yes

No

No No No No Yes Yes

Yes Yes Yes Yes Yes Yes

1232

Object type

Collection migration

Object migration and previously migrated object migration

Maintenance windows Operating system deployment boot images Operating system deployment driver packages Operating system deployment drivers Operating system deployment images Operating system deployment packages Software distribution packages Software metering rules Software update deployment packages Software update deployment templates Software update deployments Software update lists Task sequences Virtual application packages

Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes No Yes Yes

No Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Important Although you can migrate a virtual application package by using object migration, the packages cannot be migrated by using the migration job type of Previously Migrated Object Migration. Instead, you must delete the migrated virtual
1233

Object type

Collection migration

Object migration and previously migrated object migration

application package from the destination site and then create a new migration job to migrate the virtual application.

General Planning for All Migration Jobs

Use the Create Migration Job Wizard to create a migration job to migrate objects to your destination hierarchy. The type of the migration job that you create determines which objects are available to migrate. You can create and use multiple migration jobs to migrate data from the same source site, or from multiple source sites. The use of one type of migration job does not block the use of a different type of migration job. After a migration job runs successfully, its status is listed as Completed and it cannot be run again. However, you can create a new migration job to migrate any of the objects that were migrated by the original job, and the new migration job can include additional objects as well. When you create additional migration jobs the objects that have been previously migrated display with the state of Migrated. You can select these objects to migrate them again; however, unless the object has been updated in the source hierarchy, migrating these objects again is not necessary. If the object has been updated in the source hierarchy after it was originally migrated, you can identify that object when you use the migration job type of Objects modified after migration. You can delete a migration job before it runs. However, after a migration job completes, it remains visible in the Configuration Manager console and cannot be deleted. Each migration job that has completed or has not yet run remains visible in the Configuration Manager console until you complete the migration process and clean up migration data. Note After you have completed migration by using the Clean Up Migration Data action, you can reconfigure the same hierarchy as the current source hierarchy to restore visibility to the objects you previously migrated. You can view the objects contained in any migration job in the Configuration Manager console by selecting the migration job, and then clicking the Objects in Job tab. Use the information in the following sections to help you plan for all migration jobs.

Data Selection
When you create a collection migration job, you must select one or more collections. After you select the collections the Create Migration Job Wizard displays the objects that are associated with the collections. By default, all objects associated with the selected collections are migrated,
1234

but you can clear the objects that you do not want to migrate with that job. When you clear an object that has dependent objects, those dependent objects are also cleared. All cleared objects are added to an exclusion list. Objects on an exclusion list are removed from automatic selection for future migration jobs. You must manually edit the exclusion list to remove objects that you want to have automatically selected for migration in migration jobs you create in the future.

Site Ownership for Migrated Content

When you migrate content for deployments, you must assign the content object to a site in the destination hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level site of your destination hierarchy is the site that actually migrates the metadata for content, it is the assigned site that accesses the original source files for the content across the network. To minimize the network bandwidth that is used during migration, consider transferring ownership of content to the closest available site. Because information about the content is shared globally in System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager, it will be available at every site. Although information about content is shared to all sites in the destination hierarchy by using database replication, any content that you assign to a primary site and then deploy to distribution points at other primary sites, transfers by using file-based replication. This transfer is routed through the central administration site and then to each additional primary site. By centralizing packages that you plan to distribute to multiple primary sites before or during migration when you assign a site as the content owner, you can reduce data transfers across low bandwidth networks.

Configure Role-based Administration Security Scopes for Migrated Data

When you migrate data to a destination hierarchy, you must assign one or more role-based administration security scopes to the objects whose data is migrated. This ensures that only the appropriate administrative users have access to this data after it is migrated. The security scopes that you specify are defined by the migration job and are applied to each object that is migrated by that job. If you require different security scopes to be applied to different sets of objects, and you want to assign those scopes during migration, you must migrate the different sets of objects by using different migration jobs. Before you configure a migration job, review how role-based administration works in System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager, and if necessary, configure one or more security scopes for the data that you migrate to control who will have access to the migrated objects in the destination hierarchy. For more information about security scopes and role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

1235

Review Migration Actions

When you configure a migration job, the Create Migration Job Wizard displays a list of actions that you must take to ensure a successful migration and a list of actions that Configuration Manager takes during the migration of the selected data. Review this information carefully to verify the expected outcome.

Scheduling Migration Jobs

By default, a migration job runs immediately after it is created. However, you can specify when the migration job runs when you create the job or later by editing the properties of the job. You can schedule the migration job to run at the following times. Run the job now Run the job at a specific start time Not run the job

Specify Conflict Resolution for Migrated Data

By default, migration jobs do not overwrite data in the destination database, unless you configure the migration job to skip or overwrite data that has previously been migrated to the destination database.

Planning for Collection Migration Jobs

Collection migration jobs are available only when you migrate data from a source hierarchy that runs a supported version of Configuration Manager 2007. You must specify one or more collections to migrate when you migrate by collection. For each collection that you specify, the migration job automatically selects all related objects for migration. For example, if you select a specific collection of users, the collection members are then identified, and you can migrate the deployments associated with that collection. Optionally, you can select other deployment objects to migrate that are associated with those members. All these selected items are added to the list of objects that can be migrated. When you migrate a collection, Configuration Manager also migrates collection settings including maintenance windows and collection variables, but cannot migrate collection settings for AMT client provisioning. Use the information in the following sections to understand additional configurations that can apply to collection-based migration jobs.

Excluding Objects from Collection Migration Jobs

You can exclude specific objects from a collection migration job. When you exclude a specific object from a collection migration job, that object is added to a global exclusion list that contains all the objects that you have excluded from migration jobs created for any source site in the

1236

current source hierarchy. Objects on the exclusion list are still available for migration in future jobs but are not automatically included when you create a new collection-based migration job. You can edit the exclusion list to remove objects that you have previously excluded. After you remove an object from the exclusion list, it is then automatically selected when an associated collection is specified during the creation of a new migration job.

Unsupported Collections
Configuration Manager can migrate any of the default user collections, device collections, and most custom collections from a Configuration Manager 2007 source hierarchy. However, Configuration Manager cannot migrate collections that contain users and devices in the same collection. The following collections cannot be migrated: A collection that contains users and devices. A collection that contains a reference to a collection of a different resource type. For example, a device-based collection that has either a subcollection or a link to a user-based collection. In this example only the top-level collection migrates. A collection that contains a rule to include unknown computers. The collection migrates, but the rule to include unknown computers does not migrate.

Empty Collections
An empty collection is a collection that has no resources associated with it. When Configuration Manager migrates an empty collection, it converts the collection to an organizational folder that contains no users or devices. This folder is created with the name of the empty collection under the User Collections or Device Collections node in the Assets and Compliance workspace in the Configuration Manager console.

Linked Collections and Subcollections

When you migrate collections that are linked to other collections or that have subcollections, Configuration Manager creates a folder under the User Collections or Device Collections node in addition to the linked collections and subcollections.

Collection Dependencies and Include Objects

When you specify a collection to migrate in the Create Migration Job Wizard, any dependent collections are automatically selected to be included with the job. This behavior ensures that all necessary resources are available after migration. For example: You select a collection for devices that run Windows 7 and that is named Win_7. This collection is limited to a collection that contains all your client operating systems and that is named All_Clients. The collection All_Clients will be automatically selected for migration.

1237

Collection Limiting
Because System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager collections are global data and are evaluated at each site in the hierarchy, plan how to limit the scope of a collection after it is migrated. During migration, you can identify a collection from the destination hierarchy to use to limit the scope of the collection that you are migrating so that the migrated collection does not include unanticipated members. For example, in Configuration Manager 2007, collections are evaluated at the site that creates them, and at child sites. An advertisement might be deployed to only a child site, and this would limit the scope for that advertisement to that child site. In comparison, System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager evaluate collections at every site, and associated advertisements are then evaluated for each site. Collection limiting lets you refine the collection members based on another collection to avoid the addition of unexpected collection members.

Site Code Replacement

When you migrate a collection that contains criteria that identifies a Configuration Manager 2007 site, you must specify a specific site in the destination hierarchy. This ensures that the migrated collection remains functional in your destination hierarchy and does not increase in scope.

Specify Behavior for Migrated Advertisements

By default, collection-based migration jobs disable advertisements that migrate to the destination hierarchy. This includes any programs that are associated with the advertisement. When you create a collection-based migration job that contains advertisements, you see the Enable programs for deployment in Configuration Manager 2012 after an advertisement is migrated option on the Settings page of the Create Migration Job Wizard. If you select this option, programs that are associated with the advertisements are enabled after they have migrated. As a best practice, do not select this option and instead, enable the programs after they have migrated when you can verify the clients that will receive them. Note You see the Enable programs for deployment in Configuration Manager 2012 after an advertisement is migrated option only when you create a collection-based migration job, and the migration job contains advertisements. To enable a program after migration, clear the option Disable this program on computers where it is advertised on the Advanced tab of the program properties.

Planning for Object Migration Jobs

Unlike collection migration, you must select each object and object instance that you want to migrate. You can select the individual objects, such as advertisements from a Configuration Manager 2007 hierarchy or a publication from a System Center 2012 Configuration Manager or
1238

System Center 2012 R2 Configuration Manager hierarchy, to add to the list of objects to migrate for a specific migration job. Any objects that you do not add to the migration list are not migrated to the destination site by the object migration job. Object-based migration jobs do not have any additional configurations to plan for beyond those applicable to all migration jobs.

Planning for Previously Migrated Object Migration Jobs

When an object that you have already migrated to the destination hierarchy is updated in the source hierarchy, you can migrate that object again by using the Objects modified after migration job type. For example, when you rename, or update the source files for a package in the source hierarchy, the package version increments in the source hierarchy. After the package version increments, the package can be identified for migration by this job type. This job type is similar to the object migration type except that when you select objects to migrate, you can only select from objects that have been updated after they were migrated by a previous migration job. When you select this job type, the conflict resolution behavior on the Settings page of the Create Migration Job Wizard is configured to overwrite previously migrated objects, and this setting cannot be changed. Note This migration job can identify objects that are automatically updated by the source hierarchy and objects that an administrative user updates.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Client Migration Strategy in System Center 2012 Configuration Manager

To migrate clients from the source hierarchy to a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager destination hierarchy, you must perform two tasks. You must migrate the objects that are associated with the client and you must then reinstall or reassign the clients from the source hierarchy to the destination hierarchy. You migrate the objects first so that they are available when the clients are migrated. The objects associated with the client are migrated by using migration jobs. For information about how to migrate the objects that are associated with the client, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager.
1239

Use the following sections to help you plan to migrate clients to the destination hierarchy. Planning How to Migrate Clients to the Destination Hierarchy Planning How to Handle Data Maintained on Clients During Migration Planning for Handling Inventory and Compliance Data During Migration

Planning How to Migrate Clients to the Destination Hierarchy

When you migrate clients from a source hierarchy, the client software on the client computer updates to match the product version of the destination hierarchy: Configuration Manager 2007 source hierarchy: When you migrate clients from a source hierarchy that runs a supported version of Configuration Manager 2007, the client software upgrades to the client version for the destination hierarchy. System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configuration Manager source hierarchy: When you migrate clients between hierarchies that are of the same product version, the client software does not change or upgrade. Instead, the client reassigns from the source hierarchy to a site in the destination hierarchy. Note When the product version of a hierarchy is not supported for migration to your destination hierarchy, upgrade all sites and clients in the source hierarchy to a compatible product version. After the source hierarchy upgrades to a supported product version, you can migrate between the hierarchies. For more information, see the Versions of Configuration Manager That Are Supported for Migration section in the Prerequisites for Migration in System Center 2012 Configuration Manager topic. Use the following information to help you plan the client migration: To upgrade or reassign clients from a source site to a destination site, you can use any client deployment method that is supported for deploying clients in the destination hierarchy. Typical client deployment methods include client push installation, software distribution, Group Policy, and software update-based client installation. For more information, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. Ensure the device that runs the client software in the source hierarchy meets the minimum hardware requirements and runs an operating system that is supported by the version of Configuration Manager in the destination hierarchy. Before you migrate a client, run a migration job to migrate the information the client will use in the destination hierarchy. Clients that upgrade retain their run history for deployments to prevent deployments from rerunning unnecessarily in the destination hierarchy: For Configuration Manager 2007 clients, advertisement run history is retained. For System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager clients, deployment run history is retained.
1240

You can migrate clients from sites in the source hierarchy in any order that you choose. However, consider migrating limited numbers of clients in phases, rather than large numbers of clients at a single time. A phased migration reduces the network bandwidth requirements and server processing when each newly upgraded client submits its initial full inventory and compliance data to its assigned site. When you migrate Configuration Manager 2007 clients, the existing client software is uninstalled from the client computer, and the new client software is installed. Configuration Manager cannot migrate a Configuration Manager 2007 client that has the AppV client installed, unless the App-V client version is 4.6 SP1 or later.

You can monitor the client migration process in the Migration node of the Administration workspace in the Configuration Manager console. After you migrate the client to the destination hierarchy, you can no longer manage that device by using your source hierarchy and should consider removing the client from the source hierarchy. Although this is not a requirement when you migrate hierarchies, it can help prevent identification of a migrated client in a source hierarchy report, or an incorrect count of resources between the two hierarchies during the migration. For example, when a migrated client remains in the source site database, you might run a software updates report that incorrectly identifies the computer as an unmanaged resource when it is now managed by the destination hierarchy.

Planning How to Handle Data Maintained on Clients During Migration

When you migrate a client from its source hierarchy to the destination hierarchy, some information is retained on the device, while other information is not available on the device after migration. The following information is retained on the client device: The unique identifier (GUID), which associates a client with its information in the Configuration Manager database. The advertisement or deployment history, which prevents clients from unnecessarily rerunning advertisements or deployments in the destination hierarchy. The files in the client cache. If the client requires these files to install software, the client downloads them again from the destination hierarchy. Information from the source hierarchy about any advertisements or deployments that have not yet run. If you want the client to run the advertisements or deployments after it migrates, you must redeploy them to the client in the destination hierarchy. Information about inventory. The client resends this information to its assigned site in the destination hierarchy after the client migrates, and the new client data has been generated. Compliance data. The client resends this information to its assigned site in the destination hierarchy after the client migrates, and the new client data has been generated.

The following information is not retained on the client device:

1241

When a client migrates, information that is stored in the Configuration Manager client registry and file path is not retained. After migration, reapply these settings. Typical settings include the following: Power schemes Logging settings Local policy settings

Additionally, you might have to reinstall some applications.

Planning for Handling Inventory and Compliance Data During Migration

Client inventory and compliance data is not saved when you migrate a client to the destination hierarchy. Instead, this information is recreated in the destination hierarchy when a client first sends its information to its assigned site. To help reduce the resulting network bandwidth requirements and server processing, consider migrating a small number of clients in phases rather than migrating a large number of clients at a single time. Additionally, you cannot migrate customizations for hardware inventory from a source hierarchy. You must introduce these to the destination hierarchy independently from migration. For information about how to extend hardware inventory, see How to Extend Hardware Inventory in Configuration Manager.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager
While you are actively migrating data to a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager destination hierarchy, Configuration Manager clients in both hierarchies can maintain access to content that you deployed in the source hierarchy. Additionally, you can use migration to upgrade or reassign distribution points from the source hierarchy to become distribution points in the destination hierarchy. When you share and upgrade or reassign distribution points, this strategy can help you avoid having to redeploy content to new servers in the destination hierarchy for the clients that you migrate. Although you can recreate and distribute content in the destination hierarchy, you can also use the following options to manage this content: Share distribution points in the source hierarchy with clients in the destination hierarchy.
1242

Upgrade stand-alone Configuration Manager 2007 distribution points or Configuration Manager 2007 secondary sites in the source hierarchy to become distribution points in the destination hierarchy. Reassign distribution points from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy to a site in the destination hierarchy. Share Distribution Points Between Source and Destination Hierarchies Planning to Upgrade Configuration Manager 2007 Shared Distribution Points Distribution Point Upgrade Process Planning to Upgrade Configuration Manager 2007 Secondary Sites Distribution Point Reassignment Process

Use the following sections to help you plan for content deployment during migration:

Planning to Reassign System Center 2012 Configuration Manager Distribution Points Content Ownership when Migrating Content

Share Distribution Points Between Source and Destination Hierarchies

During migration, you can share distribution points from a source hierarchy with the destination hierarchy. You can use shared distribution points to make content that you have migrated from a source hierarchy immediately available to clients in the destination hierarchy without having to recreate that content, and then distribute it to new distribution points in the destination hierarchy. When clients in the destination hierarchy request content that is deployed to distribution points that you have shared, the shared distribution points can be offered to the clients as valid content locations. In addition to being a valid content location for clients in the destination hierarchy as long as migration from the source hierarchy remains active, it is possible to upgrade or reassign a distribution point to the destination hierarchy. You can upgrade Configuration Manager 2007 shared distribution points and reassign System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager shared distribution points. When you upgrade or reassign a shared distribution point, the distribution point is removed from the source hierarchy and becomes a distribution point in the destination hierarchy. After you upgrade or reassign a shared distribution point, you can continue to use the distribution point in the destination hierarchy after migration from the source hierarchy is finished. For more information about how to upgrade a shared distribution point, see Planning to Upgrade Configuration Manager 2007 Shared Distribution Points. For information about how to reassign a shared distribution point, see Planning to Reassign System Center 2012 Configuration Manager Distribution Points. You can choose to share distribution points from any source site in your source hierarchy. When you share distribution points for a source site, each qualifying distribution point at that primary site and at each of the primary sites child secondary sites are shared. To qualify to be a shared distribution point, the site system server that hosts the distribution point must be configured with a
1243

fully qualified domain name (FQDN). Any distribution points that are configured with a NetBIOS name are disregarded. Tip Configuration Manager 2007 does not require you to configure an FQDN for site system servers. Use the following information to help you plan for shared distribution points: Distribution points that you share must meet the prerequisites for shared distribution points. For information about these prerequisites, see the Required Configurations for Migration section in the Prerequisites for Migration in System Center 2012 Configuration Manager topic. The share distribution point action is a site-wide setting that shares all qualifying distribution points at a source site and at any direct child secondary sites. You cannot select individual distribution points to share when you enable distribution point sharing. Clients in the destination hierarchy can receive content location information for packages that are distributed to distribution points that are shared from the source hierarchy. For distribution points from a Configuration Manager 2007 source hierarchy, this includes branch distribution points, distribution points on server shares, and standard distribution points. Caution If you change the source hierarchy, shared distribution points from the original source hierarchy are no longer available and cannot be offered as content locations to clients in the destination hierarchy. If you reconfigure migration to use the original source hierarchy, the previously shared distribution points are restored as valid content location servers. When you migrate a package that is hosted on a shared distribution point, the package version must remain the same in the source and destination hierarchies. When a package version is not the same in the source and destination hierarchy, clients in the destination hierarchy cannot retrieve that content from the shared distribution point. Therefore, if you update a package in the source hierarchy, you must re-migrate the package data before clients in the destination hierarchy can retrieve that content from a shared distribution point. Note When you view details for a package that is hosted on a shared distribution point, the number of packages that display as Hosted Migrated Packages on the source sites Shared Distribution Points tab is not updated until the next data gathering cycle is finished. You can view shared distribution points and their properties in the Source Hierarchy node of the Administration workspace in the Configuration Manager console that connects to the destination hierarchy. You cannot use a shared distribution point from a Configuration Manager 2007 source hierarchy to host packages for Microsoft Application Virtualization (App-V). App-V packages must migrate and be converted for use by clients in the destination hierarchy. However, you can use a shared distribution point from a System Center 2012 Configuration Manager or
1244

System Center 2012 R2 Configuration Manager source hierarchy to host App-V packages for clients in a destination hierarchy. When you share a protected distribution point from a Configuration Manager 2007 source hierarchy, the destination hierarchy creates a boundary group that includes the protected network locations of that distribution point. You cannot modify this boundary group in the destination hierarchy. However, if you change the protected boundary information for the distribution point in the Configuration Manager 2007 source hierarchy, that change is reflected in the destination hierarchy after the next data gathering cycle finishes. Note Because System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager sites use the concept of preferred distribution points instead of protected distribution points, this condition only applies to distribution points that are shared from Configuration Manager 2007 source sites. Before you share distribution points from a source site, the eligible distribution points are not visible in the Configuration Manager console. After you share distribution points, only the distribution points that are successfully shared are listed. After you have shared distribution points, you can change the configuration of any shared distribution point in the source hierarchy. Changes that you make to the configuration of a distribution point are reflected in the destination hierarchy after the next data gathering cycle. Distribution points that you updated to qualify for sharing are shared automatically, while those that no longer qualify stop sharing distribution points. For example, you might have a distribution point that is not configured with an intranet FQDN and was not initially shared with the destination hierarchy. After you configure the FQDN for that distribution point, the next data gathering cycle identifies this configuration, and the distribution point is then shared with the destination hierarchy.

Planning to Upgrade Configuration Manager 2007 Shared Distribution Points

When you migrate from a Configuration Manager 2007 source hierarchy, you can upgrade a shared distribution point to make it a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager distribution point. You can upgrade distribution points at both primary sites and secondary sites. The upgrade process removes the distribution point from the Configuration Manager 2007 hierarchy and makes it a site system server in the destination hierarchy. This process also copies the existing content that is on the distributing point to a new location on the distribution point computer. The upgrade process then modifies the copy of the content to create the single instance store for use with content deployment in the destination hierarchy. Therefore, when you upgrade a distribution point, you do not have to redistribute migrated content that was hosted on the Configuration Manager 2007 distribution point. After Configuration Manager converts the content to the single instance store, the following action is taken depending on the version of the Configuration Manager destination hierarchy:

1245

A hierarchy that runs System Center 2012 Configuration Manager with no service pack leaves the original source content intact on the distribution point computer. Beginning with System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager, Configuration Manager deletes the original source content on the distribution point computer to free up disk space and does not use the original source content location.

Not all Configuration Manager 2007 distribution points that you can share are eligible for upgrade to System Center 2012 Configuration Manager. To be eligible for upgrade, a Configuration Manager 2007 distribution point must meet the conditions for upgrade that include the site system server on which the distribution point is installed, and the type of Configuration Manager 2007 distribution point that is installed. For example, you cannot upgrade any type of distribution point that is installed on the site server computer at a primary site, but you can upgrade a standard distribution point that is installed on the site server computer at a secondary site. Note You can upgrade only those Configuration Manager 2007 shared distribution points that are on a computer that runs an operating system version that is supported for distribution points in the destination hierarchy. For example, although you can share a Configuration Manager 2007 distribution point that is on a computer that runs Windows XP SP2, you cannot upgrade this shared distribution point because the operating system is not supported by System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager for use as a distribution point. The following table lists the supported locations for each type of Configuration Manager 2007 distribution point that can you can upgrade.
Type of distribution point Distribution point on a site system computer other than the site server Distribution point on a site system computer other than the site server and hosting other site system roles Distribution point on a secondary site server

Standard distribution point Distribution point on 1 server shares Branch distribution point
1

Yes Yes Yes

No No No

Yes No No

Beginning with System Center 2012 Configuration Manager, Configuration Manager does not support server shares for site systems but does support the upgrade of a Configuration Manager 2007 distribution point that is on a server share. When you upgrade a Configuration Manager 2007 distribution point that is on a server share, the distribution point type is automatically
1246

converted to a server, and you must select the drive on the distribution point computer that will store the single instance content store. Warning Before you upgrade a branch distribution point, uninstall the Configuration Manager 2007 client software. When you upgrade a branch distribution point that has the Configuration Manager 2007 client software installed, the content that was previously deployed to the computer is removed from the computer, and the upgrade of the distribution point fails. To identify distribution points that are eligible for upgrade in the Configuration Manager console in the Source Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for Upgrade column. When you upgrade a distribution point that is installed on a Configuration Manager 2007 secondary site server, the secondary site is uninstalled from the source hierarchy. Although this scenario is called a secondary site upgrade, this applies only to the distribution point site system role. The result is that the secondary site is not upgraded and instead is uninstalled. This leaves only a distribution point from the destination hierarchy on the computer that was the secondary site server. Because the secondary site is removed from the source hierarchy, if you plan to upgrade the distribution point on a secondary site, see the Planning to Upgrade Configuration Manager 2007 Secondary Sites section in this topic.

Distribution Point Upgrade Process

You can use the Configuration Manager console to upgrade Configuration Manager 2007 distribution points that you have shared with the destination hierarchy. When you upgrade a shared distribution point, the distribution point is uninstalled from the Configuration Manager 2007 site, and then installed as a distribution point that is attached to a primary or secondary site that you specify in the destination hierarchy. The upgrade process creates a copy of the migrated content that is stored on the distribution point, and then converts this copy to the single instance content store. When Configuration Manager converts a package to the single instance content store, it deletes that package from the SMSPKG share on the distribution point computer unless the package has one or more advertisements that are configured to Run program from distribution point. To upgrade the distribution point, Configuration Manager uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. Although this account requires only Read permission for site objects to gather data from the source site, it must also have Delete and Modify permission to the Site class to successfully remove the distribution point from the Configuration Manager 2007 site during the upgrade. Note Configuration Manager can convert content to the single instance store on only one distribution point at a time. When you configure multiple distribution point upgrades, the distribution points are queued for upgrade and processed one at a time.

1247

Before you upgrade a shared distribution point, ensure that all content that is deployed to the distribution point is migrated. Content that you do not migrate before you upgrade the distribution point is not available in the destination hierarchy after the upgrade. When you upgrade a distribution point, the content in the migrated packages is converted into a format that is compatible with the single instance store of the destination hierarchy. To upgrade a distribution point from within the Configuration Manager console, the Configuration Manager 2007 site system server must meet the following conditions: The distribution point configuration and location must be eligible for upgrade. The distribution point computer must have sufficient disk space for the content to be converted from the Configuration Manager 2007 content storage format to the single instance store format. For System Center 2012 Configuration Manager with no service pack, this conversion requires available free disk space equal to two times the size of the existing data on the distribution point. Beginning with System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager, this conversion requires available free disk space equal to the size of the largest package that is stored on the distribution point. The distribution point computer must run an operating system version that is supported as a distribution point in the destination hierarchy. Note When Configuration Manager checks for the eligibility of a distribution point for upgrade, it does not validate the operating system version of the distribution point computer. To upgrade a distribution point, in the Administration workspace, expand Migration, expand the Source Hierarchy node, and then select the site that contains the distribution point that you want to upgrade. Next, in the details pane, on the Shared Distribution Points tab, select the distribution point that you want to upgrade. You can confirm that the distribution point is ready for upgrade by viewing the status in the Eligible for Reassignment column (Prior to System Center 2012 R2 Configuration Manager, this column is named Eligible for Upgrade). Next, in the Configuration Manager console ribbon, on the Distribution Points tab, in the Distribution Point group, select Reassign (Prior to System Center 2012 R2 Configuration Manager, this button is named Upgrade). This opens a wizard that you use to complete the upgrade of the distribution point. When you upgrade a shared distribution point, you must assign the distribution point to a primary or secondary site of your choice in the destination hierarchy. After the distribution point is upgraded, you manage the distribution point as a distribution point in the destination hierarchy, as you would any other distribution point. You can monitor the progress of a distribution point upgrade in the Configuration Manager console by selecting the Distribution Point Migration node under the Migration node of the Administration workspace (Prior to System Center 2012 R2 Configuration Manager, this node is named Distribution Point Upgrades). You can also view information in the Migmctrl.log on the central administration site server of the destination hierarchy, or in the distmgr.log on the site server in the destination hierarchy that manages the upgraded distribution point.
1248

Note When you upgrade a distribution point to the destination hierarchy, the distribution point site system role is removed from the Configuration Manager 2007 source site; however, packages that were sent to the distribution point are not updated in the Configuration Manager 2007 hierarchy. In the Configuration Manager 2007 console, packages that had been sent to the distribution point continue to list the site system computer as a distribution point with a Type of Unknown. Subsequent updates to the package in Configuration Manager 2007 result in Distribution Manager reporting errors in the distmgr.log for that site when the site attempts to update the package on the unknown site system. If you decide not to upgrade a shared distribution point, you can still install a distribution point from the destination hierarchy on a former Configuration Manager 2007 distribution point. Before you can install the new distribution point, you must first uninstall all Configuration Manager 2007 site system roles from the distribution point computer. This includes the Configuration Manager 2007 site if it is the site server computer. When you uninstall a Configuration Manager 2007 distribution point, content that was deployed to the distribution point is not deleted from the computer.

Planning to Upgrade Configuration Manager 2007 Secondary Sites

When you use migration to upgrade a shared distribution point that is hosted on a Configuration Manager 2007 secondary site server, Configuration Manager not only upgrades the distribution point site system role to be a distribution point in the destination hierarchy, but also uninstalls the secondary site from the source hierarchy. The result is a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager distribution point, but no secondary site. For a distribution point on the site server computer to be eligible for upgrade, Configuration Manager must be able to uninstall the secondary site including each of the site system roles on that computer. Typically, a shared distribution point on a Configuration Manager 2007 server share is eligible for upgrade. However, when a server share exists on the secondary site server, the secondary site and any shared distribution points on that computer are not eligible for upgrade. This is because when the process attempts to uninstall the secondary site, the server share is treated as an additional site system object, and this process cannot uninstall this object. In this scenario, you can enable a standard distribution point on the secondary site server and then redistribute the content to that standard distribution point. This does not use network bandwidth, and when completed, you can uninstall the distribution point on the server share, remove the server share, and then upgrade the distribution point and secondary site. Before you upgrade a shared distribution point, review the distribution point configuration in Configuration Manager 2007 to avoid upgrading a distribution point on a secondary site that you still want to use with Configuration Manager 2007. This is because after you upgrade a shared distribution point that is on a secondary site server, the site system server is removed from the
1249

Configuration Manager 2007 hierarchy and is no longer available for use with that hierarchy. When the secondary site is removed, any remaining distribution points at that secondary site are orphaned. This means they become unmanaged from Configuration Manager 2007 and are no longer shared or eligible for upgrade. Caution When you view shared distribution points in the Configuration Manager console, there is no visible indication that a shared distribution point is on a remote site system server or whether it is located on the secondary site server. Consider upgrading secondary sites that have a shared distribution point when you have a secondary site in a remote network location that is used primarily to control the deployment of content to that remote location. Because you can configure bandwidth control for when you distribute content to a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager distribution point, you can often upgrade a secondary site to a distribution point, configure the distribution point for v, and avoid installing a secondary site in that network location in the destination hierarchy. The process to upgrade a shared distribution point on a secondary site server operates the same as any other shared distribution point upgrade. Content is copied and converted to the single instance store in use by the destination hierarchy. However, when you upgrade a shared distribution point that is on a secondary site server the upgrade process also uninstalls the management point, if it is present, and then uninstalls the secondary site from the server. The result is that the secondary site is removed from the Configuration Manager 2007 hierarchy. To uninstall the secondary site, Configuration Manager uses the account that is configured to gather data from the source site. During the upgrade, there is a delay between when the Configuration Manager 2007 secondary site is uninstalled and the when the installation of the distribution point in the destination hierarchy begins. The data gathering cycle determines this delay of up to four hours. The delay is intended to provide time for the secondary site to uninstall before the new distribution point installation begins. For more information about how to upgrade a shared distribution point, see Planning to Upgrade Configuration Manager 2007 Shared Distribution Points.

Planning to Reassign System Center 2012 Configuration Manager Distribution Points

When you migrate from a supported version of System Center 2012 Configuration Manager to a hierarchy of the same version, you can reassign a shared distribution point from the source hierarchy to a site in the destination hierarchy. This is similar to the concept of upgrading a Configuration Manager 2007 distribution point to become a distribution point in the destination hierarchy. You can reassign distribution points from both primary sites and secondary sites. The action to reassign a distribution point removes the distribution point from the source hierarchy and makes the computer, and its distribution point, a site system server of the site that you select in
1250

the destination hierarchy. You can reassign distribution points from both primary sites and secondary sites in the source hierarchy. When you reassign a distribution point, you do not have to redistribute migrated content that was hosted on the source site distribution point. Additionally, unlike the upgrade of a Configuration Manager 2007 distribution point, reassignment of a distribution point does not require additional disk space on the distribution point computer. This is because beginning with System Center 2012 Configuration Manager, distribution points use the single instance store format for content and the content on the distribution point computer does not need to be converted when the distribution point is reassigned between hierarchies. For a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager distribution point to be eligible for reassignment, it must meet the following criteria: A shared distribution point must be installed on a computer other than the site server. A shared distribution point cannot be co-located with any additional site system roles.

To identify distribution points that are eligible for reassignment in the Configuration Manager console in the Source Hierarchy node, select a source site, and then select the Shared Distribution Points tab. Eligible distribution points display Yes in the Eligible for Reassignment column (Prior to System Center 2012 R2 Configuration Manager, this column is named Eligible for Upgrade).

Distribution Point Reassignment Process

You can use the Configuration Manager console to reassign distribution points that you have shared from an active source hierarchy. When you reassign a shared distribution point, the distribution point is uninstalled from its source site, and then installed as a distribution point that is attached to a primary or secondary site that you specify in the destination hierarchy. To reassign the distribution point, the destination hierarchy uses the Source Site Access Account that is configured to gather data from the SMS Provider of the source site. For information about required permissions and additional prerequisites, see Prerequisites for Migration in System Center 2012 Configuration Manager.

Content Ownership when Migrating Content

When you migrate content for deployments, you must assign the content object to a site in the destination hierarchy. This site then becomes the owner for that content in the destination hierarchy. Although the top-level site of your destination hierarchy is the site that actually migrates the metadata for content, it is the assigned site that accesses the original source files for the content across the network. To minimize the network bandwidth that is used when you migrate content, consider transferring ownership of content to a site in the destination hierarchy that is close on the network to the content location in the source hierarchy. Because information about the content in the destination hierarchy is shared globally, it will be available at every site.

1251

Although information about content is shared to all sites by using database replication, any content that you assign to a primary site and then deploy to distribution points at other primary sites, transfers by using file-based replication. This transfer is routed through the central administration site and then to the additional primary site. By centralizing packages that you plan to distribute to multiple primary sites before or during migration when you assign a site as the content owner, you can reduce data transfers across low bandwidth networks.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning for the Migration of Configuration Manager Objects to System Center 2012 Configuration Manager
With System Center 2012 Configuration Manager, you can migrate many of the different objects that are associated with different features found at a source site. Use the following sections to help you plan for the migration of objects between hierarchies. Planning to Migrate Software Updates Planning to Migrate Content Planning to Migrate Collections Planning to Migrate Operating System Deployments Planning to Migrate Desired Configuration Management Planning to Migrate AMT-Based Computers that are Provisioned for Out of Band Management Planning to Migrate Boundaries Planning to Migrate Reports Planning to Migrate Organizational and Search Folders Planning to Migrate Asset Intelligence Customizations Planning to Migrate Software Metering Rules Customizations

Planning to Migrate Software Updates

You can migrate software update objects, such as software update packages and software update deployments. To successfully migrate software update objects, you must first configure your destination hierarchy with configurations that match your source hierarchy environment. This requires the following actions: Deploy an active software update point in the destination hierarchy.
1252

Configure the catalog of products and languages to match the configuration of your source hierarchy. Synchronize the software update point in the destination hierarchy with a Windows Server Update Services (WSUS). Migration of software update objects can fail when you have not synchronized information in your destination hierarchy to match the configuration of your source hierarchy. Warning It is not supported to use the WSUSutil tool to synchronize data between a source and destination hierarchy.

When you migrate software updates, consider the following:

You cannot migrate custom updates that are published by using System Center Updates Publisher. Instead, custom updates must be republished to the destination hierarchy.

When you migrate from a Configuration Manager 2007 source hierarchy, the migration process modifies some software updates objects to the format in use by the destination hierarchy. Use the following table to help you plan the migration of software update objects from Configuration Manager 2007.
Configuration Manager 2007 object Object name after migration

Software update lists Software update deployments

Software update lists are converted to software update groups. Software update deployments are converted to deployments and update groups. Note After you migrate a software update deployment from Configuration Manager 2007, you must enable it in the destination hierarchy before you can deploy it.

Software update packages Software update templates

Software update packages remain software update packages. Software update templates remain software update templates. Note The Duration value in Configuration Manager 2007 deployment templates does not migrate.

1253

When you migrate objects from a supported System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy, the software updates objects are not modified.

Planning to Migrate Content

You can migrate content from a supported source hierarchy to your destination hierarchy. For a Configuration Manager 2007 source hierarchy, this content includes software distribution packages and programs and virtual applications, such as Microsoft Application Virtualization (App-V). Beginning with System Center 2012 Configuration Manager source hierarchies, this content includes applications, and App-V virtual applications. When you migrate content between hierarchies, it is the compressed source files that migrate to the destination hierarchy.

Packages and Programs

When you migrate packages and programs, they are not modified by migration. However, before you migrate these, you must configure each package to use a Universal Naming Convention (UNC) path for its source file location. As part of the configuration to migrate packages and programs, you must assign a site in the destination hierarchy to manage this content. The content is not migrated from the assigned site, but after migration the assigned site accesses the original source file location by using the UNC mapping. After you migrate a package and program to the destination hierarchy and while migration from the source hierarchy remains active, you can make the content available to clients in that hierarchy by using a shared distribution point. To use a shared distribution point, the content must remain accessible on the distribution point at the source site. For information about shared distribution points, see the Share Distribution Points Between Source and Destination Hierarchies section in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic. For content that has migrated, if the content version changes in either source hierarchy or the destination hierarchy, clients can no longer access the content from the shared distribution point in the destination hierarchy. In this scenario, you must re-migrate the content to restore a consistent version of the package between the source hierarchy and the destination hierarchy. This information synchronizes during the data gathering cycle. Tip For each package that you migrate, update the package in the destination hierarchy. This action can prevent issues with deploying the package to distribution points in the destination hierarchy. However, when you update a package on the distribution point in the destination hierarchy, clients in that hierarchy will no longer be able to acquire that package from a shared distribution point. To update a package in the destination hierarchy, in the Configuration Manager console, navigate to the Software Library, right click on the package, and then select Update Distribution Points. Do this action for each package that you migrated.
1254

Tip You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center site. For more information, see Configuration Manager Package Conversion Manager.

Virtual Applications
When you migrate App-V packages from a supported Configuration Manager 2007 site, the migration process converts them to applications in the destination hierarchy. Additionally, based on existing advertisements for the App-V package, the following deployment types are created in the destination hierarchy: If there are no advertisements, one deployment type is created that uses the default deployment type settings. If one advertisement exists, one deployment type is created that uses the same settings as the Configuration Manager 2007 advertisement. If multiple advertisements exist, a deployment type is created for each Configuration Manager 2007 advertisement, using the settings for that advertisement. Important If you migrate a previously migrated Configuration Manager 2007 App-V , the migration fails because virtual application packages do not support the overwrite migration behavior. In this scenario, you must delete the migrated virtual application package from the destination hierarchy, and then create a new migration job to migrate the virtual application. Note After you migrate an App-V package, you can use the Update Content Wizard to change the source path for App-V deployment types. For information on how to update content for a deployment type, see the How to Manage Deployment Types section in the How to Manage Applications and Deployment Types in Configuration Manager topic. When you migrate from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy, in addition to App-V deployment types and applications, you can migrate objects for the e App-V virtual environment. For information about App-V environments, see the App-V Virtual Environments section in the Introduction to Application Management in Configuration Manager topic.

Advertisements
You can migrate advertisements from a supported Configuration Manager 2007 source site to the destination hierarchy by using collection-based migration. If you upgrade a client, it retains the history of previously run advertisements to prevent the client from rerunning migrated advertisements.
1255

Note You cannot migrate advertisements for virtual packages. This is an exception to the migration of advertisements.

Applications
You can migrate applications from a supported System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy to a destination hierarchy. If you reassign a client from the source hierarchy to the destination hierarchy, the client retains the history of previously installed applications to prevent the client from rerunning a migrated application.

Planning to Migrate Collections

You can migrate the criteria for collections from a supported System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy. For this, you use an object-based migration job. When you migrate a collection, you migrate the rules for the collection and not information about the members of the collection or information or objects related to the members of the collection. Migration of the collection object is not supported when you migrate from a Configuration Manager 2007 source hierarchy.

Planning to Migrate Operating System Deployments

You can migrate the following operating system deployment objects from a supported source hierarchy: Operating system images and packages. The source path of boot images are updated to the default image location for the Windows Administrative Installation Kit (Windows AIK) on the destination site. The following are requirements and limitations to migrating operating system images and packages: To successfully migrate image files, the computer account of the SMS Provider server for the destination hierarchies top-level site must have Read and Write permission to the image source files of the source sites Windows AIK location. When you migrate an operating system installation package, ensure that the configuration of the package on the source site points to the folder that contains the WIM file, and not to the WIM file itself. If the installation package points to the WIM file, the migration of the installation package will fail. When you migrate a boot image package from a Configuration Manager 2007 source site, the package ID of the package is not maintained in the destination site. The result of this is that clients in the destination hierarchy cannot use boot image packages that are available on shared distribution points.
1256

Task sequences. When you migrate a task sequence that contains a reference to a client installation package, that reference is replaced with a reference to the client installation package of the destination hierarchy. Note When you migrate a task sequence, Configuration Manager might migrate objects that are not required in the destination hierarchy. These objects include boot images and Configuration Manager 2007 client installation packages.

Drivers and driver packages.

Planning to Migrate Desired Configuration Management

You can migrate configuration items and configuration baselines. Note Uninterpreted configuration items from Configuration Manager 2007 source hierarchies are not supported for migration. You cannot migrate or import these configuration items to the destination hierarchy. For information about uninterpreted configuration items, see the Uninterpreted Configuration Item section in the About Configuration Items in Desired Configuration Management topic in the Configuration Manager 2007 documentation library. You can import Configuration Manager 2007 Configuration Packs. The import process automatically converts the Configuration Pack to be compatible with System Center 2012 Configuration Manageror System Center 2012 R2 Configuration Manager.

Planning to Migrate AMT-Based Computers that are Provisioned for Out of Band Management
You cannot migrate the AMT provisioning information between hierarchies and must take additional steps before you can manage an AMT-based computer out of band in the destination hierarchy. These steps include the removal from clients of the AMT provisioning information from the source site, and then provisioning new information from a site in the destination hierarchy. To do this, make sure that you have installed and configured a site in the destination hierarchy for AMT provisioning, and then use one of the following strategies: In the source site, remove the AMT provisioning information and select the option Disable automatic provisioning. Migrate the client. Then in the destination site, provision the AMTbased computer. In the destination site, configure the AMT Provisioning Removal Account in the Out of Band Management Component Properties: Provisioning tab. Specify a Windows account that has been specified as an AMT User Account in the source site. For migration from a supported Configuration Manager 2007 site, ensure this AMT User Account has the Platform Administration (Configuration Manager 2007 SP2) or PT Administration (Configuration
1257

Manager 2007 SP1) permission. Migrate the client and assign it to the destination site. Then remove the provisioning information from the AMT-based computer by using the AMT Provisioning Removal Account, and provision it again. Warning If the account that you specify for the AMT Provisioning Removal Account is not an AMT User Account for the computer, or the AMT User Account does not have the required permission, or if the audit log contains data, you will not be able to remove the provisioning information from the destination site. If you are not sure whether the AMT-based computer is configured with this AMT User Account, for Configuration Manager 2007 source sites either check and update the management controller in the Configuration Manager 2007 site, or remove the provisioning information when the client is still assigned to the Configuration Manager 2007 site. If AMT auditing is enabled, either clear the audit log or disable auditing when the client is still assigned to the Configuration Manager 2007 site. For more information about how to manage the audit log in Configuration Manager 2007, see How to Manage the Audit Log for AMT-based Computers in the Configuration Manager 2007 documentation library. Migrate the client. Manually remove the provisioning information in the BIOS extensions of the AMT-computer. Then in the destination site, provision the AMT-based computer.

For more information about how to remove the AMT provisioning information, configure AMT User Accounts, and update the management controllers from a Configuration Manager 2007 site, see the following topics in the Configuration Manager 2007 documentation library: How to Remove Provisioning Information for AMT-Based Computers How to Configure AMT Settings and AMT User Accounts How to Update AMT Settings in Provisioned Computers Using Out of Band Management

For more information about how to configure AMT provisioning, the AMT Provisioning Removal Account, and how to remove AMT provisioning information in a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager site, see the following: How to Provision and Configure AMT-Based Computers in Configuration Manager The How to Remove AMT Information section in the How to Manage AMT Provisioning Information in Configuration Manager topic.

Planning to Migrate Boundaries

You can migrate boundaries between hierarchies. When you migrate boundaries from Configuration Manager 2007, each boundary from the source site migrates at the same time and is added to a new boundary group that is created in the destination hierarchy. When you migrate boundaries from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy, each boundary you select is added to a new boundary group in the destination hierarchy.

1258

Each automatically created boundary group is enabled for content location but not for site assignment. This prevents overlapping boundaries for site assignment between the source and destination hierarchies. When you migrate from a Configuration Manager 2007 source site, this helps prevent new Configuration Manager 2007 clients that install from incorrectly assigning to the destination hierarchy. By default, System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager clients do not automatically assign to Configuration Manager 2007 sites. During migration, if you share a distribution point with the destination hierarchy, any boundaries that are associated with that distribution automatically migrate to the destination hierarchy. In the destination hierarchy, migration creates a new read-only boundary group for each shared distribution point. If you change the boundaries for the distribution point in the source hierarchy, the boundary group in the destination hierarchy updates with these changes during the next data gathering cycle.

Planning to Migrate Reports

Configuration Manager does not support the migration of reports. Instead, use SQL Server Reporting Services Report Builder to export reports from the source hierarchy, and then import them to the destination hierarchy. Note Because there are schema changes for reports between Configuration Manager 2007 and System Center 2012 Configuration Manager, test each report that you import from a Configuration Manager 2007 hierarchy to ensure that it functions as expected. For more information about reporting, see Reporting in Configuration Manager.

Planning to Migrate Organizational and Search Folders

You can migrate organizational folders and search folders from a supported source hierarchy to a destination hierarchy. In addition, from a System Center 2012 Configuration Manager source hierarchy, you can migrate the criteria for a saved search to a destination hierarchy. By default, the migration process maintains your search folder and administrative folder structures for objects and collections when you migrate. However, in the Create Migration Job Wizard, on the Settings page, you can configure a migration job to not migrate the organizational structure for objects by clearing the check box for this option. The organizational structures of collections are always maintained. One exception to this is a search folder that contains virtual applications. When an App-V package is migrated, the App-V package is transformed into an application in System Center 2012 Configuration Manager. After migration of the search folder, only the remaining packages are found, and the search folder cannot locate an App-V package because of this conversion to an application when the App-V package migrates.
1259

When you migrate a saved search from a System Center 2012 Configuration Manager source hierarchy, you migrate the criteria for the search, and not the information about the search results. Migration of a saved search is not applicable from a Configuration Manager 2007 source site.

Planning to Migrate Asset Intelligence Customizations

You can migrate customizations for Asset Intelligence from a supported source hierarchy to a destination hierarchy. There are no significant changes to the structure of Asset Intelligence customizations between Configuration Manager 2007 and System Center 2012 Configuration Manager. Note System Center 2012 Configuration Manager does not support the migration of Asset Intelligence objects from a Configuration Manager 2007 site that is using Asset Intelligence Service 2.0 (AIS 2.0).

Planning to Migrate Software Metering Rules Customizations

There are no significant changes to software metering between Configuration Manager 2007 and System Center 2012 Configuration Manager. You can migrate your software metering rules from a supported source hierarchy to a destination hierarchy. By default, software metering rules that you migrate to a destination hierarchy are not associated with a specific site in the destination hierarchy and instead apply to all clients in the hierarchy. To apply a software metering rule to clients at a specific site, you must edit the metering rule after it migrates.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning to Monitor Migration Activity in System Center 2012 Configuration Manager

With System Center 2012 Configuration Manager, you can monitor migration in the Configuration Manager console that connects to the destination hierarchy. In the Configuration Manager console in the Administration workspace, you can use the Migration node to monitor the progress and success of migration jobs. You can view summary information for each migration job that identifies objects that have migrated, those objects that have not yet migrated, and the
1260

number of objects that are excluded from a migration job. You will also see details about any migration problems.

View Migration Progress

To view the progress of a migration job, use any of the following actions: In the Administration workspace of the Configuration Manager console, expand the Migration Jobs node, select a migration job, and then select the Objects in Job tab. Use the Configuration Manager log files to review the migration progress or to identify any problems. Migration Manager is the Configuration Manager process that tracks migration actions and records these in the migmctrl.log file in the <InstallationPath>\LOGS folder on the site server. Note If a migration job fails, review the details in the migmctrl.log file as soon as possible. The migration log entries are continually added to the file and overwrite old details. If the entries are overwritten, you might not be able to identify whether any problems that you might encounter with the migrated objects relate to migration issues. Migration activity is logged at the top-level site of the hierarchy regardless of the site your Configuration Manager console connects to when you configure migration. Use Configuration Manager reporting. Configuration Manager provides several built-in reports for migration, or you can edit those reports to fit your requirements. For more information about Configuration Manager reports, see Reporting in Configuration Manager.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Planning to Complete Migration in System Center 2012 Configuration Manager

With System Center 2012 Configuration Manager, when a source hierarchy no longer contains data that you want to migrate to your destination hierarchy, you can complete the process of migration. Completing migration includes the following general steps: Ensure data that you require has migrated. Before you complete migration from a source hierarchy, make sure that you have successfully migrated all of the resources from the source hierarchy that you require in the destination hierarchy. This can include data and clients. Stop gathering data from source sites. To complete migration from a source hierarchy, you must first stop gathering data from source sites.

1261

Clean up migration data. After you stop gathering data from all source sites in a source hierarchy, you can remove data about the migration process and source hierarchy from the database of the destination hierarchy. Decommission the source hierarchy. After you complete migration from a source hierarchy and that hierarchy no longer contains resources that you manage, you can decommission the sites in the source hierarchy and remove the related infrastructure from your environment. For information about how to decommission sites and source hierarchies, consult the documentation for that version of Configuration Manager.

Use the following sections to help you plan to complete migration from a source hierarchy by stopping data gathering, and then cleaning up migration data: Plan to Stop Gathering Data Plan to Clean Up Migration Data

Plan to Stop Gathering Data

Before you complete migration and clean up migration data, you must stop gathering data from each source site in the source hierarchy. To stop gathering data from each source site, you must perform the Stop Gathering Data command on the bottom tier source sites, and then repeat the process at each parent site. The top-level site of the source hierarchy must be the last site on which you stop gathering data. You must stop data gathering at each child site before performing this command on a parent site. Typically, you only stop gathering data when you are ready to complete the migration process. After you stop gathering data from a source site, shared distribution points from that site are no longer available as content locations for clients in the destination hierarchy. Therefore, ensure that any migrated content that the clients in the destination hierarchy require access to remains available by using one of the following options: In the destination hierarchy, distribute the content to at least one distribution point. Before you stop gathering data from a source site, upgrade or reassign shared distribution points that have the required content. For more information about upgrading or reassigning shared distribution points, see the applicable sections in the Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager topic.

After you stop gathering data from each source site in the source hierarchy, you can clean up migration data. Until you clean up migration data, each migration job that has run or that is scheduled to run remains accessible in the Configuration Manager console. For more information about source sites and data gathering, see Planning a Source Hierarchy Strategy in System Center 2012 Configuration Manager.

Plan to Clean Up Migration Data

The last step to complete migration is to clean up migration data. You can use the Clean Up Migration Data command after you have stopped gathering data for each source site in the

1262

source hierarchy. This optional action removes data about the current source hierarchy from the database of the destination hierarchy. When you clean up migration data, most data about the migration is removed from the database of the destination hierarchy. However, details about migrated objects are retained. With these details, you can use the Migration workspace to reconfigure the source hierarchy that contains the data that was migrated to either resume migration from that source hierarchy, or to review the objects and site ownership of the objects that previously migrated.

See Also
Planning for Migration to System Center 2012 Configuration Manager

Configuring Source Hierarchies and Source Sites for Migration to System Center 2012 Configuration Manager
To enable migration of data to your System Center 2012 Configuration Manager environment, you must configure a supported Configuration Manager source hierarchy and one or more source sites in that hierarchy that contain data that you want to migrate. Note Operations for migration are run at the top-level site in the destination hierarchy. If you configure migration when you use a Configuration Manager console that is connected to a primary child site, you must allow time for the configuration to replicate to the central administration site, to start, and to then replicate status back to the primary site to which you are connected. Use the information and procedures in the following sections to specify the source hierarchy and to add additional source sites. After you complete these procedures, you can create migration jobs and start to migrate data from the source hierarchy to the destination hierarchy. Specify a Source Hierarchy for Migration Identify Additional Source Sites of the Source Hierarchy

Specify a Source Hierarchy for Migration

To migrate data to your destination hierarchy, you must specify a supported source hierarchy that contains the data that you want to migrate. By default, the top-level site of that hierarchy becomes a source site of the source hierarchy. If you migrate from a Configuration Manager 2007 hierarchy, after data is gathered from the initial source site, you can then configure additional source sites for migration. If you migrate from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager hierarchy, you do not have to configure
1263

additional source sites to migrate data from the source hierarchy. This is because the these versions of Configuration Manager use a shared database which is available at the top-level site of the source hierarchy. The shared database contains all the information that you can migrate. Use the following procedures to specify a source hierarchy for migration and to identify additional source sites in a Configuration Manager 2007 hierarchy. Perform this procedure with a Configuration Manager console that is connected to the destination hierarchy. To configure a source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. On the Home tab, in the Migration group, click Specify Source Hierarchy. 4. In the Specify Source Hierarchy dialog box, for Source Hierarchy, select New source hierarchy. 5. For Top-level Configuration Manager site server, enter the name or IP address of the top-level site of a supported source hierarchy. 6. Specify source site access accounts that have the following permissions: Source Site Account: Read permission to the SMS Provider for the specified top-level site in the source hierarchy. Source Site Database Account: Read and Execute permission to the SQL Server database for the specified top-level site in the source hierarchy.

If you specify the use of the computer account, Configuration Manager uses the computer account of the top-level site of the destination hierarchy. For this option ensure that this account is a member of the security group Distributed COM Users in the domain where the top-level site of the source hierarchy resides. 7. To share distribution points between the source and destination hierarchies, select the Enable distribution point sharing for the source site server check box. If you do not enable distribution point sharing at this time, you can do so after data gathering completes by editing the credentials of the source site. 8. Click OK to save the configuration. This opens the Data Gathering Status dialog box, and data gathering starts automatically. 9. When data gathering finishes, click Close to close the Data Gathering Status dialog box and complete the configuration.

Identify Additional Source Sites of the Source Hierarchy

When you configure a supported source hierarchy, the top-level site of that hierarchy is automatically configured as a source site, and data is automatically gathered from that site. The next action that you take depends on the version of Configuration Manager that is run by the source hierarchy:
1264

For a Configuration Manager 2007 source hierarchy, after the data gathering finishes for the initial source site, you can begin migration from only that initial source site, or you can configure additional source sites from the source hierarchy. You would configure additional source sites for a Configuration Manager 2007 hierarchy to migrate data that is only available from a child site. For example, you might configure additional source sites to gather data about content you want to migrate when that content was created at a child site in the source hierarchy and is not available at the top site of the source hierarchy. For a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy, you do not need to configure additional source sites. This is because these versions of Configuration Manager use a shared database which is available at the top-level site of the source hierarchy. The shared database contains all the information that you can migrate from all of the sites in that source hierarchy. This results in the data that you can migrate being available from the top-level site of the source hierarchy.

When you configure additional source sites for a Configuration Manager 2007 source hierarchy, you must configure the additional source sites from the top of the source hierarchy to the bottom. You must configure a parent site as a source site before you configure any of its child sites as source sites. Use the following procedure to configure additional source sites for Configuration Manager 2007 source hierarchies. To identify additional source sites in the source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. Click the site that you want to configure as a source site. 4. On the Home tab, in the Source Site group, click Configure 5. In the Source Site Credentials dialog box, for the source site access accounts, specify accounts that have the following permissions: Source Site Account: Read permission to the SMS Provider for the specified top-level site in the source hierarchy. Source Site Database Account: Read and Execute permission to the SQL Server database for the specified top-level site in the source hierarchy.

If you specify the use of the computer account, Configuration Manager uses the computer account of the top-level site of the destination hierarchy. For this option ensure that this account is a member of the security group Distributed COM Users in the domain where the top-level site of the source hierarchy resides. 6. To share distribution points between the source and destination hierarchies, select the Enable distribution point sharing for the source site server check box. If you do not enable distribution point sharing at this time, you can do so after data gathering completes by editing the credentials for the source site. 7. Click OK to save the configuration. This opens the Data Gathering Status dialog box, and data gathering starts automatically. 8. When data gathering finishes, click Close to complete the configuration.
1265

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Operations for Migrating to System Center 2012 Configuration Manager

For migration in System Center 2012 Configuration Manager, after you successfully gather data from a source site in a supported source hierarchy, you can start to migrate data and clients. Use the information in the following sections to create and run migration jobs to migrate data, clients, and to then complete the migration process. Create and Edit Migration Jobs for System Center 2012 Configuration Manager Run Migration Jobs in System Center 2012 Configuration Manager Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager Monitor Migration Activity in the Migration Workspace Migrate Clients in System Center 2012 Configuration Manager Complete Migration in System Center 2012 Configuration Manager

Create and Edit Migration Jobs for System Center 2012 Configuration Manager
Use the following procedures to create data migration jobs, edit the exclusion list for collectionbased migration jobs, configure shared distribution points, and edit migration job schedules. Note The following procedure for creating a migrating job that migrates by collections, applies only for source hierarchies that run a supported version of Configuration Manager 2007. The collection-based migration job type is not available when you migrate from a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy. To create a migration job to migrate by collections 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard configure the following, and then click OK: Specify a name for the migration job.
1266

In the Job type drop-down list, select Collection migration. Select the collections that you want to migrate. If you want to migrate collections only and not the objects that are associated with those collections, clear the Migrate objects that are associated with the specified collections option. If you clear this option, no associated objects are migrated in this job, and you can skip steps 6 and 7.

5. On the Select Collections page, configure the following, and then click Next:

6. On the Select Objects page, clear any object types, or specific available objects that you do not want to migrate. By default, all associated object types and available objects are selected. Then click Next. 7. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. 8. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects to migrate in this migration job, and then click Next. 9. On the Collection Limiting page, configure a collection from the destination hierarchy to limit the scope of each listed collection, and then click Next. Or, if no collections are listed, click Next. 10. On the Site Code Replacement page, assign a site code from the destination hierarchy to replace the Configuration Manager 2007 site code for each listed collection, and then click Next. Or, if no collections are listed, click Next. 11. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 12. On the Settings page, configure when the migration job will run and any additional settings that you need for this migration job, and then click Next. 13. Confirm the settings and complete the wizard. To create a migration Job to migrate by objects 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard, configure the following, and then click Next: Specify a name for the migration job. In the Job type drop-down list, select Object migration.

5. On the Select Objects page, select the object types that you want to migrate. By default, all available objects are selected for each object type that you select. 6. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. Or, if no source sites are listed, click Next. 7. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects in this migration job, and then click Next.
1267

8. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 9. On the Settings page, configure when the migration job will run and any additional settings that you need for this migration job. Then click Next. 10. Confirm the settings and complete the wizard. To create a migration job to migrate changed objects 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. On the Home tab, in the Create group, click Create Migration Job. 4. On the General page of the Create Migration Job Wizard, configure the following and then click Next: Specify a name for the migration job. In the Job type drop down list, select Objects modified after migration.

5. On the Select Objects page, select the object types that you want to migrate. By default, all available objects are selected for each object type that you select. 6. On the Content Ownership page, assign the ownership of content from each listed source site to a site in the destination hierarchy, and then click Next. Or, if no source sites are listed, click Next. 7. On the Security Scope page, select one or more role-based administration security scopes to assign to the objects in this migration job, and then click Next. 8. On the Review Information page, click Save To File to save the displayed information for later viewing. When you are ready to continue, click Next. 9. On the Settings page, configure when the migration job will run and any additional settings that you require for this migration job. Unlike the other migration job types, this migration job must overwrite the previously migrated objects in the System Center 2012 Configuration Manager database. Click Next. 10. Confirm the settings and then complete the wizard. To modify the exclusion list for migration 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Migration to gain access to the exclusion list. You can also access the exclusion list from the Source Hierarchy or Migration Jobs node. 3. On the Home tab, in the Migration group, click Edit Exclusion List. 4. On the Edit Exclusion List dialog box, select the excluded object that you want to remove from the exclusion list, and then click Remove. 5. Click OK to save the changes and complete the edit. To cancel current changes and restore all the objects that you have removed, click Cancel, and then click No. This will cancel the removal of the objects, and close the Edit Exclusion List dialog box.

1268

To share distribution points from the source hierarchy 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, click Source Hierarchy, and then select the source site that you want to configure. 3. On the Home tab, in the Source Site group, click Configure. Note In Configuration Manager with no service pack, this option is named Share Distribution Points. 4. On the Source Site Credentials dialog box, select Enable distribution point sharing for the source site server, and then click OK. 5. When data gathering finishes, click Close. To change the schedule of a migration job 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to modify. On the Home tab, in the Properties group, click Properties. 4. In the properties of the migration job, select the Settings tab, change the run time for the migration job, and then click OK.

Run Migration Jobs in System Center 2012 Configuration Manager

Use the following procedure to run a migration job that has not yet started. To run migration jobs in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to run. On the Home tab, in the Migration Job group, click Start. 4. Click Yes to start the migration job now.

Upgrade or Reassign a Shared Distribution Point in System Center 2012 Configuration Manager
You can upgrade a supported distribution point that is shared from a Configuration Manager 2007 source site, or reassign a supported distribution point that is shared from a System Center 2012

1269

Configuration Manager or System Center 2012 R2 Configuration Manager source site, to be a distribution point in the destination hierarchy. Important Before you upgrade a Configuration Manager 2007 branch distribution point, you must uninstall the Configuration Manager 2007 client software from the branch distribution point computer. If the Configuration Manager 2007 client software is installed when you attempt to upgrade the distribution point, the upgrade fails and content that was previously deployed to the branch distribution point is removed from the computer. Caution When you upgrade or reassign a shared distribution point, the distribution point site system role and site system computer is removed from the source site and added as a distribution point to the site in the destination hierarchy that you select. To upgrade or reassign a shared distribution point in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. Select the site that owns the distribution point you want to upgrade, click the Shared Distribution Points tab, and select the eligible distribution point that you want to upgrade or reassign. 4. On the Distribution Point tab, in the Distribution Point group, click Reassign (Prior to System Center 2012 R2 Configuration Manager, this button was named Upgrade). 5. Specify settings in the Reassign Shared Distribution Point Wizard as if you are installing a new distribution point for the destination hierarchy, with the following addition: On the Content Conversion page, review the guidance about the required space to convert the existing content. Then, on the Drive Settings page of the wizard, ensure that the drive of the distribution point computer that is selected contains the required amount of free disk space.

6. Confirm the settings and then complete the wizard.

Monitor Migration Activity in the Migration Workspace

Use the following procedure to use the Configuration Manager console to monitor migration. To monitor migration activity in the Migration workspace 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Migration Jobs. 3. Click the migration job that you want to monitor. 4. View details and status about the selected migration job on the tabs for Summary and
1270

Objects in Job.

Migrate Clients in System Center 2012 Configuration Manager

After you migrate data for clients between hierarchies but before you complete migration, plan to migrate clients to the destination hierarchy. The migration of clients between hierarchies involves uninstalling the Configuration Manager client software from computers that are assigned to the source hierarchy, and then installing the Configuration Manager client software from the destination hierarchy. When you install the client from the destination hierarchy you also assign the client to a primary site in that hierarchy. For more information about migrating clients, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager.

Complete Migration in System Center 2012 Configuration Manager

Use this procedure to complete migration from the source hierarchy. To complete migration in System Center 2012 Configuration Manager 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Migration, and then click Source Hierarchy. 3. For a Configuration Manager 2007 source hierarchy, select a source site that is at the bottom level of the source hierarchy. For a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy, select the available source site. 4. On the Home tab, in the Clean Up group, click Stop Gathering Data. 5. Click Yes to confirm the action. 6. For a Configuration Manager 2007 source hierarchy, before you continue to the next step, repeat steps 3, 4, and 5. Perform these steps at each site in the hierarchy, from the bottom of the hierarchy to the top. For a System Center 2012 Configuration Manager or System Center 2012 R2 Configuration Manager source hierarchy, continue to the next step. 7. On the Home tab, in the Clean Up group, click Clean Up Migration Data. 8. On the Clean Up Migration Data dialog box, from the Source hierarchy drop-down list, select the site code and site server of the top-level site of the source hierarchy, and then click OK. 9. Click Yes to complete the migration process for the source hierarchy.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager
1271

Security and Privacy for Migration to System Center 2012 Configuration Manager
This topic contains security best practices and privacy information for migration to your System Center 2012 Configuration Manager environment.

Security Best Practices for Migration

Use the following security best practice for migration.
Security best practice More information

Use the computer account for the Source Site SMS Provider Account and the Source Site SQL Server Account rather than a user account. Use IPsec when you migrate content from a distribution point in a source site to a distribution point in your destination site. Restrict and monitor the administrative users who can create migration jobs.

If you must use a user account for migration, remove the account details when migration is completed. Although the migrated content is hashed to detect tampering, if the data is modified while it is transferred, the migration will fail. The integrity of the database of the destination hierarchy depends upon the integrity of data that the administrative user chooses to import from the source hierarchy. In addition, this administrative user can read all data from the source hierarchy.

Security Issues for Migration

Migration has the following security issues: Clients that are blocked from a source site might successfully assign to the destination hierarchy before their client record is migrated. Although Configuration Manager retains the blocked status of clients that you migrate, the client can successfully assign to the destination hierarchy if assignment occurs before the migration of the client record is completed. Audit messages are not migrated. When you migrate data from a source site to a destination site, you lose any auditing information from the source hierarchy.

1272

Privacy Information for Migration

Migration discovers information from the site databases that you identify in a source infrastructure and stores this data to the database in the destination hierarchy. The information that System Center 2012 Configuration Manager and System Center 2012 R2 Configuration Manager can discover from a source site or hierarchy depends upon the features that were enabled in the source environment, as well as the management operations that were performed in that source environment. For more information about security and privacy information, see one of the following topics: For more information about the privacy information for Configuration Manager 2007, see Security and Privacy for Configuration Manager 2007 in the Configuration Manager 2007 documentation library. For more information about the privacy information for System Center 2012 Configuration Manager, see Security and Privacy for System Center 2012 Configuration Manager in the System Center 2012 Configuration Manager documentation library.

You can migrate some or all of the supported data from a source site to a destination hierarchy. Migration is not enabled by default and requires several configuration steps. Migration information is not sent to Microsoft. Before you migrate data from a source hierarchy, consider your privacy requirements.

See Also
Migrating Hierarchies in System Center 2012 Configuration Manager

Deploying Clients for System Center 2012 Configuration Manager

The Deploying Clients for Configuration Manager guide provides documentation to help you plan, install, configure, and manage client deployment in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Deploying Clients Topics

Use the following topics to help you deploy clients in System Center 2012 Configuration Manager. Introduction to Client Deployment in Configuration Manager Planning for Client Deployment in Configuration Manager Configuring Client Deployment in Configuration Manager Operations and Maintenance for Client Deployment in Configuration Manager Security and Privacy for Clients in Configuration Manager
1273

Technical Reference for Client Deployment in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Introduction to Client Deployment in Configuration Manager

Client deployment refers to the planning, installation, and management of System Center 2012 Configuration Manager client computers and mobile devices in your enterprise. The types of devices that you have, your business requirements, and your preferences, determine the methods that you use to manage computers and mobile devices. This guide contains information about how to plan, configure, manage, and monitor client deployment in Configuration Manager to computers and mobile devices. Use the following sections for more information about how to deploy and monitor client deployment for computers and mobile devices: Deploying the Configuration Manager Client to Windows-Based Computers Deploying the Configuration Manager Client to Windows Embedded Devices Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) Deploying the Configuration Manager Client to Mac Computers Deploying the Configuration Manager Client to Linux and UNIX Servers Monitoring the Status of Client Computers in Configuration Manager Managing Mobile Devices by Using Configuration Manager

Deploying the Configuration Manager Client to Windows-Based Computers

The following table lists the various methods that you can use to install the Configuration Manager client software on computers. For information about how to decide which client installation method to use, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. For more information about how to install the client, see How to Install Clients on Windows-Based Computers in Configuration Manager.
Client installation method Description

Client push installation

Automatically installs the client to assigned resources and manually installs the client to
1274

Client installation method

Description

resources that are not assigned. Software update point installation Group Policy installation Logon script installation Manual installation Upgrade installation by using application management Installs the client by using the Configuration Manager software updates feature. Installs the client by using Windows Group Policy. Installs the client by using a logon script. Manually installs the client software. Upgrades clients to a newer version by using Configuration Manager application management. You can also use Configuration Manager 2007 software distribution to upgrade clients to System Center 2012 Configuration Manager. Configuration Manager with no service pack Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than version that you specify. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Automatically upgrades Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012 Configuration Manager version when they are earlier than the version of their System Center 2012 Configuration Manager assigned site. For more information, see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. Client imaging Prestages the client installation in an operating
1275

Automatic client upgrade

Client installation method

Description

system image. For information about how to install the Configuration Manager client on devices that run Windows Embedded operating systems, see the section Tasks for Managing Configuration Manager Clients on Windows Embedded Devices in the Configuration Manager 2007 Documentation Library. After the client is installed successfully, it attempts to assign to a site and find a management point from which to download policy. For more information about site assignment, see How to Assign Clients to a Site in Configuration Manager. Although the Configuration Manager console and reports provide some information about client installation and site assignment, you can use the fallback status point site system role to more closely track and monitor client installation and site assignment. For more information about the fallback status point, see Determine the Site System Roles for Client Deployment in Configuration Manager.

Whats New in Configuration Manager for Windows-Based Computers

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client deployment since Configuration Manager 2007: Clients are no longer configured for mixed mode or native mode, but instead use HTTPS together with public key infrastructure (PKI) certificates or HTTP together with self-signed certificates. Clients use HTTPS or HTTP according to the configuration of the site system roles that the clients connect to and whether they have a valid PKI certificate that performs client authentication. On the Configuration Manager client, in Properties, on the General tab, review the Client certificate value to determine the current client communication method. This value displays PKI certificate when the client communicates with a management point over HTTPS, and Self-signed when the client communicates with a management point over HTTP. Just as the client property value for the Connection type updates, depending on the current network status of the client, so the Client certificate client property value updates, depending on with which management point the client communicates. Because System Center 2012 Configuration Manager does not use mixed mode and native mode, the client installation property /native: [<native mode option>] is no longer used. Instead, use /UsePKICert to use a PKI certificate that has client authentication capability, if it is available, but fall back to an HTTP connection if no certificate is available. If /UsePKICert is not specified, the client does not attempt to communicate by using a PKI certificate, but communicates by using HTTP only. Additionally, use the new command /NoCRLCheck if you
1276

do not want a client to check the certificate revocation list (CRL) before it establishes an HTTPS communication. The client.msi property SMSSIGNCERT is still used but requires the exported self-signed certificate of the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. When you reassign a client from a Microsoft System Center 2012 Configuration Manager hierarchy to another System Center 2012 Configuration Manager hierarchy, the client can automatically replace the trusted root key, if the new site is published to Active Directory Domain Services and the client can access that information from a global catalog server. For this scenario in Configuration Manager 2007, you had to remove the trusted root key, manually replace the trusted root key, or uninstall and reinstall the client. The server locator point is no longer used for site assignment or to locate management points. This functionality is replaced by the management point. The CCMSetup Client.msi property SMSSLP remains supported, but only to specify the computer name of management points. You no longer install International Client Packs when you want to support different languages on the client. Instead, select the client languages that you want during Setup. Then, during the client installation, Configuration Manager automatically installs support for those languages on the client, enabling the display of information in a language that matches the users language preferences. If a matching language is not available, the client displays information in the default of English. For more information, see the Planning for Client Language Packs section in the Planning for Sites and Hierarchies in Configuration Manager topic. Decommissioned clients are no longer displayed in the Configuration Manager console, and they are automatically removed from the database by the Delete Aged Discovery Data task. The Client.msi property for CCMSetup, SMSDIRECTORYLOOKUP=WINSPROMISCUOUS, is no longer supported. This setting allowed the client to use Windows Internet Name Service (WINS) to find a management point without verifying the management point's self-signed certificate. To support the new 64-bit client, the location of the CCM folder for client-related files (such as the client cache and log files) has changed from %windir%\system32 to %windir%. If you reference the CCM folder for your own script files, update these references for the new folder location for System Center 2012 Configuration Manager clients. System Center 2012 Configuration Manager does not support the CCM folder on paths that support redirection (such as Program Files and %windir%\system32) on 64-bit operating systems. Automatic, site-wide client push now installs the Configuration Manager on existing computer resources if the client is not installed, and not just newly discovered computer resources. Client push installation starts and tracks the installation of the client by using the Configuration Manager database and no longer creates individual .CCR files. When you enable client push installation for a site, all discovered resources that are assigned to the site and that do not have a client installed are immediately added to the database, and client installation begins. Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the latest System Center 2012
1277

Configuration Manager version when they are below a version that you specify. For more information see the How to Automatically Upgrade the Configuration Manager Client section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager.

Whats New in Configuration Manager SP1 for Windows-Based Computers

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client deployment in Configuration Manager SP1: Configuration Manager can automatically upgrade Configuration Manager 2007 and System Center 2012 Configuration Manager clients to the version of their assigned System Center 2012 Configuration Manager site. For more information see the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the topic How to Install Clients on Windows-Based Computers in Configuration Manager. You can now specify the following CCMSetup.exe properties as installation options when you use client push: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Configuration Manager SP1 clients now use Microsoft Silverlight 5 for the Application Catalog. Configuration Manager automatically installs this version of Silverlight on clients if it is not already installed, and by default, configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. For more information, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic. There is a new value that is now the default for the Computer Agent client setting PowerShell execution policy: All Signed. This new value restricts the Configuration Manager client to running Windows PowerShell scripts only if they are signed by a trusted publisher, regardless of the current Windows PowerShell configuration on the client computer. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization, by default, disables the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.
1278

Client notification in Configuration Manager enables some client operations to be performed as soon as possible, instead of during the usual client policy polling interval. For example, you can use the client management task Download Computer Policy to instruct computers to download policy as soon as possible. Additionally, you can initiate some actions for Endpoint Protection, such as a malware scan of a client. By default, client notification communication uses TCP port 10123, which is configurable as a site property for a primary site. You might have to configure Windows Firewall on the management point, clients, and any intervening firewalls for this new port communication. However, client notification can fall back to using the established client-to-management point communication of HTTP or HTTPS. Actions taken by client notification are displayed in the new Client Operations node in the Monitoring workspace. Note Client notification does not support role-based administration. All users of the Configuration Manager console can see notifications in the Client Operations node in the Monitoring workspace. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager and How to Manage Clients in Configuration Manager.

You can install the Configuration Manager client on computers that run Mac OS X. You can then manage this client by using compliance settings, deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Mac Computers in Configuration Manager. You can install the Configuration Manager client on servers that run a supported version of Linux or UNIX. You can then manage this client by using deploying software, and by collecting hardware inventory. For more information, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

Whats New in System Center 2012 R2 Configuration Manager for Windows-Based Computers
Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client deployment in System Center 2012 R2 Configuration Manager: You can now select Resultant Client Settings from the Configuration Manager console to view the effective client settings that will be applied to the selected device. The resultant client setting accounts for the prioritization or combination of attributes where multiple client settings have been deployed to the same device. For more information, see Viewing the Resultant Client Settings. You can now reassign Configuration Manager clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multiselected and reassigned in bulk to a new site.
1279

If you use wake-up proxy, you no longer have to manually configure Windows Firewall on clients to allow TCP/IP ping commands when you specify the Power Management client setting, Firewall exception for wake-up proxy. A new property has been added for Ccmsetup.exe, /ExcludeFeatures:<feature>. This property prevents the specified feature from installing the client installation. For this release, the only supported feature is ClientUI, which prevents the Software Center from installing on the client. For more information, see CCMSetup.exe Command-Line Properties.

Deploying the Configuration Manager Client to Windows Embedded Devices

If your Windows Embedded device does not include the Configuration Manager client, you can use any of the client installation methods if the device meets the required dependencies. If the embedded device supports write filters, you must disable these filters before you install the client, and then re-enable the filters again after the client is installed and assigned to a site. Write filters control how the operating system on the embedded device is updated when you make changes, such as when you install software. When write filters are enabled, instead of making the changes directly to the operating system, these changes are redirected to a temporary overlay. If the changes are only written to the overlay, they are lost when the embedded device shuts downs. However, if the write filters are temporarily disabled, the changes can be made permanent so that you do not have to make the changes again (or reinstall software) every time that the embedded device restarts. However, temporarily disabling and then re-enabling the write filters requires one or more restarts, so that you typically want to control when this happens by configuring maintenance windows so that restarts occur outside business hours. When you install software on Windows Embedded devices with Configuration Manager with no service pack, you must always take additional steps to disable the write filters, install the software, and then re-enable the write filters. However, if the embedded client runs Configuration Manager SP1, you can configure options to automatically disable and re-enable the write filters when you deploy software such as applications, task sequences, software updates, and the Endpoint Protection client. The exception is for configuration baselines with configuration items that use automatic remediation. In this scenario, the remediation always occurs in the overlay so that it is available only until the device is restarted. The remediation is applied again at the next evaluation cycle, but only to the overlay, which is cleared at restart. To force Configuration Manager SP1 to commit the remediation changes, you can deploy the configuration baseline and then another software deployment that supports committing the change as soon as possible. If the write filters are disabled, you can install software on Windows Embedded devices by using Software Center. However, if the write filters are enabled, the installation fails and Configuration Manager displays an error message that you have insufficient permissions to install the application. Warning

1280

Even if you do not select the Configuration Manager SP1 options to commit the changes, the changes might be committed if another software installation or change is made that commits changes. In this scenario, the original changes will be committed in addition to the new changes. When Configuration Manager SP1 disables the write filters to make changes permanent, only users who have local administrative rights can log on and use the embedded device. During this period, low-rights users are locked out and see a message that the computer is unavailable because it is being serviced. This helps protect the device while it is in a state where changes can be permanently applied, and this servicing mode lockout behavior is another reason to configure a maintenance window for a time when users will not log on to these devices. Configuration Manager supports managing the following types of write filters: File-Based Write Filter (FBWF) (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only). For more information, see File-Based Write Filter on MSDN. Enhanced Write Filter (EWF) RAM (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only). For more information, see Enhanced Write Filter on MSDN. Unified Write Filter (UWF) (System Center 2012 R2 Configuration Manager only). For more information, see Unified Write Filter on MSDN.

Configuration Manager does not support write filter operations when the Windows Embedded device is in EWF RAM Reg mode. Important If you have the choice, use File-Based Write Filters with Configuration Manager SP1 for increased efficiency and higher scalability. When you have this configuration, configure the following exceptions to persist client state and inventory data between device restarts: CCMINSTALLDIR\*.sdf CCMINSTALLDIR\ServiceData HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\StateSystem

For an example scenario to deploy and manage write-filter-enabled Windows Embedded devices in Configuration Manager SP1, see Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices. For more information about how to build images for Windows Embedded devices and configure write filters, see your Windows Embedded documentation, or contact your OEM. Note When you select the applicable platforms for software deployments and configuration items, these display the Windows Embedded families rather than specific versions. Use the following list to map the specific version of Windows Embedded to the options in the list box: Embedded Operating Systems based on Windows XP (32-bit) includes the following: Windows XP Embedded Windows Embedded for Point of Service
1281

Windows Embedded Standard 2009 Windows Embedded POSReady 2009 Windows Embedded Standard 7 (32-bit) Windows Embedded POSReady 7 (32-bit) Windows ThinPC Windows Embedded Standard 7 (64-bit) Windows Embedded POSReady 7 (64-bit)

Embedded operating systems based on Windows 7 (32-bit) includes the following:

Embedded operating systems based on Windows 7 (64-bit) includes the following:

Whats New in System Center 2012 R2 Configuration Manager for Windows Embedded Devices
The following items are new or have changed for Windows Embedded Devices in System Center 2012 R2 Configuration Manager: Configuration Manager now supports the Unified Write Filter available in certain Windows Embedded operating systems.

Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI)
System Center 2012 Configuration Manager supports installing the Configuration Manager client on the following virtual desktop infrastructure (VDI) scenarios: Personal virtual machines Personal virtual machines are generally used when you want to make sure that user data and settings are maintained on the virtual machine between sessions. Remote Desktop Services sessions Remote Desktop Services enables a server to host multiple, concurrent client sessions. Users can connect to a session and then run applications on that server. Pooled virtual machines Pooled virtual machines are not persisted between sessions. When a session is closed, all data and settings are discarded. Pooled virtual machines are useful when Remote Desktop Services cannot be used because a required business application cannot run on the Windows Server that hosts the client sessions.

The following table lists considerations for managing the Configuration Manager client in a virtual desktop infrastructure.
Virtual machine type More information

Personal virtual machines

Configuration Manager treats personal virtual machines identically to a physical computer. The Configuration Manager
1282

Virtual machine type

More information

client can be preinstalled on the virtual machine image or deployed after the virtual machine is provisioned. Remote Desktop Services The Configuration Manager client is not installed for individual Remote Desktop sessions. Instead, the client is only installed one time on the Remote Desktop Services server. All Configuration Manager features can be used on the Remote Desktop Services server. When a pooled virtual machine is decommissioned, any changes that you make by using Configuration Manager are lost. Data returned from Configuration Manager features such as hardware inventory, software inventory and software metering might not be relevant to your needs as the virtual machine might only be operational for a short length of time. Consider excluding pooled virtual machines from inventory tasks.

Pooled virtual machines

Because virtualization supports running multiple Configuration Manager clients on the same physical computer, many client operations have a built-in randomized delay for scheduled actions such as hardware and software inventory, antimalware scans, software installations, and software update scans. This delay helps distribute the CPU processing and data transfer for a computer that has multiple virtual machines that run the Configuration Manager client. Note With the exception of Windows Embedded clients that are in servicing mode, Configuration Manager clients that are not running in virtualized environments also use this randomized delay. When you have many deployed clients, this behavior helps avoid peaks in network bandwidth and reduces the CPU processing requirement on the Configuration Manager site systems, such as the management point and site server. The delay interval varies according to the Configuration Manager capability. In Configuration Manager with no service pack, this behavior is not configurable in the Configuration Manager console. For Configuration Manager SP1 only, the randomization delay is disabled by default for required software updates and required application deployments by using the following client setting: Computer Agent: Disable deadline randomization.

1283

Deploying the Configuration Manager Client to Mac Computers

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can install the Configuration Manager client on Mac computers that run the Mac OS X operating system and use the following management capabilities:
Capability More Information

Hardware inventory

You can use Configuration Manager hardware inventory to collect information about the hardware and installed applications on Mac computers. This information can then be viewed in Resource Explorer in the Configuration Manager console and used to create collections, queries and reports. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. Configuration Manager collects the following hardware information from Mac computers: Processor Computer System Disk Drive Disk Partition Network Adapter Operating System Service Process Installed Software Computer System Product USB Controller USB Device CDROM Drive Video Controller Desktop Monitor Portable Battery Physical Memory Printer
1284

Capability

More Information

Important You cannot extend the hardware information that is collected from Mac computers during hardware inventory. Compliance settings You can use Configuration Manager compliance settings to view the compliance of and remediate Mac OS X preference (.plist) settings. For example, you could enforce settings for the home page in the Safari web browser or ensure that the Apple firewall is enabled. You can also use shell scripts to monitor and remediate settings in MAC OS X. Configuration Manager can deploy software to Mac computers. You can deploy the following software formats to Mac computers: Apple Disk Image (.DMG) Meta Package File (.MPKG) Mac OS X Installer Package (.PKG) Mac OS X Application (.APP)

Application management

When you install the Configuration Manager client on Mac computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers: Client push installation Operating system deployment Software updates Note You can use Configuration Manager application management to deploy required Mac OS X software updates to Mac computers. In addition, you can use compliance settings to make sure that computers have any required software updates. Maintenance windows Remote control Power management Client status client check and remediation

For more information about how to install and configure the Configuration Manager Mac client, see How to Install Clients on Mac Computers in Configuration Manager.

1285

Whats New in System Center 2012 R2 Configuration Manager for Mac Computers
Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for Mac computers in System Center 2012 R2 Configuration Manager: You can now install the client certificate and enroll Mac computers by using the new enrollment wizard for the Mac client as an alternative to using the CMEnroll tool commandline tool. You can now use the renew certificate wizard to renew the Mac client certificate.

Deploying the Configuration Manager Client to Linux and UNIX Servers

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can install the Configuration Manager client on computers that run Linux or UNIX. This client is designed for servers that operate as a workgroup computer, and the client does not support interaction with logged-on users. After you install the client software and the client establishes communication with the Configuration Manager site, you manage the client by using the Configuration Manager console and reports. You can use the following management capabilities when you install the Configuration Manager client on Linux and UNIX computers:
Functionality More information

Collections, queries, and maintenance windows Hardware inventory Software deployment Monitoring and reporting

See How to Manage Linux and UNIX Clients in Configuration Manager. See Hardware Inventory for Linux and UNIX in Configuration Manager. See Deploying Software to Linux and UNIX Servers in Configuration Manager. See How to Monitor Linux and UNIX Clients in Configuration Manager.

1286

When you install the Configuration Manager client on Linux and UNIX computers, you cannot use the following management capabilities that are supported by the Configuration Manager client on Windows-based computers: Client push installation Operating system deployment Application deployment; instead, deploy software by using packages and programs. Software inventory Software updates Compliance settings Remote control Power management Client status client check and remediation Internet-based client management

For information about the supported Linux and UNIX distributions and the hardware required to support the client for Linux and UNIX, see the Client Requirements for Linux and UNIX Servers section in the Supported Configurations for Configuration Manager topic. For more information about how to install and configure the Configuration Manager client for Linux and UNIX, see How to Install Clients on Linux and UNIX Computers in Configuration Manager.

Whats New in Cumulative Update 1 for the Client for Linux and UNIX
The following items are new or have changed for the client for Linux and UNIX with cumulative update 1: Cumulative update 1 adds support for several new Linux and UNIX operating systems. For more information see the Supported Distributions of Linux and UNIX section in the Supported Configurations for Configuration Manager topic. In addition, the following topics have received updates related to the new supported operating systems: The Prerequisites for Client Deployment to Linux and UNIX Servers section in the Planning for Client Deployment for Linux and UNIX Servers topic contains new information about the Linux and UNIX operating system and package file dependencies. The Technical Reference for the Configuration Manager Client for Linux and UNIX topic contains updated information about the component services of the client.

The Universal Agent is a new client installation package that simplifies the process to install the client on Linux computers. The Universal Agent replaces the use of a separate client installation package for each different version of Linux you use, with one installation package that you use to install the client on any of the supported versions of Linux. For more information see the About Client Installation Packages and the Universal Agent section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic.
1287

The CIM Server on the client now uses omiserver from the Open Group. The new CIM Server supports custom hardware inventory for Linux and UNIX computers. For more information see Hardware Inventory for Linux and UNIX in Configuration Manager. Clients support communication with fallback status points when you install the client using the new fsp command line option. For more information see the Command Line Properties for Installing the Client on Linux and UNIX Servers section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic. Clients support throttling to control the network bandwidth that is used to download software from the distribution point. For more information see the Manage Network Bandwidth for Software Downloads from Distribution Points section in the Deploying Software to Linux and UNIX Servers in Configuration Manager topic. The following are enhancements for client log files: You can view logs by using the Configuration Manager log file tool, CMTrace. Clients have improved support for log rotation. For more information see the Manage Log Files for the Client for Linux and UNIX Client section in the Technical Reference for Log Files in Configuration Manager topic.

Monitoring the Status of Client Computers in Configuration Manager

Use the Client Status node in the Monitoring workspace of the Configuration Manager console to monitor the health and activity of client computers in your hierarchy. Configuration Manager uses the following two methods to evaluate the overall status of client computers. Client Activity: You can configure thresholds to determine whether a client is active, for example: Whether the client requested policy during the last seven days. Whether Heartbeat Discovery found the client during the last seven days. Whether the client sent hardware inventory during the last seven days.

When all these thresholds are exceeded, the client is determined to be inactive. Client Check: A client evaluation engine is installed with the Configuration Manager client, which periodically evaluates the health of the Configuration Manager client and its dependencies. This engine can check or remediate some problems with the Configuration Manager client. You can configure remediation not to run on specific computers, for example, a business-critical server. In addition, if there are additional items that you want to evaluate, you can use System Center 2012 Configuration Manager compliance settings to provide a comprehensive solution to monitor the overall health, activity, and compliance of computers in your organization. For more information about compliance settings, see Compliance Settings in Configuration Manager. Client status uses the monitoring and reporting capabilities of Configuration Manager to provide information in the Configuration Manager console about the health and activity of the client. You can configure alerts to notify you when clients check results or client activity drops below a
1288

specified percentage of clients in a collection or when remediation fails on a specified percentage of clients. For information about how to configure client status, see How to Configure Client Status in Configuration Manager.

Checks and remediations made by client check

The following checks and remediations can be performed by client check.
Client check Remediation action More information

Verify that client check has recently run Verify that client prerequisites are installed

Run client check

Checks that client check has run at least one time in the past three days. Checks that client prerequisites are installed. Reads the file ccmsetup.xml in the client installation folder to discover the prerequisites. Checks that Configuration Manager client entries are present in WMI. No additional information Check whether the Configuration Manager related WMI event sink is lost No additional information

Install the client prerequisites

WMI repository integrity test Verify that the client service is running WMI Event Sink Test.

Reinstall the Configuration Manager client Start the client (SMS Agent Host) service Restart the client service

Verify that the Windows Management Instrumentation (WMI) service exists Verify that the client was installed correctly WMI repository read and write test

No remediation

Reinstall the client Reset the WMI repository and reinstall the Configuration Manager client Reset the service startup type to automatic

No additional information Remediation of this client check is only performed on computers that run Windows Server 2003, Windows XP (64-bit) or earlier versions. No additional information

Verify that the antimalware service startup type is automatic

1289

Client check

Remediation action

More information

Verify that the antimalware service is running Verify that the Windows Update service startup type is automatic or manual Verify that the client service (SMS Agent Host) startup type is automatic Verify that the Windows Management Instrumentation (WMI) service is running. Verify that the Microsoft SQL CE database is healthy Verify that the Microsoft Policy Platform service startup type is manual. Verify that the Background Intelligent Transfer Service exists Verify that the Background Intelligent Transfer Service startup type is automatic or manual Verify that the Network Inspection Service startup type is manual Verify that the Windows Management Instrumentation (WMI) service startup type is automatic Verify that the Windows Update service startup type on Windows 8 computers is

Start the antimalware service Reset the service startup type to automatic Reset the service startup type to automatic Start the Windows Management Instrumentation service Reinstall the Configuration Manager client Reset the service startup type to manual No Remediation

No additional information No additional information

No additional information

No additional information

No additional information

No additional information

No additional information

Reset the service startup type to automatic

No additional information

Reset the service startup type to manual if installed Reset the service startup type to automatic

No additional information

No additional information

Reset the service startup type to manual

No additional information

1290

Client check

Remediation action

More information

automatic or manual Verify that the client (SMS Agent Host) service exists. Verify that the Configuration Manager Remote Control service startup type is automatic or manual Verify that the Configuration Manager Remote Control service is running Verify that the client WMI provider is healthy No Remediation Reset the service startup type to automatic No additional information No additional information

Start the remote control service Restart the Windows Management Instrumentation service Start the ConfigMgr Wakeup Proxy service

No additional information

Remediation of this client check is only performed on computers that run Windows Server 2003, Windows XP (64-bit) or earlier. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems.

Verify that the wake-up proxy service (ConfigMgr Wake-up Proxy) is running

Verify that the wake-up Reset the ConfigMgr proxy service (ConfigMgr Wakeup Proxy service Wake-up Proxy) startup type startup type to automatic is automatic

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This client check is made only if the Power Management: Enable wake-up proxy client setting is set to Yes on supported client operating systems.

Whats New in Configuration Manager for Client Status

Note
1291

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for client status since Configuration Manager 2007: Client check and client activity information is integrated into the Configuration Manager console. Typical client problems that are detected are automatically remediated. The Ping tool used by Configuration Manager 2007 R2 client status reporting is not used by System Center 2012 Configuration Manager.

Managing Mobile Devices by Using Configuration Manager

You can use the following solutions to manage mobile devices in Configuration Manager: In Configuration Manager SP1, you can use the Windows Intune connector to enroll mobile devices that run Windows Phone 8, Windows RT, and iOS. This solution uses the built-in management client and does not install the Configuration Manager client, but does automatically install PKI certificates on the mobile devices. This solution does not require you to have your own PKI, but does require a Windows Intune subscription. Configuration Manager can enroll mobile devices and deploy the Configuration Manager client on supported mobile operating systems when the mobile device and site system roles use PKI certificates. This solution automatically installs PKI certificates onto the mobile devices but requires you to run Active Directory Certificate Services and an enterprise certification authority. When the mobile devices run Windows CE or Windows Mobile 6.0, you must install the mobile device legacy client by using a package and program. This solution also requires PKI certificates that must be installed independently from Configuration Manager. If you cannot use the other mobile device management solutions, you can use the Configuration Manager Exchange Server connector to find and manage mobile devices that connect to Microsoft Exchange Server or Exchange Online. Because a management client is not installed, management is more limited for this solution than the others. For example, with the exception of Android devices that use the Windows Intune connector in Configuration Manager SP1, you cannot deploy applications to these mobile devices. However, you can retrieve some inventory information, define settings and access rules, and issue wipe commands for these mobile devices in Configuration Manager.

For more information about these mobile device management solutions, see Determine How to Manage Mobile Devices in Configuration Manager. For more information about how to install the mobile device legacy client for Windows CE mobile devices, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.

1292

Whats New in Configuration Manager for Mobile Devices

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for mobile devices since Configuration Manager 2007: Enrollment for mobile devices in Configuration Manager is now natively supported by using the two new enrollment site system roles (the enrollment point and the enrollment proxy point) and a Microsoft enterprise certification authority. For more information about how to configure and enroll mobile devices in Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. New in Configuration Manager, the Exchange Server connector lets you find and manage devices that connect to Exchange Server, on-premise or hosted, by using the Exchange ActiveSync protocol. Use this mobile device management process when you cannot install the Configuration Manager client on the mobile device. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Exchange. If you have mobile devices that you managed with Configuration Manager 2007, and you cannot enroll them by using System Center 2012 Configuration Manager, you can continue to use them with System Center 2012 Configuration Manager. The installation for this mobile device client is still the same. However, whereas Configuration Manager 2007 did not require PKI certificates, System Center 2012 Configuration Manager requires PKI certificates on the mobile device and the management points and distribution points. File collection is no longer supported for these mobile device clients in Configuration Managerand, unlike the mobile devices that you can enroll with Configuration Manager or manage by using the Exchange Server connector, you cannot manage settings for these mobile devices. In addition, the mobile device management inventory extension tool (DmInvExtension.exe) is no longer supported. This functionality is replaced with the Exchange Server connector.

Whats New in Configuration Manager SP1 for Mobile Devices

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for mobile devices in Configuration Manager SP1: The client settings group to configure mobile device enrollment settings is no longer named Mobile Devices and is now named Enrollment. This change and associated changes, such as the change from the client setting of Mobile device enrollment profile to Enrollment profile, reflects that the enrollment functionality is now extended to Mac computers. Important The client certificates for mobile devices and Mac computers have different requirements. Therefore, if you configure client settings enrollment for mobile devices and Mac computers, do not configure the certificate templates to use the same user accounts.
1293

Mobile devices that are enrolled by Configuration Manager SP1 now use the client policy polling interval setting in the Client Policy client setting group and no longer use the polling interval in the renamed Enrollment client setting group. This change lets you configure different client policy intervals for mobile devices that are enrolled by Configuration Manager, by using custom device client settings. You cannot create custom device client settings for Enrollment. You can enroll mobile devices that run Windows Phone 8, Windows RT, and iOS when you use the Windows Intune connector. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. Users who have mobile devices that are enrolled by Windows Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices. The new Retire option for mobile devices in the Configuration Manager console is supported only for mobile devices that are enrolled by Windows Intune.

Whats New in System Center 2012 R2 Configuration Manager for Mobile Devices
Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new for mobile device management in System Center 2012 R2 Configuration Manager: Users can enroll Android devices by using the company portal app which will be available on Google Play. The company portal app is supported on Android devices as of Android 4.0. When users download the company portal app the installation includes the management agent. The management agent gives you the following management capabilities. You can manage compliance settings which include password, camera, and encryption settings. When you deploy apps to Android devices, you now have the option to install the apps directly to the device Users are prompted to take required actions, such as app installations or updating device passcodes by using Android notifications.

Users can enroll iOS devices by using the iOS company portal app which will be available in the App store. The company portal app can be installed on iOS devices as of iOS 6. The company portal app will allow users to perform the following actions: Change or reset passwords. Download and install company apps. Enroll, unenroll, or wipe company content from their devices.

Devices that run Windows RT, iOS and Android now support a deployment purpose of Required. This allows you to deploy apps automatically to devices according to a configured schedule.
1294

Wipe and retire functions now include the option to only remove company content from devices, see the table in Device Life-cycle Management for information about what company content is removed. You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on on all mobile devices. You can configure devices as personal-owned or company-owned by using the Change ownership action. Change ownership is only available for devices that are not domain-joined and do not have the Configuration Manager client installed.All mobile devices will report software inventory on company content when they are personal-owned or company-owned. iOS and Android will report a full software inventory on the device if they are set as Company-owned.You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on company content on all devices. You can use Windows Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed.

See Also
Deploying Clients for System Center 2012 Configuration Manager

Planning for Client Deployment in Configuration Manager

Client deployment in System Center 2012 Configuration Manager provides various methods to deploy and configure the Configuration Manager client. Before you deploy the client, review the information in this section to help you plan for a successful deployment.

Planning Topics
Prerequisites for Windows Client Deployment in Configuration Manager Best Practices for Client Deployment in Configuration Manager Determine How to Manage Mobile Devices in Configuration Manager Planning for Client Deployment for Linux and UNIX Servers Determine the Site System Roles for Client Deployment in Configuration Manager Determine the Client Installation Method to Use for Windows Computers in Configuration Manager Determine Whether to Block Clients in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager
1295

Prerequisites for Windows Client Deployment in Configuration Manager

Deploying System Center 2012 Configuration Manager clients in your environment has the following external dependencies and dependencies within the product. Additionally, each client deployment method has its own dependencies that must be met for client installations to be successful. Use the following sections to determine the prerequisites to install the Configuration Manager client on computers and mobile devices: Prerequisites for Computer Clients Prerequisites for Mobile Device Clients

Make sure that you also review Supported Configurations for Configuration Manager to confirm that devices meet the minimum hardware and operating system requirements for the System Center 2012 Configuration Manager client. For information about the prerequisites for the Configuration Manager client for Linux and UNIX, see the Prerequisites for Client Deployment section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Prerequisites for Computer Clients

Use the following information to determine the prerequisites for when you install the Configuration Manager client on computers.

Dependencies External to Configuration Manager

Dependencies external to Configuration Manager More information

For Configuration Manager client computers with no service pack that will connect to the Application Catalog: Configure Internet Explorer to exclude the ActiveX control Microsoft.ConfigurationManager.SoftwareC atalog.Website.ClientBridgeControl.dll from ActiveX filtering and allow it to run in the browser.

If you run Configuration Manager with no service pack, the Application Catalog website uses an ActiveX control for Internet Explorer, which coordinates application installation and approval requests with the Configuration Manager client. The ActiveX control file is named Microsoft.ConfigurationManager.SoftwareC atalog.Website.ClientBridgeControl.dll and is automatically installed on the client when the Configuration Manager client is installed. You must configure Internet Explorer to exclude this ActiveX control from ActiveX filtering and allow it to run in the browser. You can manually
1296

Dependencies external to Configuration Manager

More information

configure Internet Explorer or use Group Policy settings. For more information, see your Windows documentation. Note This configuration is not required for Configuration Manager SP1, because Configuration Manager SP1 does not use an ActiveX control. Windows Installer version 3.1.4000.2435 Required to support the use of Windows Installer update (.msp) files for packages and software updates. The hotfix described in KB2552033 must be installed on site servers that run Windows Server 2008 R2 when client push installation is enabled. Microsoft Background Intelligent Transfer Service (BITS) is required to allow throttled data transfers between the client computer and System Center 2012 Configuration Manager site systems. BITS is not automatically downloaded during client installation. Note When BITS is installed on computers, a restart is typically required to complete the installation. Important Most operating systems include BITS, but if they do not (for example, Windows Server 2003 R2 SP2), you must install BITS before you install the System Center 2012 Configuration Manager client. Microsoft Task Scheduler service The Microsoft Task Scheduler service must be enabled on the client for the client installation to complete.

Install the hotfix described in KB2552033 on site servers that run Windows Server 2008 R2.

Microsoft Background Intelligent Transfer Service (BITS) version 2.5

Note
1297

The software version numbers only list the minimum version numbers.

Dependencies External to Configuration Manager and Automatically Downloaded During Installation

The System Center 2012 Configuration Manager client has some potential external dependencies. These dependencies depend on the operating system and the installed software on the client computer. If these dependencies are required to complete the installation of the client, they are automatically installed with the client software.
Dependencies automatically supplied during installation More information

Windows Update Agent version 7.0.6000.363 Microsoft Core XML Services (MSXML) version 6.20.5002 or later Microsoft Remote Differential Compression (RDC) Microsoft Visual C++ 2010 Redistributable version 10.0.40219.1 Microsoft Visual C++ 2005 Redistributable version 8.0.50727.42 Windows Imaging APIs 6.0.6001.18000 Microsoft Policy Platform 1.2.3514.0 Microsoft Silverlight 4.0.50524.0

Required by Windows to support update detection and deployment. Required to support the processing of XML documents in Windows. Required to optimize data transmission over the network. Required to support client operations. Required to support Microsoft SQL Server Compact operations. Required to allow Configuration Manager to manage Windows image (.wim) files. Required to allow clients to evaluate compliance settings. For Configuration Manager with no service pack only. Required to support the Application Catalog website user experience.

Microsoft Silverlight 5.1.10411.0

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Required to support the Application Catalog website user experience.

1298

Dependencies automatically supplied during installation

More information

Microsoft .NET Framework 4 Client Profile

Client computers require the .NET Framework to support client operations. If a client computer does not have one of the following installed versions, the Microsoft .NET Framework 4 Client Profile is installed automatically: Microsoft .NET Framework version 3.0. Microsoft .NET Framework version 3.5. Microsoft .NET Framework version 4.0. Note When the .NET Framework 4 is installed on computers, a restart might be required to complete the installation.

Microsoft SQL Server Compact 3.5 SP2 components Microsoft Windows Imaging Components

Required to store information related to client operations. Required by Microsoft .NET Framework 4.0 for Windows Server 2003 or Windows XP SP2 for 64-bit computers.

Note The software version numbers only list the minimum version numbers.

Configuration Manager Dependencies

For more information about the following site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point

Although a management point is not required to deploy the System Center 2012 Configuration Manager client, you must have a management point to transfer information between client computers and System Center 2012 Configuration Manager servers. Without a management point, you cannot manage client computers. The distribution point is an optional, but recommended site system role for client
1299

Distribution point

Configuration Manager site system

More information

deployment. All distribution points host the client source files, which lets computers find the nearest distribution point from which to download the client source files during client deployment. If the site does not have a distribution point, computers download the client source files from their management point. Fallback status point The fallback status point is an optional, but recommended site system role for client deployment. The fallback status point tracks client deployment and enables computers in the System Center 2012 Configuration Manager site to send state messages when they cannot communicate with a management point. The reporting services point is an optional, but recommended site system role that can display reports related to client deployment and management. For more information, see Reporting in Configuration Manager.

Reporting services point

Installation Method Dependencies

The following prerequisites are specific to the various methods of client installation.
Client installation method More information

Client push installation

Client push installation accounts are used to connect to computers to install the client and are specified on the Accounts tab of the Client Push Installation Properties dialog box. The account must be a member of the local administrators group on the destination computer. If you do not specify a client push installation account, the site server computer account will be used.

The computer on which you are installing the client must have been discovered by at least one System Center 2012
1300

Client installation method

More information

Configuration Manager discovery method. The computer has an ADMIN$ share. Enable client push installation to assigned resources must be selected in the Client Push Installation Properties dialog box if you want to automatically push the System Center 2012 Configuration Manager client to discovered resources. The client computer must be able to contact a distribution point or a management point to download the supporting files.

You must have the following security permissions to install the Configuration Manager client by using client push: To configure the Client Push Installation account: Modify and Read permission for the Site object. To use client push to install the client to collections, devices and queries: Modify Resource and Read permission for the Collection object.

The Infrastructure Administrator security role includes the required permissions to manage client push installation. For more information about how to configure the requirements in the Client Push Installation Properties dialog box, see the How to Install Configuration Manager Clients by Using Client Push section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. For more information about how to configure the discovery of computers, see Configuring Discovery in Configuration Manager. Software update point-based installation If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group
1301

Client installation method

More information

Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The System Center 2012 Configuration Manager client must be published to the software update point. The client computer must be able to contact a distribution point or a management point in order to download supporting files.

For the security permissions required to manage Configuration Manager software updates, see Prerequisites for Software Updates in Configuration Manager. Group Policy-based installation If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The client computer must be able to contact a management point in order to download supporting files. The client computer must be able to contact a distribution point or a management point in order to download supporting files unless, at the command prompt, you specified CCMSetup.exe with the command-line property ccmsetup /source. The client computer must be able to contact a distribution point or a management point in order to download supporting files unless, at the command
1302

Logon script-based installation

Manual installation

Client installation method

More information

prompt, you specified CCMSetup.exe with the command-line property ccmsetup /source. Workgroup computer installation In order to access resources in the System Center 2012 Configuration Manager site server domain, the Network Access Account must be configured for the site.

For more information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic. Software distribution-based installation (for upgrades only) If the Active Directory schema has not been extended, or you are installing clients from another forest, installation properties for CCMSetup.exe must be provisioned in the registry of the computer by using Group Policy. For more information, see the How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. The client computer must be able to contact a distribution point or a management point to download the supporting files.

For the security permissions required to upgrade the Configuration Manager client using application management, see Prerequisites for Application Management in Configuration Manager. Automatic client upgrades You must be a member of the Full Administrator security role to configure automatic client upgrades.

1303

Firewall Requirements
If there is a firewall between the site system servers and the computers onto which you want to install the Configuration Manager client, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

Prerequisites for Mobile Device Clients

Use the following information to determine the prerequisites for when you install the Configuration Manager client on mobile devices and use Configuration Manager to enroll them.

Dependencies External to Configuration Manager

Dependencies external to Configuration Manager More information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for mobile devices. The issuing CA must automatically approve certificate requests from the mobile device users during the enrollment process. A security group that contains the users that can enroll their mobile devices.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

This security group is used to configure the certificate template that is used during mobile device enrollment. For more information, see the Deploying the Enrollment Certificate for Mobile Devices section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. This DNS alias is required to support automatic discovery for the enrollment service: If you do not configure this DNS record, users must manually specify the site system server name of the enrollment proxy point as part of the enrollment process. See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Optional but recommended: a DNS alias (CNAME record) named ConfigMgrEnroll that is configured for the site system server name on which you will install the enrollment proxy point. Site system role dependencies for the computers that will run the enrollment point and the enrollment proxy point site system roles.

1304

Configuration Manager Dependencies

For more information about the following site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point that is configured for HTTPS client connections and enabled for mobile devices

A management point is always required to install the System Center 2012 Configuration Manager client on mobile devices. In addition to the configuration requirements of HTTPS and enabled for mobile devices, the management point must be configured with an Internet FQDN and accept client connections from the Internet. An enrollment proxy point manages enrollment requests from mobile devices and the enrollment point completes the enrollment process. The enrollment point must be in the same Active Directory forest as the site server, but the enrollment proxy point can be in another forest. Configure client settings to allow users to enroll mobile devices and configure at least one enrollment profile. The reporting services point is an optional, but recommended site system role that can display reports related to mobile device enrollment and client management. For more information, see Reporting in Configuration Manager.

Enrollment point and enrollment proxy point

Client settings for mobile device enrollment

Reporting services point

To configure enrollment for mobile devices, you must have the following security permissions: To add, modify, and delete the enrollment site system roles: Modify permission for the Site object. To configure client settings for enrollment: Default client settings require Modify permission for the Site object, and custom client settings require Client agent permissions.

For more information about how to configure security permissions, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic.

The Full Administrator security role includes

1305

Configuration Manager site system

More information

the required permissions to configure the enrollment site system roles. To manage enrolled mobile devices, you must have the following security permissions: To wipe a mobile device: Delete resource for the Collection object. To cancel a wipe command: Modify resource for the Collection object. To allow and block mobile devices: Modify resource for the Collection object.

The Operations Administrator security role includes the required permissions to manage mobile devices.

Firewall Requirements
Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with mobile device enrollment: Between mobile devices and the enrollment proxy point: HTTPS (by default, TCP 443) Between the enrollment proxy point and the enrollment point: HTTPS (by default, TCP 443)

If you use a proxy web server, it must be configured for SSL tunneling; SSL bridging is not supported for mobile devices.

See Also
Planning for Client Deployment in Configuration Manager

Best Practices for Client Deployment in Configuration Manager

Use the following best practices information to help you deploy clients on computers in System Center 2012 Configuration Manager.

1306

Use software update-based client installation for Active Directory computers

This client deployment method has the benefit of using existing Windows technologies, integrates with your Active Directory infrastructure, requires the least configuration in Configuration Manager, is the easiest to configure for firewalls, and is the most secure. By using security groups and WMI filtering for the Group Policy configuration, you also have a lot of flexibility to control which computers install the Configuration Manager client. For more information about how to install clients by using software update-based installation, see the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Extend the Active Directory schema and publish the site so that you can run CCMSetup without command-line options
When you extend the Active Directory schema for Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

When you have many clients to deploy, plan a phased rollout outside business hours
Minimize the effect of the CPU processing requirements on the site server by planning a phased rollout of clients over a period of time. Deploy clients outside business hours so that critical business services have more available bandwidth during the day and users are not disrupted if their computer slows down or requires a restart to complete the installation.

Enable automatic upgrade after your main client deployment has finished
Configuration Manager with no service pack only Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade
1307

deployment. You then use this method to upgrade the client on these computers when they are next active. Note Performance improvements in Configuration Manager SP1 can allow you to use automatic upgrades as a primary client upgrade method. However, performance will depend on your hierarchy infrastructure, such as the number of clients. For more information about client deployment method, the How to Automatically Upgrade the Configuration Manager Client for the Hierarchy section in the How to Install Clients on WindowsBased Computers in Configuration Manager topic.

Use SMSMP and FSP if you install the client with client.msi properties
The SMSMP property specifies the initial management point for the client to communicate with and removes the dependency on service location solutions such as Active Directory Domain Services, DNS, and WINS. Use the FSP property and install a fallback status point so that you can monitor client installation and assignment, and identify any communication problems. For more information about these options, see About Client Installation Properties in Configuration Manager.

If you want to use client languages other than English, install the client language packs before you install the clients
If you install client language packs on a site after you install clients, you must reinstall the clients before they can use the additional languages. For mobile device clients, this means you must wipe the mobile device and enroll it again. For more information about how to add support for additional client languages, see Install Sites and Create a Hierarchy for Configuration Manager.

Plan and prepare any required PKI certificates in advance for Internet-based client management, enrolled mobile devices, and Mac computers
To manage devices on the Internet, enrolled mobile devices, and Mac computers, you must have PKI certificates on site systems (management points and distribution points) and the client devices. For many customers, this requires advanced planning and preparation, especially if you have a separate team who manages your PKI. On production networks, you might require
1308

change management approval to use new certificates, restart site system servers, or users might have to logoff and logon for new group membership. In addition, you might have to allow sufficient time for replication of security permissions and for any new certificate templates. For more information about the PKI certificates that are required, see PKI Certificate Requirements for Configuration Manager. For an example deployment of the certificates that is suitable for a test environment, see Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority.

Before you install clients, configure any required client settings and maintenance windows
Although you can configure client settings and maintenance windows before or after clients are installed, configure any required settings before you install clients so that these settings are used as soon as the client is installed. Important Configuring maintenance windows is particularly important for servers and for Windows Embedded devices, to ensure business continuity for these often business-critical computers. For example, maintenance windows will ensure that required software updates and antimalware software do not restart the computer during business hours.

For Mac computers and mobile devices that are enrolled by Configuration Manager, plan your user enrollment experience
If users will enroll their own Mac computers and mobile devices by using Configuration Manager, plan and prepare the user experience. For example, you might script the installation and enrollment process by using a web page so users enter the minimum amount of information necessary, and you send them instructions with a link by email.

When you manage Windows Embedded devices on the Configuration Manager SP1 client, use FileBased Write Filters (FBWF) rather than Enhanced Write Filters (EWF) for higher scalability
Embedded devices that use Enhanced Write Filters (EWF) are likely to experience state message resynchronizations. If you have just a few embedded devices that use Enhanced Write Filters, you might not notice this. However, when you have a lot of embedded devices that resynchronize their information, such as sending full inventory rather than delta inventory, this can generate a noticeable increase in network packets and higher CPU processing on the site server.
1309

When you have a choice of which type of write filter to enable, choose File-Based Write Filters and configure exceptions to persist client state and inventory data between device restarts for network and CPU efficiency on the Configuration Manager SP1 client. For more information about write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. For more information about the maximum number of Windows Embedded clients that a primary site can support, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic.

See Also
Planning for Client Deployment in Configuration Manager

Determine How to Manage Mobile Devices in Configuration Manager

Use the following information to help you decide how to manage mobile devices in System Center 2012 Configuration Manager. You can use Configuration Manager to enroll mobile devices and install the Configuration Manager client, you can use the mobile device legacy client (for example, for Windows CE mobile operating systems), and you can use the Exchange Server connector. In addition, in Configuration Manager SP1, you can enroll devices that run Windows Phone 8, Windows RT, and iOS by using the Windows Intune connector. The following table lists these four mobile device management methods and provides information about the management functions that each method supports.
Management functionality Enrollment by Windows Intune Enrollment by Configuration Manager Mobile device legacy client Exchange Server connector

Public key infrastructure (PKI) security between the mobile device and Configuration Manager by using mutual authentication and SSL to encrypt data

Yes

Yes More information: Requires Active Directory Certificate Services and an enterprise certification authority (CA). The mobile device

Yes More information: Any PKI that meets the certificate requirements. The mobile device certificates must be installed independently from

No

1310

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

transfers

certificates are Configuration installed Manager. automatically by Configuration Manager during the enrollment process. No More information: Instead of a client the user installs or connects to a company portal. Yes More information: Installed by the user from the browser on the mobile device. Yes More information: Installed by an administrative user by deploying a package and program. Yes No Yes Yes Yes Yes More information: Limited by what Exchange Server collects. No

Client installation

Support over the Internet Discovery Hardware inventory

Yes No Yes

Yes No Yes More information: You can collect default information and create your own customized hardware inventory.

Software inventory

Yes

No

Yes More information: List of installed software only; you cannot

No

1311

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

inventory all files and you cannot collect files. Settings Yes Yes More information: Deploy configuration baselines that contain mobile device configuration items. You can configure default settings and create your own customized settings. Software deployment Yes More information: You can deploy available apps that users can download from the company portal. Yes More information: You can deploy required applications (install and uninstall), but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported Yes More information: You can deploy packages, but not applications or software updates. No Yes More information: Limited by the settings in the default Exchange ActiveSync mailbox policies.

No

1312

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

for mobile devices. Mobile devices also do not support simulated deployments. Monitor with the fallback status point Connections to management points No No Yes No

No

Yes More information: A single management point in the clients assigned (primary) site.

Yes More information: A single management point in primary sites and secondary sites. Yes More information: Distribution points in primary sites and secondary sites. Yes

No

Connections to distribution points

Yes More information: manage.microsoft.com is the only distribution point that is used.

Yes More information: Distribution points in the assigned (primary) site. Yes

No

Block from Configuration Manager Quarantine and block from Exchange Server (and Configuration Manager) Remote wipe

Yes

No

No

No

No

Yes

Yes

Yes

No

Yes
1313

Management functionality

Enrollment by Windows Intune

Enrollment by Configuration Manager

Mobile device legacy client

Exchange Server connector

More information: By Configuration Manager and by a user from the Configuration Manager Application Catalog.

More information: By Configuration Manager and by a user if supported by Exchange.

For more information about the mobile operating systems that System Center 2012 Configuration Manager supports, see Supported Configurations for Configuration Manager. Use Configuration Manager to enroll mobile devices when the mobile operating system is supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply: You have a Microsoft enterprise CA to issue and manage the required certificates. You want the additional management features or settings that are not supported by the Exchange Server connector, such as software installation and full hardware inventory. Important If the mobile device synchronizes with Exchange Server, set the Exchange flag AllowExternalDeviceManagement to ensure that the mobile device continues to receive email from Exchange after it is enrolled by Configuration Manager. If you install the Configuration Manager Exchange Server connector, you can set this flag by configuring the option External mobile device management in the Exchange Server connector properties. If you do not install the connector, you must set this flag by using the Exchange management tools. For example, use the PowerShell cmdlet Set-ActiveSyncMailPolicy with the parameter AllowExternalDeviceManagement. Use the mobile device legacy client when the mobile operating system is not supported by System Center 2012 Configuration Manager mobile device enrollment and when both of the following conditions apply: You can install the required PKI certificates on the mobile device and the Configuration Manager site systems (management point and distribution point). You want to install software packages on the mobile device and collect hardware inventory.

Manage mobile devices by using the Exchange Server connector when the mobile device can connect to Exchange Server by using ActiveSync and when either of the following conditions applies: You do not require the security that a PKI offers or you do not have a PKI.
1314

You do not require all the management functions and settings that enrollment provides.

Dual Management: Enrolled by Configuration Manager and Managed by Using the Exchange Server Connector
You can enroll a mobile device by using Configuration Manager and also manage it by using the Exchange Server connector. In this scenario, although you see only one mobile device in the Configuration Manager console, you have dual management for a mobile device and the following consequences: No settings are applied from the Exchange Server connector; you must configure the mobile device settings by deploying a configuration baseline. If you collect hardware inventory by enabling the client setting for hardware inventory and by using the Exchange Server connector, the hardware inventory information from the mobile device is consolidated by Configuration Manager.

See Also
Planning for Client Deployment in Configuration Manager

Planning for Client Deployment for Linux and UNIX Servers

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX. Prerequisites for Client Deployment to Linux and UNIX Servers Dependencies External to Configuration Manager: Service Location by the client for Linux and UNIX About Certificates for use by Linux and UNIX Servers Configuring Certificates for Linux and UNIX Servers Planning for Communication across Forest Trusts for Linux and UNIX Servers Planning for Security and Certificates for Linux and UNIX Servers

About Linux and UNIX Operating Systems That do not Support SHA-256

1315

Planning for Client Deployment to Linux and UNIX Servers

Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.

Prerequisites for Client Deployment to Linux and UNIX Servers

Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.

Dependencies External to Configuration Manager:

The following tables describe the required UNIX and Linux operating systems and package dependencies. Red Hat Enterprise Linux ES Release 4
Required package Description Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.3.4-2 0.9.7a-43.1

PAM

0.77-65.1

Red Hat Enterprise Linux Server release 5.1 (Tikanga)

Required package Description Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.5-12 0.9.8b-8.3.el5

PAM

0.99.6.2-3.14.el5

Red Hat Enterprise Linux Server release 6

1316

Required package

Description

Minimum version

glibc Openssl

C Standard Libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.12-1.7 1.0.0-4

PAM

1.1.1-4

Solaris 9 SPARC
Required package Description Minimum version

Required operating system patch SUNWlibC SUNWlibms OpenSSL

PAM memory leak Sun Workshop Compilers Bundled libC (sparc) Forte Developer Bundled Shared libm (sparc) SMCosslg (sparc) Sun does not provide a version of OpenSSL for Solaris 9 SPARC. There is a version available from Sunfreeware.

112960-48 5.9,REV=2002.03.18 5.9,REV=2001.12.10 0.9.7g

PAM

Pluggable Authentication Modules SUNWcsl, Core Solaris, (Shared Libs) (sparc)

11.9.0,REV=2002.04.06.15.27

Solaris 10 SPARC
Required package Description Minimum version

Required operating system PAM memory leak patch SUNWlibC Sun Workshop Compilers Bundled libC (sparc)

117463-05 5.10, REV=2004.12.22

1317

Required package

Description

Minimum version

SUNWlibms SUNWlibmsr SUNWcslr SUNWcsl OpenSSL

Math & Microtasking Libraries (Usr) (sparc) Math & Microtasking Libraries (Root) (sparc) Core Solaris Libraries (Root) (sparc) Core Solaris Libraries (Root) (sparc) SUNopenssl-librararies (Usr) Sun provides the OpenSSL libraries for Solaris 10 SPARC. They are bundled with the operating system.

5.10, REV=2004.11.23 5.10, REV=2004.11.23 11.10.0, REV=2005.01.21.15.53 11.10.0, REV=2005.01.21.15.53 11.10.0,REV=2005.01.21.15.53

PAM

Pluggable Authentication Modules SUNWcsr, Core Solaris, (Root) (sparc)

11.10.0, REV=2005.01.21.15.53

Solaris 10 x86
Required package Description Minimum version

Required operating system patch SUNWlibC SUNWlibmsr SUNWcsl SUNWcslr OpenSSL

PAM memory leak Sun Workshop Compilers Bundled libC (i386) Math & Microtasking Libraries (Root) (i386) Core Solaris, (Shared Libs) (i386) Core Solaris Libraries (Root) (i386) SUNWopenssl-libraries; OpenSSL Libraries (Usr)

117464-04 5.10,REV=2004.12.20 5.10, REV=2004.12.18 11.10.0,REV=2005.01.21.16.34 11.10.0, REV=2005.01.21.16.34 11.10.0, REV=2005.01.21.16.34

1318

Required package

Description

Minimum version

(i386) PAM Pluggable Authentication Modules SUNWcsr Core Solaris, (Root)(i386) 11.10.0,REV=2005.01.21.16.34

Solaris 11 SPARC
Required package Description Minimum version

SUNWlibC SUNWlibmsr SUNWcslr SUNWcsl SUNWcsr SUNWopenssl-libraries

Sun Workshop Compilers Bundled libC Math & Microtasking Libraries (Root) Core Solaris Libraries (Root) Core Solaris, (Shared Libs) Core Solaris, (Root) OpenSSL Libraries (Usr)

5.11, REV=2011.04.11 5.11, REV=2011.04.11 11.11, REV=2009.11.11 11.11, REV=2009.11.11 11.11, REV=2009.11.11 11.11.0,REV=2010.05.25.01.00

Solaris 11 x86 Required package SUNWlibC SUNWlibmsr SUNWcslr SUNWcsl SUNWcsr Description Sun Workshop Compilers Bundled libC Math & Microtasking Libraries (Root) Core Solaris Libraries (Root) Core Solaris, (Shared Libs) Core Solaris, (Root) Minimum version 5.11, REV=2011.04.11 5.11, REV=2011.04.11 11.11, REV=2009.11.11 11.11, REV=2009.11.11 11.11, REV=2009.11.11

1319

SUNWopenssl-libraries

OpenSSL Libraries (Usr)

11.11.0,REV=2010.05.25.01.00

SUSE Linux Enterprise Server 9 (i586)

Required package Description Minimum version

Service Pack 4 OS Patch lib gcc-41.rpm OS Patch lib stdc++-41.rpm Openssl

SUSE Linux Enterprise Server 9 Standard shared library Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules 41-4.1.2_20070115-0.6 41-4.1.2_20070115-0.6 0.9.7d-15.35

PAM

0.77-221-11

SUSE Linux Enterprise Server 10 SP1 (i586)

Required package Description Minimum version

glibc-2.4-31.30 OpenSSL

C Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.4-31.30 0.9.8a-18.15

PAM

0.99.6.3-28.8

SUSE Linux Enterprise Server 11 (i586)

Required package Description Minimum version

glibc-2.9-13.2 PAM

C Standard shared library Pluggable Authentication Modules

2.9-13.2 pam-1.0.2-20.1

Universal Linux (Debian package) Debian, Ubuntu Server

1320

Required package

Description

Minimum version

libc6 OpenSSL

C Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.3.6 0.9.8 or 1.0

PAM

0.79-3

Universal Linux (RPM package) CentOS, Oracle Linux

Required package Description Minimum version

glibc OpenSSL

C Standard shared library OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

2.5-12 0.9.8 or 1.0

PAM

0.99.6.2-3.14

IBM AIX 5L 5.3

Required package Description Minimum version

OS version xlC.rte openssl.base

Version of the operating system XL C/C++ Runtime OpenSSL Libraries; Secure Network Communications Protocol

AIX 5.3, Technology Level 6, Service Pack 5 9.0.0.2 0.9.8.4

IBM AIX 6.1

Required package Description Minimum version

OS version

Version of operating system

AIX 6.1, any Technology Level and Service Pack

1321

Required package

Description

Minimum version

xlC.rte OpenSSL/openssl.base

XL C/C++ Runtime OpenSSL Libraries; Secure Network Communications Protocol

9.0.0.5 0.9.8.4

IBM AIX 7.1 (Power)

Required package Description Minimum version

OS version xlC.rte OpenSSL/openssl.base

Version of operating system XL C/C++ Runtime OpenSSL Libraries; Secure Network Communications Protocol

AIX 7.1, any Technology Level and Service Pack

HP-UX 11i v2 IA 64
Required package Description Minimum version

HPUXBaseOS HPUXBaseAux HPUXBaseAux.openssl

Base OS HP-UX Base OS Auxiliary OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

B.11.23 B.11.23.0706 A.00.09.07l.003

PAM

On HP-UX, PAM is part of the core operating system components. There are no other dependencies.

HP-UX 11i v2 PA-RISC

Required package Description Minimum version

HPUX11i-OE

HP-UX Foundation

B.11.23.0706

1322

Required package

Description

Minimum version

Operating Environment OS-Core.MinimumRuntime.CORESHLIBS HPUXBaseAux HPUXBaseAux.openssl Compatible development tools libraries HP-UX Base OS Auxiliary OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules B.11.23 B.11.23.0706 A.00.09.071.003

PAM

On HP-UX, PAM is part of the core operating system components. There are no other dependencies.

HP-UX 11i v3 PA-RISC

Required package Description Minimum version

HPUX11i-OE OS-Core.MinimumRuntime.CORE2SHLIBS openssl/Openssl.openssl

HP-UX Foundation Operating Environment Specific IA emulator libraries OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

B.11.31.0709 B.11.31 A.00.09.08d.002

PAM

On HP-UX, PAM is part of the core operating system components. There are no other dependencies.

HP-UX 11i v3 IA64

Required package Description Minimum version

HPUX11i-OE OS-Core.MinimumRuntime.CORESHLIBS

HP-UX Foundation Operating Environment Specific IA development libraries

B.11.31.0709 B.11.31

1323

Required package

Description

Minimum version

SysMgmtMin SysMgmtMin.openssl

Minimum Software Deployment Tools OpenSSL Libraries; Secure Network Communications Protocol Pluggable Authentication Modules

B.11.31.0709 A.00.09.08d.002

PAM

On HP-UX, PAM is part of the core operating system components. There are no other dependencies.

Configuration Manager Dependencies: The following table lists site system roles that support Linux and UNIX clients. For more information about these site system roles, see Determine the Site System Roles for Client Deployment in Configuration Manager.
Configuration Manager site system More information

Management point

Although a management point is not required to install a Configuration Manager client for Linux and UNIX, you must have a management point to transfer information between client computers and Configuration Manager servers. Without a management point, you cannot manage client computers. The distribution point is not required to install a Configuration Manager client for Linux and UNIX. However, the site system role is required if you deploy software to Linux and UNIX servers. Because the Configuration Manager client for Linux and UNIX does not support communications that use SMB, the distribution points you use with the client must support HTTP or HTTPS communication.

Distribution point

Fallback status point

Note Beginning with cumulative update 1, the Configuration Manager client for Linux and UNIX supports the use of fallback status points.
1324

Configuration Manager site system

More information

The fallback status point is not required to install a Configuration Manager client for Linux and UNIX. However, The fallback status point enables computers in the Configuration Manager site to send state messages when they cannot communicate with a management point. Client can also send their installation status to the fallback status point.

Firewall Requirements: Ensure that firewalls do not block communications across the ports you specify as client request ports. The client for Linux and UNIX communicates directly with management points, distribution points, and fallback status points. For information about client communication and request ports, see the Configure Request Ports for the Client for Linux and UNIX section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic.

Planning for Communication across Forest Trusts for Linux and UNIX Servers
Linux and UNIX servers you manage with Configuration Manager operate as workgroup clients and require similar configurations as Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Service Location by the client for Linux and UNIX

The task of locating a site system server that provides service to clients is referred to as service location. Unlike a Windows-based client, the client for Linux and UNIX does not use Active Directory for service location. Additionally, the Configuration Manager client for Linux and UNIX does not support a client property that specifies the domain suffix of a management point. Instead, the client learns about additional site system servers that provide services to clients from a known management point you assign when you install the client software. For more information about service location, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic.

1325

Planning for Security and Certificates for Linux and UNIX Servers
For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows. When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP. Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it will fall back to use HTTP with the provided PKI certificate. When a Linux or UNIX client uses a PKI certificate you do not have to approve them. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client. For more information about how to manually approve the client, see the Managing Clients from the Devices Node section in the How to Manage Clients in Configuration Manager topic. For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

About Certificates for use by Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX uses a self-signed certificate or an X.509 PKI certificate just like Windows-based clients. There are no changes to the PKI requirements for Configuration Manager site systems when you manage Linux and UNIX clients. The certificates you use for Linux and UNIX clients that communicate to Configuration Manager site systems must be in a Public Key Certificate Standard (PKCS#12) format, and the password must be known so you can specify it to the client when you specify the PKI certificate. The Configuration Manager client for Linux and UNIX supports a single PKI certificate, and does not support multiple certificates. Therefore, the certificate selection criteria you configure for a Configuration Manager site does not apply.

Configuring Certificates for Linux and UNIX Servers

To configure a Configuration Manager client for Linux and UNIX servers to use HTTPS communications, you must configure the client to use a PKI certificate at the time you install the client. You cannot provision a certificate prior to installation of the client software. When you install a client that uses a PKI certificate, you use the command-line parameter UsePKICert to specify the location and name of a PKCS#12 file that contains the PKI certificate. Additionally you must use the command line parameter -certpw to specify the password for the certificate.

1326

If you do not specify -UsePKICert, the client generates a self-signed certificate and attempts to communicate to site system servers by using HTTP only.

About Linux and UNIX Operating Systems That do not Support SHA-256
The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256: Red Hat Enterprise Linux Version 4 (x86/x64) Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86) SUSE Linux Enterprise Server Version 9 (x86) HP-UX Version 11iv2 (PA-RISH/IA64)

To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior: Clients do not validate the site server signature associated with policy they request from a management point. Clients do not validate the hash for packages that they download from a distribution point.

Security The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment. When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as having released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails. To install the Configuration Manager client on Linux and UNIX operating systems that did not release with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client will skip SHA-256 validation and after installation, the client will not use SHA-256 to sign data it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic. Note

1327

The command line option ignoreSHA256validation is ignored on computers that run a version of Linux and UNIX that released with versions of OpenSSL that support SHA256.

See Also
Planning for Client Deployment in Configuration Manager

Determine the Site System Roles for Client Deployment in Configuration Manager
Use the following sections to help you determine the site systems that you require to deploy System Center 2012 Configuration Manager clients: Determine Whether You Require a Management Point Determine Whether You Require a Fallback Status Point Determine Whether You Require an Enrollment Point and an Enrollment Proxy Point Determine Whether You Require a Distribution Point Determine Whether You Require an Application Catalog Website Point and an Application Catalog Web Services Point

For more information about where to install these site system roles in the hierarchy, see Planning Where to Install Sites System Roles in the Hierarchy. For more information about how to install and configure the site system roles that you require, see Install and Configure Site System Roles for Configuration Manager.

Determine Whether You Require a Management Point

By default, all Windows client computers use a distribution point to install the Configuration Manager client and can fall back to a management point when a distribution point is not available. However, you can install Windows clients on computers from an alternative source when you use the CCMSetup command-line property /source:<Path>. For example, this might be appropriate if you install clients on the Internet. Another scenario is when you want to avoid sending network packets between the computer and the management point during client installation, perhaps because a firewall blocks the ports required for your installation method or because you have a low-bandwidth connection. However, all clients must communicate with a management point to assign to a site, and to be managed by Configuration Manager. For more information about the CCMSetup command-line property /source:<Path>, see About Client Installation Properties in Configuration Manager.
1328

When you install more than one management point in the hierarchy, clients automatically connect to the most appropriate one, based on their forest membership and network location. You cannot install more than one management point in a secondary site. Mac computer clients (Configuration Manager SP1 only) and mobile device clients that you enroll with Configuration Manager always require a management point for client installation. This management point must be in a primary site, must be configured to support mobile devices, and must accept client connections from the Internet. These clients cannot use management points in secondary sites or connect to management points in other primary sites.

Determine Whether You Require a Fallback Status Point

You can use a fallback status point to monitor client deployment for Windows computers and identify the clients on these computers that are unmanaged because they cannot communicate with a management point. Mac computers (Configuration Manager SP1 only), mobile devices that are enrolled by Configuration Manager, and mobile devices that are managed by using the Exchange Server connector do not use a fallback status point. Note A fallback status point is not required to monitor client activity and client health. The fallback status point always communicates with clients by using HTTP, which uses unauthenticated connections and sends data in clear text. This makes the fallback status point vulnerable to attack, particularly when it is used with Internet-based client management. To help reduce the attack surface, always dedicate a server to running the fallback status point and do not install other site system roles on the same server in a production environment. Install a fallback status point if all the following conditions apply: You want client communication errors from Windows computers to be sent to the site, even if these client computers cannot communicate with a management point. You want to use the System Center 2012 Configuration Manager client deployment reports, which display the data that is sent by the fallback status point. You have a dedicated server for this site system role and have additional security measures to help protect the server from attack. The benefits of using a fallback status point outweigh any security risks associated with unauthenticated connections and clear text transfers over HTTP traffic. The security risks of running a website with unauthenticated connections and clear text transfers outweigh the benefits of identifying client communication problems.

Do not install a fallback status point if the following condition applies:

1329

Determine Whether You Require a Reporting Services Point

Configuration Manager provides many reports to help you monitor the installation, assignment, and management of clients in the Configuration Manager console. Some of the client deployment reports require that clients are assigned to a fallback status point. Although the reports are not required to deploy clients and you can see some deployment information in the Configuration Manager console or use the client log files for detailed information, the client reports provide valuable information to help monitor and troubleshoot client deployment.

Determine Whether You Require an Enrollment Point and an Enrollment Proxy Point
Configuration Manager requires the enrollment point and the enrollment proxy point to enroll mobile devices and to enroll certificates for Mac computers (Configuration Manager SP1 only). These site system roles are not required if you will manage mobile devices by using the Exchange Server connector, or if you install the mobile device legacy client (for example, for Windows CE), or if you request and install the client certificate on Mac computers independently from Configuration Manager.

Determine Whether You Require a Distribution Point

Although you dont require a distribution point to install Configuration Manager clients on Windows computers, by default, Configuration Manager uses a distribution point to install the client source files on Windows computers but can fall back to downloading these files from a management point. Distribution points are not used to install mobile device clients that are enrolled by Configuration Manager but are used if you install the mobile device legacy client. If you install the Configuration Manager client as part of an operating system deployment, the operating system image is stored and retrieved from a distribution point. Although you might not require distribution points to install most Configuration Manager clients, you will require distribution points to install software such as applications and software updates on the clients.

Determine Whether You Require an Application Catalog Website Point and an Application Catalog Web Services Point
The Application Catalog website point and the Application Catalog web service point are not required for client deployment. However, you might want to install them as part of your client
1330

deployment process, so that users can perform the following actions as soon as the Configuration Manager client is installed on Windows computers: Wipe their mobile devices. Search for and install applications from the Application Catalog. Deploy applications to users and devices with a deployment purpose of Available.

See Also
Planning for Client Deployment in Configuration Manager

Determine the Client Installation Method to Use for Windows Computers in Configuration Manager
You can use different methods to install the System Center 2012 Configuration Manager client software on devices in your enterprise. You can use one or any combination of these methods that suit your requirements. The following table outlines the advantages and disadvantages of each client installation method to help you determine which will work best in your organization. For information about using each installation method, see How to Install Clients on Windows-Based Computers in Configuration Manager.
Client installation method Advantage Disadvantage

Client push installation

Can be used to install the client on a single computer, a collection of computers, or to the results from a query. Can be used to automatically install the client on all discovered computers. Automatically uses client installation properties defined on the Client tab in the Client Push Installation Properties dialog box.

Can cause high network traffic when pushing to large collections. Can only be used on computers that have been discovered by System Center 2012 Configuration Manager. Cannot be used to install clients in a workgroup. A client push installation account must be specified that has administrative rights to the intended client computer. Windows Firewall must be configured on client
1331

Client installation method

Advantage

Disadvantage

computers with exceptions so that client push installation can be completed. You cannot cancel client push installation. When you use this client installation method for a site, Configuration Manager tries to install the client on all discovered resources and retries any failures for up to 7 days. Requires a functioning software updates infrastructure as a prerequisite. Must use the same server for client installation and software updates, and this server must reside in a primary site. To install new clients, you must configure an Group Policy Object (GDO) in Active Directory Domain Services with the client's active software update point and port. If the Active Directory schema is not extended for System Center 2012 Configuration Manager, you must use Group Policy settings to provision computers with client installation properties.

Software update pointbased installation

Can use your existing software updates infrastructure to manage the client software. Can automatically install the client software on new computers if Windows Server Update Services (WSUS) and Group Policy settings in Active Directory Domain Services are configured correctly. Does not require computers to be discovered before the client can be installed. Computers can read client installation properties that have been published to Active Directory Domain Services. Will reinstall the client software if it is removed. Does not require you to configure and maintain an installation account for the intended client computer r. Does not require computers to be discovered before the client can be installed.

Group Policy installation

Can cause high network traffic if a large number of clients are being installed.
1332

Client installation method

Advantage

Disadvantage

Can be used for new client installations or for upgrades. Computers can read client installation properties that have been published to Active Directory Domain Services. Does not require you to configure and maintain an installation account for the intended client computer. Does not require computers to be discovered before the client can be installed. Supports using commandline properties for CCMSetup.

If the Active Directory schema is not extended for System Center 2012 Configuration Manager, you must use Group Policy settings to add client installation properties to computers in your site.

Logon script installation

Can cause high network traffic if a large number of clients are being installed over a short time period. Can take a long time to install on all client computers if users do not frequently log on to the network. No automation, therefore time consuming.

Manual installation

Does not require computers to be discovered before the client can be installed. Can be useful for testing purposes. Supports using commandline properties for CCMSetup.

Upgrade installation (application management)

Can use System Center 2012 Configuration Manager to upgrade the client to a newer version of the System Center 2012 Configuration Manager client by collection, or to a defined timescale. Supports using commandline properties for CCMSetup.

Can cause high network traffic when distributing the client to large collections. Can only be used to upgrade the client software on computers that have been discovered and assigned to the site.

You cannot upgrade Configuration Manager 2007

1333

Client installation method

Advantage

Disadvantage

clients to System Center 2012 Configuration Manager by using this method. In this scenario, you can deploy the System Center 2012 Configuration Manager client as a package from the Configuration Manager 2007 site, or you can use automatic client upgrade which automatically creates and deploys a package that contains the latest version of the client. Automatic client upgrade Can be used to automatically keep clients in your site at the latest version. Requires minimal administration by the administrative user. Can be used to upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager. A Configuration Manager 2007 client can assign to a System Center 2012 Configuration Manager site, but cannot perform any actions besides automatic client upgrade. Can only be used to upgrade the client software and cannot be used to install a new client. Not suitable for upgrading many clients simultaneously. Supplements rather than replaces other client installation or upgrade methods. Applies to all clients in the hierarchy that are assigned to a site. Cannot be scoped by collection. Limited scheduling options.

See Also
Planning for Client Deployment in Configuration Manager

1334

Determine Whether to Block Clients in Configuration Manager

If a client computer or client mobile device is no longer trusted, you can block the client in the System Center 2012 Configuration Manager console. Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. In Configuration Manager SP1, Mac clients, Linux and UNIX clients, and mobile devices that are enrolled by Windows Intune support block and unblock. You must block and unblock a client from its assigned site rather than from a secondary site or a central administration site. Important Although blocking in Configuration Manager can help to secure the Configuration Manager site, do not rely on this feature to protect the site from untrusted computers or mobile devices if you allow clients to communicate with site systems by using HTTP, because a blocked client could rejoin the site with a new self-signed certificate and hardware ID. Instead, use the blocking feature to block lost or compromised boot media that you use to deploy operating systems, and when site systems accept HTTPS client connections. Clients that access the site by using the ISV Proxy certificate cannot be blocked. For more information about the ISV Proxy certificate, see the Microsoft System Center 2012 Configuration Manager Software Development Kit (SDK). If your site systems accept HTTPS client connections and your public key infrastructure (PKI) supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy. Use the following sections to help differentiate between blocking clients and using a certificate revocation list, and the implications of blocking AMT-based computers: Comparing Blocking Clients and Revoking Client Certificates Blocking AMT-Based Computers

Comparing Blocking Clients and Revoking Client Certificates

Use the following table to help differentiate between blocking a client and using certificate revocation in a PKI-supported environment.
Blocking Client Using Certificate Revocation

The option is available for HTTP and HTTPS

The option is available for HTTPS Windows

1335

Blocking Client

Using Certificate Revocation

client connections, but has limited security when clients connect to site systems by using HTTP.

client connections if the public key infrastructure supports a certificate revocation list (CRL). In Configuration Manager SP1, Mac clients always perform CRL checking and this functionality cannot be disabled. Although mobile device clients do not use certificate revocation lists to check the certificates for site systems, their certificates can be revoked and checked by Configuration Manager.

Configuration Manager administrative users have the authority to block a client, and the action is taken in the Configuration Manager console. Client communication is rejected from the Configuration Manager hierarchy only. Note The same client could register with a different Configuration Manager hierarchy. The client is immediately blocked from the Configuration Manager site.

Public key infrastructure administrators have the authority to revoke a certificate, and the action is taken outside the Configuration Manager console. Client communication can be rejected from any computer or mobile device that requires this client certificate.

There is likely to be a delay between revoking a certificate and site systems downloading the modified certificate revocation list (CRL). For many PKI deployments, this delay can be a day or longer. For example, in Active Directory Certificate Services, the default expiration period is one week for a full CRL, and one day for a delta CRL.

Helps to protect site systems from potentially compromised computers and mobile devices.

Helps to protect site systems and clients from potentially compromised computers and mobile devices. Note You can further protect site systems that run IIS from unknown clients by configuring a certificate trust list (CTL) in IIS.
1336

Blocking AMT-Based Computers

After you block an Intel AMT-based computer that is provisioned by System Center 2012 Configuration Manager, you will no longer be able to manage it out of band. When an AMT-based computer is blocked, the following actions automatically occur to help protect the network from the security risks of elevation of privileges and information disclosure: The site server revokes all certificates issued to the AMT-based computer with the revocation reason of Cease of Operation. The AMT-based computer might have multiple certificates if it is configured for 802.1X authenticated wired or wireless networks that support client certificates. The site server deletes the AMT account in Active Directory Domain Services.

The AMT provisioning information is not removed from the computer, but the computer can no longer be managed out of band because its certificate is revoked and its account is deleted. If you later unblock the client, you must take the following actions before you can manage the computer out of band: 1. Manually remove provisioning information from the computers BIOS extensions. You will not be able to perform this configuration remotely. 2. Reprovision the computer with Configuration Manager. If you think you might unblock the client later and you can verify a connection to the AMT-based computer before you block the client, you can remove the AMT provisioning information with Configuration Manager and then block the client. This sequence of actions saves you from having to manually configure the BIOS extensions after you unblock the client. However, this option relies on a successful connection to the untrusted computer to complete the removal of provisioning information. This is particularly risky when the AMT-based computer is a laptop and might be disconnected from the network or on a wireless connection. Note To verify that the AMT-based computer successfully removed provisioning information, confirm that the AMT status has changed from Provisioned to Not Provisioned. However, if the provisioning information was not removed before the client was blocked, the AMT status remains at Provisioned but you will be unable to manage the computer out of band until you reconfigure the BIOS extensions and reprovision the computer for AMT. For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.

See Also
Planning for Client Deployment in Configuration Manager

1337

Configuring Client Deployment in Configuration Manager

There are various configuration tasks that must be completed before you can install or upgrade the System Center 2012 Configuration Manager client software. The links in this section provide the necessary information to complete each task associated with configuring Configuration Manager client deployment.

Configuring Topics
How to Configure Client Communication Port Numbers in Configuration Manager How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager How to Configure Client Settings in Configuration Manager How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager How to Install Clients on Mac Computers in Configuration Manager How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager How to Configure Client Status in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

How to Configure Client Communication Port Numbers in Configuration Manager

You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. For Configuration Manager SP1 only, you can also specify a client notification port if you do not want to use HTTP or HTTPS. Although HTTP or HTTPS is more likely to be already configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on the management point computer than if you use a custom port number. For all versions of Configuration Manager, you can also specify the site port number to use if you wake up clients by using traditional wake-up packets.
1338

When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port. You can specify settings for HTTP and HTTPS data communication. The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail. Important Do not change the port numbers in Configuration Manager without understanding the consequences. Examples: If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged. Before you configure a non-default port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about how to configure the request ports for clients on computers that run Linux and UNIX, see Configure Request Ports for the Client for Linux and UNIX. When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods: Reinstall the clients by using the Client Push Installation Wizard. Client push installation automatically configures clients with the current site port configuration. For more information about how to use the Client Push Installation Wizard, see How to Install Configuration Manager Clients by Using Client Push. Reinstall the clients by using CCMSetup.exe and the client.msi installation properties of CCMHTTPPORT and CCMHTTPSPORT. For more information about these properties, see How to Install Configuration Manager Clients by Using Client Push.
1339

Reinstall the clients by using a method that searches Active Directory Domain Services for Configuration Manager client installation properties. For more information, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder. Important For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT. After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site. To configure the client communication port numbers for a site 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. On the Home tab, click Properties, and then click the Ports tab. 4. Select any of the items and click the Properties icon to display the Port Detail dialog box. 5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK. 6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS. 7. Click OK to close the properties dialog box for the site. Repeat this procedure for all primary sites in the hierarchy.

See Also
Configuring Client Deployment in Configuration Manager

How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager
Clients in System Center 2012 Configuration Manager must locate a management point to complete site assignment and as an on-going process to remain managed. Active Directory
1340

Domain Services provides the most secure method for clients on the intranet to find management points. However, if clients cannot use this service location method (for example, you have not extended the Active Directory schema, or clients are from a workgroup), use DNS publishing as the preferred alternative service location method. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you install the client for Linux and UNIX, you must specify a management point to use as an initial point of contact. For information about how to install the client for Linux and UNIX, see the Install the Client on Linux and UNIX Servers section in the How to Install Clients on Linux and UNIX Computers in Configuration Manager topic. Before you use DNS publishing for management points, make sure that DNS servers on the intranet have service location resource records (SRV RR) and corresponding host (A or AAA) resource records for the site's management points. The service location resource records can be created automatically by Configuration Manager or manually, by the DNS administrator who creates the records in DNS. For more information about DNS publishing as a service location method for Configuration Manager clients, see the Planning for Service Location by Clients section in the Planning for Communications in Configuration Manager topic. By default, clients search DNS for management points in their DNS domain. However, if there are no management points published in the clients domain, you must manually configure clients with a management point DNS suffix. You can configure this DNS suffix on clients either during or after client installation: To configure clients for a management point suffix during client installation, configure the CCMSetup Client.msi properties. To configure clients for a management point suffix after client installation, in Control Panel, configure the Configuration Manager Properties. To configure clients for a management point suffix during client installation Install the client with the following CCMSetup Client.msi property: DNSSUFFIX=<management point domain> If the site has more than one management point and they are in more than one domain, specify just one domain. When clients connect to a management point in this domain, they download a list of available management points, which will include the management points from the other domains. For more information about the CCMSetup command-line properties, see About Client Installation Properties in Configuration Manager. To configure clients for a management point suffix after client installation 1. In Control Panel of the client computer, navigate to Configuration Manager, and then
1341

double-click Properties. 2. On the Site tab, specify the DNS suffix of a management point, and then click OK. If the site has more than one management point and they are in more than one domain, specify just one domain. When clients connect to a management point in this domain, they download a list of available management points, which will include the management points from the other domains.

See Also
Configuring Client Deployment in Configuration Manager

How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager
You can edit the Windows registry to prevent the System Center 2012 Configuration Manager client from installing on specific computers when you use the site-wide automatic client push installation method. The registry of each Configuration Manager primary site server contains a list of computers to exclude from site-wide automatic client push installation. When you exclude these computers, they can still be found by using Configuration Manager discovery methods. In addition, this registry entry does not prevent the client from installing when you use other client installation methods, such as the Client Push Wizard or by manually running CCMSetup.exe. Important If you use the Registry Editor incorrectly, you might cause serious problems that might require you to reinstall the operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk. When you add a computer to the ExcludeServers list, Configuration Manager sets the installed flag in the resource record for this computer. During standard operation, the installed flag prevents Configuration Manager from reinstalling the client when automatic site-wide client push installation is enabled. When you add a computer name to the exclude list, it also prevents Configuration Manager from installing the client on that computer when it is discovered and automatic site-wide client push installation is enabled. If you later remove the computer from the exclude list because you want to install the client, the installed flag remains. To clear this flag so that the client will install, you must also run the Clear Install Flag maintenance task. To verify whether the installed flag is set for a computer, view the properties of the resource in the Administration workspace. The item Client in the Discovery data list displays Yes when the installed flag is set and No when the install flag is not set.

1342

Use the following procedures to add computers to the exclude list and to run the Clear Install Flag task if this task is necessary. To add computers to the exclude list to prevent client software from being installed when automatic site-wide client push is enabled 1. Open the Windows Registry Editor on the System Center 2012 Configuration Manager site server for the site that you want to exclude a computer from joining. 2. Locate the SMS_DISCOVERY_DATA_MANAGER sub-key by browsing to the following path: For a 32-bit operating system: HKEY_LOCAL_MACHINE/Software/Wow6432Node/Microsoft/SMS/Components/ SMS_DISCOVERY_DATA_MANAGER For a 64-bit operating system: HKEY_LOCAL_MACHINE/Software/Microsoft/SMS/Components/SMS_DISCOVE RY_DATA_MANAGER

3. To enter the name of the computers that you want to exclude, double-click the key ExcludeServers to open the Edit Multi-String window. 4. In the Edit Multi-String window, specify the NetBIOS name of each computer that you want to exclude. Press the Enter key after you type each computer name to ensure that each computer name appears on a separate line. 5. After you have entered all the computer names of computers to exclude, click OK. Close the Registry Editor window. To clear the install flag so that client software will install when automatic site-wide client push is enabled 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site that automatically installs the client software. 3. On the Home tab, in the Settings group, click Site Maintenance. 4. In the Site Maintenance dialog box, select Clear Install Flag, and then click Edit. 5. In the Clear Install Flag Properties dialog box, specify the following: Select Enable this task to enable the clear install flag task. Configure the schedule to control how often the task runs.

6. Click OK to close the Clear Install Flag Properties dialog box. After this task runs at the specified schedule, any computers that you remove from the exclude list can now be installed by using automatic site-wide client push installation.

See Also
Configuring Client Deployment in Configuration Manager

1343

How to Configure Client Settings in Configuration Manager

You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy that do not have any custom settings applied. If you want to apply different settings to just some users or devices, create custom settings and deploy these to collections. Note You can also use configuration items to manage clients to assess, track, and remediate the configuration compliance of devices. For more information, see Compliance Settings in Configuration Manager. Use one of the following procedures to configure client settings: How to Configure the Default Client Settings How to Create and Deploy Custom Client Settings How to View Resultant Client Settings (System Center 2012 R2 Configuration Manager Only)

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy. To configure the default client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select Default Client Settings. 3. On the Home tab, click Properties. 4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager. 5. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings.
1344

Note Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings. To configure and deploy custom client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. On the Home tab, in the Create group, click Create Custom Client Settings, and then click one of the following options depending on whether you want to create custom client settings for devices or for users: Create Custom Client Device Settings Create Custom Client User Settings

4. In the Create Custom Device Settings or Create Custom User Settings dialog box, specify a unique name for the custom settings, and an optional description. 5. Select one or more of the available check boxes that display a group of settings. 6. Click the first group settings from the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining group settings. For information about each client setting, see About Client Settings in Configuration Manager. 7. Click OK to close the Create Custom Device Settings or Create Custom User Settings dialog box. 8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy. 9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the selected collection if you click the Deployments tab in the details pane. 10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, on the Home tab, in the Client Settings group, click Move Item Up or Move Item Down. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

How to View Resultant Client Settings (System Center 2012 R2 Configuration Manager Only)
When multiple client settings have been deployed to the same device, user, or user group, the prioritization and combination of settings can be complex. Use the following procedure to view the calculated resultant client settings.
1345

To view the resultant client settings 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices, Users, or User Collections. 3. Select a device, user, or user group and in the Client Settings group, select Resultant Client Settings. Alternately, you can right click the device, user, or user group, select Client Settings, and click Resultant Client Settings. 4. Select a client setting from the left pane, and the resultant settings are displayed. Note To view the resultant client settings, the logged on user must have read access to Client Settings. Note The displayed resultant settings are read only. To modify any settings, use the above procedures.

See Also
Configuring Client Deployment in Configuration Manager

How to Install Clients on Windows-Based Computers in Configuration Manager

You can use different client deployment methods to install the System Center 2012 Configuration Manager client software on computers. To help you decide which deployment method to use, see Determine the Client Installation Method to Use for Windows Computers in Configuration Manager. Before you install System Center 2012 Configuration Manager clients, ensure that all the prerequisites are in place and that you have completed all required deployment configurations. For more information, see Prerequisites for Windows Client Deployment in Configuration Manager and Configuring Client Deployment in Configuration Manager. Use the following procedures to install clients in System Center 2012 Configuration Manager.

How to Install Configuration Manager Clients by Using Client Push

Use client push installation to install the System Center 2012 Configuration Manager client software on computers that Configuration Manager discovered. You can configure client push installation for a site, and client installation will automatically run on the computers that are
1346

discovered within the site's configured boundaries when those boundaries are configured as a boundary group. Or, you can initiate a client push installation by running the Client Push Installation Wizard for a specific collection or resource within a collection. Note Configuration Manager SP1 does not support client push installation for Windows Embedded devices that have write filters that are enabled. You can also use the Client Push Installation Wizard to install the System Center 2012 Configuration Manager client to the results that are obtained from running a query. For installation to succeed in this scenario, one of the items returned by the selected query must be the attribute ResourceID from the attribute class System Resource. For more information about queries, see Queries in Configuration Manager. If the site server cannot contact the client computer or start the setup process, it automatically repeats the installation attempt every hour for up to 7 days until it succeeds. To help track the client installation process, install a fallback status point site system before you install the clients. When a fallback status point is installed, it is automatically assigned to clients when they are installed by the client push installation method. View the client deployment and assignment reports to track client installation progress. Additionally, the client log files provide more detailed information for troubleshooting and do not require the installation of a fallback status point. For example, the CCM.log file on the site server records any problems that the site server has connecting to the computer, and the CCMSetup.log file on the client records the installation process. Important For client push to succeed, ensure that all the prerequisites are in place. These are listed in the section Installation Method Dependencies in Prerequisites for Windows Client Deployment in Configuration Manager. To configure the site to automatically use client push for discovered computers 1. If there are specific computers that are assigned to the site and that must not install the Configuration Manager client, configure the ExcludeServers list. For more information, see How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Site Configuration, and then click Sites. 4. In the Sites list, select the site for which you want to configure automatic site-wide client push installation. 5. On the Home tab, in the Settings group, click Client Installation Settings, and then click Client Push Installation. 6. On the General tab of the Client Push Installation Properties dialog box, select Enable automatic site-wide client push installation. Select the system types to which System Center 2012 Configuration Manager should push the client software by selecting Servers, Workstations, or Configuration Manager site system servers . The default
1347

selection is Servers and Workstations. 7. Select whether you want automatic site-wide client push installation to install the System Center 2012 Configuration Manager client software on domain controllers. 8. On the Accounts tab, specify one or more accounts for System Center 2012 Configuration Manager to use when connecting to the computer to install the client software. Click the Create icon, enter the User name and Password, confirm the password, and then click OK. If you do not specify at least one client push installation account, System Center 2012 Configuration Manager tries to use the site system computer account. The account must have local administrator rights on every computer on which you want to install the client. Important The password for the client push installation account is limited to 38 characters or less. Note If you intend to use the client push installation method from a secondary site, the account must be specified at the secondary site that initiates the client push. For more information about the client push installation account, see the next procedure,To use the Client Push Installation Wizard. 9. On the Installation Properties tab, specify any installation properties to use when installing the System Center 2012 Configuration Manager client: For Configuration Manager with no service pack: You can specify only installation properties for the Windows Installer package (Client.msi) in this tab; you cannot specify properties for CCMSetup.exe. For Configuration Manager SP1: You can specify installation properties for the Windows Installer package (Client.msi) in this tab and the following CCMSetup.exe properties: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Client installation properties that are specified in this tab are published to Active Directory Domain Services if the schema is extended for System Center 2012 Configuration Manager and read by client installations where CCMSetup is run without installation properties. For more information about client installation properties, see About Client Installation Properties in Configuration Manager. Note If you enable client push installation on a secondary site, ensure that the SMSSITECODE property is set to the System Center 2012
1348

Configuration Manager site name of its parent primary site. If the Active Directory schema is extended for System Center 2012 Configuration Manager, you can also set this to AUTO to automatically find the correct site assignment. To use the Client Push Installation Wizard 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure automatic site-wide client push installation. 4. On the Home tab, in the Settings group, click Client Installation Settings, and then click Client Push Installation. 5. On the Installation Properties tab, specify any installation properties to use when installing the System Center 2012 Configuration Manager client: For Configuration Manager with no service pack: You can specify only installation properties for the Windows Installer package (Client.msi) in this tab; you cannot specify properties for CCMSetup.exe. For Configuration Manager SP1: You can specify installation properties for the Windows Installer package (Client.msi) in this tab and the following CCMSetup.exe properties: /forcereboot /skipprereq /logon /BITSPriority /downloadtimeout /forceinstall

Client installation properties that are specified in this tab are published to Active Directory Domain Services if the schema is extended for System Center 2012 Configuration Manager and read by client installations where CCMSetup is run without installation properties. For more information about client installation properties, see About Client Installation Properties in Configuration Manager. 6. In the Configuration Manager console, click Assets and Compliance. 7. In the Assets and Compliance workspace, select one or more computers, or a collection of computers. 8. On the Home tab, choose one of the following: If you want to install the client to a single computer or multiple computers, in the Device group, click Install Client. If you want to install the client to a collection of computers, in the Collection group, click Install Client.

9. On the Before You Begin page of the Install Client Wizard, review the information, and then click Next. 10. On the Installation options page, configure whether the client can be installed on
1349

domain controllers, whether the client will be reinstalled, upgraded, or repaired on computers with an existing client, and the name of the site that will install the client software. Click Next. 11. Review the installation settings, and then close the wizard. Note You can use the wizard to install clients even if the site is not configured for client push.

How to Install Configuration Manager Clients by Using Software Update-Based Installation

Software update-based client installation publishes the System Center 2012 Configuration Manager client to a software update point as an additional software update. This method of client installation can be used to install the System Center 2012 Configuration Manager client on computers that do not already have the client installed or to upgrade existing System Center 2012 Configuration Manager clients. If a computer has the System Center 2012 Configuration Manager client installed, Configuration Manager provides the client with the software update point server name and port from which to obtain software updates. This information is included in the client policy. Important To use software update-based installation, you must use the same Windows Server Update Services (WSUS) server for client installation and software updates. This server must be the active software update point in a primary site. For more information, see Configuring Software Updates in Configuration Manager. If a computer does not have the System Center 2012 Configuration Manager client installed, you must configure and assign a Group Policy Object (GPO) in Active Directory Domain Services to specify the software update point server name from which the computer will obtain software updates. You cannot add command-line properties to a software update-based client installation. If you have extended the Active Directory schema for System Center 2012 Configuration Manager, client computers automatically query Active Directory Domain Services for installation properties when they install. If you have not extended the Active Directory schema, you can use Group Policy to provision client installation settings to computers in your site. These settings are automatically applied to any software update-based client installations. For more information, see How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation) and How to Assign Clients to a Site in Configuration Manager. Use the following procedures to configure computers without a System Center 2012 Configuration Manager client to use the software update point for client installation and software

1350

updates, and to publish the System Center 2012 Configuration Manager client software to the software update point. To configure a Group Policy Object in Active Directory Domain Services to specify the software update point for client installation and software updates 1. Use the Group Policy Management Console to open a new or existing Group Policy Object. 2. In the console, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. 3. Open the properties of the setting Specify intranet Microsoft update service location, and then click Enabled. 4. In the box Set the intranet update service for detecting updates, specify the name of the software update point server that you want to use and the port. These must match exactly the server name format and the port being used by the software update point: If the Configuration Manager site system is configured to use a fully qualified domain name (FQDN), specify the server name by using FQDN format. If the Configuration Manager site system is not configured to use a fully qualified domain name (FQDN), specify the server name by using a short name format. Note To determine the port number that is being used by the software update point, see How to Determine the Port Settings Used by WSUS. Example: http://server1.contoso.com:8530 5. In the box Set the intranet statistics server, specify the name of the intranet statistics server that you want to use. There are no specific requirements for specifying this server. It does not have to be the same computer as the software update point server, and the format does not have to match if it is the same server. 6. Assign the Group Policy Object to the computers on which you want to install the Configuration Manager client and receive software updates. To publish the Configuration Manager client to the software update point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure software update-based client installation. 4. On the Home tab, in the Settings group, click Client Installation Settings, and then click Software Update-Based Client Installation. 5. In the Software Update Point Client Installation Properties dialog box, select Enable software update-based client installation to enable this client installation method. 6. If the client software on the System Center 2012 Configuration Manager site server is a later version than the client version stored on the software update point, the Later Version of Client Package Detected dialog box opens. Click Yes to publish the most
1351

recent version of the client software to the software update point. Note If the client software has not been previously published to the software update point, this box will be blank. 7. To finish configuring the software update point client installation, click OK. Note The software update for the Configuration Manager client is not automatically updated when there is a new version. If you upgrade the site, which includes a new client version, you must repeat this procedure and click Yes for step 6.

How to Install Configuration Manager Clients by Using Group Policy

You can use Group Policy in Active Directory Domain Services to publish or assign the System Center 2012 Configuration Manager client to install on computers in your enterprise. When you assign the Configuration Manager client to computers by using Group Policy, the client installs when the computer first starts. When you publish the System Center 2012 Configuration Manager client to users by using Group Policy, the client displays in the Control Panel Add or Remove Programs for the computer for the user to install. Use the Windows Installer package (CCMSetup.msi) for Group Policy-based installations. This file is found in the folder <ConfigMgr installation directory>\bin\i386 on the System Center 2012 Configuration Manager site server. You cannot add properties to this file to modify installation behavior: Important You must have Administrator permissions to the folder to access the client installation files. If the Active Directory schema is extended for System Center 2012 Configuration Manager and Publish this site in Active Directory Domain Services is selected in the Advanced tab of the Site Properties dialog box, client computers automatically search Active Directory Domain Services for installation properties. For more information about the installation properties that are published, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager. If the Active Directory schema has not been extended, you can use the following procedure in this topic to store installation properties in the registry of computers: How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation). These installation properties are then used when the System Center 2012 Configuration Manager client is installed.

For information about how to use Group Policy in Active Directory Domain Services to install software, refer to your Windows Server documentation.

1352

How to Install Configuration Manager Clients Manually

You can manually install the System Center 2012 Configuration Manager client software on computers in your enterprise by using the CCMSetup.exe program. This program and its supporting files can be found in the Client folder of the System Center 2012 Configuration Manager installation folder on the site server and on management points in your site. This folder is shared to the network as <Site Server Name>\SMS_<Site Code>\Client. Important You must have Administrator permissions to the folder to access the client installation files. CCMSetup.exe copies all necessary installation prerequisites to the client computer and calls the Windows Installer package (Client.msi) to perform the client installation. Important You cannot run Client.msi directly. You can specify command-line properties for both CCMSetup.exe and Client.msi to modify the behavior of the client installation. Make sure that you specify CCMSetup properties (the properties that begin with / ) before you specify Client.msi properties. For example, you could specify the following command line CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=AUTO FSP=SMSFP01 and the client installs by using the following properties:
Property Description

/mp:SMSMP01

This CCMSetup property specifies the management point SMSMP01 to download the required client installation files. This CCMSetup property specifies that the installation should stop if an existing System Center 2012 Configuration Manager or Configuration Manager 2007 client is found on the computer. This Client.msi property specifies that the client tries to locate the System Center 2012 Configuration Manager site code to use, for example, by using Active Directory Domain Services. This Client.msi property specifies that the fallback status point named SMSFP01 will be used to receive state messages sent from the client computer.
1353

/logon

SMSSITECODE=AUTO

FSP=SMSFP01

Examples for Installing Configuration Manager Clients Manually

In the following examples for Active Directory clients on the intranet, a management point is installed on a computer named MPSERVER, a fallback status point is installed on FSPSERVER, the site is named ABC, and the domain is contoso.com. All site system servers are configured with an intranet FQDN and the site is published to the clients Active Directory forest. On the client computer, you log on as a local administrator, map a drive to \\MPSERVER\SMS_ABC\Client, and then run one of the following commands. Example 1: CCMSetup.exe Note This example installs the client with no additional properties so that the client is automatically configured by using the client installation properties published to Active Directory Domain Services. For example, the client is automatically configured for the site code (requires the clients network location to be included in a boundary group that is configured for client assignment), a management point, the fallback status point, and whether the client must communicate by using HTTPS only. For more information about the client installation properties that can be automatically configured for Active Directory clients, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager. Example 2: CCMSetup.exe /MP:mpserver.contoso.com /UsePKICert SMSSITECODE=ABC CCMHOSTNAME=server05.contoso.com CCMFIRSTCERT=1 FSP=server06.constoso.com Note This example overrides the automatic configuration that Active Directory Domain Services can provide and does not require that the clients network location is included in a boundary group that is configured for client assignment. Instead, the installation specifies the site, an intranet management point and an Internet-based management point, a fallback status point that accepts connections from the Internet, and to use a client PKI certificate (if available) that has the longest validity period.

How to Install Configuration Manager Clients by Using Logon Scripts

System Center 2012 Configuration Manager supports logon scripts to install the System Center 2012 Configuration Manager client software. You can use the program file CCMSetup.exe in a logon script to trigger the client installation. Logon script installation uses the same methods as manual client installation. You can specify the /logon installation property for CCMSsetup.exe, which prevents the client from installing if any version of the client already exists on the computer. This prevents reinstallation of the client from taking place each time the logon script runs.
1354

If no installation source is specified that is using the /Source property and no management point from which to obtain installation is specified by using the /MP property, CCMSetup.exe can locate the management point by searching Active Directory Domain Services if the schema has been extended for System Center 2012 Configuration Manager and the site is published to Active Directory Domain Services. Alternatively, the client can use DNS or WINS to locate a management point.

How to Upgrade Configuration Manager Clients by Using a Package and Program

You can use Configuration Manager to create and deploy a package and program that upgrades the client software for selected computers in your hierarchy. A package definition file is supplied with Configuration Manager that populates the package properties with typically used values. You can customize the behavior of the client installation by specifying additional command line properties. You cannot upgrade Configuration Manager 2007 clients to System Center 2012 Configuration Manager by using this method. In this scenario, use automatic client upgrade, which automatically creates and deploys a package that contains the latest version of the client. For more information about how to migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, see Planning a Client Migration Strategy in System Center 2012 Configuration Manager. Use the following procedure to create a Configuration Manager package and program that you can deploy to System Center 2012 Configuration Manager client computers to upgrade the client software. To create a package and program for the client software 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. On the Home tab, in the Create group, click Create Package from Definition. 4. On the Package Definition page of the Create Package from Definition Wizard , select Microsoft from the Publisher drop-down list, select Configuration Manager Client Upgrade from the Package definition list, and then click Next. 5. On the Source Files page of the wizard, select Always obtain files from a source folder, and then click Next. 6. On the Source Folder page of the Create Package from Definition Wizard, select Network path (UNC Name) and enter the network path to the computer and folder that contains the Configuration Manager client installation files. Note The computer on which the Configuration Manager deployment runs must have access to the network folder that you specify. If the computer does not have
1355

access, the installation will fail. 7. Click Next and complete the wizard. 8. If you want to change any of the client installation properties, you can modify the CCMSetup.exe command line parameters on the General tab of the Configuration Manager agent silent upgrade Properties program dialog box. The default installation properties are /noservice SMSSITECODE=AUTO. 9. Distribute the package to all distribution points that you want to host the client upgrade package. You can then deploy the package to computer collections that contain System Center 2012 Configuration Manager clients that you want to upgrade.

How to Automatically Upgrade the Configuration Manager Client for the Hierarchy
You can configure Configuration Manager to automatically upgrade the client software to the latest System Center 2012 Configuration Manager client version when Configuration Manager identifies that a client that is assigned to the System Center 2012 Configuration Manager hierarchy is lower than the version used in the hierarchy. This scenario includes upgrading the Configuration Manager 2007 client to the latest System Center 2012 Configuration Manager client when it attempts to assign to a System Center 2012 Configuration Manager site. A client can be automatically upgraded in the following scenarios: The client version is lower that the version being used in the hierarchy. The client on the central administration site has a language pack installed and the existing client does not. A client prerequisite in the hierarchy is a different version than the one installed on the client. One or more of the client installation files are a different version.

Configuration Manager creates an upgrade package by default that is automatically sent to all distribution points in the hierarchy. If you make changes to the client package on the central administration site, for example, add a client language pack, Configuration Manager automatically updates the package, and distributes it to all distribution points in the hierarchy. If automatic client upgrade is enabled, every client will install the new client language package automatically. Note Configuration Manager does not automatically send the client upgrade package to Configuration Manager SP1 cloud-based distribution points. Automatic client upgrades are useful when you want to upgrade a small number of client computers that might have been missed by your main client installation method. For example, you have completed an initial client upgrade, but some clients were offline during the upgrade deployment. You then use this method to upgrade the client on these computers when they are next active. Note

1356

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The performance improvements in Configuration Manager SP1 let you use automatic client upgrades as the main method to upgrade clients. However, the performance of this method might be affected by the infrastructure of your hierarchy, such as the number of clients that you have. Use the following procedure to configure automatic client upgrade. Automatic client upgrade must be configured at a central administration site and this configuration applies to all clients in your hierarchy. To configure automatic client upgrades (Configuration Manager with no service pack) 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. In the Client Installation Settings tab of the Site Settings Properties dialog box, configure the following options: Upgrade client automatically when new client updates are available Enables or disables automatic client upgrades. Allow clients to use a fallback source location for content Allows clients to use a fallback source location to retrieve the client installation files. Do not run program when a client is within a slow or unreliable network boundary or when the client uses a fallback source location for content Select this option to ensure that clients do not retrieve client installation files from distribution points that are on a slow or unreliable network from the client location and only use distribution points that are in a boundary group with a fast connection. Automatically upgrade clients within days Specify the number of days in which client computers must upgrade the client after they receive client policy. The client will be upgraded at a random interval within this number of days. This prevents scenarios where a large number of client computers are upgraded simultaneously. Automatically upgrade clients that are this version or earlier Specify the minimum client version to upgrade on client computers. Note You can run the report Count of Configuration Manager clients by client versions in the report folder Site Client Information to identify the different versions of the Configuration Manager client in your hierarchy. 5. Click OK to save the settings and close the Site Settings Properties dialog box. Clients will receive these settings when they next download policy. To configure automatic client upgrades (Configuration Manager SP1) 1. In the Configuration Manager console, click Administration.

1357

2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. On the Home tab, in the Sites group, click Hierarchy Settings. 4. In the Automatic Client Upgrade tab of the Site Settings Properties dialog box, configure the following options: Upgrade client automatically when new client updates are available Enables or disables automatic client upgrades. Automatically upgrade clients within days Specify the number of days in which client computers must upgrade the client after they receive client policy. The client will be upgraded at a random interval within this number of days. This prevents scenarios where a large number of client computers are upgraded simultaneously. Automatically distribute client installation package to distribution points that are enabled for prestaged content You must enable this option if you want the client installation package to be copied to distribution points that have been enabled for prestaged content. Note You can run the report Count of Configuration Manager clients by client versions in the report folder Site Client Information to identify the different versions of the Configuration Manager client in your hierarchy. 5. Click OK to save the settings and close the Site Settings Properties dialog box. Clients receive these settings when they next download policy.

How to Install Configuration Manager Clients by Using Computer Imaging

You can preinstall the System Center 2012 Configuration Manager client software on a master image computer that will be used to build computers in your enterprise. To install the client on a master computer, do not specify a site code for the client. When computers are imaged from this master image, they will contain the System Center 2012 Configuration Manager client and must complete site assignment when installation is complete. Important The imaged computers cannot function as System Center 2012 Configuration Manager clients until the System Center 2012 Configuration Manager clients are assigned to a System Center 2012 Configuration Manager site. You must remove any computer-specific certificates that are installed on the master image computer. For example, if you use public key infrastructure (PKI) certificates, you must remove the certificates in the Personal store for Computer and User before you image the computer. If clients cannot query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If all imaged clients will be deployed in the same hierarchy as the master computer, leave the trusted root key in place. If the clients will be deployed in different hierarchies, remove the trusted root key and as a best
1358

practice, preprovision these clients with the new trusted root key. For more information, see Planning for the Trusted Root Key. To prepare the client computer for imaging 1. Manually install the System Center 2012 Configuration Manager client software on the master image computer. For more information, see How to Install Configuration Manager Clients Manually. Important Do not specify a System Center 2012 Configuration Manager site code for the client in the CCMSetup.exe command-line properties. 2. At a command prompt, type net stop ccmexec to ensure that the SMS Agent Host service (Ccmexec.exe) is not running on the master image computer. 3. Remove any certificates that are stored in the local computer store on the master image computer. 4. If the clients will be installed in a different System Center 2012 Configuration Manager hierarchy than the master image computer, remove the Trusted Root Key from the master image computer. 5. Use your imaging software to capture the image of the master computer. 6. Deploy the image to destination computers.

How to Install Configuration Manager Clients on Workgroup Computers

System Center 2012 Configuration Manager supports client installation for computers in workgroups. Install the client on workgroup computers by using the method specified in How to Install Configuration Manager Clients Manually. The following prerequisites must be met in order to install the System Center 2012 Configuration Manager client on workgroup computers: The client must be installed manually on each workgroup computer. During installation, the logged-on user must have local administrator rights on the workgroup computer. In order to access resources in the System Center 2012 Configuration Manager site server domain, the Network Access Account must be configured for the site. You specify this account as a software distribution component property. For more information, see Configuring Site Components in Configuration Manager. Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point. Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information. Active Directory discovery methods cannot discover computers in workgroups.
1359

There are a number of limitations to supporting workgroup computers:

You cannot deploy software to users of workgroup computers. You cannot use the client push installation method to install the client on workgroup computers. Workgroup clients cannot use Kerberos for authentication and so might require manual approval. A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain. To install the client on workgroup computers 1. Ensure that the computers on which you want to install the client meet the above prerequisites. 2. Follow the directions in the section How to Install Configuration Manager Clients Manually. Example 1: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=constoso.com Note This example installs the client for intranet client management and specifies the site code and DNS suffix to locate a management point. Example 2: CCMSetup.exe FSP=fspserver.constoso.com Note This example requires the client to be on a network location that is configured in a boundary group so that automatic site assignment can succeed. The command includes a fallback status point on server FSPSERVER, to help track client deployment and to identify any client communication issues.

How to Install Configuration Manager Clients for Internet-based Client Management

When the System Center 2012 Configuration Manager site supports Internet-based client management for clients that are sometimes on the intranet, and sometimes on the Internet, you have two options when you install clients on the intranet: You can include the Client.msi property of CCMHOSTNAME=<Internet FQDN of the Internetbased management point> when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site and cannot use automatic site assignment. The How to Install Configuration Manager Clients Manually section in this topic provides an example of this configuration method. You can install the client for intranet client management, and then assign an Internet-based client management point to the client by using the Configuration Manager client properties in Control Panel, or by using a script. When you use this method, you can use automatic client assignment. For more information, see the How to Configure Clients for Internet-based Client Management after Client Installation section in this topic.
1360

If you must install clients that are on the Internet either because they are Internet-only clients, or because you must install them before they come back into the intranet, choose one of the following supported methods: Provide a mechanism for these clients to temporarily connect to the intranet by using a virtual private network (VPN), and then install them by using any appropriate client installation method. Use an installation method that is independent from Configuration Manager, such as packaging the client installation source files onto removable media that you can send to users to install with instructions. The client installation source files are located in the <InstallationPath>\Client folder on the System Center 2012 Configuration Manager site server and management points. Include on the media a script to manually copy over the client folder and from this folder, install the client by using CCMSetup.exe and all the appropriate CCMSetup command-line properties. Note Configuration Manager does not support installing a client directly from the Internetbased management point or from the Internet-based software update point. Because clients that are managed over the Internet must communicate with Internet-based site systems, ensure that these clients also have public key infrastructure (PKI) certificates installed before you install them. You must install these certificates independently from System Center 2012 Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. To install clients on the Internet by specifying CCMSetup command-line properties 1. Follow the directions in the section How to Install Configuration Manager Clients Manually and always include the following: CCMSetup command-line property /source:<local path to the copied Client folder> CCMSetup command-line property /UsePKICert Client.msi property CCMHOSTNAME=<FQDN of Internet-based management point> Client.msi property SMSSIGNCERT=<local path to exported site server signing certificate> Client.msi property SMSSITECODE=<site code of Internet-based management point> Note If the site has more than one Internet-based management point, it does not matter which Internet-based management point you specify for the CCMHOSTNAME property. When a Configuration Manager client connects to the specified Internet-based management point, the management point sends the client a list of available Internet-based management points in the site, and the client selects one from the list. The selection is nondeterministic. 2. If you do not want the client to check the certificate revocation list (CRL), specify the CCMSetup command-line property /NoCRLCheck.
1361

3. If you are using an Internet-based fallback status point, specify the Client.msi property FSP=<Internet FQDN of the Internet-based fallback status point>. 4. If you are installing the client for Internet-only client management, specify the Client.msi property CCMALWAYSINF=1. 5. Verify whether you have to specify any additional CCMSetup command-line properties. For example, you might have to specify a certificate selection criteria if the client has more than one valid PKI certificate. For a list of available properties, see About Client Installation Properties in Configuration Manager. Example: CCMSetup.exe /source: D:\Clients /UsePKICert CCMHOSTNAME=server1.contoso.com SMSSIGNCERT=siteserver.cer SMSSITECODE=ABC FSP=server2.contoso.com CCMALWAYSINF=1 CCMFIRSTCERT=1 Note This example installs the client source files from a folder on the D drive with settings to use a client PKI certificate and select the certificate with the longest validity period for Internet-only client management, assigns the client to use the Internet-based management point named SERVER1 and the Internet-based fallback status point in the contoso.com domain, and assigns the client to the ABC site.

How to Configure Clients for Internet-based Client Management after Client Installation
To assign the Internet-based management point after the client is installed, use one of the following procedures. The first procedure requires manual configuration so it is appropriate for a few clients, whereas the second procedure is more appropriate if you have many clients to configure. To configure clients for Internet-based client management after client installation by assigning the Internet-based management point in Configuration Manager Properties 1. Navigate to Configuration Manager in the Control Panel of the client computer, and then double-click to open its properties. 2. On the Internet tab, enter the fully qualified domain name of the Internet-based management point in the Internet FQDN text box. Note The Internet tab is only available if the client has a client PKI certificate. 3. Enter proxy server settings if the client will access the Internet by using a proxy server. 4. Click OK. To configure clients for Internet-based client management after client installation by using a script
1362

1. Open a text editor, such as Notepad. 2. Copy and insert the following into the file: on error resume next

' Create variables. Dim newInternetBasedManagementPointFQDN Dim client

newInternetBasedManagementPointFQDN = "mp.contoso.com"

' Create the client COM object. Set client = CreateObject ("Microsoft.SMS.Client")

' Set the Internet-Based Management Point FQDN by calling the SetCurrentManagementPoint method. client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN

' Clear variables. Set client = Nothing Set internetBasedManagementPointFQDN = Nothing

3. Replace mp.contoso.com with the Internet FQDN of your Internet-based management point. Note If you have to delete a specified Internet-based management point so that the client is not configured to use an Internet-based management point, remove the value inside the quotation marks so that this line becomes newInternetBasedManagementPointFQDN = "". 4. Save the file with a .vbs extension. 5. Use cscript to run the script on client computers, by using one of the following methods: Deploy the file to existing Configuration Manager clients by using a package and a program. Run the file locally on existing Configuration Manager clients by double-clicking the
1363

script file in Windows Explorer. You might have to restart the client for the new setting in this script to take effect.

How to Provision Client Installation Properties (Group Policy and Software Update-Based Client Installation)
You can use Windows Group Policy to provision computers in your enterprise with System Center 2012 Configuration Manager client installation properties. These properties are stored in the registry of the computer and read when the client software is installed. This procedure would not normally be required for System Center 2012 Configuration Manager. However, this might be required for some client installation scenarios, such as the following: You are using the Group Policy settings or software update-based client installation methods, and you have not extended the Active Directory schema for System Center 2012 Configuration Manager. You want to override client installation properties on specific computers. Note If any installation properties are supplied on the CCMSetup.exe command line, installation properties provisioned on computers will not be used. A Group Policy administrative template named ConfigMgrInstallation.adm is supplied on the System Center 2012 Configuration Manager installation media, which can be used to provision client computers with installation properties. Use the following procedure to configure and assign this template to computers in your organization. To configure and assign client installation properties by using a Group Policy Object 1. Import the administrative template ConfigMgrInstallation.adm into a new or existing Group Policy Object, by using an editor such as Windows Group Policy Object Editor. Note This file can be found in the folder TOOLS\ConfigMgrADMTemplates on the System Center 2012 Configuration Manager installation media. 2. Open the properties of the imported setting Configure Client Deployment Settings. 3. Click Enabled. 4. In the CCMSetup box, enter the required CCMSetup command-line properties. For a list of all CCMSetup command-line properties and examples of their use, see About Client Installation Properties in Configuration Manager. 5. Assign the Group Policy Object to the computers that you want to provision with System Center 2012 Configuration Manager client installation properties. For information about Windows Group Policy, refer to your Windows Server documentation.

1364

See Also
Configuring Client Deployment in Configuration Manager

How to Assign Clients to a Site in Configuration Manager

After a System Center 2012 Configuration Manager client is installed, it must join a System Center 2012 Configuration Manager primary site before it can be managed. The site that a client joins is referred to as its assigned site. Clients cannot be assigned to a central administration site or to a secondary site. The assignment process occurs after the client is successfully installed and determines which site manages the client computer. When you install the mobile device client during Configuration Manager enrollment, this process always automatically assigns the mobile device to a site. When you install the client on a computer, you can also assign the client to a site or you can just install the client without assigning it to a site. However, when the client is installed but not assigned, the client is unmanaged until site assignment is successful. For more information about how to install a client on computers, see How to Install Clients on Windows-Based Computers in Configuration Manager. To assign a client computer, you can either directly assign the client to a site, or you can use automatic site assignment where the client automatically finds an appropriate site based on its current network location or a fallback site that has been configured for the hierarchy. After the client is assigned to a site, it remains assigned to that site, even if the client changes its IP address and roams to another site. Only an administrator can later manually assign the client to another site or remove the client assignment. Warning An exception to a client remaining assigned to a site is if you assign the client on a Windows Embedded device when the write filters are enabled. If you do not first disable write filters before you assign the client, the site assignment status of the client reverts to its original state when the device next restarts. For example, if the client is configured for automatic site assignment, it will reassign on startup and might be assigned to a different site. If the client is not configured for automatic site assignment but requires manual site assignment, you must manually reassign the client after startup before you can manage this client again by using Configuration Manager. To avoid this behavior, disable the write filters before you assign the client on embedded devices, and then enable the write filters after you have verified that site assignment was successful. If the client fails to assign to a site, the client software remains installed, but will be unmanaged.
1365

Note A client is considered unmanaged when it is installed but not assigned to a site, or is assigned to a site but cannot communicate with a management point. If you reassign an Intel AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information, and then provision the computer again in the new site. Until you do this, you cannot manage the computer out of band in the new site. In this scenario, the AMT Status displays Detected. For more information, see Reassigning AMT-Based Computers to Another Configuration Manager Site. Use the following sections for more information about client site assignment: Using Manual Site Assignment for Computers Using Automatic Site Assignment for Computers Completing Site Assignment by Checking Site Compatibility Locating Management Points Downloading Site Settings Verifying Site Assignment Roaming to Other Sites Whats New in Configuration Manager

Using Manual Site Assignment for Computers

You can manually assign client computers to a site by using the following two methods: Use a client installation property that specifies the site code. In Control Panel, in Configuration Manager, specify the site code. Note If you manually assign a client computer to a System Center 2012 Configuration Manager site code that does not exist, the site assignment fails. The client remains installed but unmanaged until it is assigned to a valid System Center 2012 Configuration Manager site.

Using Automatic Site Assignment for Computers

Automatic site assignment can occur during client deployment, or when you click Find Site in the Advanced tab of the Configuration Manager Properties in the Control Panel. The Configuration Manager client compares its own network location with the boundaries that are configured in the System Center 2012 Configuration Manager hierarchy. When the network location of the client falls within a boundary group that is enabled for site assignment, or the hierarchy is configured for a fallback site, the client is automatically assigned to that site without your having to specify a site code. You can configure boundaries by using one or more of the following: IP subnet
1366

Active Directory site IP v6 prefix IP address range Note If a System Center 2012 Configuration Manager client has multiple network adapters (possibly a LAN network adapter and a dial-up modem), and therefore has multiple IP addresses, the IP address used to an evaluate client site assignment is nondeterministic.

For information about how to configure boundary groups for site assignment and how to configure a fallback site for automatic site assignment, see the Create and Configure Boundary Groups for Configuration Manager section in the Configuring Boundaries and Boundary Groups in Configuration Manager. System Center 2012 Configuration Manager clients that use automatic site assignment attempt to find site boundary groups that are published to Active Directory Domain Services. If this method fails (for example, the Active Directory schema is not extended for System Center 2012 Configuration Manager, or clients are workgroup computers), clients can find boundary group information from a management point. You can specify a management point for client computers to use when they are installed, or clients can locate a management point by using DNS publishing or WINS. If the client cannot find a site that is associated with a boundary group that contains its network location, and the hierarchy does not have a fallback site, the client retries every 10 minutes until it can be assigned to a site. System Center 2012 Configuration Manager client computers cannot be automatically assigned to a site if any of the following scenarios apply, and instead, they must be manually assigned: They are currently assigned to a site. They are on the Internet or configured as Internet-only clients. Their network location does not fall within one of the configured boundary groups in the Configuration Manager hierarchy, and there is no fallback site for the hierarchy.

Completing Site Assignment by Checking Site Compatibility

After a client has found its assigned site, the version and operating system of the client is checked to ensure that a System Center 2012 Configuration Manager site can manage it. For example, System Center 2012 Configuration Manager cannot manage Configuration Manager 2007 clients or clients that are running Windows 2000. Whereas site assignment fails if you assign a client that runs Windows 2000 to a System Center 2012 Configuration Manager site, when you assign a Configuration Manager 2007 client to a System Center 2012 Configuration Manager, site assignment succeeds to support automatic client upgrade. However, until the Configuration Manager 2007 client is upgraded to a

1367

System Center 2012 Configuration Manager client, Configuration Manager cannot manage this client by using client settings, applications, or software updates. Note To support the site assignment of a Configuration Manager 2007 client to a System Center 2012 Configuration Manager site, you must configure automatic client upgrade for the hierarchy. For more information, see the How to Automatically Upgrade the Configuration Manager Client procedure in the How to Install Clients on WindowsBased Computers in Configuration Manager topic. Configuration Manager also checks that you have assigned the System Center 2012 Configuration Manager client to a site that supports the Configuration Manager client version, as shown in the following table. These scenarios might occur during a migration period when you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager.
Assignment scenario Assignment outcome

You have used automatic site assignment and your System Center 2012 Configuration Manager boundaries overlap with Configuration Manager 2007 boundaries.

The client automatically tries to find a System Center 2012 Configuration Manager site. The client first checks Active Directory Domain Services and if it finds a System Center 2012 Configuration Manager site published, site assignment succeeds. If this is not successful (for example, the System Center 2012 Configuration Manager sites is not published or the computer is a workgroup client), the client then checks for site information from its assigned management point. Note You can assign a management point to the client during client installation by using the Client.msi property SMSMP=<server_name>. If both these methods fail, site assignment fails and you must manually assign the client.

You have assigned the System Center 2012 Configuration Manager client by using a specific site code rather than automatic site assignment, and mistakenly specified a site code for a Configuration Manager 2007 site.

Site assignment fails and you must manually reassign the client to a System Center 2012 Configuration Manager site.

The site compatibility check requires one of the following conditions:

1368

The client can access site information published to Active Directory Domain Services. The client can communicate with a management point in the site.

If the site compatibility check fails to finish successfully, the site assignment fails, and the client remains unmanaged until the site compatibility check finishes successfully when it is run again. The exception to performing the site compatibility check occurs when a client is configured for an Internet-based management point. In this scenario, no site compatibility check is made. If you are assigning clients to a site that contains Internet-based site systems, and you specify an Internetbased management point, ensure that you are assigning the client to the correct site. If you mistakenly assign the client to a Configuration Manager 2007 site or to a System Center 2012 Configuration Manager site that does not have Internet-based site system roles, the client will be unmanaged.

Locating Management Points

After a client is successfully assigned to a site, it locates a management point in the site. Client computers download a list of management points in the site that they can connect to. This process happens whenever the client restarts, every 25 hours, and if the client detects a network change, such as the computer disconnects and reconnects on the network or it receives a new IP address. The list includes management points on the intranet and whether they accept client connections over HTTP or HTTPS. When the client computer is on the Internet and the client doesnt yet have a list of management points, it connects to the specified Internet -based management point to obtain a list of management points. When the client has a list of management points for its assigned site, it then selects one to connect to: When the client is on the intranet and it has a valid PKI certificate that it can use, the client chooses HTTPS management points before HTTP management points. It then locates the closest management point, based on its forest membership. When the client is on the Internet, it non-deterministically chooses one of the Internet-based management points.

Mobile device clients that are enrolled by Configuration Manager only connect to one management point in their assigned site and never connect to management points in secondary sites. These clients always connect over HTTPS and the management point must be configured to accept client connections over the Internet. When there is more than one management point for mobile device clients in the primary site, Configuration Manager non-deterministically chooses one of these management points during assignment and the mobile device client continues to use the same management point. When the client has downloaded client policy from a management point in the site, the client is then a managed client.

Downloading Site Settings

After site assignment succeeds, and the client has found a management point, a client computer that uses Active Directory Domain Services for its site compatibility check downloads client1369

related site settings for its assigned site. These settings include the client certificate selection criteria, whether to use a certificate revocation list, and the client request port numbers. The client continues to check these settings on a periodic basis. When client computers cannot obtain site settings from Active Directory Domain Services, they download them from their management point. Client computers can also obtain the site settings when they are installed by using client push, or you specify them manually by using CCMSetup.exe and client installation properties. For more information about the client installation properties, see About Client Installation Properties in Configuration Manager.

Downloading Client Settings

All clients download the default client settings policy and any applicable custom client settings policy. Software Center relies on these client configuration policies for Windows computers and will notify users that Software Center cannot run successfully until this configuration information is downloaded. Depending on the client settings that are configured, the initial download of client settings might take a while, and some client management tasks might not run until this process is complete.

Verifying Site Assignment

You can verify that site assignment is successful by using any of the following methods: For clients on Windows computers, use Configuration Manager in the Control Panel and verify that the site code is correctly displayed on the Site tab. For client computers, in the Assets and Compliance workspace, use the Devices node to verify that the computer displays Yes for the Client column and the correct primary site code for the Site Code column. For mobile device clients, in the Assets and Compliance workspace, use the All Mobile Devices collection to verify that the mobile device displays Yes for the Client column and the correct primary site code for the Site Code column. Use the reports for client assignment and mobile device enrollment. For client computers, use the LocationServices.log file on the client.

Roaming to Other Sites

When client computers on the intranet are assigned to a primary site but change their network location so that it falls within a boundary group that is configured for another site, they have roamed to another site. When this site is a secondary site for their assigned site, clients can use a management point in the secondary to download client policy and upload client data, which avoids sending this data over a potentially slow network. However, if these clients roam into the boundaries for another primary site or a secondary that is not a child site of their assigned site, these clients always use a management point in their assigned site to download client policy and to upload data to their site.
1370

These client computers that roam to other sites (all primary sites and all secondary sites) can always use management points in other sites for content location requests. Management points in the current site can give clients a list of distribution points that have the content that clients request. For client computers that are configured for Internet-only client management, and for Mac computers and mobile devices that are enrolled by Configuration Manager, these clients only communicate with management points in their assigned site. These clients never communicate with management points in secondary sites or with management points in other primary sites.

Whats New in Configuration Manager

The following have changed for site assignment since Configuration Manager 2007: For automatic site assignment to succeed with boundary information, the boundary must be configured in a boundary group that is configured for site assignment. In Configuration Manager 2007, automatic site assignment would fail if the client was not in a specified boundary. New in System Center 2012 Configuration Manager, if you specify a fallback site (an optional setting for the hierarchy) and the clients network location is not in a boundary group, automatic site assignment succeeds, and the client is assigned to the specified fallback site. Clients can now download site settings from the management point after they have assigned to the site if they cannot locate these settings from Active Directory Domain Services. Although clients continue to download policy and upload client data to management points in their assigned site or in a secondary site that is a child site of their assigned site, all clients that are configured for intranet client management can now use any management point in the hierarchy for content location requests. There is no longer a requirement to extend the Active Directory schema to support this capability, and there is no longer a concept of regional and global roaming. DNS publishing no longer requires you to configure a DNS suffix on the client if there is a management point published to DNS in the same domain as the client. In this scenario, automatic site assignment works by default when you publish to DNS at least one management point, even if this management point is in a different Configuration Manager site to the clients final assigned site.

Whats New in System Center 2012 R2 Configuration Manager

You can now reassign Configuration Manager clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multiselected and reassigned in bulk to a new site.

See Also
Configuring Client Deployment in Configuration Manager
1371

How to Install Clients on Mac Computers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Client installation and management for Mac computers in System Center 2012 Configuration Manager requires public key infrastructure (PKI) certificates. Configuration Manager can request and install a user client certificate by using Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. Or, you can request and install a computer certificate independently from Configuration Manager if the certificate meets the requirements for Configuration Manager. PKI certificates secure the communication between the Mac computers and the Configuration Manager site by using mutual authentication and encrypted data transfers. Important Configuration Manager Mac clients always perform certificate revocation checking; unlike Configuration Manager clients that run on Windows, you cannot disable this certificate revocation list (CRL) checking function. If Mac clients cannot confirm the certificate revocation status for a server certificate because they cannot locate the CRL, they will not be able to successfully connect to Configuration Manager site systems, such as management points and distribution points. Especially for Mac clients in a different forest to the issuing certification authority, check your CRL design to ensure that Mac clients can locate and connect to a CRL distribution point (CDP) for connecting site system servers. Before you install the Configuration Manager client on a Mac computer, decide how to install the client certificate: Use Configuration Manager enrollment by using the CMEnroll tool and follow the steps in the next section of this topic. The enrollment process does not support automatic certificate renewal so you must re-enroll Mac computers before the installed certificate expires. Use a certificate request and installation method that is independent from Configuration Manager. For this installation method, see the Use a Certificate Request and Installation Method that is Independent from Configuration Manager section in this topic. Note For more information about the Mac client certificate requirement and other PKI certificates that are required to support Mac computers, see PKI Certificate Requirements for Configuration Manager. Mac clients are automatically assigned to the Configuration Manager site that manages them. Mac clients install as Internet-only clients, even if communication is restricted to the intranet. This client configuration means that they will communicate with the site system roles (management
1372

points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. Mac computers do not communicate with site system roles outside their assigned site. Use the following sections to install, configure, and manage Mac computers for Configuration Manager: Steps to Install and Configure the Client for Mac Computers Supplemental Procedures to Install and Configure the Client for Mac Computers Steps to Upgrade the Client for Mac Computers Use a Certificate Request and Installation Method that is Independent from Configuration Manager

Steps to Install and Configure the Client for Mac Computers

Use the following table for the steps, details, and more information about how to install and configure the client for Mac computers. Important Before you perform these steps, make sure that your Mac computer meets the prerequisites listed in the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic.
Steps Details More information

Step 1: Deploy a web server certificate to site system servers.

These site systems might already have this certificate for other Configuration Manager clients. If not, deploy a web server certificate to the following computers that hold the following site system roles: Management point Distribution point Enrollment point Enrollment proxy point Important The web server certificate must contain the Internet FQDN that is specified in the site system properties.

For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Important Make sure that you specify the site systems Internet FQDN value in the web server certificate
1373

Steps

Details

More information

This does not mean that the server must be accessible from the Internet to support Mac computers. If you do not require Internet-based client management, you can specify the intranet FQDN value for the Internet FQDN. Step 2: Deploy a client authentication certificate to site system servers. These site systems might already have this certificate for Configuration Manager functionality. If not, deploy a client authentication certificate to the following computers that hold the following site system roles: Management point Distribution point

for the management point, the distribution point, and the enrollment proxy point.

For an example deployment that creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the Client Certificate for Distribution Points section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 3: Prepare the client certificate template for Mac computers. Note To run the Configuration

The certificate template must have Read and Enroll permissions for the user account that will enroll the certificate on the Mac computer.

See the Deploying the Client Certificate for Mac Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager:
1374

Steps

Details

More information

Manager enrollment tool, you must have an Active Directory user account. Step 4: Configure the management point and distribution point. Configure management points for the following options: HTTPS Allow client connections from the Internet Note This configuration value is required to manage Mac computers. However, it does not mean that site system servers must be accessible from the Internet. Allow mobile devices and Mac computers to use this management point

Windows Server 2008 Certification Authority topic.

See the following procedure in this topic: Step 4: Configuring Management Points and Distribution Points to support Mac Computers.

Although distribution points are not required to install the client on Mac computers, you must configure distribution points to allow client connections from the Internet if you want to deploy software to these Mac computers after the Configuration Manager client is installed. Step 5: Configure the You must install both these site enrollment proxy point and the system roles in the same site enrollment point. but you do not have to install them on the same site system server, or in the same Active Directory forest. For more information about site system role placement and considerations, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in
1375

Steps

Details

More information

Configuration Manager topic. To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 5: Installing and Configuring the Enrollment Site Systems. Step 6: Optional: Install the reporting services point Install the reporting services point if you want to run reports for Mac computers. For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager. For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 7: Configuring the Client Settings for Enrollment. Step 8: Download the client source files for Mac clients. Download the installation files See the following procedure and then install them on the Mac in this topic: Step 8: computer. Download and Install the Mac Client Files. When you use Configuration Manager enrollment, you must first install the client by using the Ccmsetup application, and then enroll the client certificate by using the CMEnroll tool. See the following procedure in this topic: Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer.

Step 7: Configure client settings for enrollment.

You must use the default client settings to configure enrollment for Mac computers; you cannot use custom client settings.

Step 9: Install the client and then enroll the client certificate on the Mac computer.

Supplemental Procedures to Install and Configure the Client for Mac Computers
Use the following information when the steps in the preceding table require supplemental procedures.
1376

Step 4: Configuring Management Points and Distribution Points to support Mac Computers
This procedure configures existing management points and distribution points to support Mac computers. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. If these site system servers will not support Internet-based client management, you can specify the intranet FQDN as the Internet FQDN value. In addition, these site system roles must be in a primary site. To configure management points and distribution points to support Mac computers 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that holds the site system roles to configure. 3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet. c. Select Allow mobile devices and Mac computers to use this management point . 4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK: Select HTTPS. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet. Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with Mac computers.

Step 5: Installing and Configuring the Enrollment Site Systems

These procedures configure the site system roles to support Mac computers. Choose one of these procedures, depending on whether you will install a new site system server to support Mac computers or use an existing site system server: To install and configure the enrollment site systems: New site system server To install and configure the enrollment site systems: Existing site system server

1377

To install and configure the enrollment site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify a value for the Internet FQDN, even if the site system server will not be accessible from the Internet. If you do not have an Internet FQDN because the site system server will not be accessible from the Internet, you can specify the intranet FQDN value as the Internet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard. To install and configure the enrollment site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify a value for the Internet FQDN, even if the site system server will not be accessible from the Internet. If you do not have an Internet FQDN because the site system server will not be accessible from the Internet, you can specify the intranet FQDN value as the Internet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.
1378

7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard.

Step 7: Configuring the Client Settings for Enrollment

This step is required for Configuration Manager to request and install the certificate on the Mac computer. To configure the default client settings for Configuration Manager to enroll certificates for Mac computers 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. Important You cannot use a custom client setting for the enrollment configuration; you must use the default client settings. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Enrollment section, and then configure the following user settings: a. Allow users to enroll mobile devices and Mac computers: Yes b. Enrollment profile: Click Set Profile. 6. In the Mobile Device Enrollment Profile dialog box, click Create. 7. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager SP1 primary site that contains the management points that will manage the Mac computers. Note If you cannot select the site, check that at least one management point in the site is configured to support mobile devices. 8. Click Add. 9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK. 10. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3, and then click OK. 11. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box. Tip If you want to change the client policy interval, use the Client policy polling interval client setting in the Client Policy client setting group. All users will be configured with these settings when they next download client policy. To
1379

initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic. In addition to the enrollment client settings, ensure that you have configured the following Configuration Manager client device settings: Hardware inventory: Enable and configure this client setting if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to Configure Hardware Inventory in Configuration Manager. Compliance settings: Enable and configure this client setting if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Configuring Compliance Settings in Configuration Manager. Note For more information about Configuration Manager client settings, see How to Configure Client Settings in Configuration Manager.

Step 8: Download and Install the Mac Client Files

You must download and install the following programs before you can install and manage the Configuration Manager client on Mac computers: Ccmsetup: Use this application to install the Configuration Manager client on Mac computers in your organization. CMDiagnostics: Use this tool to collect diagnostic information related to the Configuration Manager client on Mac computers in your organization. CMUninstall: Use this tool to uninstall the Configuration Manager client from Mac computers in your organization. CMAppUtil: Use this tool to convert Apple application packages into a format that can be deployed as a Configuration Manager application. CMEnroll: Use this tool to request and install the client certificate for a Mac computer so that you can then install the Configuration Manager client.

These programs are contained in a Windows Installer file named ConfigmgrMacClient.msi. This file is not supplied on the Configuration Manager installation media. You can download this file from the Microsoft Download Center for Configuration Manager SP1, and the Microsoft Download Center for System Center 2012 R2 Configuration Manager. To download and install the Mac OS X client files 1. Download the Mac OS X client file package, ConfigmgrMacClient.msi from the Microsoft Download Center, and save this file to a computer that runs Windows. 2. On the Windows computer, run the ConfigmgrMacClient.msi file that you just downloaded to extract the Mac client package, Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client\). 3. Copy the Macclient.dmg file to a folder on the Mac computer. 4. On the Mac computer, run the Macclient.dmg file that you just downloaded to extract the
1380

files to a folder on the local disk. 5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.

Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer
This procedure installs the client and then uses the CMEnroll tool to request and install the client certificate for a Mac computer so that you can then manage this computer by using Configuration Manager. For System Center 2012 R2 Configuration Manager only: You can enroll the client by using the Mac Computer Enrollment wizard without having to use the CMEnroll tool. For more information, see the procedure below. To install the client and enroll the certificate by using the CMEnroll tool 1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file that you downloaded from the Microsoft Download Center. 2. Enter the following command-line: sudo ./ccmsetup 3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart now but continue to the next step. 4. From the Tools folder on the Mac computer, type the following: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'> Note In System Center 2012 R2 Configuration Manager, after the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. To enroll the client by this method, see To enroll the client by using the Mac Computer Enrollment Wizard (System Center 2012 R2 Configuration Manager only) in this topic. You are then prompted to type the password for the Active Directory user account. Important When you enter this command, you are actually prompted for two passwords: The first prompt is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence. The user name can be in the following formats: 'domain\name. For example: 'contoso\mnorth' 'user@domain'. For example: '[email protected]'

The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate
1381

template. Example: If the enrollment proxy point server is named server02.contoso.com, and a user name of contoso\mnorth has been granted permissions for the Mac client certificate template, type the following: sudo ./CMEnroll -s server02.contoso.com ignorecertchainvalidation -u 'contoso\mnorth' Note For a more seamless user experience, you can script the installation steps and commands so that users only have to supply their user name and password. 5. Wait until you see the Successfully enrolled message. 6. For Configuration Manager SP1 only: To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes: a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access b. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys. c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, select Confirm before allowing access. e. Browse to /Library/Application Support/Microsoft/CCM , select CCMClient, and then click Add. f. Click Save Changes and close the Keychain Access dialog box. 7. Restart the Mac computer. Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client. Tip To help troubleshoot any problems with the Mac client, you can use the CMDiagnostics program that is included with the Mac OS X client package to collect the following diagnostic information: A list of running processes The Mac OS X operating system version Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash. The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation. The contents of the folder /Library/Application Support/Microsoft/CCM/Logs. The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<date and time>.zip.
1382

To enroll the client by using the Mac Computer Enrollment Wizard (System Center 2012 R2 Configuration Manager only) 1. After you have finished installing the client the Computer Enrollment wizard opens. Click Next to continue past the welcome page. Note If the wizard does not open, or if you accidentally close the wizard, click Enroll from the Configuration Manager preference page to open the wizard. 2. On the next page of the wizard, specify the following information: User name - The user name can be in the following formats: 'domain\name. For example: 'contoso\mnorth' 'user@domain'. For example: '[email protected]' Important When you use an email address to populate the User name field, Configuration Manager automatically uses the domain name of the email address and the default name of the enrollment proxy point server to populate the Server name field. If this domain name and server name do not match the name of the enrollment proxy point server, you must advise your users of the correct name to use, so that they can enter this when enrolling their Mac computers. The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template. Password Enter a corresponding password for the user name specified. Server name Enter the name of the enrollment proxy point server.

3. Click Next to continue, and then complete the wizard. Uninstalling the Mac Client If you want to uninstall the Mac client, use the CMUninstall script that is provided with the Mac client files you downloaded from the web. Use the following procedure to help you uninstall the Configuration Manager client from Mac computers. To uninstall the Mac client 1. On a Mac computer, open a terminal window and navigate to the folder where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 2. Navigate to the Tools folder and enter the following command-line: ./CMUninstall -c Note
1383

The c property instructs the client uninstall to also remove and client crash logs and log files. This is optional, but a best practice to help avoid confusion if you later reinstall the client. 3. If required, manually remove the client authentication certificate that Configuration Manager was using, or revoke it. CMUnistall does not remove or revoke this certificate. Renewing the Mac Client Certificate Use one of the following methods to renew the Mac client certificate: Renewing the Mac Client Certificate by Using the Renew Certificate Wizard (System Center 2012 R2 Configuration Manager only) Renewing the Mac Client Certificate Manually

Renewing the Mac Client Certificate by Using the Renew Certificate Wizard (System Center 2012 R2 Configuration Manager only) Use the following procedure to configure and use the Renew Certificate Wizard in System Center 2012 R2 Configuration Manager. To renew the Mac client certificate by Using the Renew Certificate Wizard 1. Configure the following values in the ccmclient.plist file that control when the Renew Certificate Wizard opens: Important You must configure these values as strings. If you configure the values as integer data types (by using the int property), they will not be read. RenewalPeriod1 Specifies, in seconds, the first renewal period in which users can renew the certificate. The default value is 3,888,000 seconds (45 days). Note If RenewalPeriod1 is configured and is greater than or equal to 300 seconds, the configured value will be used. If the configured value is greater than 0 and less than 300 seconds, the default value of 45 days will be used. RenewalPeriod2 Specifies, in seconds, the second renewal period in which users can renew the certificate. The default value is 259,200 seconds (3 days). Note If RenewalPeriod2 is configured and is greater than or equal to 300 seconds and is less than or equal to RenewalPeriod1, the configured value will be used. If RenewalPeriod1 is greater than 3 days, a value of 3 days will be used for RenewalPeriod2. If RenewalPeriod1 is less than 3 days, then RenewalPeriod2 is set to the same value as RenewalPeriod1. RenewalReminderInterval1 Specifies, in seconds, the frequency at which the Renew Certificate Wizard will be displayed to users during the first renewal period. The default value is 86,400 seconds (1 day).

1384

Note If RenewalReminderInterval1 is greater than 300 seconds and less than the value configured for RenewalPeriod1, then the configured value will be used. Otherwise, the default value of 1 day will be used. RenewalReminderInterval2 Specifies, in seconds the frequency at which the Renew Certificate Wizard will be displayed to users during the second renewal period. The default value is 28,800 seconds (8 hours). Note If RenewalReminderInterval2 is greater than 300 seconds, less than or equal to RenewalReminderInterval1 and less than or equal to RenewalPeriod2, then the configured value will be used. Otherwise, a value of 8 hours will be used. Example: If the values are left as their defaults, 45 days before the certificate expires, the wizard will open every 24 hours. Within 3 days of the certificate expiring, the wizard will open every 8 hours. Example: Use the following command line, or a script, to set the first renewal period to 20 days.
sudo defaults write com.microsoft.ccmclient RenewalPeriod1 1728000

2. When the Renew Certificate Wizard opens, the User name and Server name fields will typically be pre-populated and the user will only need to enter a password to renew the certificate. Note If the wizard does not open, or if you accidentally close the wizard, click Renew from the Configuration Manager preference page to open the wizard. Renewing the Mac Client Certificate Manually A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically renew the user certificate that it requests during enrollment, so you must use the following procedure to renew the certificate manually. Important If the certificate expires, you must uninstall, reinstall and then re-enroll the Mac client. This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer. After the new certificate is requested, it is automatically used by Configuration Manager. Important When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console. To renew the Mac client certificate manually
1385

1. Create a device collection for the Mac computers that must renew the user certificates, and then add the Mac computers to the collection. Warning Configuration Manager does not monitor the validity period of the certificate that it enrolls for Mac computers. You must monitor this independently from Configuration Manager to identify the Mac computers to add to this collection. 2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard. 3. On the General page of the wizard, specify the following information: Name: Remove SMSID for Mac Type: Mac OS X

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected. 5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information: Name: Remove SMSID for Mac Setting type: Script Data type: String

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured. 7. In the Edit Discovery Script dialog box, enter the following Shell Script: defaults read com.microsoft.ccmclient SMSID 8. Click OK to close the Edit Discovery Script dialog box. 9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers. 10. In the Create Remediation Script dialog box, enter the following Shell Script: defaults delete com.microsoft.ccmclient SMSID 11. Click OK to close the Create Remediation Script dialog box. 12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information: Name: Remove SMSID for Mac Selected setting: Click Browse and then select the discovery script that you specified previously. In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist. Enable the option Run the specified remediation script when this setting is noncompliant.

13. Complete the Create Configuration Item Wizard. 14. Create a configuration baseline that contains the configuration item that you have just
1386

created and deploy this to the device collection that you created in step 1. For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager. 15. On Mac computers that have the SMSID removed, run the following command to install a new certificate: sudo ./CMEnroll -s <enrollment_proxy_server_name> ignorecertchainvalidation -u <'user name'> When prompted, provide the password for the super user account to run the command and then the password for the Active Directory user account. 16. For Configuration Manager SP1 only: To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes: a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access b. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys. c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, select Confirm before allowing access. e. Browse to /Library/Application Support/Microsoft/CCM , select CCMClient, and then click Add. f. Click Save Changes and close the Keychain Access dialog box. 17. Restart the Mac computer.

Steps to Upgrade the Client for Mac Computers

For System Center 2012 R2 Configuration Manager only: Use the following table for the steps, details, and more information about how to upgrade the client for Mac computers by using a Configuration Manager application. Alternatively, you can also download the Mac client installation file, copy it to a shared network location or a local folder on the Mac computer and then instruct users to run the installation manually. Note Before you perform these steps, make sure that your Mac computer meets the prerequisites listed in the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic.
Steps Details More Information

Step 1: Download the latest Mac client installation file

The Mac client for Configuration Manager is not supplied on the

For more information, see the Microsoft Download

1387

Steps

Details

More Information

from the Microsoft Download Center

Configuration Manager installation media and must be downloaded from the Microsoft Download Center. The Mac client installation files are contained in a Windows Installer file named ConfigmgrMacClient.msi. On a computer that runs Windows, run the ConfigmgrMacClient.msi that you downloaded to unpack the Mac client installation file, named Macclient.dmg. This file can be found, by default, in the C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client folder on the Windows computer after you have unpacked the files.

Center.

Step 2: Run the downloaded installation file to create the Mac client installation file.

No additional information.

Step 3: Extract the client installation files.

Copy the Macclient.dmg file to a No additional information. network share, or a local folder on a Mac computer. Then, from the Mac computer, mount and then open the Macclient.dmg file and copy the files to a folder on the Mac computer. Use the CMAppUtil tool (found in the Tools folder of the Mac client installation files) to create a .cmmac file from the client installation package. This file will be used to create the Configuration Manager application. Copy the new file CMClient.pkg.cmmac file to a location that is available to the computer that is running the Configuration Manager console. For more information, see the Step 1: Prepare Mac Applications for Configuration Manager section in the How to Create and Deploy Applications for Mac Computers in Configuration Manager topic.

Step 4: Create a .cmmac file that can be used to create an application.

Step 5: Create and deploy a In the Configuration Manager

For more information, see

1388

Steps

Details

More Information

Configuration Manager application containing the Mac client files.

console, create an application from the CMClient.pkg.cmmac file that contains the client installation files. Deploy this application to Mac computers in your hierarchy.

How to Create and Deploy Applications for Mac Computers in Configuration Manager.

Step 6: Users install the latest client.

Users of Mac clients will be prompted that an update to the Configuration Manager client is available and must be installed. After users install the client, they must restart their Mac computer.

After the computer restarts, the Computer Enrollment wizard automatically runs to request a new user certificate. If you do not use Configuration Manager enrollment but install the client certificate independently from Configuration Manager, see Upgrading the Client in the Use a Certificate Request and Installation Method that is Independent from Configuration Manager section of this topic.

Use a Certificate Request and Installation Method that is Independent from Configuration Manager
When you do not use Configuration Manager enrollment but instead, request and install the client certificate independently from Configuration Manager, the configuration steps are slightly different: 1. Perform steps 1, 2, 4, 6 (optional), and 8. 2. Do not perform steps 3, 5, 7, and 9. 3. Install the client by using the following instructions. To install the client certificate independently from Configuration Manager and install the client 1. To install the client certificate independently from Configuration Manager, use the instructions that accompany your chosen certificate deployment method to request and install the client certificate on the Mac computer. 2. To make sure that this certificate is accessible to Configuration Manager, on the Mac
1389

computer, open a terminal window and make the following changes: a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access b. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys. c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, select Confirm before allowing access. e. Browse to /Library/Application Support/Microsoft/CCM , select CCMClient, and then click Add. f. Click Save Changes and close the Keychain Access dialog box. 3. Navigate to the folder where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 4. Enter the following command-line: sudo ./ccmsetup MP <management point Internet FQDN> -SubjectName <certificate subject value> Important The certificate subject value is case-sensitive, so type it exactly as it appears in the certificate details. Example: If the Internet FQDN in the site system properties is server03.contoso.com and the Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject, type: sudo ./ccmsetup MP server03.contoso.com SubjectName mac12.contoso.com 5. Wait until you see the Completed installation message and then restart the Mac computer.

6. If you have more than one certificate that contains the same subject value, you must specify the certificate serial number to identify the certificate that you want to use for the Configuration Manager client. To do this, use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>". For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data "17D4391A00000003DB" 7. To limit this certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes: a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access b. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys. c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.

d. On the Access Control tab, select Confirm before allowing access. e. Browse to /Library/Application Support/Microsoft/CCM , select CCMClient, and then click Add.
1390

f.

Click Save Changes and close the Keychain Access dialog box.

Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client.

Renewing the Mac Client Certificate

Use the following procedure before you renew the computer certificate on Mac computers. This procedure removes the SMSID, which is required for the client to use a new or renewed certificate on the Mac computer. Important When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console. To renew the Mac client certificate 1. Create a device collection for the Mac computers that must renew the computer certificates, and then add the Mac computers to the collection. 2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard. 3. On the General page of the wizard, specify the following information: Name: Remove SMSID for Mac Type: Mac OS X

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected. 5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information: Name: Remove SMSID for Mac Setting type: Script Data type: String

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured. 7. In the Edit Discovery Script dialog box, enter the following Shell Script: defaults read com.microsoft.ccmclient SMSID 8. Click OK to close the Edit Discovery Script dialog box. 9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers. 10. In the Create Remediation Script dialog box, enter the following Shell Script: defaults delete com.microsoft.ccmclient SMSID

1391

11. Click OK to close the Create Remediation Script dialog box. 12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information: Name: Remove SMSID for Mac Selected setting: Click Browse and then select the discovery script that you specified previously. In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist. Enable the option Run the specified remediation script when this setting is noncompliant.

13. Complete the Create Configuration Item Wizard. 14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1. For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager. 15. After you have installed a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate: sudo defaults write com.microsoft.ccmclient SubjectName string <Subject_Name_of_New_Certificate> 16. If you have more than one certificate that contains the same subject value, you must then specify the certificate serial number to identify the certificate that you want to use for the Configuration Manager client. To do this, use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>". For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data "17D4391A00000003DB" 17. Restart the Mac computer.

Upgrading the Client

For System Center 2012 R2 Configuration Manager only: Follow the Steps to Upgrade the Client for Mac Computers. After you upgrade the client, run the following procedure to prevent the Computer Enrollment Wizard from running and to configure the upgraded client to use an existing client certificate. To configure the upgraded client to use an existing certificate 1. In the Configuration Manager console, create a configuration item of the type Mac OS X. 2. Add a setting to this configuration item with the setting type Script. 3. Add the following script to the setting: #!/bin/sh
1392

echo "Starting script\n" echo "Changing directory to MAC Client\n" cd /Users/Administrator/Desktop/'MAC Client'/ echo "Import root cert\n" /usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/Root.pfx -A -k /Library/Keychains/System.Keychain -P ROOT echo "Using openssl to convert pfx to a crt\n" /usr/bin/sudo openssl pkcs12 -in /Users/Administrator/Desktop/'MAC Client'/Root.pfx -out Root1.crt -nokeys -clcerts -passin pass:ROOT echo "Adding trust to root cert\n" /usr/bin/sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.Keychain Root1.crt echo "Import client cert\n" /usr/bin/sudo /usr/bin/security import /Users/Administrator/Desktop/'MAC Client'/MacClient.pfx -A -k /Library/Keychains/System.Keychain -P MAC echo "Executing ccmclient with MP\n" sudo ./ccmsetup -MP https://SCCM34387.SCCM34387DOM.NET/omadm/cimhandler.ashx echo "Editing Plist file\n" sudo /usr/libexec/Plistbuddy -c 'Add:SubjectName string CMMAC003L' /Library/'Application Support'/Microsoft/CCM/ccmclient.plist echo "Changing directory to CCM\n" cd /Library/'Application Support'/Microsoft/CCM/ echo "Making connection to the server\n" sudo open ./CCMClient echo "Ending Script\n" exit

4. Add the configuration item to a configuration baseline, and then deploy the configuration baseline to all Mac computers that install a certificate independently from Configuration Manager.
1393

For more information about how to create and deploy configuration items for Mac computers, see How to Create Mac Computer Configuration Items in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager.

See Also
Configuring Client Deployment in Configuration Manager

How to Install Clients on Linux and UNIX Computers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Before you can manage a Linux or UNIX server with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX on each Linux or UNIX computer. You can accomplish the installation of the client manually on each computer, or use a shell script that installs the client remotely. Configuration Manager does not support the use of client push installation for Linux or UNIX servers. Optionally you can configure a Runbook for System Center 2012 Orchestrator to automate the install of the client on the Linux or UNIX server. Regardless of the installation method you use, the install process requires the use of a script named install to manage the install process. This script is included when you download the Client for Linux and UNIX. The install script for the Configuration Manager client for Linux and UNIX supports command line properties. Some command line properties are required, while others are optional. For example, when you install the client, you must specify a management point from the site that is used by the Linux or UNIX server for its initial contact with the site. For the complete list of command line properties, see Command Line Properties for Installing the Client on Linux and UNIX Servers. After you install the client, you specify Client Settings in the Configuration Manager console to configure the client agent in the same way you would windows-based clients. For more information, see the Client Settings for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic. Use the following sections to help you install the client for Linux and UNIX: About Client Installation Packages and the Universal Agent Install the Client on Linux and UNIX Servers To install the Configuration Manager Client on Linux and UNIX servers Command Line Properties for Installing the Client on Linux and UNIX Servers Upgrade the Client on Linux and UNIX Servers Uninstalling the Client from Linux and UNIX Servers
1394

Configure Request Ports for the Client for Linux and UNIX Configure the Client for Linux and UNIX to Locate Management Points

About Client Installation Packages and the Universal Agent

To install the client for Linux and UNIX on a specific platform, you must use the applicable client installation package for the computer where you install the client. Applicable client installation packages are included as part of each client download from the Microsoft Download Center. In addition to client installation packages, the client download includes the install script that manages the installation of the client on each computer. Prior to cumulative update 1, each operating system and platform requires the use of an operating system and platform specific client installation package. The operating system and platform are identified in the name of each client installation package. Beginning with cumulative update 1, the installation packages from the Universal Agent replace the separate client installation packages for several Linux operating systems. However, not all supported operating systems are supported by the Universal Agent. Versions of Linux that are not supported by the Universal Agent and all versions of UNIX continue to require the use of client installation packages that are specific to each operating system and platform.

When you install a client, you can use the same process and command line properties regardless of the client installation package you use. For information about the operating systems, platforms, and client installation packages that are supported by each release of the Configuration Manager client for Linux and UNIX, see the Client Requirements for Linux and UNIX Servers section in the Supported Configurations for Configuration Manager topic.

Install the Client on Linux and UNIX Servers

To install the client for Linux and UNIX, you run a script on each Linux or UNIX computer. The script is named install and supports command line properties that modify the installation behavior and reference the client installation package. The install script and client installation package must be located on the client. The client installation package contains the Configuration Manager client files for a specific Linux or UNIX operating system and platform. Each client installation package contains all the necessary files to complete the client installation and unlike Windows-based computers, does not download additional files from a management point or other source location. After you install the Configuration Manager client for Linux and UNIX, you do not need to reboot the computer. As soon as the software installation is complete, the client is operational. If you reboot the computer, the Configuration Manager client restarts automatically. The installed client runs with root credentials. Root credentials are required to collect hardware inventory and perform software deployments.
1395

Following is the command format: ./install -mp <computer> -sitecode <sitecode> <property #1> <property #2> <client installation package>
Command line Actions

./install mp smsmp.contoso.com -sitecode S01 ccm-Universal-x64.<build>.tar

install is the name of the script file that installs the client for Linux and UNIX. This file is provided with the client software. -mp smsmp.contoso.com specifies the initial management point that is used by the client. -sitecode S01 specifies the client is assigned to the site with the site code of S01. ccm-Universal-x64.<build>.tar is the name of the client installation .tar package for this computer operating system, version, and CPU architecture.

You can insert additional command line properties before the command line property that specifies the client installation .tar file. The client installation .tar file must be specified last. For a list of command line options, see Command Line Properties for Installing the Client on Linux and UNIX Servers. Use the following procedure as an example of how to install the client for Linux and UNIX. Note The following example procedure installs the client from the cumulative update 1 release of the client for Linux and UNIX on a Red Hat Enterprise Linux 5 (RHEL5) x64 computer. To adjust this procedure for the operating systems that you use, replace the client installation file (ccm-Universal-x64.<build>.tar) with the applicable package for the computer where you are installing the client. Also plan to use additional command line properties to meet your requirements. To install the Configuration Manager Client on Linux and UNIX servers 1. Copy the install script and the client installation .tar file to a folder on the RHEL 5 x64 based computer. 2. On the RHEL5 computer, run the following command to enable the script to run as a program: chmod +x install Important You must use root credentials to install the client. 3. Next, run the following command to install the Configuration Manager client: ./install mp <hostname> -sitecode <code> ccm-Universal-x64.<build>.tar
1396

When you enter this command, use additional command-line properties you require. 4. After the script runs, validate the install by reviewing the /var/opt/microsoft/scxcm.log file. Additionally, you can confirm that the client is installed and communicating with the site by viewing details for the client in the Devices node of the Assets and Compliance workspace in the Configuration Manager console.

Command Line Properties for Installing the Client on Linux and UNIX Servers
When you install the client for Linux and UNIX on a Linux or UNIX computer, you run the install script with command-line properties that specify the following: The clients assigned site. The management point with which the client initially communicates The client installation .tar file for the computers operating system Additional configurations you require

The properties described in the following table are available to modify the installation behavior. Note Use the property -h to display this list of supported properties.
Property Required or optional More information

-mp <server FQDN>

Required

Specifies by FQDN, the management point server that the client will use as an initial point of contact. Important This property does not specify the management point to which the client will become assigned after installation. Note When you use the -mp property to specify a management point that is configured to accept only HTTPS client connections, you must also use the UsePKICert property.
1397

Property

Required or optional

More information

Specify the management point by FQDN. -sitecode <sitecode> Required Specifies the Configuration Manager primary site to assign the Configuration Manager client to. Example: -sitecode S01 -fsp <server_FQDN> Optional Note Beginning with cumulative update 1, the Configuration Manager client for Linux and UNIX supports the use of fallback status points. Specifies by FQDN, the fallback status point server that the client uses to submit state messages. For more information about the fallback status point, see the Determine Whether You Require a Fallback Status Point section in the Determine the Site System Roles for Client Deployment in Configuration Manager topic. -dir <directory> Optional Specifies an alternate location to install the Configuration Manager client files. By default, the client installs to the following location: /opt/microsoft. -nostart Optional Prevents the automatic start of the Configuration Manager client service, ccmexec.bin, after the client installation completes. After the client installs, you must start the client service manually. By default, the client service starts after the client installation
1398

Property

Required or optional

More information

completes, and each time the computer restarts. -clean Optional Specifies the removal of all client files and data from a previously installed client for Linux and UNIX, before the new installation starts. This removes the clients database and certificate store. Specifies that the local client database is retained, and reused when you reinstall a client. By default, when you reinstall a client this database is deleted. Specifies the full path and file name to a X.509 PKI certificate in the Public Key Certificate Standard (PKCS#12) format. This certificate is used for client authentication. When you use -UsePKICert, you must also supply the password associated with the PKCS#12 file by use of the certpw command line parameter. If the certificate is not valid, or cannot be found, the client falls back to use HTTP and a selfsigned certificate. If you do not use this property to specify a PKI certificate, the client uses a self-signed certificate and all communications to site systems are over HTTP. Note You must specify this property when you install a client and use
1399

-keepdb

Optional

-UsePKICert <parameter>

Optional

Property

Required or optional

More information

the -mp property to specify a management point that is configured to accept only HTTPS client connections. Example: -UsePKICert <Full path and filename> -certpw <password> -certpw <parameter> Optional Specifies the password associated with the PKCS#12 file that you specified by use of the -UsePKICert property. Example: -UsePKICert <Full path and filename> -certpw <password> -NoCRLCheck Optional Specifies that a client should not check the certificate revocation list (CRL) when it communicates over HTTPS by use of a PKI certificate. When this option is not specified, the client checks the CRL before establishing an HTTPS connection by use of PKI certificates. For more information about client CRL checking, see Planning for PKI Certificate Revocation. Example: -UsePKICert <Full path and filename> -certpw <password> -NoCRLCheck -rootkeypath <file location> Optional Specifies the full path and file name to the Configuration Manager trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: -rootkeypath <Full
1400

Property

Required or optional

More information

path and filename> -httpport Optional Specifies the port that is configured on management points that the client uses when communicating to management points over HTTP. If the port is not specified, the default value of 80 is used. Example: -httpport 80 -httpsport Optional Specifies the port that is configured on management points that the client uses when communicating to management points over HTTPS. If the port is not specified, the default value of 443 is used. Example: -UsePKICert <Full path and certificate name> httpsport 443 -ignoreSHA256validation Optional Specifies that client installation skips SHA-256 validation. Use this option when installing the client on operating systems that did not release with a version of OpenSSL that supports SHA256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic. Specifies the full path and .cer file name of the exported selfsigned certificate on the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name
1401

-signcertpath <file location>

Optional

Property

Required or optional

More information

Site Server Signing Certificate. This certificate is used by the client for all HTTP and HTTPS communications with management points and distribution points. Example: -signcertpath=<Full path and file name> -rootcerts Optional If multiple root certificates exist in the Configuration Manager environment, you can specify additional root certificates that the client might need to validate site system servers. Example: -rootcerts=<Full path and file name>,<Full path and file name>

Upgrade the Client on Linux and UNIX Servers

You can upgrade the version of the client for Linux and UNIX on a computer to a newer client version without first uninstalling the current client. To do so, install the new client installation package on the computer while using the -keepdb command line property. When the client for Linux and UNIX installs, it overwrites existing client data with the new client files. However, the keepdb command line property directs the install process to retain the clients unique identifier (GUID), local database of information, and certificate store. This information is then used by the new client installation. For example, you have a RHEL5 x64 computer that runs the client from the original release of the Configuration Manager client for Linux and UNIX. To upgrade this client to the client version from cumulative update 1, you manually run the install script to install the applicable client package from cumulative update 1, with the addition of the keepdb command line switch. The command line you use resembles the following: ./install mp <hostname> -sitecode <code> -keepdb ccm-Universal-x64.<build>.tar

How to use a Software Deployment to Upgrade the Client on Linux and UNIX Servers
You can use a software deployment to upgrade the client for Linux and UNIX to a new client version. However, the Configuration Manager client cannot directly run the installation script to install the new client because the installation of a new client must first uninstall the current client.
1402

This would end the Configuration Manager client process that runs the installation script before the installation of the new client begins. To successfully use a software deployment to install the new client, you must schedule the installation to start at a future time and to be run by the operating systems built-in scheduling capabilities. To accomplish this, use a software deployment to first copy the files for the new client installation package to the client computer, and then deploy and run a script to schedule the client installation process. The script uses the operating systems built-in at command to delay its start. Then, when the script runs, its operation is managed by the client operating system and not the Configuration Manager client on the computer. This allows the command line called by the script to first uninstall the Configuration Manager client and then install the new client, completing the process of upgrade of the client on the Linux or UNIX computer. After the upgrade completes, the upgraded client remains managed by Configuration Manager. Use the following procedure to help you configure a software deployment to upgrade the client for Linux and UNIX. The following steps and examples upgrade a RHEL5 x64 computer that runs the initial release of the client to the cumulative update 1 client version. To use a software deployment to upgrade the client on Linux and UNIX servers 1. Copy the new client installation package file to the computer that runs the Configuration Manager client that you plan to upgrade. For example, you might place the client installation package and install script for cumulative update 1 in the following location on the client computer: /tmp/PATCH 2. Create a script to manage the upgrade of the Configuration Manager client, and then place a copy of the script in the same folder on the client computer as the client installation files from step 1. The script does not require a specific name, but must contain command lines sufficient to use the client installation files from a local folder on the client computer, and to install the client installation package by using the keepdb command line property. You use the keepdb command line property to maintain the unique identifier of the current client for use by the new client you are installing. For example, you create a script named upgrade.sh that contains the following lines, and then copy it to the /tmp/PATCH folder on the client computer: #!/bin/sh # /tmp/PATCH/install -sitecode <code> -mp <hostname> -keepdb /tmp/PATCH/ccm-Universal-x64.<build>.tar 3. Use software deployment to have each client use the computers built-in at command to run the upgrade.sh script with a short delay before the script runs. For example, use the following command line to run the script: at f /tmp/upgrade.sh m now + 5 minutes
1403

After the client successfully schedules the upgrade.sh script to run, the client submits a status message indicating the software deployment completed successfully. However, the actual client installation is then managed by the computer, after the delay. After the client upgrade completes, validate the install by reviewing the /var/opt/microsoft/scxcm.log file on the client computer. Additionally, you can confirm that the client is installed and communicating with the site by viewing details for the client in the Devices node of the Assets and Compliance workspace in the Configuration Manager console.

Uninstalling the Client from Linux and UNIX Servers

To uninstall the Configuration Manager client for Linux and UNIX you use the uninstall utility, uninstall. By default, this file is located in the /opt/microsoft/configmgr/bin/ folder on the client computer. This uninstall command does not support any command line parameters and will remove all files related to the client software from the server. To uninstall the client, use the following command line: /opt/microsoft/configmgr/bin/uninstall You do not have to reboot the computer after you uninstall the Configuration Manager client for Linux and UNIX.

Configure Request Ports for the Client for Linux and UNIX
Similar to Windows-based clients, the Configuration Manager client for Linux and UNIX uses HTTP and HTTPS to communicate with Configuration Manager site systems. The ports that the Configuration Manager client uses to communicate are referred to as a request ports. When you install the Configuration Manager client for Linux and UNIX, you can change the clients default request ports by specifying the -httpport and -httpsport installation properties. When you do not specify the installation property and a custom value, the client uses the default values. The default values are 80 for HTTP traffic and 443 for HTTPS traffic. After you install the client, you cannot change its request port configuration. Instead, to change the port configuration you must reinstall the client and specify the new port configuration. When you reinstall the client to change the request port numbers, run the install command similar to the new client install, but use the additional command line property of -keepdb. This switch instructs the installation to retain the client database and files including the clients GUID and certificate store. For more information about client communication port numbers, see How to Configure Client Communication Port Numbers in Configuration Manager.

1404

Configure the Client for Linux and UNIX to Locate Management Points
When you install the Configuration Manager client for Linux and UNIX, you must specify a management point to use as an initial point of contact. The Configuration Manager client for Linux and UNIX contacts this management point at the time the client installs. If the client fails to contact the management point, the client software continues to retry until successful. For more information about how clients locate management points, see the section Locating Management Points section in the How to Assign Clients to a Site in Configuration Manager topic.

How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager
When you enroll mobile devices by using System Center 2012 Configuration Manager, this action installs the System Center 2012 Configuration Manager client to provide management capabilities that include hardware inventory, software deployment for required applications, settings, and remote wipe. Mobile device clients are automatically assigned to the Configuration Manager site that enrolls them. These mobile device clients install as Internet-only clients, which means that they will communicate with the site system roles (management points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. They do not communicate with site system roles outside their assigned site. To enroll these mobile devices, you must use Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. During and after enrollment, public key infrastructure (PKI) certificates secure the communication between the mobile device and the Configuration Manager site. When the certificate on the mobile device is due for renewal, users are automatically prompted to renew their certificate. When they confirm the prompt, Configuration Manager automatically re-enrolls their mobile device. Note If you no longer want a mobile device to be enrolled for System Center 2012 Configuration Manager, you must wipe the mobile device. You can also block the client from communicating with the Configuration Manager hierarchy. If you remove the enrollment site system roles, any mobile devices that were enrolled continue to be managed by Configuration Manager, unless they are wiped. Use the following steps and the supplemental procedures to install the client and enroll mobile devices in Configuration Manager. After you complete these steps, you can monitor the mobile

1405

devices that are enrolled by viewing the collections that display mobile devices, and by using the reports for mobile devices. To manage the settings for these mobile devices, create mobile device configuration items and deploy them in a configuration baseline. For more information, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

Steps to Install the Client and Enroll Mobile Devices

Use the following table for the steps, details, and more information about how to install the client and enroll mobile devices. Important Before you perform these steps, make sure that you have all the prerequisites to install and enroll clients on mobile devices. For more information, see Prerequisites for Windows Client Deployment in Configuration Manager.
Steps Details More information

Step 1: Deploy a web server certificate to site system servers.

Deploy a web server certificate to the computers that host the following site system roles: Management point Distribution point Enrollment point Enrollment proxy point

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. Important Make sure that you specify the Internet FQDN in the web server certificate for the management point, the distribution point, and the enrollment proxy
1406

Additionally, if you want to allow users to wipe their own mobile devices, configure Internet Information Services (IIS) with a web server certificate on the computers that host the Application Catalog website point and the Application Catalog web service point. Important The web server certificate must contain the Internet FQDN that is specified in the site

Steps

Details

More information

system properties. Step 2: Deploy a client authentication certificate to site system servers. Deploy a client authentication certificate to the following computers that host the following site system roles: Management point Distribution point

point. For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment that creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Step 3: Create and issue a certificate template for mobile device enrollment.

The certificate template must have Read and Enroll permissions for the users that have mobile devices to enroll.

See the Deploying the Enrollment Certificate for Mobile Devices section in the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about how to create a DNS alias, consult your DNS documentation.

Step 4: Optional but recommended: Configure automatic discovery for the enrollment service.

Create a DNS alias (CNAME record) named configmgrenroll that references the site system server on which you will install the enrollment proxy point.

1407

Steps

Details

More information

Step 5: Configure the management point and distribution point.

Configure management points for the following options: HTTPS Allow client connections from the Internet Allow mobile devices

See the following procedure in this topic: Step 5: Configuring Management Points and Distribution Points for Mobile Devices.

Although distribution points are not required during the enrollment process, you must configure them to allow client connections from the Internet if you want to deploy software to these mobile devices after they are enrolled by Configuration Manager. Step 6: Configure the enrollment proxy point and the enrollment point. You must install both these site system roles in the same site but you do not have to install them on the same site system server, or in the same Active Directory forest. For more information about site system role placement and considerations, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 6: Installing and Configuring the Enrollment Site Systems. Step 7: Optional: Install the Application Catalog web service point and the Application Catalog website point. Step 8: Optional: Install the reporting services point. Install the Application Catalog web service point and the Application Catalog website point if you want to allow users to wipe their own mobile devices. Install the reporting services point if you want to run reports for mobile devices. For more information about how to install and configure these site system roles, see Configuring the Application Catalog and Software Center in Configuration Manager. For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager.
1408

Steps

Details

More information

Step 9: Configure client settings for mobile device enrollment.

Configure the default client settings if you want all users to be able to enroll mobile devices. Or, as a best practice, configure custom client settings to restrict the users who can enroll mobile devices. If required, change the default values for the client polling schedule and hardware inventory client settings.

For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 9: Configuring the Client Settings for Mobile Device Enrollment. See the following procedure in this topic: Step 10: Enrolling Mobile Devices.

Step 10: Enroll mobile devices.

Use the web browser on the mobile device to start enrollment.

Supplemental Procedures to Install the Client and Enroll Mobile Devices

Use the following information when the steps in the preceding table require supplemental procedures.

Step 5: Configuring Management Points and Distribution Points for Mobile Devices
This procedure configures existing management points and distribution points to support mobile devices that are enrolled by Configuration Manager. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. In addition, these site system roles must be in a primary site. To configure management points and distribution points for mobile devices 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that hosts the site system roles to configure. 3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the
1409

site system properties. c. Select Allow mobile devices to use this management point (Configuration Manager with no service pack) or Allow mobile devices and Mac computers to use this management point (Configuration Manager SP1).

4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK: a. Select HTTPS. b. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties. c. Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with mobile devices.

Step 6: Installing and Configuring the Enrollment Site Systems

These procedures configure the site system roles for mobile device enrollment. Choose one of these procedures, depending on whether you will install a new site system server for mobile device enrollment or use an existing site system server: To install and configure the enrollment site systems: New site system server To install and configure the enrollment site systems: Existing site system server To install and configure the enrollment site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.
1410

8. Complete the wizard. To install and configure the enrollment site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for mobile device enrollment. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Important Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mobile devices that are enrolled by Configuration Manager always connect to the Internet FQDN, even when they are on the intranet. 5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next. 6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next. 7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next. 8. Complete the wizard.

Step 9: Configuring the Client Settings for Mobile Device Enrollment

The first procedure in this step configures the default client settings for mobile device enrollment and will apply to all users in hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains users who you will allow to enroll their mobile devices. The second procedure in this step configures the default client settings for the mobile device polling interval and hardware inventory to apply to all mobile devices in the hierarchy that Configuration Manager enrolls. The hardware inventory settings also apply to client computers. If you want these settings to apply to only mobile devices or to selected mobile devices, create a custom device setting and assign it to a collection that contains the enrolled mobile devices that you want to configure with these settings. For more information about how to create custom client settings, see How to Create and Assign Custom Client Settings. To configure the default client settings for mobile device enrollment 1. In the Configuration Manager console, click Administration.
1411

2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Mobile Devices (Configuration Manager with no service pack) or Enrollment (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) section, and then configure the following user settings: For Configuration Manager with no service pack: i. ii. i. ii. Allow users to enroll mobile devices: True Mobile device enrollment profile: Click Set Profile. Allow users to enroll mobile devices and Mac computers: Yes Enrollment profile: Click Set Profile.

For Configuration Manager SP1 and System Center 2012 R2 Configuration Manager:

6. In the Mobile Device Enrollment Profile dialog box or Enrollment Profile, click Create. 7. In the dialog box, enter a name for this mobile device enrollment profile, and then configure the Management site code. Select the System Center 2012 Configuration Manager primary site that contains the management points that will manage these mobile devices. Note If you cannot select the site, check that at least one management point in the site is configured to support mobile devices. 8. Click Add. 9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to mobile devices, and then click OK. 10. In the Create Mobile Device Enrollment Profile dialog box (Configuration Manager with no service pack) or Create Enrollment Profile dialog box (Configuration Manager SP1), select the mobile device certificate template that you created in Step 3, and then click OK. 11. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box. Devices will be configured with these user settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic. To configure the default client settings for the mobile device polling interval and hardware inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings.
1412

4. On the Home tab, in the Properties group, click Properties. 5. To configure the client polling interval: For Configuration Manager with no service pack: Select the Mobile Devices section, and configure the device setting for the polling interval. For Configuration Manager SP1: Select the Client Policy section, and configure the device setting for the client policy polling interval.

6. Select the Hardware Inventory section, and then configure the following device settings that apply to mobile devices that are enrolled by Configuration Manager: a. Enable hardware inventory on clients b. Hardware inventory schedule c. Hardware inventory classes Note For more information about hardware inventory, see Hardware Inventory in Configuration Manager 7. Click OK to close the Default Client Settings dialog box.

Step 10: Enrolling Mobile Devices

This procedure installs the Configuration Manager client on a mobile device, requests and installs a certificate for the mobile device, and assigns the client to the enrollment site in Configuration Manager. To enroll mobile devices To install the client and enroll a mobile device, open a web browser on the mobile device, and then type the following, where the FQDN is the Internet FQDN of a site system server that runs the enrollment proxy point: https://<FQDN>/EnrollmentServer Note You can provide this hyperlink to users in an email message or on a web page. If you have created the DNS alias of configmgrenroll, you can use this in your link instead of the server name. The benefit of using the alias in the link is that if the server changes, you must only update DNS rather than the link that you provided to users, and when you have more than one enrollment proxy server, DNS round robin provides some fault tolerance and load balancing. The mobile device enrollment process prompts to enter a company email address and password. These credentials are required to authenticate the user to Active Directory Domain Services, which then authorizes the user to access the mobile device enrollment certificate template. Tip If the user does not have a company email account that is integrated with Active Directory Domain Services (for example, in a test environment), you can enter
1413

the UPN for the email address (or use domain\user name) format, and enter the password for the Active Directory account. However, the initial page does not accept the domain\user name format. To use this format, enter any value that is in the [email protected] format, wait for this to fail the validation check, and then you can use the domain\user name format. To verify that enrollment succeeded, update and view the collections that display mobile devices in the Assets and Compliance workspace, and view the reports for mobile devices.

See Also
Configuring Client Deployment in Configuration Manager

How to Configure Client Status in Configuration Manager

Before you can monitor System Center 2012 Configuration Manager client status and remediate problems that are found, you must configure your site to specify the parameters that are used to mark clients as inactive and configure options to alert you if client activity falls below a specified threshold. You can also disable computers from automatically remediating any problems that client status finds. Use the procedures in this topic to help you configure client status in System Center 2012 Configuration Manager. To Configure Client Status To Configure the Schedule for Client Status To Configure Alerts for Client Status To Exclude Computers from Automatic Remediation To Configure Client Status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Client Status, then, in the Home tab, in the Client Status group, click Client Status Settings. 3. In the Client Status Settings Properties dialog box, specify the following values to determine client activity: Note If none of the settings are met, the client will be marked as inactive. Client policy requests during the following days: Specify the number of days since a client requested policy. The default value is 7 days. Heartbeat discovery during the following days: Specify the number of days since the client computer sent a heartbeat discovery record to the site database. The
1414

default value is 7 days. Hardware inventory during the following days: Specify the number of days since the client computer has sent a hardware inventory record to the site database. The default value is 7 days. Software inventory during the following days: Specify the number of days since the client computer has sent a software inventory record to the site database. The default value is 7 days. Status messages during the following days: Specify the number of days since the client computer has sent status messages to the site database. The default value is 7 days.

4. In the Client Status Settings Properties dialog box, specify the following value to determine how long client status history data is retained: Retain client status history for the following number of days: Specify how long you want the client status history to remain in the site database. The default value is 31 days.

5. Click OK to save the properties and to close the Client Status Settings Properties dialog box. To Configure the Schedule for Client Status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Client Status, then, in the Home tab, in the Client Status group, click Schedule Client Status Update. 3. In the Schedule Client Status Update dialog box, configure the interval at which you want client status to update and then click OK. Note When you change the schedule for client status updates, the update will not take effect until the next scheduled client status update (for the previously configured schedule). To Configure Alerts for Client Status 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure alerts and then, in the Home tab, in the Properties group, click Properties. Note You cannot configure alerts for user collections. 4. On the Alerts tab of the <Collection Name> Properties dialog box, click Add. Note The Alerts tab is only visible if the security role you are associated with has
1415

permissions for alerts. 5. In the Add New Collection Alerts dialog box, choose the alerts that you want generated when client status thresholds fall below a specific value, then click OK. 6. In the Conditions list of the Alerts tab, select each client status alert and then specify the following information. Alert Name Accept the default name or enter a new name for the alert. Alert Severity From the drop-down list, choose the alert level that will be displayed in the Configuration Manager console. Raise alert Specify the threshold percentage for the alert.

7. Click OK to close the <Collection Name> Properties dialog box. To Exclude Computers from Automatic Remediation 1. Open the registry editor on the client computer for which you want to disable automatic remediation. Warning If you use the Registry Editor incorrectly, you might cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk. 2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\CCM\CcmEval\NotifyOnly. 3. Enter one of the following values for this registry key: True The client computer will not automatically remediate any problems that are found. However, you will still be alerted in the Monitoring workspace about any problems with this client. False The client computer will automatically remediate problems when they are found and you will be alerted in the Monitoring workspace. This is the default setting.

4. Close the registry editor. You can also install clients using the CCMSetup NotifyOnly installation property to exclude them from automatic remediation. For more information about this client installation property, see About Client Installation Properties in Configuration Manager.

See Also
Configuring Client Deployment in Configuration Manager

1416

Operations and Maintenance for Client Deployment in Configuration Manager

Use the following information to help you manage and monitor devices in the System Center 2012 Configuration Manager hierarchy.

Operations and Maintenance Topics

How to Manage Mobile Devices by Using Configuration Manager and Exchange How to Manage Mobile Devices by Using Configuration Manager and Windows Intune How to Manage Clients in Configuration Manager How to Monitor Clients in Configuration Manager How to Manage Linux and UNIX Clients in Configuration Manager How to Monitor Linux and UNIX Clients in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

How to Manage Mobile Devices by Using Configuration Manager and Exchange

Use the Exchange Server connector in System Center 2012 Configuration Manager when you want to manage mobile devices that connect to Exchange Server (on-premises or online) by using the Microsoft Exchange ActiveSync protocol, and you cannot enroll them by using Configuration Manager. When you manage mobile devices by using the Exchange Server connector, this does not install the Configuration Manager client on the mobile devices. Some management functions are therefore limited. For example, you cannot install software on these devices or use configuration items to configure these devices. For more information about the various management capabilities that you can use with Configuration Manager for mobile devices, see Determine How to Manage Mobile Devices in Configuration Manager. Important Before you install the Exchange Server connector, confirm that Configuration Manager supports the version of Microsoft Exchange that you are using. For more information, see Supported Configurations for Configuration Manager. When you use the Exchange Server connector, the mobile devices can be managed by the settings that you configure in Configuration Manager instead of being managed by the default Exchange ActiveSync mailbox policies. Define the settings that you want to use in the following
1417

group settings: General, Password, Email Management, Security, and Application. For example, in the Password group setting, you can configure whether mobile devices require a password, the minimum password length, password complexity, and whether password recovery is allowed. When you configure at least one setting in the group, Configuration Manager manages all settings in the group for mobile devices. If you do not configure any setting in a group, Exchange continues to manage the mobile devices for those settings. Any Exchange ActiveSync mailbox policies that are configured on the Exchange Server and assigned to users will still be applied. You can also configure the Exchange Server connector to manage the Exchange access rules and allow, block, or quarantine mobile devices. You can remotely wipe mobile devices by using the Configuration Manager console, and users can remotely wipe their mobile devices by using the Application Catalog. A users mobile device appears in the Application Catalog automatically when the Exchange Server connector manages it and the Exchange Server is on-premises. When you configure the Exchange Server connector for Microsoft Exchange Online, you must manually configure user device affinity for the users mobile device to appear in the Application Catalog. For more information about how to manually configure user device affinity, see How to Manage User Device Affinity in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide. Tip If you manage a mobile device by using the Exchange Server connector and the mobile device is transferred to another user, delete the mobile device from the Configuration Manager console before the new owner of the mobile device configures his or her Exchange account on this transferred mobile device.

Required Security Permissions

You must have the following security permissions to configure the Exchange Server connector: To add, modify, and delete the Exchange Server connector: Modify permission for the Site object. To configure the mobile device settings: ModifyConnectorPolicy permission for the Site object.

The Full Administrator security role includes the required permissions to configure the Exchange Server connector. You must have the following security permissions to manage mobile devices: To wipe a mobile device: Delete resource for the Collection object. To cancel a wipe command: Modify resource for the Collection object. To allow and block mobile devices: Modify resource for the Collection object.

The Operations Administrator security role includes the required permissions to manage mobile devices by using the Exchange Server connector.
1418

For more information about how to configure security permissions, see Configure Role-Based Administration.

Installing and Configuring an Exchange Server Connector

Use the following procedure to install and configure an Exchange Server connector to manage mobile devices. Configuration Manager supports only one connector in an Exchange organization. After you complete these steps, you can monitor the mobile devices that are found and managed by the connector when you view the collections that display mobile devices, and by using the reports for mobile devices. Note Configuration Manager generates names for the mobile devices that it finds by using the format UserName_DeviceType. If a user has more than one mobile device that has the same device type, Configuration Manager displays the same name for these mobile devices in the console and in reports. To install and configure an Exchange Server connector 1. Decide which account will connect to the Exchange Client Access server to manage the mobile devices. The account can be the computer account of the site server or a Windows user account. Then, configure this account to run the following Exchange Server cmdlets: Clear-ActiveSyncDevice Get-ActiveSyncDevice Get-ActiveSyncDeviceAccessRule Get-ActiveSyncDeviceStatistics Get-ActiveSyncMailboxPolicy Get-ActiveSyncOrganizationSettings Get-ExchangeServer Get-Recipient Set-ADServerSettings Set-ActiveSyncDeviceAccessRule Set-ActiveSyncMailboxPolicy Set-CASMailbox New-ActiveSyncDeviceAccessRule New-ActiveSyncMailboxPolicy Remove-ActiveSyncDevice Note The following Exchange Server management roles include these cmdlets:
1419

Recipient Management, View-Only Organization Management, and Server Management. For more information about management role groups in Microsoft Exchange Server 2010, see Understanding Management Role Groups. Tip If you try to install or use the Exchange Server connector without the required cmdlets, you will see an error logged with the message Invoking cmdlet <cmdlet> failed in the EasDisc.log file on the site server computer. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Hierarchy Configuration, and then click Exchange Server Connectors. 4. On the Home tab, in the Create group, click Add Exchange Server. 5. Complete the Add Exchange Server wizard: If you use an on-premises instance of Exchange Server and specify a Client Access Server, you can specify a single server or a Client Access Server array for each Active Directory site. If the server or the array is offline, Configuration Manager tries to discover a Client Access Server to use. If that fails, Configuration Manager falls back to using a mailbox server to make a connection to a Client Access Server. Retries are logged as warnings in the EasDisc.log file on the site server computer. For example, search for Failed to open runspace for site <site_name>. For the Exchange Server Connector Account, specify the account that you configured in step 1. If you also enroll mobile devices by using Configuration Manager, enable the option External mobile device management to ensure that these mobile devices continue to receive email from Exchange after Configuration Manager enrolls them.

6. You can verify the installation of the Exchange Server connector by using status messages and by reviewing the log files: To confirm that Site Component Manager successfully installed the Exchange Server connector, look for the status ID 1015 for the SMS_EXCHANGE_CONNECTOR component. If Configuration Manager cannot successfully install the connector (for example, because the specified Client Access Server computer is offline), Configuration Manager retries the installation every 60 minutes until the installation succeeds or you remove the Exchange Server connector. On the site server computer, search for the SiteComp.log file, and then in the log file, search for Component SMS_EXCHANGE_CONNECTOR flagged for installation. A successful installation is then logged with the following text: STATMSG: ID=1015.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

1420

How to Manage Mobile Devices by Using Configuration Manager and Windows Intune
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This walkthrough shows you step-by-step how to configure Configuration Manager so that you can manage Windows Phone 8, Windows RT, iOS, and Android devices by using the Windows Intune service over the Internet. Although you use the Windows Intune service, management tasks are completed by using the Windows Intune connector site system role available through the Configuration Manager console. System Center 2012 R2 Configuration Manager also gives you option of managing Windows 8.1 devices, in the same manner of mobile devices, that do not have the Configuration Manager client installed. You can configure Configuration Manager to enable mobile device management to let users access company resources in a secure, managed way. By using device management, you protect company data while letting users enroll their personal or company-owned mobile devices and giving them access to company data. When you use Configuration Manager with Windows Intune, you have the following management capabilities: You can retire and wipe devices. You can configure compliance settings on devices. These include settings for passwords, security, roaming, encryption, and wireless communication. You can deploy line of business apps to devices. You can deploy apps from the store that the device connects to, Windows Store, Windows Phone Store, App Store, or Google Play. You can collect hardware inventory. You can collect software inventory by using built-in reports.

This document assumes that you are using Configuration Manager to manage computers, and that you are interested in extending the Configuration Manager console to manage mobile devices. After you complete this walkthrough, users will be able to enroll their devices for management. We will show you: How to configure the Windows Intune subscription for mobile device management. How to install the Windows Intune connector site system role that lets you use Windows Intune in the Configuration Manager console.

1421

Use the following sections to help you manage mobile devices by using the Windows Intune connector. Prerequisites Configuring the Windows Intune Subscription The Windows Intune Connector Site System Role Mobile Device Enrollment Next Steps Wiping Company Content from Mobile Devices

Prerequisites
Use the following information to determine the prerequisites for managing mobile devices.

Dependencies External to Configuration Manager

For a checklist about how to configure Configuration Manager to manage mobile devices, see Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune.
External dependencies More information

Sign up for a Windows Intune organizational account.

You can sign up for an account at Windows Intune. For more information, see Windows Intune organizational account and Acceptable Use Policy for Windows Intune in the Documentation Library for Windows Intune.

Add a public company domain.

All user accounts must have a publicly verifiable domain name that can be verified by Windows Intune. Before you synchronize the Active Directory user account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library.

Verify users have a public domain UPN.

Deploy and configure directory synchronization. Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized users and security groups are added to Windows Intune. For more information, see Configure directory
1422

External dependencies

More information

synchronization in the Active Directory documentation library. For single sign-on you must deploy AD FS. For more information, see Configure single sign-on in the Active Directory documentation library. Create a DNS alias. Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company domain name>.com to manage.microsoft.com. For example, if Melissa's email address is [email protected], you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process. Obtain certificates or keys. For more information, see Obtain Certificates or Keys to Meet Prerequisites per Platform in this topic.

Obtain Certificates or Keys to Meet Prerequisites per Platform

The following table lists the certificates or keys that you must have to enroll mobile platforms.
Platform Certificates or keys How you obtain certificates or keys

Windows Phone 8

Code signing certificate: All sideloaded apps must be code-signed. Sideloading keys: Devices have to be provisioned with sideloading keys to enable the installation of sideloaded apps. All sideloaded apps must be code-signed.

Buy a code signing certificate from Symantec. Buy sideloading keys from Microsoft. All apps must be code-signed by using your companys certification authority or an external certification authority. Request an Apple Push Notification service certificate
1423

Windows RT, Windows RT 8.1, or Windows 8.1 devices that are not joined to the domain.

iOS

Apple Push Notification service certificate.

Platform

Certificates or keys

How you obtain certificates or keys

from Apple. For more information, see the Prerequisites for Enrolling iOS Devices in this topic. Android None. Not applicable.

Prerequisites for Enrolling Windows Phone 8 Devices

To manage Windows Phone 8 devices, you have to deploy the Windows Phone 8 company portal app. The company portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone 8 devices. 1. Join the Windows Phone Dev Center by visiting the Windows Phone Dev Center. You must use a corporate account. 2. Locate your Symantec ID by clicking Dashboard in the Windows Phone Dev Center and locate the numeric ID under Symantec Id. 3. Purchase a certificate from the Symantec website by using your Symantec ID. 4. After you purchase the certificate, the corporate approver that you designated in your Windows Phone Developer account will receive an email asking for approval of the certificate request. Once the request has been approved, you will receive an email that contains the instructions for importing the certificates. 5. Read the instructions in the email carefully and import the certificates. 6. To verify that the certificates have been imported correctly, go to the Certificates snap-in, right-click Certificates, and select Find Certificates. In the Contains field, enter Symantec, and click Find Now. The certificates that you imported should be listed as part of the results. 7. Now that you have verified that the certificates have been imported, you can export the .pfx file so that you can sign the company portal. Using the results from the previous step, you must select the Symantec certificate with the Intended purpose as code-signing. Then, right-click the code-signing certificate and select Export. In the Certificate Export Wizard, select Yes, export the private key and click Next. Select Personal Information Exchange PKCS #12 (.PFX) and check Include all the certificates in the certification path if possible. Complete the wizard. For more information, see How to Export a Certificate with the Private Key. 8. Download the Windows Phone 8 company portal app. 9. Before you can deploy the company portal app, it must be signed by a certification authority that is trusted by Windows Phone 8 devices. Use the XAPSignTool app that comes with the Windows Phone 8 SDK to sign the company portal with the .pfx file you created from the
1424

Symantec certificate. For more information, see How to sign a company app by using XapSignTool 10. Create an application using the signed company portal app, for more information, see Create an application for Windows Phone 8 devices. 11. Deploy the Windows Phone 8 company portal application to the manage.microsoft.com distribution point. For more information, see How to deploy an application to mobile devices. Note If you have already deployed the company portal app and want to deploy the latest version see the Supercedence section in How to Create and Deploy Applications for Mobile Devices in Configuration Manager.

Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices
To configure app management on a mobile device that runs Windows RT or on a Windows 8.1 device, you must follow these steps. 1. Obtain sideloading keys. Before you can run sideloaded line-of-business apps on Windows RT, you must obtain and activate sideloading keys from Microsoft. For more information about sideloading product activation keys, see Microsoft Volume Licensing. 2. Sign all apps. For sideloaded apps to run on Windows RT, you must use a certificate to sign all apps.

Prerequisites for Enrolling iOS Devices

To enroll iOS devices, you must follow these steps. 1. Download a certificate signing request from Windows Intune. This certificate signing request lets you apply to for an Apple Push Notification service certificate from the Apple certification authority. 2. Request an Apple Push Notification service certificate from the Apple website. To Download a Certificate Signing Request from Windows Intune 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. 3. On the Home tab, in the Create group, click Create APNs certificate request. 4. In the Request Apple Push Notification Service Certificate Signing Request dialog box, click Browse to specify a location to download the Certificate Signing Request, specify your choice of file name, and then click Download. 5. On the Windows Intune sign in page, enter your organizational account and password. After you sign in, the certificate signing request is downloaded to the location that you specified.
1425

To Request an Apple Push Notification Service Certificate 1. Connect to the Apple Push Certificates Portal. 2. Sign in and complete the wizard. Note Make sure that you use a company account to obtain the Apple Push Notification service certificate. When you return to the Apple site to renew the certificate, make sure that you use the same account. 3. Upload the Certificate Signing Request that you downloaded from Windows Intune.

Prerequisites for Enrolling Android devices

For System Center 2012 R2 Configuration Manager, users can download the Android company portal app from Google Play that lets them enroll Android devices. With the Android company portal app, you can manage compliance setting, wipe or delete Android devices, deploy apps, and collect software and hardware inventory. If the Android company portal app is not installed on Android devices or if you are using Configuration Manager SP1, then you will not have all the management capabilities, such as inventory and compliance settings, but you can still deploy apps to Android devices.

Dependencies within Configuration Manager

Dependencies in Configuration Manager More information

Create the Windows Intune subscription. Add the Windows Intune connector.

For more information, see Configuring the Windows Intune Subscription in this topic. For more information, see The Windows Intune Connector Site System Role in this topic.

Configuring the Windows Intune Subscription

The Windows Intune subscription lets you specify your configuration settings for the Windows Intune service. This includes specifying which users can enroll their devices and defining which mobile device platforms to manage. When you have created your subscription, you can then install the Windows Intune connector site system role that lets you connect to the Windows Intune service. This connector site system role will push settings and applications to the Windows Intune service. The Windows Intune subscription performs the following: Retrieves the certificate that the Windows Intune connector requires to connect to the Windows Intune service. Defines the user collection that enables users to enroll mobile devices.
1426

Defines and configures the mobile platforms that you want to support. To create the Windows Intune subscription 1. In the Configuration Manager console, click Administration. 2. For System Center 2012 Configuration Manager SP1: In the Administration workspace, expand Hierarchy Configuration, and click Windows Intune Subscriptions. For System Center 2012 R2 Configuration Manager: In the Administration workspace, expand Cloud Services, and click Windows Intune Subscriptions. 3. For System Center 2012 Configuration Manager SP1: On the Home tab, in the Create group, click Create Windows Intune Subscription. System Center 2012 R2 Configuration Manager: On the Home tab, click Add Windows Intune Subscription. 4. On the Introduction page of the Create Windows Intune Subscription Wizard, review the text and click Next. 5. On the Subscription page, click Sign in and sign in by using your Windows Intune organizational account. Select the Allow the Configuration Manager console to manage this subscription check box. When you select this setting, you will only be able to manage mobile devices by using the Configuration Manager console. To continue with your subscription, you must select this option. Important Once you select Configuration Manager as your management authority, you cannot change the management authority to Windows Intune in the future. 6. Click the privacy links to review them, and then click Next. 7. On the General page, specify the following options, and then click Next. Collection: Specify a user collection that contains users who will enroll their mobile devices. Note If a user is removed from the collection, the users device will continue to be managed for up to 24 hours when the user record is removed from the user database. Company name: Specify your company name. URL to company privacy documentation: If you publish your company privacy information to a link that is accessible from the Internet, provide a link that users can access from the company portal. Privacy information can clarify what information users are sharing with your company. Color scheme for company portal: Optionally, change the default color of blue for the company portals. Configuration Manager site code: Specify a site code for a primary site to manage the mobile devices. Note
1427

Changing the site code affects only new enrollments and does not affect existing enrolled devices. 8. On the Platforms page, select the device types that you want to manage and review the platform requirements, and then click Next. For each device type that you selected, you must configure additional options. Use the procedures that follow for more information about those options. After you have configured these additional options, click Next and complete the wizard.

iOS Devices
On the iOS page, click Browse to specify the Apple Push Notification service certificate that you received from Apple. For more information about how to obtain an Apple Push Notification service certificate, see the Prerequisites for Enrolling iOS Devices section in this topic.

Windows Phone 8 Devices

On the Windows Phone 8 Configuration page, specify the .pfx file or Application Enrollment token that you received when you satisfied the Windows Phone 8 prerequisites in the prerequisites section of this walkthrough. Specify the location of the signed Windows Phone 8 company portal app that you created in the prerequisites section of this walkthrough.

For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows Phone 8 Devices section in this topic.

Windows Devices
Windows RT, Windows RT 8.1 and Windows 8.1 devices require that all sideloaded apps be signed with a trusted code-signing certificate. 1. On the Windows RT Configuration page, if you have a certificate from your companys certification authority, click Browse to specify the code-signing certificate that you want to use for all Windows 8 apps. Note All apps must be code-signed. The certificate field is for your companys certificate. If you have purchased a certificate from an external certification authority, you can leave this field blank. 2. Click Add to enter your sideloading keys. For more information about how to obtain the certificate, see the Prerequisites for Enrolling Windows RT Devices, Windows RT 8.1, or Windows 8.1 devices section in this topic.

1428

Android Devices
Android devices have no prerequisites. For System Center 2012 R2 Configuration Manager, Android users can download the Android company portal app from Google Play that will allow them to enroll Android devices.

The Windows Intune Connector Site System Role

The Windows Intune connector sends settings and software deployment information to Windows Intune and retrieves status and inventory messages from mobile devices. The Windows Intune service acts as a gateway that communicates with mobile devices and stores settings. Note The Windows Intune connector site system role may only be installed on a central administration site or stand-alone primary site.

To configure the Windows Intune Connector role 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the Windows Intune Connector role to a new or existing site system server by using the associated step: New site system server: On the Home tab, in the Create group, click Create Site System Server to start the Create Site System Server Wizard. Existing site system server: Click the server on which you want to install the Windows Intune connector role. Then, on the Home tab, in the Server group, click Add Site System Roles to start the Add Site system Roles Wizard.

4. On the System Role Selection page, select Windows Intune Connector, and click Next. 5. Complete the wizard.

Mobile Device Enrollment

Enrollment establishes a relationship between the user, the device, and the Windows Intune service. Users enroll their own mobile devices. Android devices are not enrolled, but can be managed by using the Exchange Server connector. The following sections describe enrollment for Windows Phone 8, Windows RT, and iOS. Note If your subscription to Windows Intune is going to expire, you must unenroll all devices prior to expiration in order to ensure company content is removed from devices.
1429

Windows Phone 8 Enrollment

For Windows Phone 8, users start enrollment from the Windows Phone 8 device by going to system settings and selecting company apps. The following processes then occur when users enroll their own mobile devices. 1. Users are asked to provide their credentials. When authentication is successful, Windows Intune establishes a relationship between the user and the Windows Phone 8 device. 2. A certificate is installed on the device for authentication between the device and the Windows Intune service. 3. Users must select Install company app or Hub to let their device be managed. Important If users do not select this option to install the company app or hub, they cannot download the company portal. If the Windows Phone 8 company portal is not installed during enrollment, or if users uninstall the company portal, users must retire their mobile device and enroll again. Or, you can make the company portal file available by sending users a link in an email. 4. The company portal is installed on the device. Inventory is collected; management settings are applied, and users now have access to line-of-business apps that you make available to them.

Windows RT, Windows RT 8.1, and Windows 8.1 Enrollment

For Windows RT, users start enrollment from the Windows RT device. The users must complete the following tasks: 1. On the Windows RT device, users select Start, and type System Configuration, and click the dialog box to open the Company Apps. 2. The users enter their company credentials and are authenticated. This establishes a relationship between the user, the Windows RT device, and the Windows Intune service. 3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal. For Windows 8.1 and Windows RT 8.1, the user enrolls through the device. 1. On the Windows 8.1 device, the user selects Settings, clicks PC Settings, then clicks Network, and finally, clicks Workplace. 2. The user enters their user ID in the (ID) field. 3. The user clicks Turn on and provides their password. 4. The user agrees to the Allow apps and services from IT admin dialog box, and clicks Turn on.

1430

iOS Enrollment
For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app, Windows Intune Company Portal, available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later. For System Center 2012 Configuration Manager SP1 iOS enrollment, users must complete the following tasks: 1. The user begins enrollment by going to m.manage.microsoft.com. 2. The users are asked for their company credentials to begin the enrollment process. 3. As soon as authentication is successful, a relationship is established between the user, the iOS device and the Windows Intune service. 4. Windows Intune collects inventory and applies management settings. The user now has access to line-of-business apps and direct links to the app store through the company portal. For System Center 2012 R2 Configuration Manager only: Users can enroll iOS devices by using the iOS company portal app that is available in the App store. The company portal app can be installed on iOS devices running iOS 6 or later.

Android Enrollment
For System Center 2012 R2 Configuration Manager only: Android devices can be enrolled by using the Android company portal app, Windows Intune Company Portal, available on Google Play.

Next Steps
Now that you have configured Configuration Manager for mobile device management and users can enroll their devices, use the following links to manage devices. Wiping Company Content from Mobile Devices Compliance Settings for Mobile Devices in Configuration Manager How to Create and Deploy Applications for Mobile Devices in Configuration Manager How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager Introduction to Software Inventory in Configuration Manager Introduction to Wi-Fi Profiles in Configuration Manager Introduction to Certificate Profiles in Configuration Manager Introduction to VPN Profiles in Configuration Manager

Wiping Company Content from Mobile Devices

You can do a full wipe on Windows Phone 8, iOS, and Android devices with the Android company portal app installed on them. A full wipe will restore the device to factory settings.

1431

For System Center 2012 R2 Configuration Manager only: you have the option to do a selective wipe that only removes company content. For a selective wipe, you can use Retire/wipe and select the option Wipe company content and retire the mobile device from Configuration Manager to remove company content from devices. The following table lists what company content is wiped from devices.
Content removed when retiring a device Windows 8.1 and Windows RT 8.1 Windows RT Windows Phone 8 iOS Android company portal app

Company apps and associated data installed by using Configuration Manager and Windows Intune .

Apps are uninstalled and sideloading keys are removed. Apps using Windows Selective Wipe will have the encryption key revoked and data will no longer be accessible. Removed.

Sideloading keys are removed but apps remain installed.

Apps are uninstalled. Company app data is removed.

Apps are uninstalled. Company app data is removed.

Apps and data remain installed.

VPN and Wifi profiles

Not applicable.

Not applicable.

Removed.

VPN: Not applicable. Wi-Fi: Not removed

Certificates Settings Management Agent

Removed and revoked. Requirement s removed. Not applicable. Management agent is builtin. Exchange email

Not applicable. Requirement s removed.

Not applicable. Requirements removed.

Removed and revoked. Requirement s removed. Management profile is removed.

Revoked. Requirement s removed. Device Administrator privilege is revoked. Not applicable.

1432

Not Not applicable. applicable. Management Management agent is built-in. agent is builtin. Exchange email Not applicable.

Email

Not applicable.

Content removed when retiring a device

Windows 8.1 and Windows RT 8.1

Windows RT

Windows Phone 8

iOS

Android company portal app

removed from device. Email profiles Not applicable.

removed from device. Not applicable. Not applicable. Removed Not applicable.

To retire or wipe a mobile device 1. In the Configuration Manager console, click Assets and Compliance and select Devices. 2. Select a device and then select the action that you want to take.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Manage Clients in Configuration Manager

When a System Center 2012 Configuration Manager client is installed and successfully assigned to a Configuration Manager site, you will see the device in the Assets and Compliance workspace in the Devices node, and in one or more collections in the Device Collections node. When you select the device or collection that contains the device, you can select various management operations. However, there are also other ways to manage the client, which might involve other workspaces in the console, or tasks that dont use the Configuration Manager console. Use this topic for overview information for the tasks that can manage a Configuration Manager client from the Assets and Compliance workspace, as well as more detailed information about additional tasks to help you manage the Configuration Manager client. For information about how to configure the client, see How to Configure Client Settings in Configuration Manager. Managing the Client from the Assets and Compliance Workspace Managing Clients from the Devices Node Managing Clients from the Device Collections Node Configure the Client Cache for Configuration Manager Clients Uninstall the Configuration Manager Client
1433

Additional Tasks for Managing the Client

Manage Conflicting Records for Configuration Manager Clients Initiate Policy Retrieval for a Configuration Manager Client

Managing the Client from the Assets and Compliance Workspace

Use the information in the following tables for an overview of the management tasks that you can perform for client devices in the Assets and Compliance workspace: Managing Clients from the Devices Node Managing Clients from the Device Collections Node Note A Configuration Manager client might be installed but not displayed in the Configuration Manager console. This scenario can happen if the client hasnt yet successfully assigned to a site, or the console must be refreshed or a collection membership updated. Additionally, a device can also display in the console when the Configuration Manager client is not installed. This scenario can happen if the device is discovered but the Configuration Manager client is not installed and assigned. Mobile devices that are managed by using the Exchange Server connector do not install the Configuration Manager client. Additionally, devices that are enrolled by Windows Intune do not install the Configuration Manager client. Use the Client column in the Configuration Manager console to determine whether the Configuration Manager client is installed so that you can manage it from the Configuration Manager console.

Managing Clients from the Devices Node

Use the following procedure and table to manage one or more devices from the Devices node in the Assets and Compliance workspace. Important Depending on the device type, some of these options might not be available. To manage clients from the Devices node 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices. 3. Select one or more devices, and then select one of the available client management tasks from the ribbon, or by right-clicking the device.
Task More information

Manage user device affinity information

Allows you to configure the associations

1434

between users and devices, which enables you to efficiently deploy software to users. See How to Manage User Device Affinity in Configuration Manager Add the device to a new or existing collection Use these collection-related actions to quickly add the selected device to a collection, by using a direct rule. Operations and Maintenance for Collections in Configuration Manager Install and reinstall the client by using the Client Push wizard The Client Push wizard offers an efficient way to install and reinstall the Configuration Manager client to repair it or to reconfigure it on computers that run Windows with site configuration options and with any additional client.msi properties that you have specified for client push installation. Tip There are many different ways to install (and reinstall) the Configuration Manager client. Although the Client Push wizard offers a convenient client installation method because you can run it from the console, this client installation method has many dependencies and is not suitable for all environments. If you cannot successfully install the client by using client push, there are many other client installation methods that you can use. For more information about the dependencies, see Prerequisites for Computer Clients. For more information about the other client installation methods, see Determine the Client Installation Method to Use for Windows Computers in
1435

Configuration Manager. See How to Install Configuration Manager Clients by Using Client Push. Reassign Site Reassign one or more clients, including managed mobile devices, to another primary site in the hierarchy. Clients can be reassigned individually or can be multiselected and reassigned in bulk to a new site. You can run Resource Explorer to see the hardware and software inventory information from a Windows client, and remotely administer it by using Remote Control, Remote Assistance, or Remote Desktop. See How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. See How to Remotely Administer a Client Computer by Using Configuration Manager. Approve a client When the client communicates with site systems by using HTTP and a self-signed certificate, you must approve these clients to identify them as trusted computers. By default, the site configuration automatically approves clients from the same Active Directory forest and trusted forests so you do not have to manually approve each client. However, you must manually approve workgroup computers that you trust and any other computers that you trust but are not approved. Warning Although some management functions might work for unapproved clients, this is an unsupported scenario for Configuration Manager. You do not have to approve clients that always communicate to site systems by
1436

Remotely administer the client

using HTTPS rather than HTTP, or clients that use a PKI certificate when they communicate to site systems by using HTTP. These clients establish trust with Configuration Manager by using the PKI certificates. Block or unblock a client Block a client that you no longer trust, to prevent it from receiving client policy and to prevent Configuration Manager site systems from communicating with it. Warning Blocking a client only prevents communication from the client to Configuration Manager site systems and does not prevent communication to other devices. In addition, when the client communicates to site systems by using HTTP instead of HTTPS, there are some security limitations. If you later change your mind, you can unblock a client that has been blocked. However, if you unblock an Intel AMTbased computer that was provisioned for AMT when it was blocked, you must take additional steps before you can manage that computer again out of band. See Determine Whether to Block Clients in Configuration Manager. Manage the client out of band For Intel AMT-based computers that are provisioned by Configuration Manager, you can manage these computers out of band by using power actions from the console and by connecting to them by using the Out of Band Management console. See How to Manage AMT-based Computers Out of Band in Configuration Manager. Clear a required PXE deployment Use this option to redeploy any required
1437

PXE deployments for the selected computer. See How to Deploy Operating Systems by Using PXE in Configuration Manager Manage the client properties You can view the discovery data and deployments targeted for the client. You can also configure any variables that task sequences use to deploy an operating system to the device. Warning Do not delete a client if you want to uninstall the Configuration Manager client or remove it from a collection. The Delete action manually deletes the client record from the Configuration Manager database and typically, you should not use this action unless it is for troubleshooting scenarios. If you delete the client record and the Configuration Manager client is still installed and communicating with Configuration Manager, Heartbeat Discovery will recreate the client record and it will reappear in the Configuration Manager console, although the client history and any previous associations will be lost. Note When you delete a mobile device client that was enrolled by Configuration Manager, this action also revokes the PKI certificate that was issued to the mobile device and this certificate is then rejected by the management point, even if IIS does not check the CRL. Certificates on mobile device legacy clients are not revoked when you delete these clients.

Delete the client

1438

To uninstall the client, see Uninstall the Configuration Manager Client. To assign the client to a new primary site, see How to Assign Clients to a Site in Configuration Manager. To remove the client from a collection, reconfigure the collection properties. See How to Manage Collections in Configuration Manager. Wipe a mobile device You can wipe mobile devices that support the wipe command. This action permanently removes all data on the mobile device, which includes personal settings and personal data. Typically, this action resets the mobile device back to factory defaults. Wipe a mobile device when the mobile device is no longer trusted; for example, it has been lost or stolen. Tip Check the manufacturers documentation for more information about how the mobile device processes a remote wipe command. When you send a wipe request, there is often a delay until the mobile device receives the wipe command: If the mobile device is enrolled by Configuration Manager or by Windows Intune, the client receives the wipe command when it next downloads its client policy. If the mobile device is managed by the Exchange Server connector, the mobile device receives the wipe command when it next synchronizes with Exchange.

You can use the Wipe Status column to monitor when the mobile device receives the wipe command. Until the mobile device
1439

sends a wipe acknowledgment to Configuration Manager, you can cancel the wipe command. Retire a mobile device For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Retire option is supported only by mobile devices that are enrolled by Windows Intune. For more information, see the Device Lifecycle Management section in How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. Change the ownership of a device For System Center 2012 R2 Configuration Manager only: You can change the ownership of devices to Company or Personal if a device is not domain-joined and does not have the Configuration Manager client installed. You can use this value in application requirements to control deployments and you can also use this configuration to control how much inventory is collected from users devices. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.

Managing Clients from the Device Collections Node

Use the following procedure and table to manage devices in a collection from the Device Collections node in the Assets and Compliance workspace. Many of the client management tasks that you can perform when you select a single device or multiple devices from the Devices node can also be performed at the collection level. This has the advantage of automatically applying the management task to all eligible devices in the collection. Although this can be a convenient method to manage multiple clients at the same time, it can also generate a lot of network packets and increase the CPU usage on the site server. There are also some client management tasks that can only be performed at the collection level, which are listed in the following table.
1440

Before you perform collection-level client management tasks, consider how many devices are in the collection, whether they are connected by low-bandwidth network connections, and how long the task will take to complete for all the devices. When you perform a client management task, you cannot stop it from the console. To manage clients from the Device Collections node 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. Select a collection, and then select one of the available client management tasks from the ribbon, or by right-clicking the collection.
Task More information

Scan computers for malware and download antimalware definition files. Deploy software, configuration baselines, and task sequences.

See Operations and Maintenance for Endpoint Protection in Configuration Manager. For more information about deploying software and configuration baselines, see the following: Deploying Software and Operating Systems in System Center 2012 Configuration Manager Compliance Settings in Configuration Manager

Configure power management settings.

See How to Create and Apply Power Plans in Configuration Manager. Power plans can only be used with computers that run Windows. Configure this option when the site has been configured to provision Intel AMT-based computers so that you can manage them out of band. See Displaying the AMT Status and Enabling AMT provisioning

Enable AMT provisioning.

Notify computers to download policy as soon as possible.

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2
1441

Configuration Manager only: Use client notification to notify the selected Windows clients to download computer policy as soon as possible outside the configured client policy polling interval. Client notification tasks are displayed in the Client Operations node in the Monitoring workspace.

Additional Tasks for Managing the Client

In addition to the management tasks that are available in the Assets and Compliance workspace, you can also manage the Configuration Manager client by using the following tasks: Configure the Client Cache for Configuration Manager Clients Uninstall the Configuration Manager Client Manage Conflicting Records for Configuration Manager Clients Initiate Policy Retrieval for a Configuration Manager Client

Configure the Client Cache for Configuration Manager Clients

You can configure the location and amount of disk space that Windows Configuration Manager clients use to store temporary files for when they install applications and programs. Software updates also use the client cache, but software updates are not restricted by the configured cache size and will always attempt to download to the cache. You can configure the client cache settings when you install the Configuration Manager client manually, when you use client push installation, or after the client is installed. The default location for the Configuration Manager client cache is %windir%\ccmcache and the default disk space is 5120 MB. Important Do not encrypt the folder used for the client cache. Configuration Manager cannot download content to an encrypted folder. Note More information about the client cache: The Configuration Manager client downloads the content for required software soon after it receives the deployment but waits to run it until the deployment scheduled time. At the scheduled time, the Configuration Manager client checks to see whether the content is available in the cache. If content is in the cache and it is the correct version, the client always uses this cached content. However, when the required version of the content has
1442

changed or if the content was deleted to make room for another package, the content is downloaded to the cache again. If the client attempts to download content for a program or application that is greater than the size of the cache, the deployment fails because of insufficient cache size and Configuration Manager generates status message ID 10050. If the cache size is increased later, the download retry behavior is different for a required program and a required application: For a required program: The client does not automatically retry to download the content. You must redeploy the package and program to the client. For a required application: Because an application deployment is state-based, the client automatically retries to download the content when it next downloads its client policy. If the client attempts to download a package that is less than the size of the cache but the cache is currently full, all required deployments keep retrying until the cache space is available, until the download times out, or until the retry limit is reached for the cache space failure. If the cache size is increased later, the Configuration Manager client attempts to download the package again during the next retry interval. The client tries to download the content every four hours until it has tried 18 times. Cached content is not automatically deleted but remains in the cache for at least one day after the client used that content. If you configure the package properties with the option to persist content in the client cache, the client does not automatically delete the package content from the cache. If the client cache space is used by packages that have been downloaded within the last 24 hours and the client must download new packages, you can either increase the client cache size or choose the delete option to delete persisted cache content. Use the following procedures to configure the client cache during manual client installation, or after the client is installed. To configure the client cache when you install clients by using manual client installation Run the CCMSetup.exe command from the install source location and specify the following properties that you require, and separated by spaces: DISABLECACHEOPT: SMSCACHEDIR: SMSCACHEFLAGS: SMSCACHESIZE: Note For more information about these command line properties for CCMSetup.exe, see About Client Installation Properties in Configuration Manager. To configure the client cache folder when you install clients by using client push installation
1443

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site for which you want to configure automatic site-wide client push installation. 4. On the Home tab, in the Settings group, click Client Installation Settings, and then click the Installation Properties tab. 5. On the Installation Properties tab, specify the following properties that you require, and separate them by using spaces: DISABLECACHEOPT: SMSCACHEDIR: SMSCACHEFLAGS: SMSCACHESIZE: Note For more information about these command line properties for CCMSetup.exe, see About Client Installation Properties in Configuration Manager. 6. Click OK to save the properties that you have specified. To configure the client cache folder without reinstalling the client 1. On the client computer, navigate to Configuration Manager in Control Panel, and then double-click to open the properties. 2. Click the Cache tab. 3. Specify the disk space to reserve for the client cache. 4. To change the location of the client cache folder, click Change Location, and then specify the new location. The default location is %windir%\ccmcache. 5. To delete the files currently stored in the client cache folder, click Delete Files. 6. Click OK to close Configuration Manager Properties.

Uninstall the Configuration Manager Client

You can uninstall the Windows Configuration Manager client software from a computer by using CCMSetup.exe with the /Uninstall property. Run CCMSetup.exe on an individual computer from the command prompt or deploy a package and program to uninstall the client for a collection of computers. Warning You cannot uninstall the Configuration Manager client from a mobile device. If you must remove the Configuration Manager client from a mobile device, you must wipe the device, which deletes all data on the mobile device. Use the following procedure to uninstall the Configuration Manager client from computers.
1444

To uninstall the Configuration Manager client from the command prompt 1. Open a Windows command prompt and change the folder to the location in which CCMSetup.exe is located. 2. Type Ccmsetup.exe /uninstall, and then press Enter. Note The uninstall process is silent and displays no results on the screen. To verify that client uninstallation has succeeded, examine the log file CCMSetup.log in the folder %windir%\ ccmsetup folder on the client computer.

Manage Conflicting Records for Configuration Manager Clients

Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console. To change the hierarchy setting for managing conflicting records 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab. 4. Click either Automatically resolve conflicting records to automatically merge conflicting records, or click Manually resolve conflicting records, and then click OK. Note When Configuration Manager can resolve the conflict by using the computer account or a PKI certificate, this setting is ignored and the conflict is automatically resolved. To manually resolve conflicting records 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, and then click Conflicting Records.
1445

3. In the results pane, select one or more conflicting records, and then click Conflicting Record. 4. In the Conflicting Record dialog box, select one of the following, and then click OK: Merge to combine the newly detected record with the existing client record, creating one unified record. New to create a new record for the conflicting client record. Block to create a new record for the conflicting client record, but mark it as blocked.

Initiate Policy Retrieval for a Configuration Manager Client

A Windows Configuration Manager client downloads its client policy on a schedule that you configure as a client setting. However, there might be occasions when you want to initiate ad-hoc policy retrieval from the clientfor example, in a troubleshooting scenario or when you are testing. Use the following procedures to initiate ad-hoc policy retrieval from the client outside its scheduled polling interval, either by using the Actions tab on the Configuration Manager client or by running a script on the computer. You must be logged on to the client computer with local administrative rights to perform these procedures. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can use client notification to initiate client policy retrieval outside the scheduled client policy polling interval. You can manage clients that run Linux and UNIX. For information about policy retrieval for clients that run Linux and UNIX, see the Computer Policy for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic. To initiate client policy retrieval by using client notification (Configuration Manager SP1 only) 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. Select the device collection containing the computers that you want to download policy and then, in the Home tab, in the Collections group, click Client Notification and then click Download Computer Policy. Note You can also use client notification to initiate policy retrieval for one of more selected devices that are displayed in a temporary collection node under the Devices node.

1446

To manually initiate client policy retrieval by using the Actions tab on the Configuration Manager client 1. Select Configuration Manager in the Control Panel of the computer. 2. Click the Actions tab. 3. Click Machine Policy Retrieval & Evaluation Cycle to initiate the computer policy, and then click Run Now. 4. Click OK to confirm the prompt. 5. Repeat steps 3 and 4 for any other actions that you require, such as User Policy Retrieval & Evaluation Cycle for user client settings. 6. Click OK to close Configuration Manager Properties. To manually initiate client policy retrieval by using a script 1. Open a text editor, such as Notepad. 2. Copy and insert the following into the file: on error resume next

dim oCPAppletMgr 'Control Applet manager object. dim oClientAction 'Individual client action. dim oClientActions 'A collection of client actions.

'Get the Control Panel manager object. set oCPAppletMgr=CreateObject("CPApplet.CPAppletMgr")

if err.number <> 0 then Wscript.echo "Couldn't create control panel application manager" WScript.Quit end if

'Get a collection of actions. set oClientActions=oCPAppletMgr.GetClientActions if err.number<>0 then wscript.echo "Couldn't get the client actions" set oCPAppletMgr=nothing WScript.Quit end if
1447

'Display each client action name and perform it. For Each oClientAction In oClientActions

if oClientAction.Name = "Request & Evaluate Machine Policy" then wscript.echo "Performing action " + oClientAction.Name oClientAction.PerformAction end if next

set oClientActions=nothing set oCPAppletMgr=nothing 3. Save the file with a .vbs extension. 4. On the client computer, run the file using one of the following methods: Navigate to the file by using Windows Explorer, and double-click the script file. Open a command prompt, and type: cscript <path\filename.vbs>.

5. Click OK in the Windows Script Host dialog box.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Monitor Clients in Configuration Manager

There are various tasks that you can use to verify that System Center 2012 Configuration Manager clients have been successfully installed and assigned to a site. There are further tasks that you can use to ensure that clients remain managed. Use the following procedures to help you monitor Configuration Manager clients and devices: To use reports to verify Configuration Manager client deployment To use client status to monitor Configuration Manager client computers that run Windows

For information about how to configure client status, see How to Configure Client Status in Configuration Manager. Important
1448

Some client reports require that clients are assigned to a fallback status point. For more information about the fallback status point, see Determine Whether You Require a Fallback Status Point. Client status information is updated, by default, one time a day. You can modify this interval in the Schedule Client Status Update dialog box. For more information, see How to Configure Client Status in Configuration Manager. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about using reports to view information clients that run Linux and UNIX, see the How to use Reports to View Information for Linux and UNIX Servers section in the How to Monitor Linux and UNIX Clients in Configuration Manager topic. To use reports to verify Configuration Manager client deployment 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the Reports pane, click the Category heading to order the reports by type: For client deployment, use the Client Information and Client Push folders For client status, use the Client Status folder. For mobile devices, use the Mobile Devices folder

4. Click the report that you want to run, and then on the Home tab, in the Report Group group, click Run. 5. In the report name pane, click View Report. To use client status to monitor Configuration Manager client computers that run Windows 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Client Status. 3. In the Client Status node, review the following information: Overall Client Status Displays high-level information about computers in your hierarchy that might be experiencing problems. You can click any item on the list to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems. Most Frequent Client Check Errors Displays a graph that shows the most frequent reasons why client computers failed client checks. Client activity for all devices Displays a chart showing active computers, inactive computers and computers with no Configuration Manager client installed. Click a
1449

4. In the Client Activity node, review the following information:

section of the pie chart to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems. Client activity trend for all clients Displays a graph showing client activity over a specified period. You can configure the time period to display from the Client activity period drop-down list. Note If you want to build an accurate Trends graph, do not configure the client status update recurrence interval to be longer than 1 day. 5. In the Client Check node, review the following information: Client check results for all devices Displays a chart showing computers that passed client check, computers that failed client check, computers that have not reported results and computers with no Configuration Manager client installed. Click a section of the pie chart to create a temporary collection under the Devices node of the Assets and Compliance workspace. When you click the temporary collection, a list of computers with the status you selected is displayed together with further information that can help you to troubleshoot problems and you can click the Client Check Detail tab in the details pane to discover any remediation actions that Configuration Manager took. Note Client status does not summarize or display data for computers that have been marked as obsolete in the Configuration Manager database. Client check trend for all active clients Displays a graph showing client computers that passed client check over a specified period. You can configure the time period to display from the Client check period drop-down list.

Additionally, you can use Configuration Manager reports to find out more information about the status of clients in your hierarchy. Client status reports have the category of Client Status. For more information about how to run reports, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Client Deployment in Configuration Manager

How to Manage Linux and UNIX Clients in Configuration Manager

Note
1450

The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. When you manage Linux and UNIX servers with System Center 2012 Configuration Manager, you can configure collections, maintenance windows, and client settings to help manage the servers. In addition, although the Configuration Manager client for Linux and UNIX does not have a user interface, you can force the client to manually poll for client policy. The following sections provide more information about these configurations. Collections of Linux and UNIX Servers Maintenance Windows for Linux and UNIX Servers Client Settings for Linux and UNIX Servers Computer Policy for Linux and UNIX Servers How to Manage Certificates on the Client for Linux and UNIX

Collections of Linux and UNIX Servers

You use collections to manage groups of Linux and UNIX servers in the same way you use collections to manage other client types. Collections can be direct membership collections or query based collections that identify client operating systems, hardware configurations, or other details about the client that are stored in the site database. For example, you can use collections that include Linux and UNIX servers to manage the following: Client settings Software deployments Enforce maintenance windows

Before you can identify a Linux or UNIX client by its operating system or distribution, you must successfully collect hardware inventory from the client. For information about collecting hardware inventory, see Hardware Inventory for Linux and UNIX in Configuration Manager. The default client settings for hardware inventory include information about a client computers operating system. You can use the Caption property of the Operating System class to identify the operating system of a Linux or UNIX server. You can view details about computers that run the Configuration Manager client for Linux and UNIX in the Devices node of the Assets and Compliance workspace in the Configuration Manager console. In the Asset and Compliance workspace of the Configuration Manager console, you can view the name of each computers operating system in the Operating System column. By default, Linux and UNIX servers are members of the All Systems collection. It is recommended that you build custom collections that include only Linux and UNIX servers, or a subset of them. This enables you to manage operations such as deploying software or assigning client settings to groups of applicable computers. For example, if you deploy software for RHEL6 x64 computers to a collection that contains both Windows and Linux computers, the status for the deployment will show partial success. Instead, when you deploy software to a

1451

collection that contains only RHEL6 x64 computers, you can use status messages and reports to accurately identify the success of the deployment. When you build a custom collection for Linux and UNIX servers, include membership rule queries that include the Caption attribute for the Operating System attribute. For information about creating collections, see How to Create Collections in Configuration Manager.

Maintenance Windows for Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX servers supports the use of maintenance windows. This support is unchanged from that for Windows-based clients. For more information about how to use maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

Client Settings for Linux and UNIX Servers

You can configure client settings that apply to Linux and UNIX servers the same way you configure settings for other clients. By default, the Default Client Agent Settings apply to Linux and UNIX servers. You can also create custom client settings and deploy them to collections that contain specific client operating systems, or a mix of client operating systems. There are no additional client settings that apply only to Linux and UNIX clients. However, there are default client settings that do not apply to Linux and UNIX clients. The client for Linux and UNIX only applies settings for functionality that it supports, and any configurations for unsupported functionality are ignored. For example, you create custom client device setting that specify a hardware inventory schedule and then assign it to a collection that includes Linux computers. The result is that the hardware inventory schedule is enforced on the Linux and UNIX servers. Next, you create a custom client device setting that enables and configures remote control settings, and assign it to that same collection. The result is that the remote control settings are ignored by the Linux and UNIX servers. This is because the client for Linux and UNIX does not support remote control in Configuration Manager. For information about configuring client settings, see How to Configure Client Settings in Configuration Manager.

Computer Policy for Linux and UNIX Servers

The Configuration Manager client for Linux and UNIX servers periodically polls its site for computer policy to learn about requested configurations, and to check for deployments. You can also force the client on a Linux or UNIX server to immediately poll for computer policy. To poll immediately, use root credentials on the server to run the following command: /opt/microsoft/configmgr/bin/ccmexec -rs policy Details about the computer policy poll are entered into the shared client log file, scxcm.log.
1452

Note The Configuration Manager client for Linux and UNIX never requests nor processes user policy.

How to Manage Certificates on the Client for Linux and UNIX

After you install the client for Linux and UNIX, you can use the certutil tool to update the client with a new PKI certificate, and to import a new Certificate Revocation list (CRL). When you install the client for Linux and UNIX, this tool is placed in the following location: /opt/microsoft/configmgr/bin/certutil To manage certificates, on each client run the following commands: To update the certificate on a client: certutil -importPFX <Path to the PKCS#12 certificate> -password <Certificate password> [-rootcerts <comma-separated list of certificates>] To update the CRL on the client: certutil -importcrl <comma separated CRL file paths>

How to Monitor Linux and UNIX Clients in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. You can view information from Linux and UNIX servers in the Configuration Manager console using the same methods you use to view information from Windows-based clients. The information you can view includes: Status details from clients, in the Configuration Manager console dashboards Details about clients in the default Configuration Manager reports Inventory details in the Resource Explorer

The following sections provide information about using the resource explorer and reports to view details about your Linux and UNIX servers.

How to use Resource Explorer to View Inventory for Linux and UNIX Servers
You can view hardware and installed software details on Linux and UNIX servers by using Resource Explorer.

1453

After a Configuration Manager client submits hardware inventory to the Configuration Manager site, you can use Resource Explorer to view this information. The Configuration Manager client for Linux and UNIX does not add new classes or views for inventory to the Resource Explorer. The Linux and UNIX inventory data maps to existing WMI classes. You can view the inventory details for your Linux and UNIX servers in the Windows-based classifications using Resource Explorer. For example, you can collect the list of all natively installed programs found on your Linux and UNIX servers. Examples of natively installed programs include .rpms in Linux or .pkgs in Solaris. After inventory has been submitted by a Linux or UNIX client, you can view the list of all the natively installed Linux or UNIX programs in Resource Explorer in the Configuration Manager console. For information about how to use Resource Explorer, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

How to use Reports to View Information for Linux and UNIX Servers
Reports for Configuration Manager include information from Linux and UNIX servers along with information from Windows-based computers. No additional configurations are required to integrate the Linux and UNIX data in the reports. For example, if you run the report named Count of Operating System Versions, it displays the list of the different operating systems and the number of clients that are running each operating system. The report is based on the hardware inventory information that was sent by the different Configuration Manager clients that run on the different operating systems. It is also possible to create custom reports that are specific to Linux and UNIX server data. The Caption property of the hardware inventory class Operating System is a useful attribute that you can use to identify specific Operating Systems in the report query. For information about reports in Configuration Manager, see Reporting in Configuration Manager.

Security and Privacy for Clients in Configuration Manager

Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for clients in System Center 2012 Configuration Manager and for mobile devices that are managed by the Exchange Server connector:
1454

Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector Security Issues for Configuration Manager Clients Privacy Information for Configuration Manager Clients Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector

Security Best Practices for Configuration Manager Clients and for Mobile Devices that are Managed by the Exchange Server Connector
When Configuration Manager accepts data from devices that run the Configuration Manager client, this introduces the risk that the clients could attack the site. For example, they could send malformed inventory, or attempt to overload the site systems. Deploy the Configuration Manager client only to devices that you trust. In addition, use the following security best practices to help protect the site from rogue or compromised devices:
Security best practice More information

Use public key infrastructure (PKI) certificates for client communications with site systems that run IIS: As a site property, configure Site system settings for HTTPS only. Install clients with the /UsePKICert CCMSetup property Use a certificate revocation list (CRL) and make sure that clients and communicating servers can always access it.

These certificates are required for mobile device clients and for client computer connections on the Internet, and, with the exception of distribution points, are recommended for all client connections on the intranet. For more information about the PKI certificate requirements and how they are used to help protect Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

Automatically approve client computers from trusted domains and manually check and approve other computers

Approval identifies a computer that you trust to be managed by Configuration Manager when you cannot use PKI authentication. You can configure approval for the hierarchy as manual, automatic for computers in trusted domains, or automatic for all computers. The most secure approval method is to automatically approve clients that are members of trusted domains, and then manually check and approve all other computers. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from
1455

Security best practice

More information

accessing your network. For more information about how to manually approve computers, see Managing Clients from the Devices Node. Do not rely on blocking to prevent clients from accessing the Configuration Manager hierarchy Blocked clients are rejected by the Configuration Manager infrastructure so that they cannot communicate with site systems to download policy, upload inventory data, or send state or status messages. However, do not rely on blocking to protect the Configuration Manager hierarchy from untrusted computers when site systems accept HTTP client connections. In this scenario, a blocked client could re-join the site with a new self-signed certificate and hardware ID. Blocking is designed to be used to block lost or compromised boot media when you deploy an operating system to clients and when all site systems accept HTTPS client connections. If you use a public key infrastructure (PKI) and it supports a certificate revocation list (CRL), always consider certificate revocation to be the primary line of defense against potentially compromised certificates. Blocking clients in Configuration Manager offers a second line of defense to protect your hierarchy. For more information, see Determine Whether to Block Clients in Configuration Manager. Use the most secure client installation methods that are practical for your environment: For domain computers, Group Policy client installation and software updatebased client installation methods are more secure than client push installation. Of all the client installation methods, client push installation is the least secure because of the many dependencies it has, which includes local administrative permissions, the Admin$ share, and many firewall exceptions. These dependencies increase your attack surface.

For more information about the different client installation methods, see Determine the Client Imaging and manual installation can be Installation Method to Use for Windows Computers very secure if you apply access in Configuration Manager. controls and change controls. In addition, wherever possible, select a client installation method that requires the least security permissions in Configuration Manager, and restrict the administrative users that are assigned security
1456

Security best practice

More information

roles that include permissions that can be used for purposes other than client deployment. For example, automatic client upgrade requires the Full Administrator security role, which grants an administrative user all security permissions. For more information about the dependencies and security permissions required for each client installation method, see Installation Method Dependencies in the Prerequisites for Computer Clients section in the Prerequisites for Windows Client Deployment in Configuration Manager topic. If you must use client push installation, take additional steps to secure the Client Push Installation Account Although this account must be a member of the local Administrators group on each computer that will install the Configuration Manager client software, never add the Client Push Installation Account to the Domain Admins group. Instead, create a global group and add that global group to the local Administrators group on your client computers. You can also create a Group Policy object to add a Restricted Group setting to add the Client Push Installation Account to the local Administrators group. For additional security, create multiple Client Push Installation Accounts, each with administrative access to a limited number of computers so that if one account is compromised, only the client computers to which that account has access are compromised. Remove certificates prior to imaging client computer If you plan to deploy clients by using imaging technology, always remove certificates such as PKI certificates that include client authentication and self-signed certificates prior to capturing the image. If you do not remove these certificates, clients might impersonate each other and you would not be able to verify the data for each client. For more information about using Sysprep to prepare a computer for imaging, see your Windows deployment documentation.. Ensure that the Configuration Manager computer clients get an authorized copy of Trusted root key:
1457

Security best practice

More information

these certificates: The Configuration Manager trusted root key The site server signing certificate

If you have not extended the Active Directory schema for Configuration Manager, and clients do not use PKI certificates when they communicate with management points, clients rely on the Configuration Manager trusted root key to authenticate valid management points. In this scenario, clients have no way to verify that the management point is a trusted management point for the hierarchy unless they use the trusted root key. Without the trusted root key, a skilled attacker could direct clients to a rogue management point. When clients cannot download the Configuration Manager trusted root key from the Global Catalog or by using PKI certificates, preprovision the clients with the trusted root key to make sure that they cannot be directed to a rogue management point. For more information, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Site server signing certificate: Clients use the site server signing certificate to verify that the site server signed the client policy that they download from a management point. This certificate is self-signed by the site server and published to Active Directory Domain Services. When clients cannot download the site server signing certificate from the Global Catalog, by default they download it from the management point. When the management point is exposed to an untrusted network (such as the Internet), manually install the site server signing certificate on clients to make sure that they cannot run client policies that have been tampered with from a compromised management point. To manually install the site server signing certificate, use the CCMSetup client.msi property SMSSIGNCERT. For more
1458

Security best practice

More information

information, see About Client Installation Properties in Configuration Manager. Do not use automatic site assignment if the This security best practice is linked to the preceding client will download the trusted root key entry. To avoid the risk of a new client downloading from the first management point it contacts the trusted root key from a rogue management point, use automatic site assignment in the following scenarios only: The client can access Configuration Manager site information that is published to Active Directory Domain Services. You pre-provision the client with the trusted root key. You use PKI certificates from an enterprise certification authority to establish trust between the client and the management point.

For more information about the trusted root key, see the Planning for the Trusted Root Key section in the Planning for Security in Configuration Manager topic. Install client computers with the CCMSetup The most secure service location method for clients Client.msi option to find sites and management points is to use Active SMSDIRECTORYLOOKUP=NoWINS Directory Domain Services. If this is not possible, for example, because you cannot extend the Active Directory schema for Configuration Manager, or because clients are in an untrusted forest or a workgroup, you can use DNS publishing as an alternative service location method. If both these methods fail, clients can fall back to using WINS when the management point is not configured for HTTPS client connections. Because publishing to WINS is less secure than the other publishing methods, configure client computers to not fall back to using WINS by specifying SMSDIRECTORYLOOKUP=NoWINS. If you must use WINS for service location, use SMSDIRECTORYLOOKUP=WINSSECURE (the default setting), which uses the Configuration Manager trusted root key to validate the self-signed certificate of the management point.

1459

Security best practice

More information

Note When the client is configured for SMSDIRECTORYLOOKUP=WINSSECURE and finds a management point from WINS, the client checks its copy of the Configuration Manager trusted root key that is in WMI. If the signature on the management point certificate matches the clients copy of the trusted root key, the certificate is validated, and the client communicates with the management point that it found by using WINS. If the signature on the management point certificate does not match the clients copy of the trusted root key, the certificate is not valid and the client will not communicate with the management point that it found by using WINS.

Make sure that maintenance windows are large enough to deploy critical software updates

You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client might not be able to install critical software updates, which leaves the client vulnerable to the attack that is mitigated by the software update. When write filters are enabled on Windows Embedded devices, any software installations or changes are made to the overlay only and do not persist after the device restarts. If you use Configuration Manager to temporarily disable the write filters to persist software installations and changes, during this period, the embedded device is vulnerable to changes to all volumes, which includes shared folders. Although Configuration Manager locks the computer during this period so that only local administrators can log on, whenever possible, take additional security precautions to help protect the computer.
1460

For Windows embedded devices that have write filters, take additional security precautions to reduce the attack surface if Configuration Manager disables the write filters to persist software installations and changes

Security best practice

More information

For example, enable additional restrictions on the firewall and disconnect the device from the network. If you use maintenance windows to persist changes, plan these windows carefully to minimize the time that write filters might be disabled but long enough to allow software installations and restarts to complete. If you use software update-based client installation and install a later version of the client on the site, update the software update that is published on the software update point so that clients receive the latest version If you install a later version of the client on the site, for example, you upgrade the site, the software update for client deployment that is published to the software update point is not automatically updated. You must republish the Configuration Manager client to the software update point and click Yes to update the version number. For more information, see the procedure To publish the Configuration Manager client to the software update point in the How to Install Configuration Manager Clients by Using Software Update-Based Installation section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic. Configure the Computer Agent client device setting Suspend BitLocker PIN entry on restart to be Always only for computers that you trust and that have restricted physical access When you set this client setting to Always, Configuration Manager can complete the installation of software to help to ensure that critical software updates are installed and that services are resumed. However, if an attacker intercepts the restart process, she could take control of the computer. Use this setting only when you trust the computer and when physical access to the computer is restricted. As an example, this setting might be appropriate for servers in a data center. This client setting allows the Configuration Manager client to run unsigned PowerShell scripts, which could allow malware to run on client computers. If you must select this option, use a custom client setting and assign it to only the client computers that must run unsigned PowerShell scripts. This role separation helps to protect the enrollment point from attack. If the enrollment point is
1461

Do not configure the Computer Agent client device setting PowerShell execution policy to be Bypass.

For mobile devices that you enroll with Configuration Manager and will supported

Security best practice

More information

on the Internet: Install the enrollment proxy point in a perimeter network and the enrollment point in the intranet For mobile devices: Configure the password settings to help protect mobile devices from unauthorized access

compromised, an attacker could obtain certificates for authentication and steal the credentials of users who enroll their mobile devices. For mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password complexity to be the PIN and at least the default length for the minimum password length. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector such that the password complexity is the PIN and specify at least the default length for the minimum password length.

For mobile devices: Help prevent tampering of inventory information and status information by allowing applications to run only when they are signed by companies that you trust and do not allow unsigned files to be installed

For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the security setting Unsigned applications as Prohibited and configure Unsigned file installations to be a trusted source. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Application Settings for the Exchange Server connector such that Unsigned file installation and Unsigned applications are configured as Prohibited.

For mobile devices: Help prevent elevation of privilege attacks by locking the mobile device when it is not used

For more mobile devices that are enrolled by Configuration Manager: Use a mobile device configuration item to configure the password setting Idle time in minutes before mobile device is locked. For mobile devices that do not have the Configuration Manager client installed but that are managed by the Exchange Server connector: Configure the Password Settings for the Exchange Server connector to configure Idle time in minutes before mobile device is locked.
1462

Security best practice

More information

For mobile devices: Help prevent elevation of privileges by restricting the users who can enroll their mobile devices. For mobile devices: Do not deploy applications to users who have mobile devices enrolled by Configuration Manager or Windows Intune in the following scenarios: When the mobile device is used by more than one person. When the device is enrolled by an administrator on behalf of a user. When the device is transferred to another person without retiring and then re-enrolling the device.

Use a custom client setting rather than default client settings to allow only authorized users to enroll their mobile devices. A user device affinity relationship is created during enrollment, which maps the user who performs enrollment to the mobile device. If another user uses the mobile device, they will be able to run the applications that you deploy to the original user, which might result in an elevation of privileges. Similarly, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Unlike user device affinity for Windows computers, you cannot manually define the user device affinity information for mobile devices that are enrolled by Windows Intune. If you transfer ownership of a mobile device that is enrolled by Windows Intune, retire the mobile device from Windows Intune to remove the user device affinity, and then ask the current user to enroll the device again.

For mobile devices: Make sure that users enroll their own mobile devices for Windows Intune

Because a user device affinity relationship is created during enrollment, which maps the user who performs enrollment to the mobile device, if an administrator enrolls the mobile device for a user, applications deployed to the user will not be installed on the mobile device and instead, applications that are deployed to the administrator might be installed. Use IPsec if the Exchange Server is on-premise; hosted Exchange automatically secures the connection by using SSL. For a list of the minimum cmdlets that the Exchange Server connector requires, see How to Manage Mobile Devices by Using Configuration Manager and Exchange.
1463

For the Exchange Server connector: Make sure that the connection between the Configuration Manager site server and the Exchange Server computer is protected For the Exchange Server connector: Use the principle of least privileges for the connector

Security best practice

More information

For Mac computers: Store and access the client source files from a secured location.

Configuration Manager does not verify whether these client source files have been tampered with before installing or enrolling the client on Mac computer. Download these files from a trustworthy source and store and access them securely. To ensure business continuity, monitor and track the validity period of the certificates that you use for Mac computers. Configuration Manager SP1 does not support automatic renewal of this certificate or warn you that the certificate is about to expire. A typical validity period is 1 year. For information about how to renew the certificate, see the Renewing the Mac Client Certificate sections in the How to Install Clients on Mac Computers in Configuration Manager topic.

For Mac computers: Independently from Configuration Manager, monitor and track the validity period of the certificate that enrolled to users.

For Mac computers: Consider configuring the trusted root CA certificate such that it is trusted for the SSL protocol only, to help protect against elevation of privileges.

When you enroll Mac computers, a user certificate to manage the Configuration Manager client is automatically installed, together with the trusted root certificate that the user certificate chains to. If you want to restrict the trust of this root certificate to the SSL protocol only, you can use the following procedure. After you complete this procedure, the root certificate would not be trusted to validate protocols other than SSL for example, Secure Mail (S/MIME), Extensible Authentication (EAP), or code signing. Note You can also use this procedure if you installed the client certificate independently from Configuration Manager. To restrict the root CA certificate to the SSL protocol only: 1. On the Mac computer, open a terminal window. 2. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access 3. In the Keychain Access dialog box, in the
1464

Security best practice

More information

Keychains section, click System, and then, in the Category section, click Certificates. 4. Locate and then double-click the root CA certificate for the Mac client certificate. 5. In the dialog box for the root CA certificate, expand the Trust section, and then make the following changes: a. For the When using this certificate setting, change the Always Trust default setting to Use System Defaults. b. For the Secure Sockets Layer (SSL) setting, change the no value specified to Always Trust. 6. Close the dialog box, and when prompted, enter the administrators password, and then click Update Settings.

Security Issues for Configuration Manager Clients

The following security issues have no mitigation: Status messages are not authenticated No authentication is performed on status messages. When a management point accepts HTTP client connections, any device can send status messages to the management point. If the management point accepts HTTPS client connections only, a device must obtain a valid client authentication certificate from a trusted root certification authority, but could also then send any status message. If a client sends an invalid status message it will be discarded. There are a few potential attacks against this vulnerability. An attacker could send a bogus status message to gain membership in a collection that is based on status message queries. Any client could launch a denial of service against the management point by flooding it with status messages. If status messages are triggering actions in status message filter rules, an attacker could trigger the status message filter rule. An attacker could also send status message that would render reporting information inaccurate. Policies can be retargeted to non-targeted clients There are several methods that attackers could use to make a policy targeted to one client apply to an entirely different client. For example, an attacker at a trusted client could send false inventory or discovery information to have the computer added to a collection it should not belong to, and then receive all the deployments to that collection. While controls exist to help prevent attackers from modifying policy directly, attackers could take an existing policy to reformat and redeploy an operating system and send it to a different computer, creating a
1465

denial of service. These types of attacks would require precise timing and extensive knowledge of the Configuration Manager infrastructure. Client logs allow user access All the client log files allow users Read access and Interactive Users Write access. If you enable verbose logging, attackers might read the log files to look for information about compliance or system vulnerabilities. Processes such as software installation that are performed in a user's context must be able to write to logs with a low-rights user account. This means an attacker could also write to the logs with a low rights account. The most serious risk is that an attacker could remove information in the log files that an administrator might need for auditing and intruder detection. A computer could be used to obtain a certificate that is designed for mobile device enrollment When Configuration Manager process an enrollment request, it cannot verify that the request originated from a mobile device rather than from a computer. If the request is from a computer, it can install a PKI certificate that then allows it to register with Configuration Manager. To help prevent an elevation of privilege attack in this scenario, only allow trusted users to enroll their mobile devices and carefully monitor enrollment activities. The connection from a client to the management point is not dropped if you block a client and the blocked client could continue to send client notification packets to the management point, as keep-alive messages For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you block a client that you no longer trust, and it has established a client notification communication, Configuration Manager does not disconnect the session. The blocked client can continue to send packets to its management point until the client disconnects from the network. These packets are only small, keep-alive packets and these clients cannot be managed by Configuration Manager until they are unblocked. When you use automatic client upgrade and the client is directed to a management point to download the client source files, the management point is not verified as a trusted source For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: If you use automatic client upgrade in a Configuration Manager hierarchy where some sites run Configuration Manager SP1 and some site run Configuration Manager with no service pack, a client in a Configuration Manager site with no service pack is directed to download the client source files from its assigned management point rather than from distribution points. This ensures that clients that are assigned to sites that run Configuration Manager with no service pack do not install Configuration Manager SP1 client source files, which would result in the client being unmanaged. In this scenario, the management point is not verified by the clients as a trusted source and it is possible to redirect clients to a rogue management point for the client installation files. However, this risk is low because clients will reject any client installation files that are not signed by Microsoft. Clients always verify trust before they download client policy from management points.
1466

When users first enroll Mac computers, they are at risk from DNS spoofing When the Mac computer connects to the enrollment proxy point during enrollment, it is unlikely that the Mac computer will already have the root CA certificate. At this point, the server is untrusted by the Mac computer and prompts the user to continue. If the fully qualified name of the enrollment proxy point is resolved by a rogue DNS server, it could direct the Mac computer to a rogue enrollment proxy point, and install certificates from an untrusted source. To help reduce this risk, follow best practices to avoid DNS spoofing in your environment.

Mac enrollment does not limit certificate requests Users can re-enroll their Mac computers, each time requesting a new client certificate. Configuration Manager does not check for multiple requests or limit the number of certificates requested from a single computer. A rogue user could run a script that repeats the commandline enrollment request, causing a denial of service on the network or on the issuing certification authority (CA). To help reduce this risk, carefully monitor the issuing CA for this type of suspicious behavior. A computer that shows this pattern of behavior should be immediately blocked from the Configuration Manager hierarchy.

A wipe acknowledgment does not verify that the device has been successfully wiped When you initiate a wipe action for a mobile device and Configuration Manager displays the wipe status to be acknowledged, the verification is that Configuration Manager successfully sent the message and not that the device acted on it. In addition, for mobile devices that are managed by the Exchange Server connector, a wipe acknowledgment verifies that the command was received by Exchange, not by the device.

If you use the options to commit changes on Windows Embedded devices in Configuration Manager SP1, accounts might be locked out sooner than expected If the Windows Embedded device is running an operating system that is prior to Windows 7 and a user attempts to log on while the write filters are disabled to commit changes made by Configuration Manager SP1, the number of incorrect logon attempts that are allowed before the account is locked out is effectively halved. For example, if the Account Lockout Threshhold is configured as 6 and a user mistypes their password 3 times, the account is locked out, effectively creating a denial of service situation. If users must log on to embedded devices in this scenario, caution them about the potential for a reduced lockout threshold.

Privacy Information for Configuration Manager Clients

When you deploy the Configuration Manager client, you enable client settings so you can use Configuration Manager management features. The settings that you use to configure the features can apply to all clients in the Configuration Manager hierarchy, regardless of whether they are directly connected to the corporate network, connected through a remote session, or connected to the Internet but supported by Configuration Manager.
1467

Client information is stored in the Configuration Manager database and is not sent to Microsoft. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval. Before you configure the Configuration Manager client, consider your privacy requirements.

Privacy Information for Mobile Device Clients that are Enrolled by Configuration Manager
For privacy information for when you enroll a mobile device by Configuration Manager, see Microsoft System Center 2012 Configuration Manager Privacy Statement - Mobile Device Addendum.

Client Status
Configuration Manager monitors the activity of clients and periodically evaluates and can remediate the Configuration Manager client and its dependencies. Client status is enabled by default, and it uses server-side metrics for the client activity checks, and client-side actions for self-checks, remediation, and for sending client status information to the Configuration Manager site. The client runs the self-checks according to a schedule that you can configure. The client sends the results of the checks to the Configuration Manager site. This information is encrypted during transfer. Client status information is stored in the Configuration Manager database and is not sent to Microsoft. The information is not stored in encrypted format in the site database. This information is retained in the database until it is deleted according to the value that is configured for the Retain client status history for the following number of days client status setting. The default value for this setting is every 31 days. Before you install the Configuration Manager client with client status checking, consider your privacy requirements.

Privacy Information for Mobile Devices that are Managed by Using the Exchange Server Connector
The Exchange Server Connector finds and manages devices that connect to Exchange Server (on-premise or hosted) by using the ActiveSync protocol. The records found by the Exchange Server Connector are stored in the Configuration Manager database. The information is collected from Exchange Server. It does not contain any additional information from what the mobile devices send to Exchange Server. The mobile device information is not sent to Microsoft. The mobile device information is stored in the Configuration Manager database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Discovery Data every 90 days. You can configure the deletion interval.
1468

Before you install and configure the Exchange Server connector, consider your privacy requirements.

See Also
Deploying Clients for System Center 2012 Configuration Manager

Technical Reference for Client Deployment in Configuration Manager

This section contains technical reference information for client deployment in System Center 2012 Configuration Manager.

Technical Reference Topics

About Client Settings in Configuration Manager About Client Installation Properties in Configuration Manager About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager Administrator Checklist: Deploying Clients in Configuration Manager Windows Firewall and Port Settings for Client Computers in Configuration Manager Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices Technical Reference for the Configuration Manager Client for Linux and UNIX Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Clients for System Center 2012 Configuration Manager

About Client Settings in Configuration Manager

All client settings in System Center 2012 Configuration Manager are managed in the Configuration Manager console from the Client Settings node in the Administration workspace. A set of default settings is supplied with Configuration Manager. When you modify the default client settings, these settings are applied to all clients in the hierarchy. You can also configure
1469

custom client settings, which override the default client settings when you assign these to collections. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. Many of the client settings are self-explanatory. Use the following sections for more information about the client settings that might require some information before you configure them. Client settings for devices: Background Intelligent Transfer Client Policy Compliance Settings Computer Agent Computer Restart Endpoint Protection Hardware Inventory Metered Internet Connections Network Access Protection (NAP) Power Management Remote Tools Software Deployment Software Inventory Software Updates User and Device Affinity Mobile Devices Enrollment User and Device Affinity

Client settings for users:

Client Settings for Devices

Use the following sections for information about client device settings.

Background Intelligent Transfer

Setting name More information

Limit the maximum network bandwidth for BITS background transfers Throttling window start time

If this option is configured as True or Yes, BITS bandwidth throttling will be used by Configuration Manager clients. Specify the start time in local time that the BITS throttling window will begin.
1470

Setting name

More information

Throttling window end time

Specify the end time in local time that the BITS throttling window will end. If this value is the same as the Throttling window start time, BITS throttling is always enabled. Specify the maximum transfer rate in (Kbps) that can be used by Configuration Manager clients during the specified BITS throttling window. Select this option to allow BITS downloads outside of the throttling window. This option allows Configuration Manager clients to use separate BITS settings outside of the specified window. Specify the maximum transfer rate in (Kbps) that will be used by Configuration Manager clients when outside of the specified BITS throttling window. This option can be configured only when you have selected to allow BITS throttling outside of the specified window.

Maximum transfer rate during throttling window (Kbps)

Allow BITS downloads outside the throttling window

Maximum transfer rate outside the throttling window (Kbps)

Client Policy
Setting name More information

Client policy polling interval (minutes)

For Configuration Manager with no service pack: Specify how frequently client computers download client policy. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify how frequently the following Configuration Manager clients download client policy: Windows computers (for example, desktops, servers, laptops) Mobile devices that are enrolled by Configuration Manager Mac computers Computers that run Linux or UNIX
1471

Setting name

More information

Enable user policy polling on clients

When you configure this setting as True or Yes, and Configuration Manager has discovered the user, Configuration Manager clients on computers receive applications and programs that are targeted to the logged on user. For more information about how to discover users, see the Configure Active Directory Discovery for Computers, Users, or Groups section in the Configuring Discovery in Configuration Manager topic. Because the Application Catalog receives the list of available software for users from the site server, this setting does not have to be configured as True or Yes for users to see and request applications from the Application Catalog. However, if this setting is False or No, the following will not work when users use the Application Catalog: In System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only, users cannot install the applications that they see in the Application Catalog. Users will not see notifications about their application approval requests. Instead, they must refresh the Application Catalog and check the approval status. Users will not receive revisions and updates for applications that are published to the Application Catalog. However, they will see changes to application information in the Application Catalog. If you remove an application deployment after the client has installed the application from the Application Catalog, clients continue to check that the application is installed for up to 2 days.

In addition, when this setting is False or No, users will not receive required applications that you deploy to users or any other management operations that are contained in user policies.
1472

Setting name

More information

This setting applies to users when their computer is on the intranet and the Internet; it must be configured as True or Yes if you also want to enable user policies on the Internet. Enable user policy requests from Internet clients When the client and site is configured for Internet-based client management and you configure this option as True or Yes and both of the following conditions apply, users receive user policy when their computer is on the Internet: The Enable user policy polling on clients client setting is configured as True or Enable user policy on clients is configured as Yes. The Internet-based management point successfully authenticates the user by using Windows authentication (Kerberos or NTLM).

If you leave this option as False or No, or if either of the conditions fails, a computer on the Internet will receive computer policies only. In this scenario, users can still see, request, and install applications from an Internet-based Application Catalog. If this setting is False or No but the Enable user policy polling on clients is configured as True or Enable user policy on clients is configured as Yes, users will not receive user policies until the computer is connected to the intranet. For more information about managing clients on the Internet, see the Planning for InternetBased Client Management section in the Planning for Communications in Configuration Manager topic. Note Application approval requests from users do not require user policies or user authentication.

1473

Compliance Settings
Setting name More information

Schedule compliance evaluation

Click Schedule to create the default schedule that will be displayed to users when they deploy a configuration baseline. This value can be configured for each baseline in the Deploy Configuration Baseline dialog box. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Select Yes if you want to deploy user data and profiles configuration items to Windows 8 computers in your hierarchy. For more information about user data and profiles, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Enable User Data and Profiles

Computer Agent
Setting name More information

Default Application Catalog website point

Configuration Manager uses this setting to connect users to the Application Catalog from Software Center. You can specify a server that hosts the Application Catalog website point by its NetBIOS name or FQDN, specify automatic detection, or specify a URL for customized deployments. In most cases, automatic detection is the best choice because it offers the following benefits: Clients are automatically given an Application Catalog website point from their site, if their site contains an Application Catalog website point. Protection against a rogue server because Application Catalog website points on the intranet that are configured for HTTPS are
1474

Setting name

More information

given preference over Application Catalog website points that are not configured for HTTPS. When clients are configured for intranet and Internet-based client management, they will be given an Internet-based Application Catalog website point when they are on the Internet and an intranet-based Application Catalog website point when they are on the intranet.

Automatic detection does not guarantee that clients will be given an Application Catalog website point that is closest to them. You might decide not to use Automatically detect for the following reasons: You want to manually configure the closest server for clients or ensure that they do not connect to a server across a slow network connection. You want to control which clients connect to which server. This might be for testing, performance, or business reasons. You do not want to wait up to 25 hours or for a network change for clients to be configured with a different Application Catalog website point.

If you specify the Application Catalog website point rather than use automatic detection, specify the NetBIOS name rather than the intranet FQDN to help reduce the likelihood that users will be prompted for credentials when they connect to the Application Catalog on the intranet. To use the NetBIOS name, the following conditions must apply: The NetBIOS name is specified in the Application Catalog website point properties. You use WINS or all clients are in the same domain as the Application Catalog website point. The Application Catalog website point is configured for HTTP client connections or it
1475

Setting name

More information

is configured for HTTPS client connections and the web server certificate contains the NetBIOS name. Typically, users are prompted for credentials when the URL contains an FQDN but not when the URL is a NetBIOS name. Expect users to be always prompted when they connect from the Internet, because this connection must use the Internet FQDN. When users are prompted for credentials when they are on the Internet, ensure that the server that runs the Application Catalog website point can connect to a domain controller for the users account so that the user can be authenticated by using Kerberos. Note How automatic detection works: The client makes a service location request to a management point. If there is an Application Catalog website point in the same site as the client, this server is given to the client as the Application Catalog server to use. When there is more than one available Application Catalog website point in the site, an HTTPS-enabled server takes precedence over a server that is not enabled for HTTPS. After this filtering, all clients are given one of the servers to use as the Application Catalog; Configuration Manager does not loadbalance between multiple servers. When the clients site does not contain an Application Catalog website point, the management point nondeterministically returns an Application Catalog website point from the hierarchy. When the client is on the intranet, if the selected Application Catalog website point is configured with a NetBIOS
1476

Setting name

More information

name for the Application Catalog URL, clients are given this NetBIOS name instead of the intranet FQDN. When the client is detected to be on the Internet, only the Internet FQDN is given to the client. The client makes this service location request every 25 hours or whenever it detects a network change. For example, if the client moves from the intranet to the Internet, and the client can locate an Internet-based management point, the Internet-based management point gives Internetbased Application Catalog website point servers to clients. Add default Application Catalog website to Internet Explorer trusted sites zone If this option is configured as True or Yes, the current default Application Catalog website URL is automatically added to the trusted sites zone in Internet Explorer on clients. This setting ensures that the Internet Explorer setting for Protected Mode is not enabled. If Protected Mode is enabled, the Configuration Manager client might not be able to install applications from the Application Catalog. By default, the trusted sites zone also supports user logon for the Application Catalog, which requires Windows authentication. If you leave this option as False, Configuration Manager clients might not be able to install applications from the Application Catalog unless these Internet Explorer settings are configured in another zone for the Application Catalog URL that clients use. Note Whenever Configuration Manager adds a default Application Catalog to the trusted sites zone, Configuration Manager removes a previous default Application Catalog URL that
1477

Setting name

More information

Configuration Manager added before it adds a new entry. Configuration Manager cannot add the URL if it is already specified in one of the security zones. In this scenario, you must either remove the URL from the other zone, or manually configure the required Internet Explorer settings. Allow Silverlight applications to run in elevated trust mode Applies to System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager SP1 only: This setting must be configured as Yes if users run the Configuration Manager SP1 or System Center 2012 R2 Configuration Manager client and use the Application Catalog. If you change this setting, it takes effect when users next load their browser or refresh their currently opened browser window. For more information about this setting, see the Certificates for Silverlight 5 and Elevated Trust Mode Required for the Application Catalog section in the Security and Privacy for Application Management in Configuration Manager topic. Organization Name displayed in Software Center Install Permissions Type the name that users see in Software Center. This branding information helps users to identify this application as a trusted source. Warning This setting applies to the Application Catalog and Software Center. This setting has no effect when users use the company portal. Configure how users can initiate the installation of software, software updates, and task sequences: All Users: Users logged on to a client computer with any permission except Guest can initiate the installation of software,
1478

Setting name

More information

software updates, and task sequences. Only Administrators: Users logged on to a client computer must be a member of the local Administrators group to initiate the installation of software, software updates, and task sequences. Only Administrators and primary users: Users logged on to a client computer must be a member of the local Administrators group or a primary user of the computer to initiate the installation of software, software updates, and task sequences. No Users: No users logged on to a client computer can initiate the installation of software, software updates, and task sequences. Required deployments for the computer are always installed at the deadline and users cannot initiate the installation of software from the Application Catalog or Software Center.

Suspend BitLocker PIN entry on restart

If the BitLocker PIN entry is configured on computers, this option can bypass the requirement to enter a PIN when the computer restarts after a software installation. Always: Configuration Manager temporarily suspends the BitLocker requirement to enter a PIN on the next computer startup after it has installed software that requires a restart and initiated a restart of the computer. This setting applies only to computer restarts that are initiated by Configuration Manager and does not suspend the requirement to enter the BitLocker PIN when the user restarts the computer. The BitLocker PIN entry requirement is resumed after Windows startup. Never: Configuration Manager does not suspend the BitLocker requirement to enter a PIN on the next computer startup after it has installed software that requires a restart. In this scenario, the software installation cannot finish until the user
1479

Setting name

More information

enters the PIN to complete the standard startup process and load Windows. Agent extensions manage the deployment of applications and software updates (Configuration Manager with no service pack) Additional software manages the deployment of applications and software updates (System Center 2012 R2 Configuration Manager and Configuration Manager SP1) Enable this option only if one of the following conditions apply: You use a vendor solution that requires this setting to be enabled. You use the System Center 2012 Configuration Manager software development kit (SDK) to manage client agent notifications and the installation of applications and software updates. Warning If you select this option when neither of these conditions apply, software updates and required applications will not install on clients. This setting does not prevent users from installing applications from the Application Catalog, or prevent packages and programs, and task sequences from being installed on client computers. PowerShell execution policy Configure how Configuration Manager clients can run Windows PowerShell scripts. These scripts are often used for detection in configuration items for compliance settings, but can also be sent in a deployment as a standard script. Bypass: The Configuration Manager client bypasses the Windows PowerShell configuration on the client computer so that unsigned scripts can run. Restricted: the Configuration Manager client uses the current Windows PowerShell configuration on the client computer, which determines whether unsigned scripts can run. All Signed (System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager SP1 only): The
1480

Setting name

More information

Configuration Manager client runs scripts only if they are signed by a trusted publisher. This restriction applies independently from the current Windows PowerShell configuration on the client computer. This option requires at least Windows PowerShell version 2.0 and the default is Restricted in Configuration Manager with no service pack, and All Signed in System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager SP1. Tip If unsigned scripts fail to run because of this client setting, Configuration Manager reports this error in the following ways: Error ID 0X87D00327 and the description of Script is not signed as a deployment status error in the Monitoring workspace of the Configuration Manager console. Error codes and descriptions of 0X87D00327 and Script is not signed or 0X87D00320 and The script host has not been installed yet with the error type of Discovery Error in reports, such as Details of errors of configuration items in a configuration baseline for an asset. The message Script is not signed (Error: 87D00327; Source: CCM) in the DcmWmiProvider.log file.

Disable deadline randomization

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only. This setting determines whether the client uses an activation delay of up to two hours to install required software updates and required applications when the deadline is reached. By default, the activation delay is disabled. For virtual desktop infrastructure (VDI)
1481

Setting name

More information

scenarios, this delay can help to distribute the CPU processing and data transfer for a computer that has multiple virtual machines that run the Configuration Manager client. Even if you do not use VDI, if many clients install the same software at the same time, this can negatively increase CPU usage on the site server, slow down distribution points, and significantly reduce the available network bandwidth. If required software updates and required applications must install without delay when the configured deadline is reached, select Yes for this setting.

Computer Restart
When you specify these computer restart settings, ensure that the value for the restart temporary notification interval and the value for the final countdown interval are shorter in duration than the shortest maintenance window that is applied to the computer. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

Endpoint Protection
Setting name More information

Manage Endpoint Protection client on client computers

Select True or Yes if you want to manage existing Endpoint Protection clients on computers in your hierarchy. Select this option if you have already installed the Endpoint Protection client and want to manage it with Configuration Manager. Additionally, select this option if you want to create a script to uninstall an existing antimalware solution, install the Endpoint Protection client, and deploy this script by using a Configuration Manager application or package and program.

Install Endpoint Protection client on client

Select True or Yes to install and enable the

1482

Setting name

More information

computers

Endpoint Protection client on client computers where it is not already installed. Note If the Endpoint Protection client is already installed, selecting False or No will not uninstall the Endpoint Protection client. To uninstall the Endpoint Protection client, set the Manage Endpoint Protection client on client computers client setting to False or No, and then deploy a package and program to uninstall the Endpoint Protection client.

Automatically remove previously installed antimalware software before Endpoint Protection is installed

Select True or Yes to attempt to uninstall existing antimalware software. Note Endpoint Protection attempts to uninstall the following antimalware software only: Symantec AntiVirus Corporate Edition version 10 Symantec Endpoint Protection version 11 Symantec Endpoint Protection Small Business Edition version 12 McAfee VirusScan Enterprise version 8 Trend Micro OfficeScan Microsoft Forefront Codename Stirling Beta 2 Microsoft Forefront Codename Stirling Beta 3 Microsoft Forefront Client Security v1 Microsoft Security Essentials v1 Microsoft Security Essentials 2010 Microsoft Forefront Endpoint Protection 2010 Microsoft Security Center Online v1

If you try to install the Endpoint Protection client on a computer and the uninstall of an existing
1483

Setting name

More information

antimalware solution is not supported, then the Endpoint Protection client installation will fail. In this case, you can use application management to uninstall the existing antimalware solution, install the Endpoint Protection client and then use the Manage Endpoint Protection client on client computers client setting to let Configuration Manager manage the newly installed Endpoint Protection client. For Windows Embedded devices with write filters, commit Endpoint Protection client installation (requires restart) For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only. Select Yes to disable the write filter on the Windows Embedded device and restart the device. This commits the installation on the device. If No is specified, the client is installed on a temporary overlay that is cleared when the device is restarted. In this scenario, the Endpoint Protection client is not committed until another installation commits changes to the device. This is the default setting. Suppress any required computer restarts after the Endpoint Protection client is installed Select True or Yes to suppress a computer restart if it is required after the Endpoint Protection client is installed. Important If the Endpoint Protection client requires a computer restart and this setting is configured as False, the restart will occur regardless of any maintenance windows that have been configured. Allowed period of time users can postpone a required restart to complete the Endpoint Protection installation (hours) Specify the number of hours that users can postpone a computer restart if this is required after the Endpoint Protection client is installed. This option can only be configured if the Suppress any required computer restarts after the Endpoint Protection client is installed option is set to False.
1484

Setting name

More information

Disable alternate sources (such as Windows Update, Microsoft Windows Server Update Services or UNC shares) for the initial definition update on client computers

Select True or Yes if you want Configuration Manager to only install the initial definition update on client computers. This setting can be helpful to avoid unnecessary network connections and reduce network bandwidth during the initial installation of the definition update.

Hardware Inventory
Setting name More information

Maximum custom MIF file size (KB)

Specify the maximum size, in kilobyte (KB), allowed for each custom Management Information Format (MIF) file that will be collected from a client during a hardware inventory cycle. If any MIF files exceed this size, they will not be processed by Configuration Manager hardware inventory. You can specify a size between 1 and 5,000 KB. By default, this value is set to 250 KB. This setting does not affect the size of the regular hardware inventory data file. Note This setting is only available in the default client settings.

Hardware inventory classes

In System Center 2012 Configuration Manager, you can extend the hardware information that you collect from clients without manually editing the sms_def.mof file. Click Set Classes if you want to extend Configuration Manager hardware inventory. For more information, see How to Extend Hardware Inventory in Configuration Manager. Use this setting to specify whether to collect Managed Information Format (MIF) files from System Center 2012 Configuration Manager
1485

Collect MIF files

Setting name

More information

clients during hardware inventory. For a MIF file to be collected by hardware inventory, it must be located in the correct location on the client computer. By default, the files should be located as follows: IDMIF files should be located in the Windows\System32\CCM\Inventory\Idmif folder. NOIDMIF files should be located in the Windows\System32\CCM\Inventory\Noidmif folder. Note This setting is only available in the default client settings.

Metered Internet Connections

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager, you can manage how Windows 8 client computers communicate with Configuration Manager sites when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note The configured client setting is not applied to Windows 8 client computers in the following scenarios: The computer is on a roaming data connection: The Configuration Manager client does not perform any operations that require data to be transferred to Configuration Manager sites. The Windows network connection properties is configured as non-metered: The Configuration Manager client behaves as if this is a non-metered Internet connection and so transfers data to the Configuration Manager sites.
More information

Setting name

Specify how clients communicate on metered network connections (Configuration Manager SP1) Client communication on metered Internet connections (System Center 2012 R2 Configuration Manager)

From the drop-down list, choose one of the following for Windows 8 client computers: Allow: All client communications are allowed over the metered Internet connection unless the client device is using a roaming data connection.
1486

Setting name

More information

Limit: Only the following client communications are allowed over the metered Internet connection: Client policy retrieval Client state messages to send to the site Software installation requests by using the Application Catalog Required deployments (when the installation deadline is reached) Important If a user initiates a software installation from Software Center or the Application Catalog, these are always permitted, regardless of the metered Internet connection settings. If the data transfer limit is reached for the metered Internet connection, the client no longer attempts to communicate with Configuration Manager sites.

Block: The Configuration Manager client does not attempt to communicate with Configuration Manager sites when it is on a metered Internet connection. This is the default value.

Network Access Protection (NAP)

Setting name More information

Enable Network Access Protection on clients

When you set this option to True or Yes, Configuration Manager clients that support Network Access Protection (NAP) evaluate software updates for their statement of health and send the results to a System Health Validator point. Tip Before you set this option to True or
1487

Setting name

More information

Yes, make sure that clients have the Windows Network Access Protection Agent service started and set to automatic, and that the Windows Network Access Protection infrastructure is in place. The default setting is False or No. Require a new scan for each evaluation When you set this option to True or Yes, this is the most secure configuration, but it will result in a delay for connecting clients as they wait for their NAP evaluation to complete. If this option is set to False or No, clients return the cached results from their most recent NAP evaluation. How current that cached information is depends on the NAP re-evaluation schedule client setting. The default setting is False or No. By default, NAP-capable clients re-evaluate their statement of health with a simple schedule of every day. You can change this behavior if you click Schedule and configure the frequency and interval or a custom schedule. Important If you do change the default schedule, make sure that you configure a value that is lower than the configured statement of health validity period on the System Health Validator point. If the compliance evaluation on the client occurs less frequently than the validity period, clients will be found noncompliant by the System Health Validator point. In this scenario, remediation will instruct clients to re-evaluate their compliance and produce a current statement of health. This process might take a few minutes to complete, so if you configure the NAP health policy server to enforce compliance with
1488

NAP re-evaluation schedule

Setting name

More information

limited network access, computers will not be able to access network resources during this re-evaluation time.

Power Management
Setting Name More Information

Allow users to exclude their device from power management

From the drop down list, select True or Yes to allow users of Software Center to exclude their computer from any configured power management settings. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify Yes to supplement the sites Wake On LAN setting when it is configured for unicast packets. For more information about wake-up proxy, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic. Warning Do not enable wake-up proxy in a production network without first understanding how it works and evaluating it in a test environment.

Enable wake-up proxy

Wake-up proxy port number (UDP)

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Keep the default value for the port number that manager computers use to send wake-up packets to sleeping computers, or change the number to a value of your choice. The port number specified here is automatically
1489

Setting Name

More Information

configured for clients that run Windows Firewall when you configure the Windows Firewall exception for wake-up proxy option. If clients run a different firewall, you must manually configure it to allow the UDP port number that is specified for this setting. Wake On LAN port number (UDP) For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Keep the default value of 9, unless you have changed the Wake On LAN (UDP) port number in the site Properties, Ports tab. Important This number must match the number in the site Properties. If you change this number in one place, it does not automatically update in the other place.

Remote Tools
Setting Name More Information

Enable Remote Control on clients Firewall exception profiles

Select whether Configuration Manager remote control is enabled for all client computers that receive these client settings. Click Configure to enable remote control and optionally configure firewall settings to allow remote control to work on client computers. Important If firewall settings are not configured, remote control might not work correctly. Note Remote control is disabled by default.

Users can change policy or notification settings in Software Center Allow Remote Control of an unattended

Select whether users can change remote control options from within Software Center. Select whether an administrator can use
1490

Setting Name

More Information

computer

remote control to access a client computer that is logged off or locked. Only a logged-on and unlocked computer can be remote controlled when this setting is disabled. Select whether the client computer will display a message asking for the user's permission before allowing a remote control session. Select whether local administrators on the server initiating the remote control connection can establish remote control sessions to client computers. Specify the level of remote control access that will be allowed. Click Set Viewers to open the Configure Client Setting dialog box and specify the names of the Windows users who can establish remote control sessions to client computers. Select this option to display an icon on the taskbar of client computers to indicate that a remote control session is active. Select this option to display a high-visibility session connection bar on client computers to indicate that a remote control session is active. Select this option to use sound to indicate when a remote control session is active on a client computer. You can play a sound when the session connects or disconnects, or you can play a sound repeatedly during the session. Select this option to let Configuration Manager manage unsolicited remote assistance sessions. Unsolicited remote assistance sessions are those where the user at the client computer does not request assistance to initiate a session.

Prompt user for Remote Control permission

Grant Remote Control permission to local Administrators group

Access level allowed Permitted viewers

Show session notification icon on taskbar

Show session connection bar

Play a sound on client

Manage unsolicited Remote Assistance settings

Manage solicited Remote Assistance settings

Select this option to let Configuration Manager manage solicited remote assistance sessions.
1491

Setting Name

More Information

Solicited remote assistance sessions are those where the user at the client computer sends a request to the administrator for remote assistance. Level of access for Remote Assistance Select the level of access to assign to remote assistance sessions that are initiated in the Configuration Manager console. Note The user at the client computer must always grant permission for a Remote Assistance session to occur. Manage Remote Desktop settings Select this option to let Configuration Manager manage Remote Desktop sessions for computers. Select this option to let users specified in the permitted viewer list to be added to the Remote Desktop local user group on client computers. Select this more secure option if you want to use network-level authentication to establish Remote Desktop connections to client computers that run Windows Vista or later. Network-level authentication requires fewer remote computer resources initially because it completes user authentication before it establishes a Remote Desktop connection. This method is more secure because it can help protect the computer from malicious users or software, and it reduces the risk from denial-ofservice attacks.

Allow permitted viewers to connect by using Remote Desktop connection Require network level authentication on computers that run Windows Vista operating system and later versions

Software Deployment
Setting name More information

Schedule re-evaluation for deployments

Configure a schedule for when Configuration Manager re-evaluates the requirement rules for all deployments. The default value is every 7
1492

Setting name

More information

days. Important We recommend that you do not change this value to a lower value than the default as this may negatively affect the performance of your network and client computers. You can also initiate this action from a Configuration Manager client computer by selecting the action Application Deployment Evaluation Cycle from the Actions tab of Configuration Manager in Control Panel.

Software Inventory
Setting name More information

Inventory reporting detail

Specify the level of file information to inventory. You can inventory details about the file only, details about the product associated with the file or you can inventory all information about the file. If you want to specify the types of file to inventory, click Set Types and then configure the following in the Configure Client Setting dialog box: Note If multiple custom client settings are applied to a computer, the inventory returned by each setting will be merged. Click the New icon to add a new file type to inventory, then specify the following information in the Inventoried File Properties dialog box: Name Provide a name for the file you want to inventory. You can use the * character to represent any string of text and the ?
1493

Inventory these file types

Setting name

More information

character to represent any single character. For example, if you want to inventory all files with the extension .doc, specify the filename *.doc. Location Click Set to open the Path Properties dialog box. You can configure software inventory to search all client hard disks for the specified file, search a specified path (for example C:\Folder) or a specified variable (for example %windir%) and you can also search all subfolders under the specified path. Exclude encrypted and compressed files When you select this option, any files that have been compressed or encrypted will not be inventoried. Exclude files in the Windows folder When you select this option, any files in the Windows folder and its subfolders will not be inventories. Click OK to close the Inventoried File Properties dialog box. Add all of the files you want to inventory and then, click OK to close the Configure Client Setting dialog box.

Collect files

If you want to collect files from client computers, click Set Files and then configure the following: Note If multiple custom client settings are applied to a computer, the inventory returned by each setting will be merged. In the Configure Client Setting dialog box, click the new icon to add a file to be collected. In the Collected File Properties dialog box, provide the following information: Name Provide a name for the file you want to collect. You can use the * character to represent any string of text and the ? character to represent any single character. Location Click Set to open the Path
1494

Setting name

More information

Properties dialog box. You can configure software inventory to search all client hard disks for the file you want to collect, search a specified path (for example C:\Folder) or a specified variable (for example %windir%) and you can also search all subfolders under the specified path. Exclude encrypted and compressed files When you select this option, any files that have been compressed or encrypted will not be collected. Stop file collection when the total size of the files exceeds (KB) Specify the file size (in KB) after which no more of the files specified under Name will be collected. Note The site server collects the five most recently changed versions of collected files and stores them in the <ConfigMgr installation directory>\Inboxes\Sinv.box\Filecol directory. If a file has not changed since the last software inventory was collected, the file will not be collected again. Files larger than 20 MB are not collected by software inventory. The value Maximum size for all collected files (KB) in the Configure Client Setting dialog box displays the maximum size for all collected files. When this size is reached, file collection will stop. Any files already collected are retained and sent to the site server. Important If you configure software inventory to collect many large files, this might negatively affect the performance of your network and site server.
1495

Setting name

More information

For information about how to view collected files, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager. Click OK to close the Collected File Properties dialog box. Add all of the files you want to collect and then, click OK to close the Configure Client Setting dialog box.

Set Names

During software inventory, manufacturer names and product names are retrieved from the header information of files installed on clients in the site. Because these names are not always standardized in the file header information, when you view software inventory information in Resource Explorer or run queries, different versions of the same manufacturer or product name can sometimes appear. If you want to standardize these display names, click Set Names and then configure the following in the Configure Client Setting dialog box: Name type: Software inventory collects information about both manufacturers and products. From the drop-down list, select whether you want to configure display names for a Manufacturer or a Product. Display name: Specifies the display name you want to use in place of the names in the Inventoried names list. You can click the New icon to specify a new display name. Inventoried names: - Click the New icon to add a new inventoried name which will be replaced in software inventory by the name selected in the Display name list. You can add multiple names that will be replaced.

Software Updates

1496

Setting name

More information

Enable software updates on clients

Use this setting to enable software updates on Configuration Manager clients. If you clear this setting, Configuration Manager removes existing deployment policies from client. When you re-enable this setting, the client downloads the current deployment policy. Important When you clear this setting, NAP and compliance settings policies that rely on the software updates device setting will no longer function.

Software update scan schedule

Use this setting to specify how often the client initiates a software update compliance assessment scan. The compliance assessment scan determines the state for software updates on the client (for example, required or installed). For more information about compliance assessment, see the Software Updates Compliance Assessment section in the Introduction to Software Updates in Configuration Manager topic. By default a simple schedule is used and the compliance scan initiates every 7 days. You can choose to create a custom schedule to specify an exact start day and time, choose whether to use UTC or the local time, and configure the recurring interval for a specific day of the week. Note If you can specify an interval of less than 1 day, Configuration Manager will automatically default to 1 day. Warning The actual start time on client computers is the start time plus a random amount of time up to 2 hours. This prevents client computers from initiating the scan and connecting to Windows Server Update Services
1497

Setting name

More information

(WSUS) on the active software update point server at the same time. Schedule deployment re-evaluation Use this setting to configure how often the Software Updates Client Agent re-evaluates software updates for installation status on Configuration Manager client computers. When software updates that have been previously installed are no longer found on client computers, and still required, they are reinstalled. The deployment re-evaluation schedule should be adjusted based on company policy for software update compliance, whether users have the ability to uninstall software updates, and so on, and with the consideration that every deployment reevaluation cycle results in some network and client computer CPU activity. By default, a simple schedule is used and the deployment reevaluation scan initiates every 7 days. Note Although you can specify an interval of less than 1 day, Configuration Manager will automatically default to 1 day.

When any software update deadline is reached, install all other software update deployments with deadline coming within a specified period of time

Use this setting to install all software updates in required deployments that have deadlines that will occur within a specified period of time. When a deadline is reached for a required software update deployment, installation initiates on clients for the software updates in the deployment. This setting determines whether to also initiate the installation for software updates defined in other required deployments that have a configured deadline within the specified period of time. Use this setting to expedite software update installation for required software updates, potentially increase security, potentially decrease display notifications, and potentially
1498

Setting name

More information

decrease system restarts on client computers. By default, this setting is not enabled. Period of time for which all pending deployments with deadline in this time will also be installed Use this setting to specify the timeframe for the previous setting. You can enter a value from 1 to 23 hours and from 1 to 365 days. By default, this setting is configured for 7 days.

User and Device Affinity

Setting name More information

User device affinity usage threshold (minutes) User device affinity usage threshold (days)

Specify the number of minutes before Configuration Manager creates a user device affinity mapping. Specify the number of days over which the usage based affinity threshold is measured. Note For example, if User device affinity usage threshold (minutes) is specified as 60 minutes and User device affinity usage threshold (days) is specified at 5 days, the user must use the device for 60 minutes over a period of 5 days to automatically create a user device affinity.

Automatically configure user device affinity from usage data

Select True or Yes to enable Configuration Manager to automatically create user device affinities based on the usage information that is collected.

Client Settings for Users

Use the following sections for information about user settings on clients.

Mobile Devices
This section applies to Configuration Manager with no service pack only.
1499

Setting name

More information

Mobile device enrollment profile

Before you can configure this setting, you must first set to True the mobile device user setting Allow users to enroll mobile devices. Then you can click Set Profile to specify an enrollment profile that contains information about the certificate template to use during the enrollment process, the site that contains an enrollment point and enrollment proxy point, and the site that will manage the device after the enrollment. Important Ensure that you have configured a certificate template to use for mobile device enrollment before you configure this option. For more information about how to enroll mobile devices by using Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager.

Enrollment
This section applies to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only.
Setting name More information

Mobile device enrollment profile

Before you can configure this setting, you must first set to Yes the enrollment user setting Allow users to enroll mobile devices and Mac computers. Then you can click Set Profile to specify an enrollment profile that contains information about the certificate template to use during the enrollment process, the site that contains an enrollment point and enrollment proxy point, and the site that will manage the device after the enrollment. Important
1500

Setting name

More information

Ensure that you have configured a certificate template to use for mobile device enrollment or for Mac client certificate enrollment before you configure this option. For more information about how to enroll mobile devices by Configuration Manager, see How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager. For more information about how to install Mac clients and enroll their certificates, see How to Install Clients on Mac Computers in Configuration Manager.

User and Device Affinity

Setting name More information

Allow user to define their primary devices

Specify whether users are allowed to identify their own primary devices from the Application Catalog, My Devices tab.

See Also
Technical Reference for Client Deployment in Configuration Manager

About Client Installation Properties in Configuration Manager

Use the System Center 2012 Configuration Manager CCMSetup.exe command to manually install the System Center 2012 Configuration Manager client software on computers in your enterprise. The CCMSetup program downloads all the necessary files to complete the client installation from a specified management point or from a specified source location. These files might include the following:

1501

The Windows Installer package Client.msi that installs the System Center 2012 Configuration Manager client software. Microsoft Background Intelligent Transfer Service (BITS) installation files, if required. Windows Installer installation files, if required. Updates and fixes for the System Center 2012 Configuration Manager client, if required. Note In System Center 2012 Configuration Manager, you cannot run the Client.msi file directly.

CCMSetup.exe provides several command-line properties to customize the installation behavior. Additionally, you can also specify properties to modify the behavior of Client.msi at the CCMSetup.exe command line. Important You must specify all required CCMSetup properties before you specify properties for Client.msi. CCMSetup.exe and its supporting files are located on the System Center 2012 Configuration Manager site server in the Client folder of the System Center 2012 Configuration Manager installation folder. This folder is shared to the network as <Site Server Name>\SMS_<Site Code>\Client. At the command prompt, the CCMSetup.exe command uses the following format: CCMSetup.exe [Ccmsetup properties] [client.msi setup properties] For example, CCMSetup.exe /mp:SMSMP01 /logon SMSSITECODE=S01 FSP=SMSFSP01 performs the following actions: Specifies the management point named SMSMP01 to request a list of distribution points to download the client installation source files. Specifies that installation should stop if a version of the System Center 2012 Configuration Manager or Configuration Manager 2007 client already exists on the computer. Instructs client.msi to assign the client to the site code S01. Instructs client.msi to use the fallback status point named SMSFP01. Note If a property contains spaces, surround it by quotation marks (""). The properties described in the following table are available to modify the installation behavior of CCMSetup.exe. Important If you have extended the Active Directory schema for System Center 2012 Configuration Manager, many client installation properties are published in Active Directory Domain Services and read automatically by the System Center 2012 Configuration Manager client. For a list of the client installation properties published in Active Directory Domain Services, see About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager.
1502

CCMSetup.exe Command-Line Properties

Property More information

/?

Opens the CCMSetup dialog box showing command-line properties for ccmsetup.exe. Example: ccmsetup.exe /?

/source:<Path>

Specifies the location from which to download installation files. You can use a local or UNC installation path. Files are downloaded by using the server message block (SMB) protocol. Note You can use the /source property multiple times at the command line to specify alternative locations from which to download installation files. Important To use the /source command-line property, the Windows user account that is used for client installation must have Read permissions to the installation location. Example: ccmsetup.exe /source:"\\computer\folder"

/mp:<Computer>

Specifies a source management point for computers to connect to so that they can find the nearest distribution point to download the client installation files. If there are no distribution points or computers cannot download the files from the distribution points after 4 hours, clients download the files from the specified management point. Computers download the files over an HTTP or HTTPS connection, depending on the site system role configuration for client connections. The download uses BITS throttling, if BITS throttling is configured. If all distribution points and management points are configured for HTTPS client connections only, you must verify that the client computer has a valid public key infrastructure (PKI) client certificate. Note You can use the /mp command-line property to specify multiple management points so that if the computer fails to connect to the first one, the next is tried, and so on. When you specify multiple
1503

Property

More information

management points, separate the values by using commas. Important This property is used only to specify an initial management point for computers to find the closes source to download the client installation files. It does not specify the management point to which the client will become assigned after installation. You can specify any System Center 2012 Configuration Manager management point in any site to provide computers with a list of distribution points from which they can download the client installation files. Example for when you use the computer name: ccmsetup.exe /mp:SMSMP01 Example for when you use the FQDN: ccmsetup.exe /mp:smsmp01.contoso.com Tip If the client connects to a management point by using HTTPS, typically, you must specify the FQDN for this option rather than the computer name. The value that you specify must be included in the management points PKI certificate Subject or Subject Alternative Name. Although Configuration Manager supports a computer name only in this PKI certificate for connections on the intranet, as a security best practice, an FQDN is recommended. /retry:<Minutes> Specifies the retry interval if CCMSetup.exe fails to download installation files. The default value is 10 minutes. CCMSetup continues to retry until it reaches the limit specified in the downloadtimeout installation property. Example: ccmsetup.exe /retry:20 /noservice Prevents CCMSetup from running as a service. When CCMSetup runs as a service, it runs in the context of the Local System account of the computer, which might not have sufficient rights to access network resources that are required for the installation process. When you specify the /noservice option, CCMSetup.exe runs in the context of the user account that you use to start the installation process. Additionally, if
1504

Property

More information

you are use a script to run CCMSetup.exe with the /service property, CCMSetup.exe exits after the service starts and might not report installation details correctly because the CCMSetup service performs the client installation. If this command-line property is not specified, by default, /service will be used. Example: ccmsetup.exe /noservice /service Specifies that CCMSetup should run as a service that uses the local system account. Example: ccmsetup.exe /service /uninstall Specifies that the System Center 2012 Configuration Manager client software should be uninstalled. For more information, see How to Manage Clients in Configuration Manager. Example: ccmsetup.exe /uninstall /logon Specifies that the client installation should stop if any version of the System Center 2012 Configuration Manager or the Configuration Manager client is already installed. Example: ccmsetup.exe /logon /forcereboot Specifies that CCMSetup should force the client computer to restart if this is necessary to complete the client installation. If this option is not specified, CCMSetup exits when a restart is necessary, and then continues after the next manual restart. Example: CCMSetup.exe /forcereboot /BITSPriority:<Priority> Specifies the download priority when client installation files are downloaded over an HTTP connection. Possible values are as follows: FOREGROUND HIGH NORMAL LOW

The default value is NORMAL. Example: ccmsetup.exe /BITSPriority:HIGH /downloadtimeout:<Minutes> Specifies the length of time in minutes that CCMSetup attempts to download the client installation files before it gives up. The default value is 1440 minutes (1 day).
1505

Property

More information

Example: ccmsetup.exe /downloadtimeout:100 /UsePKICert When specified, the client uses a PKI certificate that includes client authentication, if one is available. If a valid certificate cannot be found, the client falls back to using an HTTP connection and a self-signed certificate. When this option is not specified, the client uses a self-signed certificate and all communications to site systems are over HTTP. Note There are some scenarios where you do not have to specify this property when you are installing a client to use a PKI client certificate. These scenarios include installing a client by using client push and software update pointbased client installation. However, you must specify this property whenever you manually install a client and use the /mp property to specify a management point that is configured to accept only HTTPS client connections. You also must specify this property when you install a client for Internet-only communication, by using the CCMALWAYSINF=1 property (together with the properties for the Internet-based management point and the site code). For more information about Internet-based client management, see Planning for Internet-Based Client Management. Example: CCMSetup.exe /UsePKICert /NoCRLCheck Specifies that a client should not check the certificate revocation list (CRL) when it communicates over HTTPS by using a PKI certificate. When this option is not specified, the client checks the CRL before establishing an HTTPS connection by using PKI certificates. For more information about client CRL checking, see Planning for PKI Certificate Revocation. Example: CCMSetup.exe /UsePKICert /NoCRLCheck /config:<configuration file> Specifies the name of a text file containing client installation properties. Unless you also specify the /noservice CCMSetup property, this file must be located in the CCMSetup folder, which is <%Windir%>\Ccmsetup for 32-bit and 64-bit operating systems. If you specify the /noservice
1506

Property

More information

property, this file must be located in the same folder from which you run CCMSetup.exe. Example: CCMSetup.exe /config:<Configuration File Name.txt> Use the mobileclienttemplate.tcf file in the <Configuration Manager directory>\bin\<platform> folder on the site server computer to provide the correct format of the file. This file also contains information in comment form about the sections and how they are used. Specify the client installation properties in the [Client Install] section, after the following text: Install=INSTALL=ALL. Example [Client Install] section entry: Install=INSTALL=ALL SMSSITECODE=ABC SMSCACHESIZE=100 /skipprereq:<filename> Specifies that CCMSetup.exe must not install the specified prerequisite program when the Configuration Manager client is installed. Examples: CCMSetup.exe /skipprereq:silverlight.exe or CCMSetup.exe /skipprereq:dotnetfx40_client_x86_x64.exe;Silverlight.exe Note This property supports entering multiple values. Use the semicolon character (;) to separate each value. /forceinstall For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify that any existing client will be uninstalled and then a new client will be installed. /ExcludeFeatures:<feature> Specifies that CCMSetup.exe will not install the specified feature when the Configuration Manager client is installed. Example: CCMSetup.exe /ExcludeFeatures:ClientUI will not install the Software Center on the client. Note For this release, ClientUI is the only value supported with the /ExcludeFeatures property.

1507

Client.msi Properties
The properties described in the following table can modify the installation behavior of client.msi. If you use the client push installation method, you can also specify the properties in the Client tab of the Client Push Installation Properties dialog box.
Property More information

CCMALWAYSINF

Set to 1 to specify that the client will always be Internet-based and will never connect to the intranet. The client's connection type displays Always Internet. This property should be used in conjunction with CCMHOSTNAME, which specifies the FQDN of the Internet-based management point. It should also be used in conjunction with the CCMSetup property /UsePKICert and with the site code. For more information about Internet-based client management, see Planning for Internet-Based Client Management. Example: CCMSetup.exe /UsePKICert CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC

CCMCERTISSUERS

Specifies the certificate issuers list, which is a list of trusted root certification (CA) certificates that the Configuration Manager site trusts. For more information about the certificate issuers list and how clients use it during the certificate selection process, see Planning for PKI Client Certificate Selection. This is a case-sensitive match for subject attributes that are in the root CA certificate. Attributes can be separated by a comma (,) or semi-colon (;). Multiple root CA certificates can be specified by using a separator bar. Example: CCMCERTISSUERS=CN=Contoso Root CA; OU=Servers; O=Contoso, Ltd; C=US | CN=Litware Corporate Root CA; O=Litware, Inc. Tip Reference the mobileclient.tcf file in the <Configuration Manager
1508

Property

More information

directory>\bin\<platform> folder on the site server computer to copy the CertificateIssuers=<string> that is configured for the site. CCMCERTSEL Specifies the certificate selection criteria if the client has more than one certificate that can be used for HTTPS communication (a valid certificate that includes client authentication capability). You can search for an exact match in the Subject Name or Subject Alternative Name (use Subject:) or a partial match (use SubjectStr:), in the Subject Name or Subject Alternative Name. Examples: CCMCERTSEL="Subject:computer1.contoso.com" searches for a certificate with an exact match to the computer name "computer1.contoso.com" in either the Subject Name, or the Subject Alternative Name. CCMCERTSEL="SubjectStr:contoso.com" searches for a certificate that contains "contoso.com" in either the Subject Name, or the Subject Alternative Name. You can also use Object Identifier (OID) or distinguished name attributes in the Subject Name or Subject Alternative Name attributes, for example: CCMCERTSEL="SubjectAttr:2.5.4.11 = Computers" searches for the organizational unit attribute expressed as an object identifier, and named Computers. CCMCERTSEL="SubjectAttr:OU = Computers" searches for the organizational unit attribute expressed as a distinguished name, and named Computers. Important If you use the Subject Name box, the matching process for the Subject: selection criteria value is case-sensitive, and the matching process for the SubjectStr: selection criteria value is case-insensitive. If you use the Subject Alternative Name box, the matching process for both the Subject:
1509

Property

More information

selection criteria value and the SubjectStr: selection criteria value is case-insensitive. The complete list of attributes that you can use for certificate selection is listed in Supported Attribute Values for the PKI Certificate Selection Criteria. If more than one certificate matches the search, and the property CCMFIRSTCERT has been set to 1, the certificate with the longest validity period is selected. CCMCERTSTORE Specifies an alternate certificate store name if the client certificate to be used for HTTPS communication is not located in the default certificate store of Personal in the Computer store. Example: CCMSetup.exe /UsePKICert CCMCERTSTORE="ConfigMgr" CCMFIRSTCERT If set to 1, this property specifies that the client should select the PKI certificate with the longest validity period. This setting might be required if you are using Network Access Protection with IPsec enforcement. Example: CCMSetup.exe /UsePKICert CCMFIRSTCERT=1 CCMHOSTNAME Specifies the FQDN of the Internet-based management point, if the client is managed over the Internet. Do not specify this option with the installation property of SMSSITECODE=AUTO. Internet-based clients must be directly assigned to their Internet-based site. Example: CCMSetup.exe /UsePKICert/ CCMHOSTNAME="SMSMP01.corp.contoso.com" CCMHTTPPORT Specifies the port that the client should use when communicating over HTTP to site system servers. If the port is not specified, the default value of 80 will be used. Example: CCMSetup.exe CCMHTTPPORT=80 CCMHTTPSPORT Specifies the port that the client should use when communicating over HTTPS to site system servers. If the port is not specified, the default value of 443 will be used.
1510

Property

More information

Example: CCMSetup.exe /UsePKICert CCMHTTPSPORT=443 SMSPUBLICROOTKEY Specifies the Configuration Manager trusted root key where it cannot be retrieved from Active Directory Domain Services. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: CCMSetup.exe SMSPUBLICROOTKEY=<key> SMSROOTKEYPATH Used to reinstall the Configuration Manager trusted root key. Specifies the full path and file name to a file containing the trusted root key. This property applies to clients that use HTTP and HTTPS client communication. For more information, see Planning for the Trusted Root Key. Example: CCMSetup.exe SMSROOTKEYPATH=<Full path and filename> RESETKEYINFORMATION If a System Center 2012 Configuration Manager client has the wrong Configuration Manager trusted root key and cannot contact a trusted management point to receive a valid copy of the new trusted root key, you must manually remove the old trusted root key by using this property. This situation commonly occurs when you move a client from one site hierarchy to another. This property applies to clients that use HTTP and HTTPS client communication. Example: CCMSetup.exe RESETKEYINFORMATION=TRUE CCMDEBUGLOGGING Enables debug logging. Values can be set to 0 (off) or 1 (on). The default value is 0. This causes the client to log low-level information that might be useful for troubleshooting problems. As a best practice, avoid using this property in production sites because excessive logging can occur, which might make it difficult to find relevant information in the log files. CCMENABLELOGGING must be set to TRUE to enable debug logging. Example: CCMSetup.exe CCMDEBUGLOGGING=1
1511

Property

More information

CCMENABLELOGGING

Enables logging if this property is set to TRUE. By default, logging is enabled. The log files are stored in the Logs folder in the Configuration Manager Client installation folder. By default, this folder is %Windir%\CCM\Logs. Example: CCMSetup.exe CCMENABLELOGGING=TRUE

CCMLOGLEVEL

Specifies the amount of detail to write to System Center 2012 Configuration Manager log files. Specify an integer ranging from 0 to 3, where 0 is the most verbose logging and 3 logs only errors. The default is 1. Example: CCMSetup.exe CCMLOGLEVEL=3

CCMLOGMAXHISTORY

When a System Center 2012 Configuration Manager log file reaches 250000 bytes in size (or the value specified by the property CCMMAXLOGSIZE), it is renamed as a backup, and a new log file is created. This property specifies how many previous versions of the log file to retain. The default value is 1. If the value is set to 0, no old log files are kept. Example: CCMSetup.exe CCMLOGMAXHISTORY=0

CCMLOGMAXSIZE

Specifies the maximum log file size in bytes. When a log grows to the size that is specified, it is renamed as a history file, and a new file is created. This property must be set to at least 10000 bytes. The default value is 250000 bytes. Example: CCMSetup.exe CCMLOGMAXSIZE=300000

CCMALLOWSILENTREBOOT

Specifies that the computer is allowed to restart following the client installation, if this is required. Important The computer will restart without warning even if a user is currently logged on. Example: CCMSetup.exe CCMALLOWSILENTREBOOT

DISABLESITEOPT

If set to TRUE, disables the ability of end users with administrative credentials on the client computer to
1512

Property

More information

change the Configuration Manager Client assigned site by using Configuration Manager in Control Panel of the client computer. Example: CCMSetup.exe DISABLESITEOPT=TRUE DISABLECACHEOPT If set to TRUE, disables the ability of end users with administrative credentials on the client computer to change the client cache folder settings for the Configuration Manager Client by using Configuration Manager in Control Panel of the client computer. Example: CCMSetup.exe DISABLECACHEOPT=TRUE SMSCACHEDIR Specifies the location of the client cache folder on the client computer, which stores temporary files. By default, the location is %Windir \ccmcache. Example: CCMSetup.exe SMSCACHEDIR="C:\Temp" This property can be used in conjunction with the SMSCACHEFLAGS property to further control the client cache folder location. Example: CCMSetup.exe SMSCACHEDIR=Cache SMSCACHEFLAGS=MAXDRIVE installs the client cache folder on the largest available disk drive on the client. SMSCACHEFLAGS Configures the System Center 2012 Configuration Manager cache folder, which stores temporary files. You can use SMSCACHEFLAGS properties individually or in combination, separated by semicolons. If this property is not specified, the client cache folder is installed according to the SMSCACHEDIR property, the folder is not compressed, and the SMSCACHESIZE value is used as the size in MB of the folder. Specifies further installation details for the client cache folder. The following properties can be specified: PERCENTDISKSPACE: Specifies the folder size as a percentage of the total disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use.
1513

Property

More information

PERCENTFREEDISKSPACE: Specifies the folder size as a percentage of the free disk space. If you specify this property, you must also specify the property SMSCACHESIZE as the percentage value to use. For example, if the disk has 10 MB free and SMSCACHESIZE is specified as 50, the folder size is set to 5 MB. You cannot use this property with the PERCENTDISKSPACE property. MAXDRIVE: Specifies that the folder should be installed on the largest available disk. This value will be ignored if a path has been specified with the SMSCACHEDIR property. MAXDRIVESPACE: Specifies that the folder should be installed on the disk drive that has the most free space. This value will be ignored if a path has been specified with the SMSCACHEDIR property. NTFSONLY: Specifies that the folder can be installed only on disk drives formatted with the NTFS file system. This value will be ignored if a path has been specified with the SMSCACHEDIR property. COMPRESS: Specifies that the folder should be held in a compressed form. FAILIFNOSPACE: Specifies that the client software should be removed if there is insufficient space to install the folder. Note Multiple properties for this property can be specified by separating each with a semicolon.

If this property is not specified, the client cache folder will be created according to the SMSCACHEDIR property, will not be compressed and will be the size specified in the SMSCACHESIZE property. Example: CCMSetup.exe SMSCACHEFLAGS=NTFSONLY;COMPRESS Note This setting is ignored when you upgrade an
1514

Property

More information

existing client. SMSCACHESIZE Specifies the size of the client cache folder in megabyte (MB) or as a percentage when used with the PERCENTDISKSPACE or PERCENTFREEDISKSPACE property. If this property is not set, the folder defaults to a maximum size of 5120 MB. The lowest value that you can specify is 1 MB. Note If a new package that must be downloaded would cause the folder to exceed the maximum size, and if the folder cannot be purged to make sufficient space available, the package download fails, and the program or application will not run. This setting is ignored when you upgrade an existing client and when the client downloads software updates. Example: CCMSetup.exe SMSCACHESIZE=100 Note If you reinstall a client, you cannot use the SMSCACHESIZE or SMSCACHEFLAGS installation properties to set the cache size to be smaller than it was previously. If you try to do this, your value is ignored and the cache size is automatically set to the last size it was previously. For example, if you install the client with the default cache size of 5120 MB, and then reinstall the client with a cache size of 100 MB, the cache folder size on the reinstalled client is set to 5120 MB. SMSCONFIGSOURCE Specifies the location and order that the Configuration Manager Installer checks for configuration settings. The property is a string containing one or more characters, each defining a specific configuration source. Use the character values R, P, M, and U, alone or in combination, as shown in the following
1515

Property

More information

examples: R: Check for configuration settings in the registry. P: Check for configuration settings in the installation properties provided at the command prompt. M: Check for existing settings when upgrading an older client with the System Center 2012 Configuration Manager client software. U: Upgrade the installed client to a newer version (and use the assigned site code).

By default, the client installation uses PU to check first the installation properties and then the existing settings. Example: CCMSetup.exe SMSCONFIGSOURCE=RP SMSDIRECTORYLOOKUP Specifies whether the client can use Windows Internet Name Service (WINS) to find a management point that accepts HTTP connections. Clients use this method when they cannot find a management point in Active Directory Domain Services or in DNS. This property is independent from whether the client uses WINS for name resolution. You can configure two different modes for this property: NOWINS: This is the most secure setting for this property and prevents clients from finding a management point in WINS . When you use this setting, clients must have an alternative method to locate a management point on the intranet, such as Active Directory Domain Services or by using DNS publishing. WINSSECURE: In this mode, a client that uses HTTP communication can use WINS to find a management point. However, the client must have a copy of the trusted root key before it can successfully connect to the management point. For more information, see Planning for the Trusted Root Key.

If this property is not specified, the default value of WINSSECURE is used. Example: CCMSetup.exe
1516

Property

More information

SMSDIRECTORYLOOKUP=NOWINS SMSSIGNCERT Specifies the full path and .cer file name of the exported self-signed certificate on the site server. This certificate is stored in the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate. Example: CCMSetup.exe /UsePKICert SMSSIGNCERT=<Full path and file name> SMSMP Specifies an initial management point for the Configuration Manager client to use. Important For Configuration Manager with no service pack: If the management point accepts client connections over HTTPS only (does not allow HTTP client connections), you must prefix the management point name with https:// Example: CCMSetup.exe SMSMP=smsmp01.contoso.com Example: CCMSetup.exe SMSMP=smsmp01.contoso.com Example: CCMSetup.exe SMSMP=https://smsmp01.contoso.com SMSSITECODE Specifies the Configuration Manager site to assign the Configuration Manager client to. This can either be a three-character site code or the word AUTO. If AUTO is specified, or if this property is not specified, the client attempts to determine its Configuration Manager site assignment from Active Directory Domain Services or from a specified management point. Note Do not use AUTO if you also specify the Internet-based management point (CCMHOSTNAME). In this scenario, you must directly assign the client to its site. Example: CCMSetup.exe SMSSITECODE=XZY CCMINSTALLDIR Identifies the folder where the Configuration Manager client files are installed. If this property is not set, the
1517

Property

More information

client software is installed in the %Windir%\CCM folder. Regardless of where these files are installed, the Ccmcore.dll file is always installed in the %Windir%\System32 folder. In addition, on 64-bit operating systems, a copy of the Ccmcore.dll file is always installed in the %Windir%\SysWOW64 folder to support 32-bit applications that use the 32-bit version of the Configuration Manager client APIs from the Configuration Manager software developer kit (SDK). Example: CCMSetup.exe CCMINSTALLDIR="C:\ConfigMgr" CCMADMINS Specifies one or more Windows user accounts or groups to be given access to client settings and policies. This is useful where the System Center 2012 Configuration Manager administrator does not have local administrative credentials on the client computer. You can specify a list of accounts that are separated by semi-colons. Example: CCMSetup.exe CCMADMINS="Domain\Account1;Domain\Group1" FSP Specifies the fallback status point that receives and processes state messages sent by Configuration Manager client computers. For more information about the fallback status point, see Determine Whether You Require a Fallback Status Point. Example: CCMSetup.exe FSP=SMSFP01 DNSSUFFIX Specifies a DNS domain for clients to locate management points that are published in DNS. When a management point is located, it informs the client about other management points in the hierarchy. This means that the management point that is located by using DNS publishing does not have to be from the clients site, but can be any management point in the hierarchy. Note You do not have to specify this property if the client is in the same domain as a published
1518

Property

More information

management point. In this scenario, the clients domain is automatically used to search DNS for management points. For more information about DNS publishing as a service location method for Configuration Manager clients, see Planning for Service Location by Clients. Note By default, DNS publishing is not enabled in Configuration Manager. Example: CCMSetup.exe SMSSITECODE=ABC DNSSUFFIX=contoso.com CCMEVALINTERVAL Specifies the frequency when the client health evaluation tool (ccmeval.exe) runs. You can specify a value from 1 through 1440 minutes. If you do not specify this property, or specify an incorrect value, the evaluation will run once a day. Specify the hour when the client health evaluation tool (ccmeval.exe) runs. You can specify a value between 0 (midnight) and 23 (11pm). If you do not specify this property, or specify and incorrect value, the evaluation will run at midnight. Specifies that the existence of the minimum required version of Microsoft Application Virtualization (App-V) is not checked before the client is installed. Important If you install the Configuration Manager client without installing App-V, you cannot deploy virtual applications. Example: CCMSetup.exe IGNOREAPPVVERSIONCHECK=TRUE NOTIFYONLY Specifies that client status will report, but not remediate problems that are found with the Configuration Manager client. For more information, see How to Configure Client Status in Configuration Manager.

CCMEVALHOUR

IGNOREAPPVVERSIONCHECK

1519

Supported Attribute Values for the PKI Certificate Selection Criteria

Configuration Manager supports the following attribute values for the PKI certificate selection criteria:
OID attribute Distinguished Name attribute Attribute definition

0.9.2342.19200300.100.1.25 1.2.840.113549.1.9.1 2.5.4.3 2.5.4.4 2.5.4.5 2.5.4.6 2.5.4.7 2.5.4.8 2.5.4.9 2.5.4.10 2.5.4.11 2.5.4.12 2.5.4.42 2.5.4.43 2.5.29.17

DC E or E-mail CN SN SERIALNUMBER C L S or ST STREET O OU T or Title G or GN or GivenName I or Initials (no value)

Domain component Email address Common name Subject name Serial number Country code Locality State or province name Street address Organization name Organizational unit Title Given name Initials Subject Alternative Name

See Also
Technical Reference for Client Deployment in Configuration Manager

About Client Installation Properties Published to Active Directory Domain Services in Configuration Manager
When you extend the Active Directory schema for System Center 2012 Configuration Manager and the site is published to Active Directory Domain Services, many client installation properties

1520

are published to Active Directory Domain Services. If a computer can locate these client installation properties, it can use them during Configuration Manager client deployment. The advantages of using Active Directory Domain Services to publish client installation properties include the following: Software update point-based client installation and Group Policy client installations do not require setup parameters to be provisioned on each computer. Because this information is automatically generated, the risk of human error associated with manually entering installation properties is eliminated. Note For more information about how to extend the Active Directory schema for Configuration Manager and how to publish a site, see Prepare the Windows Environment for Configuration Manager and Configuring Sites to Publish to Active Directory Domain Services. Client installation (CCMSetup) uses the client installation properties that are published to Active Directory Domain Services only if no other properties are specified by using any of the following methods: Manual installation Provisioning client installation properties by using Group Policy Note The client installation properties are used to install the client and might be overwritten with new settings from its assigned site after the client is installed and has successfully assigned to a Configuration Manager site. Use the following table to determine which Configuration Manager client installation methods use Active Directory Domain Services to obtain client installation properties.
Installation Method Comments

Client push installation

Client push installation does not use Active Directory Domain Services to obtain installation properties. Instead, you can specify client.msi installation properties in the Client tab of the Client Push Installation Properties dialog box. These options and client-related site settings are stored in a file that the client reads during client installation. Note You do not have to specify any CCMSetup properties for client push installation, or the fallback status point,
1521

Installation Method

Comments

or the trusted root key in the Client tab. These settings are automatically supplied to clients when they are installed by using client push installation. Any client.msi properties that you specify in the Client tab are published to Active Directory Domain Services if the site is published to Active Directory Domain Services. These settings are read by client installations where CCMSetup is run with no installation properties. Software update point-based installation The software update point-based installation method does not support the addition of installation properties to the CCMSetup command line. If no command line properties have been provisioned on the client computer by using Group Policy, CCMSetup searches Active Directory Domain Services for installation properties. Group Policy installation The Group Policy installation method does not support the addition of installation properties to the CCMSetup command line. If no command line properties have been provisioned on the client computer, CCMSetup searches Active Directory Domain Services for installation properties. Manual installation CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances: No command line properties are specified after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Logon script installation

CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances: No command line properties are specified
1522

Installation Method

Comments

after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Software distribution installation

CCMSetup searches Active Directory Domain Services for installation properties under the following circumstances: No command line properties are specified after the CCMSetup.exe command. The computer has not been provisioned with installation properties by using Group Policy.

Installations for clients that cannot access Active Directory Domain Services for published information: Workgroup computers Clients that are assigned to a Configuration Manager site that is not published to Active Directory Domain Services Clients that are installed when they are on the Internet

These client computers cannot read installation properties from Active Directory Domain Services, and so will not be able to access the published installation properties.

The following client installation properties are published by Configuration Manager to Active Directory Domain Services. For more information about each item, see About Client Installation Properties in Configuration Manager. The Configuration Manager site code. The site server signing certificate. The trusted root key. The client communication ports for HTTP and HTTPS. The fallback status point. If the site has multiple fallback status points, only the first one that was installed will be published to Active Directory Domain Services. A setting to indicate that the client must communicate by using HTTPS only. Settings related to PKI certificates: Whether to use a client PKI certificate. The selection criteria for certificate selection, if this is required because the client has more than one valid PKI certificate that can be used for Configuration Manager. A setting to determine which certificate to use if the client has multiple valid certificates after the certificate selection process. The certificate issuers list that contains a list of trusted root CA certificates.
1523

Client.msi installation properties that are specified in the Client tab of the Client Push Installation Properties dialog box.

See Also
Technical Reference for Client Deployment in Configuration Manager

Administrator Checklist: Deploying Clients in Configuration Manager

Use the following checklist for Configuration Manager client deployment to help you plan, configure, deploy, and manage Configuration Manager clients in your organization.
Step More information

Review the introductory information for client deployment and if applicable, changes since Configuration Manager 2007 Review the prerequisites for installing Configuration Manager clients and make any required changes Plan for any changes you must make for client deployment and make any required changes Configure your Configuration Manager hierarchy and infrastructure to prepare for client deployment

Introduction to Client Deployment in Configuration Manager Prerequisites for Windows Client Deployment in Configuration Manager Planning for Client Deployment in Configuration Manager How to Configure Client Communication Port Numbers in Configuration Manager How to Configure Client Computers to Find Management Points by using DNS Publishing in Configuration Manager How to Prevent the Client Software from Installing on Specific Computers in Configuration Manager

Configure the client settings that will manage the devices when the client is installed Deploy the Configuration Manager client to devices

How to Configure Client Settings in Configuration Manager For Windows computers: How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager

For Mac computers (Configuration

1524

Step

More information

Manager SP1): How to Install Clients on Mac Computers in Configuration Manager

For Linux and UNIX computers (Configuration Manager SP1): How to Install Clients on Linux and UNIX Computers in Configuration Manager How to Install Clients on Mobile Devices and Enroll Them by Using Configuration Manager

For mobile devices:

Configure client status to monitor clients on Windows computers

How to Configure Client Status in Configuration Manager

For System Center 2012 How to Manage Mobile Devices by Using Configuration Manager SP1 and Configuration Manager and Windows Intune System Center 2012 R2 Configuration Manager only: For mobile devices that you want to enroll by using Windows Intune: Configure a Windows Intune subscription and then install the Windows Intune connector How to Manage Mobile Devices by Using Configuration Manager and Exchange

For mobile devices that you want to manage but cannot enroll by using Configuration Manager or Windows Intune: Install and configure the Exchange Server connector

Manage devices Monitor Configuration Manager clients to ensure that they remain managed

How to Manage Clients in Configuration Manager How to Monitor Clients in Configuration Manager

See Also
Technical Reference for Client Deployment in Configuration Manager

1525

Windows Firewall and Port Settings for Client Computers in Configuration Manager
Client computers in System Center 2012 Configuration Manager that run Windows Firewall often require you to configure exceptions to allow communication with their site. The exceptions that you must configure depend on the management features that you use with the Configuration Manager client. Use the following sections to identify these management features and for more information about how to configure Windows Firewall for these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall

Use the following procedure to modify the ports and programs on Windows Firewall for the Configuration Manager client. To modify the ports and programs permitted by Windows Firewall 1. On the computer that runs Windows Firewall, open Control Panel. 2. Right-click Windows Firewall, and then click Open. 3. Configure any required exceptions and any custom programs and ports that you require.

Programs and Ports that Configuration Manager Requires

The following Configuration Manager features require exceptions on the Windows Firewall:

Queries
If you run the Configuration Manager console on a computer that runs Windows Firewall, queries fail the first time that they are run and the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add Statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall before you run a query.

Client Push Installation

To use client push to install the System Center 2012 Configuration Manager client, add the following as exceptions to the Windows Firewall: Outbound and inbound: File and Printer Sharing Inbound: Windows Management Instrumentation (WMI)
1526

Client Installation by Using Group Policy

To use Group Policy to install the Configuration Manager client, add File and Printer Sharing as an exception to the Windows Firewall.

Client Requests
For client computers to communicate with Configuration Manager site systems, add the following as exceptions to the Windows Firewall: Outbound: TCP Port 80 (for HTTP communication) Outbound: TCP Port 443 (for HTTPS communication) Important These are default port numbers that can be changed in Configuration Manager. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Client Notification
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For the management point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan, add the following as an exception to the Windows Firewall: Outbound: TCP Port 10123 If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-management point communication port of HTTP, or HTTPS: Outbound: TCP Port 80 (for HTTP communication) Outbound: TCP Port 443 (for HTTPS communication) Important These are default port numbers that can be changed in Configuration Manager. For more information, see How to Configure Client Communication Port Numbers in Configuration Manager. If these ports have been changed from the default values, you must also configure matching exceptions on the Windows Firewall.

Network Access Protection

For client computers to successfully communicate with the System Health Validator point, allow the following ports: Outbound: UDP 67 and UDP 68 for DHCP Outbound: TCP 80/443 for IPsec
1527

Remote Control
To use Configuration Manager remote control, allow the following port: Inbound: TCP Port2701

Remote Assistance and Remote Desktop

To initiate Remote Assistance from the Configuration Manager console, add the custom program Helpsvc.exe and the inbound custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the client computer. You must also permit Remote Assistance and Remote Desktop. If you initiate Remote Assistance from the client computer, Windows Firewall automatically configures and permits Remote Assistance and Remote Desktop.

Wake-Up Proxy
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: If you enable the wake-up proxy client setting, a new service named ConfigMgr Wake-up Proxy uses a peer-to-peer protocol to check whether other computers are awake on the subnet and to wake them up if necessary. This communication uses the following ports: Outbound: UDP Port 25536 Outbound: UDP Port 9 These are the default port numbers that can be changed in Configuration Manager by using the Power Management clients settings of Wake-up proxy port number (UDP) and Wake On LAN port number (UDP). If you specify the Power Management: Windows Firewall exception for wake-up proxy client setting, these ports are automatically configured in Windows Firewall for clients. However, if clients run a different firewall, you must manually configure the exceptions for these port numbers. In addition to these ports, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client computer to another client computer. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. System Center 2012 Configuration Manager SP1 does not configure Windows Firewall for these TCP/IP ping commands and unless you are running System Center 2012 R2 Configuration Manager, you must manually permit this ICMP traffic for wake-up proxy communication to succeed. If you have System Center 2012 Configuration Manager SP1 rather than System Center 2012 R2 Configuration Manager, use the following procedure to help you configure Windows Firewall with a custom inbound rule that allows inbound TCP/IP ping commands for wake-up proxy. To configure Windows Firewall to allow TCP/IP ping commands 1. In the Windows Firewall with Advanced Security console, create a new inbound rule. 2. In the New Inbound Rule Wizard, on the Rule Type page, select Custom, and then click
1528

Next. 3. On the Program page, keep the default of All programs, and then click Next. 4. On the Protocols and Ports page, click the drop-down for Protocol type, select ICMPv4, and then click the Customize button. 5. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK. 6. In the New Inbound Rule Wizard, click Next. 7. On the Scope page, keep the default settings for any local or remote IP address, and click Next. 8. On the Action page, make sure that Allow the connection is selected, and then click Next. 9. On the Profile page, select the profiles that will use wake-up proxy (for example, Domain), and then click Next. 10. On the Name page, specify a name for this custom rule, and optionally, type a description to help identify that this rule is required for wake-up proxy communication. Then click Finish to close the wizard. For more information about wake-up proxy, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic

Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics

To access Windows Event Viewer, Windows Performance Monitor, and Windows Diagnostics from the Configuration Manager console, enable File and Printer Sharing as an exception on the Windows Firewall.

Ports Used During Configuration Manager Client Deployment

The following tables list the ports that are used during the client installation process. Important If there is a firewall between the site system servers and the client computer, confirm whether the firewall permits traffic for the ports that are required for the client installation method that you choose. For example, firewalls often prevent client push installation from succeeding because they block Server Message Block (SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC. For information about how to configure Windows Firewall on the client computer, see Modifying the Ports and Programs Permitted by Windows Firewall.

1529

Ports that are used for all installation methods

Description UDP TCP

Hypertext Transfer Protocol -(HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client.

80 (See note 1, Alternate Port Available)

Ports that are used with client push installation

In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client computer is available on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any intervening network devices, such as firewalls, must permit ICMP traffic for client push installation to succeed.
Description UDP TCP

Server Message Block (SMB) between the site server and client computer. RPC endpoint mapper between the site server and the client computer. RPC dynamic ports between the site server and the client computer. Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP.

--

445

135

135

--

DYNAMIC

--

80 (See note 1, Alternate Port Available)

Secure Hypertext Transfer -Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS.

443 (See note 1, Alternate Port Available)

1530

Ports that are used with software update point-based installation

Description UDP TCP

Hypertext Transfer Protocol (HTTP) from the client computer to the software update point. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point. Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup commandline property /source:<Path>.

--

80 or 8530 (See note 2, Windows Server Update Services) 443 or 8531 (See note 2, Windows Server Update Services) 445

--

--

Ports that are used with Group Policy-based installation

Description UDP TCP

Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS.

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

Server Message Block (SMB) -between the source server and the client computer when you specify the CCMSetup commandline property /source:<Path>.

445

Ports that are used with manual installation and logon scriptbased installation
1531

Description

UDP

TCP

Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe. Note When you install System Center 2012 Configuration Manager, the client installation source files are copied and automatically shared from the <InstallationPath>\Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media. Hypertext Transfer Protocol (HTTP) from the client computer to a management point when the connection is over HTTP, and you do not specify the CCMSetup commandline property /source:<Path>. Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a management point when the connection is over HTTPS, and you do not specify the CCMSetup commandline property /source:<Path>. Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>.

--

445

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

--

445

1532

Ports that are used with software distribution-based installation

Description UDP TCP

Server Message Block (SMB) between the distribution point and the client computer. Hypertext Transfer Protocol (HTTP) from the client to a distribution point when the connection is over HTTP. Secure Hypertext Transfer Protocol (HTTPS) from the client to a distribution point when the connection is over HTTPS.

--

445

--

80 (See note 1, Alternate Port Available)

--

443 (See note 1, Alternate Port Available)

Notes
1 Alternate Port Available In Configuration Manager, you can define an alternate port for this value. If a custom port has been defined, substitute that custom port when you define the IP filter information for IPsec policies or for configuring firewalls. 2 Windows Server Update Services You can install Windows Server Update Service (WSUS) either on the default Web site (port 80) or a custom Web site (port 8530). After installation, you can change the port. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher for example, 8530 and 8531.

See Also
Technical Reference for Client Deployment in Configuration Manager

1533

Example Scenario for Deploying and Managing Configuration Manager Clients on Windows Embedded Devices
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Note This topic appears in the Deploying Clients for System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This scenario demonstrates how you can manage write-filter-enabled Windows Embedded devices by using System Center 2012 Configuration Manager SP1. If you have Configuration Manager with no service pack, Configuration Manager cannot automatically disable and reenable the write filters and you must take additional steps to do this before and after you install software. If your embedded devices do not support write filters, they behave as standard Configuration Manager clients and you do not have to take the steps in this scenario that are required to manage write filters. Coho Vineyard & Winery is opening a visitor center and is interested in kiosks that run Windows Embedded to run interactive presentations. The building for the new visitor center is not close to the IT department, so it is important that the kiosks can be managed remotely. In addition to installing the software that runs the interactive presentations, these devices must run up-to-date antimalware protection software to comply with the company security policies. To make sure that the interactive presentations are always available for visitors, the kiosks must run 7 days a week, with no downtime while the visitor center is open. Coho Vineyard & Winery already runs Configuration Manager SP1 to manage devices on their network. Configuration Manager is configured to run Endpoint Protection, and install software updates and applications. However, because the IT team has not managed Windows Embedded devices before, Jane, the Configuration Manager administrator, runs a pilot to manage two kiosks that are in the companys reception lobby. If the pilot is successful in remotely managing these devices, the purchase order for the visitor center kiosks can be approved. To manage these Windows Embedded devices that are write-filter-enabled, Jane performs the following steps to install the Configuration Manager client, protect the client by using Endpoint Protection, and install the interactive presentation software.
Process Reference

Jane reads how Windows Embedded devices uses write filters, and how Configuration Manager SP1 can make this easier by

The Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in
1534

Process

Reference

automatically disabling and then re-enabling the Configuration Manager topic writer filters, to persist a software installation. Before she installs the Configuration Manager client, Jane creates a new query-based device collection for the Windows Embedded devices. Because the company uses standard naming formats to identify their computers, Jane can uniquely identify Windows Embedded devices by the first six letters of the computer name: WEMDVC. She uses the following WQL query to create this collection: select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "WEMDVC%" This collection allows her to manage the Windows Embedded devices with different configuration options from the other devices. She will use this collection to control restarts, deploy Endpoint Protection with client settings, and deploy the interactive presentation application. Jane configures the collection for a How to Use Maintenance Windows in maintenance window to ensure that restarts Configuration Manager that might be required for installing the presentation application and any upgrades do not occur during opening hours for the visitor center. Opening hours will be 09:00 through 18:00, Monday through Sunday. She configures the maintenance window for every day, 18:30 through 06:00. Jane then configures a custom device client setting to install the Endpoint Protection client by selecting Yes for the following settings, and then deploys this custom client setting to the Windows Embedded device collection: Install Endpoint Protection client on client computers For Windows Embedded devices with write filters, commit Endpoint Protection
1535

How to Create Collections in Configuration Manager

Step 5: Configure Custom Client Settings for Endpoint Protection in How to Configure Endpoint Protection in Configuration Manager

Process

Reference

client installation (requires restart) Allow Endpoint Protection client installation and restart to be performed outside maintenance windows

When the Configuration Manager client is installed, these settings install the Endpoint Protection client and ensure that it is persisted in the operating system as part of the installation, rather than written to the overlay only. The company security policies require that the antimalware software is always installed and Jane does not want to run the risk of the kiosks being unprotected for even a short period of time if they restart. Note The restarts that are required to install the Endpoint Protection client are a one-time occurrence, which happen during the setup period for the devices and before the visitor center is operational. Unlike the periodic deployment of applications or software definition updates, the next time the Endpoint Protection client is installed on the same device will probably be when the company upgrades to the next version of Configuration Manager. With the configuration settings for the client now in place, Jane prepares to install the Configuration Manager clients. Before she can install the clients, she must manually disable the write filter on the Windows Embedded devices. She reads the OEM documentation that accompanies the kiosks and follows their instructions to disable the write filters. Jane renames the device so it uses the company standard naming format, and then installs the client manually by running CCMSetup with the following command from a mapped drive that holds the client source files:
1536

How to Install Clients on Windows-Based Computers in Configuration Manager How to Assign Clients to a Site in Configuration Manager

Process

Reference

CCMSetup.exe /MP:mpserver.cohovineyardandwinery.com SMSSITECODE=CO1 This command installs the client, assigns the client to the management point that has the intranet FQDN of mpserver.cohovineyardandwinery.com, and assigns the client to the primary site named CO1. Jane knows that it always takes a while for clients to install and send back their status to the site. So she waits before she confirms that the clients successfully install, assign to the site, and appear as clients in the collection that she created for Windows Embedded devices. As additional confirmation, on the Windows Embedded devices, she checks the properties of Configuration Manager in Control Panel and compares them to standard Windows computers that are managed by the site. For example, on the Components tab, the Hardware Inventory Agent displays Enabled, and on the Actions tab, there are 11 available actions, which include Application Deployment Evaluation Cycle and Discovery Data Collection Cycle. Confident that the clients are successfully installed, assigned, and receiving client policy from the management point, Jane then manually enables the write filters by following the instructions from the OEM. Now that the Configuration Manager client is How to Manage Clients in Configuration installed on the Windows Embedded devices, Manager Jane confirms that she can manage them in the same way as she manages the standard Windows clients. For example, from the Configuration Manager console, she can remotely manage them by using remote control, initiate client policy for them, and view client properties and hardware inventory.
1537

Process

Reference

Because these devices are joined to an Active Directory domain, she does not have to manually approve them as trusted clients and confirms from the Configuration Manager console that they are approved. To install the interactive presentation software, Jane runs the Deploy Software Wizard and configures a required application. On the User Experience page of the wizard, in the Write filter handling for Windows Embedded devices section, she accepts the default option that selects Commit changes at deadline or during a maintenance window (requires restarts). Jane keeps this default option for write filters to ensure that the application persists after a restart, so that it is always available to the visitors using the kiosks. The daily maintenance window provides a safe period during which the restarts for installation and any updates can occur. Jane deploys the application to the Windows Embedded devices collection. To configure definition updates for Endpoint Protection, Jane uses software updates and runs the Create Automatic Deployment Rule Wizard. She selects the Definition Updates template to prepopulate the wizard with settings that are appropriate for Endpoint Protection. These settings include the following on the User Experience page of the wizard: Deadline behavior: The Software Installation check box is not selected. Write filter handling for Windows Embedded devices: The Commit changes at deadline or during a maintenance window (requires restarts) check box is not selected. Step 3: Configure Configuration Manager Software Updates to Deliver Definition Updates to Client Computers in How to Configure Endpoint Protection in Configuration Manager How to Deploy Applications in Configuration Manager

Jane keeps these default settings. Together, these two options with this configuration allow
1538

Process

Reference

any software update definitions for Endpoint Protection to be installed in the overlay during the day and not wait to be installed and committed during the maintenance window. This configuration best meets the company security policy for computers to run up-to-date antimalware protection. Note Unlike software installations for applications, software update definitions for Endpoint Protection can occur very frequently, even multiple times a day. They are often small files. For these types of security-related deployments, it can often be beneficial to always install to the overlay rather than wait until the maintenance window. The Configuration Manager client will quickly re-install the software definition updates if the device restarts because this action initiates an evaluation check and does not wait until the next scheduled evaluation. Jane selects the Windows Embedded devices collection for the automatic deployment rule. Jane decides to configure a maintenance task that periodically commits all changes on the overlay. This task is to support the software update definitions deployment, to reduce the number of updates that accumulate and must be installed again, each time the device restarts. In her experience, this helps the antimalware programs run more efficiently. Note These software update definitions would be automatically committed to the image if the embedded devices ran another management task that supported committing the changes. For
1539

How to Manage Task Sequences in Configuration Manager

Process

Reference

example, installing a new version of the interactive presentation software would also commit the changes for software update definitions. Or, installing standard software updates every month that install during the maintenance window could also commit the changes for software update definitions. However, in this scenario, where standard software updates do not run and the interactive presentation software is unlikely to be updated very often, it might be months before the software definition updates are automatically committed to the image. Jane first creates a custom task sequence that has no settings other than the name. She runs the Create Task Sequence Wizard: 1. On the Create a New Task Sequence page, she selects Create a new custom task sequence, and then clicks Next. 2. On the Task Sequence Information page, she enters Maintenance task to commit changes on embedded devices for the task sequence name, and then clicks Next. 3. On the Summary page, she selects Next, and completes the wizard. Jane then deploys this custom task sequence to the Windows Embedded devices collection, and configures the schedule to run every month. As part of the deployment settings, she selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. To configure this deployment, she selects the custom task sequence that she just created, and then on the Home tab, in the Deployment group, she clicks Deploy to start the Deploy Software Wizard: 1. On the General page, she selects the Windows Embedded devices collection,
1540

Process

Reference

and then clicks Next. 2. On the Deployment Settings page, she selects the Purpose of Required, and then clicks Next. 3. On the Scheduling page, she clicks New to specify a weekly schedule during the maintenance window, and then clicks Next. 4. She completes the wizard without any further changes. For the kiosks to run automatically, Jane writes a script to configure the devices for the following settings: Automatically log on, using a guest account that has no password. Automatically run the interactive presentation software on startup. Packages and Programs in Configuration Manager

Jane uses packages and programs to deploy this script to the Windows Embedded devices collection. When she runs the Deploy Software Wizard, she again selects the Commit changes at deadline or during a maintenance window (requires restarts) check box to persist the changes after a restart. The following morning, Jane checks the Windows Embedded devices. She confirms the following: The kiosk is automatically logged on by using the guest account. The interactive presentation software is running. The Endpoint Protection client is installed and has the latest software update definitions. That the device restarted during the maintenance window. How to Monitor Endpoint Protection in Configuration Manager How to Monitor Applications in Configuration Manager

Jane monitors the kiosks and reports the successful management of them to her manager. As a result, 20 kiosks are ordered for the visitor center. To avoid the manual installation of the Configuration Manager client, which requires manually disabling and then enabling the write filters, Jane ensures that the order includes a customized
1541

image that already includes the installation and site assignment of the Configuration Manager SP1 client. In addition, the devices are named according to the company naming format. The kiosks are delivered to the visitor center a week before it opens. During this time, the kiosks are connected to the network, all device management for them is automatic, and no local administrator is required. Jane confirms that the kiosks are functioning as required: The clients on the kiosks complete site assignment and download the trusted root key from Active Directory Domain Services. The clients on the kiosks are automatically added to the Windows Embedded devices collection and configured with the maintenance window. The Endpoint Protection client is installed and has the latest software update definitions for antimalware protection. The interactive presentation software is installed and runs automatically, ready for visitors.

After this initial setup, any restarts that might be required for updates occur only when the visitor center is closed.

See Also
Technical Reference for Client Deployment in Configuration Manager

Technical Reference for the Configuration Manager Client for Linux and UNIX
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. This topic contains technical information for the Configuration Manager client for Linux and UNIX.

Component Services of the Configuration Manager Client for Linux and UNIX
The following table identifies the client component services of the Configuration Manager client for Linux and UNIX. Note Beginning with cumulative update 1, the client for Linux and UNIX replaces the CIM Server in use on the client with the open source omiserver, version 1.0.6 from the Open Group.

1542

When you use the initial release of the client for Linux and UNIX and reference the documentation in this section, replace each reference of omiserver.bin with nwserver.bin.
File name More information

ccmexec.bin

This service is equivalent to the ccmexc service on a Windows-based client. It is responsible for all communications with Configuration Manager site system roles, and also communicates with the omiserver.bin service to collect hardware inventory from the local computer. For a list of supported command line arguments, run ccmexec -h

omiserver.bin

This service is the CIM server. The CIM server provides a framework for pluggable software modules called providers. Providers interact with Linux and UNIX computer resources and collect the hardware inventory data. For example, the process provider for a Linux computer collects data associated with the Linux operating system processes.

The following tables list commands that you can use to start, stop, or restart the client services (ccmexec.bin and omiserver.bin) on each version of Linux or UNIX. When you start or stop the ccmexec service, the omiserver service also starts or stops. Commands for the initial release of the Configuration Manager client for Linux and UNIX:
Operating system Commands

Red Hat Enterprise Linux (RHEL)

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

Solaris 9

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

Solaris 10

Start: svcadm enable -s svc:/application/management/ccmexecd Stop: svcadm disable -s svc:/application/management/ccmexecd

1543

Operating system

Commands

SUSE Linux Enterprise Server (SLES)

Start: /etc/init.d/ccmexecd start Stop: /etc/init.d/ccmexecd stop Restart: /etc/init.d/ccmexecd restart

Commands for the cumulative update 1 release of the Configuration Manager client for Linux and UNIX:
Operating system Commands

Universal Agent RHEL 4 and SLES 9

Start: /etc/init d/ccmexecd start Stop: /etc/init d/ccmexecd stop Restart: /etc/init d/ccmexecd restart

Solaris 9

Start: /etc/init d/ccmexecd start Stop: /etc/init d/ccmexecd stop Restart: /etc/init d/ccmexecd restart

Solaris 10

Start: svcadm enable s svc:/application/management/omiserver svcadm enable s svc:/application/management/ccmexecd Stop: svcadm disable s svc:/application/management/ccmexecd svcadm disable s svc:/application/management/omiserver

Solaris 11

Start: svcadm enable s svc:/application/management/omiserver svcadm enable s svc:/application/management/ccmexecd Stop: svcadm disable s svc:/application/management/ccmexecd svcadm disable s svc:/application/management/omiserver
1544

Operating system

Commands

AIX

Start: startsrc s omiserver startsrc s ccmexec Stop: stopsrc s ccmexec stopsrc s omiserver

HP-UX

Start: /sbin/init.d/ccmexecd start Stop: /sbin/init.d/ccmexecd stop Restart: /sbin/init.d/ccmexecd restart

Administrator Checklist: Configuring Configuration Manager to Manage Mobile Devices by Using Windows Intune
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Use the following checklist to help you configure Configuration Manager SP1 to manage mobile devices by using the Windows Intune service. For additional information about these steps, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune.
Step More information

Sign up for a Windows Intune organizational account

Sign up for an account at Windows Intune. For more information, see Windows Intune organizational account in the documentation library for Windows Intune. All user accounts must have a publicly registered UPN that can be verified by Windows Intune. GoDaddy or Symantec are typical examples of companies that provide domain names. Before synchronizing the Active Directory user
1545

Make sure that you have a publicly registered domain name

Verify that users have a public domain UPN

Step

More information

account, you must verify that user accounts have a public domain UPN. For more information, see Add User Principal Name Suffixes in the Active Directory documentation library. You can create a Configuration Manager custom report to verify that the UPN of the users who are discovered is consistent with the Intune Account Portal by using the following SQL query:
SELECT UserPrincipalName, COUNT(*) AS NumOfOccurances FROM (SELECT RIGHT(User_Principal_Name0, LEN(User_Principal_Name0)-PATINDEX('%@%', User_Principal_Name0)) AS UserPrincipalName FROM CM_EC1.dbo.v_R_User) AS sub GROUP BY UserPrincipalName

Optional, but strongly recommended: Deploy and configure Active Directory Federated Services (AD FS)

When you set up single sign-on, your users can sign in with their corporate credentials to access the services in Windows Intune. For more information, see the following topics: Prepare for single sign-on Plan for and deploy AD FS 2.0 for use with single sign-on

Deploy and configure directory synchronization

Directory synchronization lets you populate Windows Intune with synchronized user accounts. The synchronized user accounts and security groups are added to Windows Intune. For more information, see Configure directory synchronization in the Active Directory documentation library. If you are not using AD FS, you must set a Microsoft Online password for each user. Create a DNS alias (CNAME record type). You have to configure a CNAME in DNS that redirects EnterpriseEnrollment.<company
1546

Optional, not recommended: If you are not using AD FS, reset users Microsoft Online passwords Create a DNS alias

Step

More information

domain name>.com to manage.microsoft.com. For example, if Melissa's email address is [email protected], you have to create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process. Obtain the required certificates or keys for mobile device platforms For Windows RT devices: Prerequisites for Enrolling Windows RT Devices Prerequisites for Enrolling Windows Phone 8 Devices Prerequisites for Enrolling iOS Devices

For Windows Phone 8 devices:

For iOS devices: Create the Windows Intune subscription Add the Windows Intune connector site system role

How to create the Windows Intune subscription How to configure the Windows Intune Connector role

Verify that Configuration Manager is successfully connecting to the Windows Intune service

Check the Cloudusersync.log to verify that user accounts are successfully synchronized. Check the Sitecomp.log to verify that the Windows Intune connector was created successfully.

See Also
Technical Reference for Client Deployment in Configuration Manager

1547

Deploying Software and Operating Systems in System Center 2012 Configuration Manager
The Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide provides documentation to help you plan, configure, and manage the deployment of software and operating systems in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Deploying Software and Operating System Topics

Use the following topics to help you deploy applications, software updates, operating systems, and to manage content in System Center 2012 Configuration Manager: Content Management in Configuration Manager Application Management in Configuration Manager Software Updates in Configuration Manager Operating System Deployment in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Content Management in Configuration Manager

Content management in Microsoft System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Before you can deploy software to devices, the distribution point infrastructure must be in place and the content files available on the distribution points.

Content Management Topics

The following topics help you manage content in System Center 2012 Configuration Manager: Introduction to Content Management in Configuration Manager Planning for Content Management in Configuration Manager Configuring Content Management in Configuration Manager
1548

Operations and Maintenance for Content Management in Configuration Manager Security and Privacy for Content Management in Configuration Manager Technical Reference for Content Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Before you can deploy software to Configuration Manager clients, the distribution point infrastructure must be in place, and the content files must be available on the distribution points. For additional information about content management, see the following sections: Distribution Points Preferred Distribution Points Bandwidth Throttling and Scheduling PXE and Multicast Pull-Distribution Points

Distribution Point Groups Prestaging Content Managing Content Content Library Content Monitoring and Validation Whats New in Configuration Manager Whats New in Configuration Manager SP1 Whats New in System Center 2012 R2 Configuration Manager

Distribution Points
Configuration Manager uses distribution points to store files that are required for software to run on client computers. Clients must have access to at least one distribution point from which they can download the files. For more information about distribution points, see the following topics: Planning for Content Management in Configuration Manager Configuring Content Management in Configuration Manager
1549

Operations and Maintenance for Content Management in Configuration Manager

Preferred Distribution Points

When you install and configure a distribution point, you have the option to assign boundary groups to the distribution point. When the clients current network location is in a boundary group that is associated with the distribution point, it is considered a preferred distribution point for that client. When a client requests content, the client first connects to a preferred distribution point to retrieve the application or package content. If the content is not available on any preferred distribution points, depending on the configuration options that you set, the client can retrieve the content from a fallback distribution point. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic.

Bandwidth Throttling and Scheduling

You can configure bandwidth settings, throttling settings, and create a schedule for content distribution between the site server and distribution point from the distribution point properties. You can configure a schedule and set specific throttling settings on remote distribution points that determine when and how Configuration Manager distributes content. For distribution points not installed on the site server, you can configure different settings that help address network bandwidth limitations from the site server to the distribution point. The scheduling and throttling settings for distribution points are similar to the settings for a standard sender address. For more information about bandwidth throttling and scheduling, see the following: The Planning for Scheduling and Throttling section in the Planning for Content Management in Configuration Manager topic. The Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

PXE and Multicast

You have the option to enable PXE and multicast in the properties of a distribution point. Configuration Manager uses PXE and multicast during operating system deployment. Enable PXE and configure the associated settings for the distribution point to accept PXE requests for operating system deployment. For more information, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. Enable multicast and configure the associated settings to deploy operating system images by using multicast, you must provide a distribution point that supports multicast deployments. For more information, see Planning a Multicast Strategy in Configuration Manager.

Pull-Distribution Points
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:
1550

Beginning with Configuration Manager SP1, you can configure individual distribution points to be pull-distribution points. Use of pull-distribution points can help reduce the processing load on the site server when you deploy content to a large number of distribution points at one site. By default, the primary site server transfers content that you distribute to the distribution point. However, when you configure a distribution point to be a pull-distribution point, you change how Configuration Manager distributes content to that distribution point computer. When you distribute content to a pull-distribution point, the site server notifies the pull-distribution point which then initiates the transfer of the content from a source distribution point. For more information about pull-distribution points, see the Planning for Pull-Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This lets you manage and monitor content from a central location for distribution points that span multiple sites. When you distribute content to a distribution point group, Configuration Manager distributes the content to all distribution points that are members of the distribution point group. If you add a distribution point to the distribution point group after an initial content distribution, Configuration Manager automatically distributes the content to the new distribution point member. You can also associate a collection to a distribution point group. When you distribute content to a collection, Configuration Manager determines the distribution point groups associated with the collection, and then the content is distributed to all distribution points that are members of distribution point groups. For more information about distribution point groups, see the following: The Plan for Distribution Point Groups section in the Planning for Content Management in Configuration Manager topic. The Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Prestaging Content
You can prestage content to add the content files to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, they are not transferred over the network when you distribute the content. You can prestage content files for applications and packages. In the Configuration Manager console, you select the content that you want to prestage, and then use the Create Prestaged Content File Wizard to create a compressed prestaged content file that contains the files and associated metadata for the content. Then, you can manually import the content at a site server or distribution point. When you import the prestaged content file on a site server, the content files are added to the content library on the site server, and then registered in the site server database. When you import the prestaged content file on a distribution point, the content files are
1551

added to the content library on the distribution point, and a status message is sent to the site server that informs the site that the content is available on the distribution point. You can optionally configure the distribution point as prestaged to help manage content distribution. Then, when you distribute content you can choose whether you want to always prestage the content on the distribution point, prestage the initial content for the package and then use the standard content distribution process when there are updates to the content, or always use the standard content distribution process for the content in the package. For more information about prestaging content, see the following: The Network Bandwidth Considerations for Distribution Points section in the Planning for Content Management in Configuration Manager topic to determine whether to prestage content on the remote distribution point. The Configuring Content Management in Configuration Manager topic for steps to configure the distribution point as prestaged. The Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic for the procedures to prestage content.

Managing Content
You can manage your content from the properties of distribution points, distribution point groups, and package types (for example, applications, deployment packages, and driver packages). From the distribution point and distribution point properties, you can review all package types that are assigned for distribution. In the package properties, you can review all distribution points and distribution point groups in which the package has been distributed. You can redistribute, validate, or remove the content in the properties for the objects. For more information about how to manage content files, see the following sections in the Operations and Maintenance for Content Management in Configuration Manager topic: Distribute Content on Distribution Points Update Content on Distribution Points Redistribute Content on Distribution Points Remove Content on Distribution Points

Content Library
The content library stores all content files for software updates, applications, operating system deployment, and so on. The content library is located on each site server and on each distribution point and provides a single instance store for content files. Before Configuration Manager downloads content files to the site server and copies the files to distribution points, Configuration Manager verifies whether each content file is already in the content library. If the content file is available, Configuration Manager does not copy the file to the distribution point, but instead associates the existing content file with the application or package.

1552

On computers where you install a distribution point, you can configure the disk drives on which you want to create the content library, and you can configure a priority for each drive. Configuration Manager copies the content files to the drive with the highest priority until that drive contains less than a minimum amount of free space that you specify. You configure the drive settings during the distribution point installation. You cannot configure the drive settings in the distribution point properties after installation completes. For more information about how to configure the drive settings for the distribution point, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. Important For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

About the Content Library on the Central Administration Site

By default, Configuration Manager creates a content library on the central administration site when the site installs. The content library is placed on the drive of the site server that has the most free disk space. Because you cannot install a distribution point on the central administration site, you cannot prioritize the drives for use for the content library. Similar to the content library on other site servers and on distribution points, when the drive that contains the content library runs out of available disk space, the content library automatically spans to the next available drive. Configuration Manager uses the content library on the central administration site in the following scenarios: When you create content at the central administration site. When you migrate content from another Configuration Manager site, and assign the central administration site as the site that will manage that content. Note When you create content at a primary site and then distribute it to a different primary site or a secondary site below a different primary site, the central administration site temporarily stores that content in the scheduler inbox on the central administration site but does not add that content to its content library. Use the following options to manage the content library on the central administration site: To prevent the content library from installing on a specific drive, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before the content library is created. After the content library is created, use Content Library Transfer tool from the System Center 2012 Configuration Manager Service Pack 1 Toolkit to manage the location of the content library. You can download the toolkit from the Microsoft Download Center.
1553

Content Monitoring and Validation

The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. For more information about monitoring content, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. You can enable content validation on distribution points to verify the integrity of distributed packages. You can configure content validation to run on a schedule. Or, you can manually start content validation from the properties for distribution points, distribution point groups, and package types. You can view status reports in the Monitoring workspace in the Configuration Manager console. For more information about content validation, see the following: The Configuring Content Management in Configuration Manager topic to configure content validation. The Initiate Content Validation section in the Operations and Maintenance for Content Management in Configuration Manager topic to manually start content validation.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for content management since Configuration Manager 2007. Branch distribution points were available in Configuration Manager 2007 to distribute content, for example, to a small office with limited bandwidth. In System Center 2012 Configuration Manager, there is only one distribution point type with the following new functionality: You can install the distribution point site system role on client or server computers. You can configure bandwidth settings, throttling settings, and schedule content distribution between the site server and distribution point. You can prestage content on remote distribution points and manage how Configuration Manager updates content to the prestaged distribution points. The PXE service point and the associated settings are in the properties for the distribution point.

In Configuration Manager 2007, you configure a distribution point as protected to prevent clients outside the protected boundaries from accessing the distribution point. In System Center 2012 Configuration Manager, preferred distribution points replace protected distribution points. Distribution point groups provide a logical grouping of distribution points for content distribution. You can add one or more distribution points from any site in the Configuration
1554

Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group. This expanded functionality lets you manage and monitor content from a central location for distribution points that span multiple sites. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. You can prestage content, which is the process to copy content, to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, Configuration Manager does not copy the files over the network when you distribute the content. The Configuration Manager console provides content monitoring that includes the status for all package types in relation to the associated distribution points, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point. You can enable content validation on distribution points to verify the integrity of packages that have been distributed to the distribution point. In Configuration Manager 2007, content files are automatically distributed to the disk drive with the most amount of free space. In System Center 2012 Configuration Manager, you configure the disk drives on which you want to store content and configure the priority for each drive when Configuration Manager copies the content files. BranchCache has been integrated in System Center 2012 Configuration Manager so that you can control usage at a more detailed level. You can configure the BranchCache settings on a deployment type for applications and on the deployment for a package.

Whats New in Configuration Manager SP1

The following items are new for content management in Configuration Manager SP1. You can configure the drive location for the content library in the Create Site System Server Wizard and Add Site System Roles Wizard when you create the distribution point site role. You can configure some distribution points as pull-distribution points. When you distribute content to a pull-distribution point, the Configuration Manager site server does not transfer the content that you distribute to the distribution point computer. Instead, Configuration Manager notifies the pull-distribution point which then transfers the content from a source distribution point that you specify.

1555

Whats New in System Center 2012 R2 Configuration Manager

The following items are new or have changed for content management in System Center 2012 R2 Configuration Manager. The following changes are introduced for pull-distribution points: Pull-distribution points support the prioritization of their source distribution points. A priority can be assigned to one or more source distribution points, and the pull-distribution point attempts to locate content from a distribution point assigned to the lowest numbered priority before attempting to contact a distribution point associated with the next higher numbered priority. Pull-distribution points push status for completed actions to the site server. This replaces the requirement to have Distribution Manager (distmgr) on the site server poll each pulldistribution point periodically to obtain this status, and helps to reduce the overall processing load for distmgr on the site server.

From the Distribution Status node in the Monitoring workspace of the Configuration Manager console, you can cancel distributions that are in progress to a distribution point, and redistribute distributions that have failed. You can use the new built-in report named Distribution point usage summary, to view details about how individual distribution points are utilized, including how many unique clients access the distribution point, and how much data transfers from the distribution point. You can configure multiple Network Access Accounts at each site. For more information, see Configuring Site Components in Configuration Manager. Clients that use Windows BranchCache to download content and that have a download interrupted now resume the download where it left off, without having to restart the download from the beginning. The following additional optimizations are introduced to improve performance during deployment of content: Each time Configuration Manager transfers content to a distribution point, it calculates the speed of the transfer. During subsequent content deployment, this information is used to prioritize which distribution points receive content first. This is done to maximize the number of distribution points that receive content in the shortest period of time. To improve concurrent distributions, when Configuration Manager validates content on distribution points, it validates up to 50 files during each WMI call to a distribution point. Prior to this version, Configuration Manager used a single WMI call to a distribution point to validate each individual file.

See Also
Content Management in Configuration Manager

1556

Planning for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager provides the tools for you to manage content files for applications, packages, software updates, and operating system deployment. Configuration Manager uses distribution points to store files that are required for software to run on client computers. These distribution points function as distribution centers for the content files and let users download and run the software. Clients must have access to at least one distribution point from which they can download the files. Use the following sections in this topic to help you plan how to manage content in your Configuration Manager hierarchy: Plan for Distribution Points Distribution Point Configurations Planning for Preferred Distribution Points and Fallback Content Source Location Network Connection Speed to the Content Source Location On-Demand Content Distribution Content Source Location Scenarios

Planning for BranchCache Support Network Bandwidth Considerations for Distribution Points Planning for Scheduling and Throttling Determine Whether To Prestage Content

Planning for Pull-Distribution Points Planning for Cloud-Based Distribution Points Prerequisites for Cloud-Based Distribution Points Plan for the Cost of Using Cloud-Based Distribution About Subscriptions and Certificates for Cloud-Based Distribution Points Site Server to Cloud-Based Distribution Point Communication Client to Cloud-Based Distribution Point Communication

Determine the Distribution Point Infrastructure

Plan for Distribution Point Groups Plan for Distribution Point Priority Plan for Content Libraries Plan for Binary Differential Replication About the Package Transfer Manager Note

1557

For information about the dependencies and supported configurations for content management, see Prerequisites for Content Management in Configuration Manager.

Plan for Distribution Points

When you plan for distribution points in your hierarchy, determine what distribution point attributes you must have in your environment, how to distribute the network and system load on the distribution point, and how to determine the distribution point infrastructure.

Distribution Point Configurations

Distribution points can have a number of different configurations. The following table describes the possible configurations.
Distribution point configuration Descriptions

Preferred distribution point

You assign boundary groups to distribution points. The distribution points are preferred for clients that are within the boundary group for the distribution point. The client uses preferred distribution points as the source location for content. When the content is not available on a preferred distribution point, the client uses another distribution point for the content source location. You can configure a distribution point to let clients that are not in the boundary group use it as a fallback location for content. Enable the PXE option on a distribution point to enable operating system deployment for Configuration Manager clients. The PXE option must be configured to respond to PXE boot requests that Configuration Manager clients on the network make and must then interact with the Configuration Manager infrastructure to determine the appropriate installation actions to take. Important You can enable PXE only on a server that has Windows Deployment Services installed. When you enable PXE, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not
1558

PXE

Distribution point configuration

Descriptions

already installed. Multicast Enable the Multicast option on a distribution point to use multicast when you distribute operating systems. Important You can enable multicast only on a server that has Windows Deployment Services installed. When you enable multicast, Configuration Manager installs Windows Deployment Services on the distribution point site system if it is not already installed. Pull For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Enable the pull-distribution point option on a distribution point to change the behavior of how that computer obtains the content that you distribute to the distribution point. When you configure a distribution point to be a pulldistribution point, you must specify one or more source distribution points from which the pulldistribution point obtains the content. Important Although a pull-distribution point supports communications over HTTP and HTTPS, when you use the Configuration Manager console, you can only specify source distribution points that are configured for HTTP. You can use the Configuration Manager SDK to specify a source distribution point that is configured for HTTPS. Support for mobile devices You must configure the distribution point to accept HTTPS communications to support mobile devices.
1559

Distribution point configuration

Descriptions

Support for Internet-based clients

You must configure the distribution point to accept HTTPS communications to support Internet-based clients. Although there are no configuration requirements for the distribution point to enable streaming of virtual applications to clients, there are application management prerequisites that you must fulfill. For more information, see Prerequisites for Application Management in Configuration Manager.

Application Virtualization

Planning for Preferred Distribution Points and Fallback

When you create a distribution point, you have the option to assign boundary groups to the distribution point. The distribution points are preferred for clients that are in a boundary group that is assigned to the distribution point.

Content Source Location

When you deploy software to a client, the client sends a content request to a management point, the management point sends a list of the preferred distribution points to the client, and the client uses one of the preferred distribution points on the list as the source location for content. When the content is not available on a preferred distribution point, the management point sends a list to the client with distribution points that have the content available. The client uses one of the distribution points for the content source location. In the distribution point properties and in the properties for a deployment type or package, you can configure whether to enable clients to use a fallback source location for content. When a preferred distribution point does not have the content and the fallback settings are not enabled, the client fails to download the content, and the software deployment fails.

Network Connection Speed to the Content Source Location

You can configure the network connection speed of each distribution point in an assigned boundary group. Clients use this value when they connect to the distribution point. By default, the network connection speed is configured as Fast, but it can also be configured as Slow. When the client uses a distribution point that is not preferred, the connection to the distribution point is automatically considered as slow. The network connection speed helps determine whether a client can download content from a distribution point. You can configure the deployment behavior for each network connection speed in the deployment properties for the specific software that you deploy. You can choose to never install software when the network connection is considered slow download and install the software, and so on.
1560

On-Demand Content Distribution

You can select the Distribute the content for this package to preferred distribution points property for an application or package to enable on-demand content distribution to preferred distribution points. The enabled management point creates a trigger for the Distribution Manager to distribute the content to all preferred distribution points in the list when a client requests the content for the package and the content is not available on any preferred distribution points. Depending on the scenario, the client might wait for the content to be available on a preferred distribution point, or it might download the content from a distribution point that is configured to enable a fallback location for content source.

Content Source Location Scenarios

When you deploy software to clients, the content source location that the client uses depends on the following settings: Allow fallback source location for content: This distribution point property enables clients to fall back and use the distribution point as the source location for content when the content is not available on a preferred distribution point. Deployment properties for network connection speed: The deployment properties for network speed are configured as a property for deployed objects, such as application deployment types, software updates, and task sequence deployments. Different deployment objects have different settings, but the properties can configure whether to download and install the software content when the network connection speed is configured as slow. Distribute the content for this package to preferred distribution points : When you select this application deployment type or package property, you enable on-demand content distribution to preferred distribution points.

The following table provides scenarios for different content location and fallback scenarios.
Scenario Scenario 1 Scenario 2 Scenario 3

Fallback configuration and deployment behavior for slow network:

Allow Fallback Not enabled.

Allow Fallback Enabled.

Deployment Fallback option Enabled. Deployment behavior for slow network Download and install content. The client sends a content request to the management point. The client includes a flag with the request to indicate that fallback
1561

Deployment behavior Deployment for slow network behavior for slow network Any configuration. Do not download content.

Distribution points are online and meet the following criteria: Content is available on a preferred

The client sends a content request to the management point. A content location list

The client sends a content request to the management point. The client includes a flag with the request that indicates fallback

Scenario

Scenario 1

Scenario 2

Scenario 3

distribution point. Content is available on a fallback distribution point. The package configuration for on-demand package distribution is not relevant in this scenario.

is returned to the client from the management point with the preferred distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list.

distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that contain the content. The client downloads the content from a preferred distribution point on the list. The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are enabled. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list
1562

Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is not configured for on-demand package distribution.

The client sends a content request to the management point.

The client sends a content request to the management point. The client includes a A content location list is returned to the client flag with the request from the management that indicates fallback point with the preferred distribution points are distribution points that allowed. have the content. A content location list There are no preferred is returned to the client distribution points in from the management the list. point with the The client fails with the preferred distribution points and fallback message Content is distribution points that not available and have the content. goes into retry mode. A new content request There are no preferred distribution points that is started every hour. have the content, but at least one fallback distribution point has the content. The content is not downloaded because the deployment property for when the

Scenario

Scenario 1

Scenario 2

Scenario 3

client uses a fallback distribution point is set to Do not download. The client fails with the message Content is not available and goes into retry mode. The client makes a new content request every hour. Distribution points are online and meet the following criteria: Content is not available on a preferred distribution point. Content is available on a fallback distribution point. The package is configured for ondemand package distribution. The client sends a content request to the management point. The client sends a content request to the management point. The client includes a A content location list is returned to the client flag with the request from the management that indicates fallback point with the preferred distribution points are distribution points that allowed. have the content. A content location list There are no preferred is returned to the client distribution points that from the management have the content. point with the The client fails with the preferred distribution points and fallback message Content is distribution points that not available and have the content. goes into retry mode. A new content request There are no preferred distribution points that is made every hour. have the content, but The management at least one fallback point creates a trigger distribution point that for Distribution has the content. Manager to distribute The content is not the content to all downloaded because preferred distribution the deployment points for the client that made the content property for when the client uses a fallback request. distribution point is set Distribution Manager to Do not download. distributes the content The client fails with the to all preferred message Content is

because the deployment property for when the client uses a fallback distribution point is set to Download and install the content.

The client sends a content request to the management point. The client includes a flag with the request that indicates fallback distribution points are allowed. A content location list is returned to the client from the management point with the preferred distribution points and fallback distribution points that have the content. There are no preferred distribution points that have the content, but at least one fallback distribution point that has the content. The content is downloaded from a fallback distribution point on the list because the deployment property for when the client uses a fallback distribution point is set
1563

Scenario

Scenario 1

Scenario 2

Scenario 3

distribution points.

not available and goes into retry mode. A content request is initiated by the client to The client makes a the management point new content request every hour. every hour. A content location list is returned to the client from the management point with the preferred distribution points that have the content. In most cases, the content is distributed to the preferred distribution points within the hour. The client downloads the content from a preferred distribution point on the list. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points. A content request is initiated by the client to the management point. A content location list is returned to the client from the management point with the preferred distribution points that have the content. Typically, the content is distributed to the preferred distribution points within the hour. The client downloads the content from a preferred distribution point on the list.

to Download and install the content. The management point creates a trigger for Distribution Manager to distribute the content to all preferred distribution points for the client that made the content request. Distribution Manager distributes the content to all preferred distribution points.

1564

Planning for BranchCache Support

Windows BranchCache has been integrated in Configuration Manager. You can configure the BranchCache settings on software deployments. When all the requirements for BranchCache are met, this feature enables clients at remote locations to obtain content from local clients that have a current cache of the content. For example, when the first BranchCache-enabled client computer requests content from a distribution point that is running Windows Server 2008 R2 and that has also been configured as a BranchCache server, the client computer downloads the content and caches it. This content is then made available for clients on the same subnet that request this same content, and these clients also cache the content. In this way, subsequent clients on the same subnet do not have to download content from the distribution point, and the content is distributed across multiple clients for future transfers. For more information about BranchCache support in Configuration Manager, see the BranchCache Feature Support section in the Supported Configurations for Configuration Manager topic.

Network Bandwidth Considerations for Distribution Points

To help you plan for the distribution point infrastructure in your hierarchy, consider the network bandwidth that is used for the content management process and ways to reduce the network bandwidth that is used. When you create a package, change the source path for the content or update content on the distribution point, the files are copied from the source path to the content library on the site server. Then, the content is copied from the content library on the site server to the content library on the distribution points. When content source files are updated, and the source files have already been distributed, Configuration Manager retrieves only the new or updated files, and then sends them to the distribution point. Scheduling and throttling controls can be configured for siteto-site communication and for communication between a site server and a remote distribution point. When network bandwidth between the site server and remote distribution point is limited even after you configure the schedule and throttling settings, you might consider prestaging the content on the distribution point.

Planning for Scheduling and Throttling

In Configuration Manager, you can configure a schedule and set specific throttling settings on remote distribution points that determine when and how content distribution is performed. Each remote distribution point can have different configurations that help address network bandwidth limitations from the site server to the remote distribution point. The controls for scheduling and throttling to the remote distribution point are similar to the settings for a standard sender address, but in this case, the settings are used by a new component called Package Transfer Manager. Package Transfer Manager distributes content from a site server, as a primary site or secondary site, to a distribution point that is installed on a site system. The throttling settings are configured on the Rate Limits tab, and the scheduling settings are configured on the Schedule tab for a distribution point that is not on a site server. Warning
1565

The Rate Limits and Schedule tabs are displayed only in the properties for distribution points that are not installed on a site server. For more information about configuring scheduling and throttling settings for a remote distribution point, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

Determine Whether To Prestage Content

Consider prestaging content for applications and packages in the following scenarios: Limited network bandwidth from the site server to distribution point: When scheduling and throttling do not satisfy your concerns about distributing content over the network to a remote distribution point, consider prestaging the content on the distribution point. Each distribution point has the Enable this distribution point for prestaged content setting that you can configure in the distribution point properties. When you enable this option, the distribution point is identified as a prestaged distribution point, and you can choose how to manage the content on a per-package basis. The following settings are available in the properties for an application, package, driver package, boot image, operating system installer, and image, and let you configure how content distribution is managed on remote distribution points that are identified as prestaged: Automatically download content when packages are assigned to distribution points: Use this option when you have smaller packages where the scheduling and throttling settings provide enough control for content distribution. Download only content changes to the distribution point : Use this option when you have an initial package that is possibly large, but you expect future updates to the content in the package to be generally smaller. For example, you might prestage Microsoft Office 2010 because the initial package size is over 700 MB and is too large to send over the network. However, content updates to this package might be less than 10 MB and are acceptable to distribute over the network. Another example might be driver packages where the initial package size is large, but incremental driver additions to the package might be small. Manually copy the content in this package to the distribution point : Use this option for when you have large packages, with content such as an operating system, and you never want to use the network to distribute the content to the distribution point. When you select this option, you must prestage the content on the distribution point. Warning The preceding options are applicable on a per-package basis and are only used when a distribution point is identified as prestaged. Distribution points that have not been identified as prestaged ignore these settings. In this case, content always is distributed over the network from the site server to the distribution points. Restore the content library on a site server: When a site server fails, information about packages and applications that is contained in the content library is restored to the site database as part of the restore process, but the content library files are not restored as part of the process. If you do not have a file system backup to restore the content library, you can create a prestaged content file from another site that contains the packages and applications
1566

that you have to have, and then extract the prestaged content file on the recovered site server. For more information about site server backup and recovery, see the Planning for Backup and Recovery section in the Planning for Site Operations in Configuration Manager topic. For more information about prestaging content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Planning for Pull-Distribution Points

Beginning with Configuration Manager SP1, you can configure a distribution point that is not on a site server to be a pull-distribution point. When you deploy content to a large number of distribution points at a site, pull-distribution points can help reduce the processing load on the site server and can help to speed the transfer of the content to each distribution point. This efficiency is achieved by offloading the process of transferring the content to each distribution point from the distribution manager process on the site server. Instead, each pull-distribution point individually manages the transfer of content by downloading content from another distribution point that already has a copy of the content. A pull-distribution point can only obtain content from a distribution point that is specified as a source distribution point. Pull-distribution points support the same configurations and functionality as typical Configuration Manager distribution points. For example, a distribution point that is configured as a pulldistribution point supports the use of multicast and PXE configurations, content validation, and on-demand content distribution. A pull-distribution point supports HTTP or HTTPS communications from clients, supports the same certificates options as other distribution points, and can be managed individually or as a member of a distribution point group. However, the following configurations are exceptions to support for the pull-distribution point: A cloud-based distribution point cannot be configured as a pull-distribution point. Similarly, a cloud-based distribution point cannot be used as a source distribution point. A distribution point on a site server cannot be configured as a pull-distribution point. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content waits for the content. It does not pull content from source distribution point, and, like a standard distribution point that has the prestage content configuration, does not receive content from the site server. A distribution point that is configured as a pull-distribution point does not use configurations for rate limits when it transfers content. If you configure a previously installed distribution point to be a pull-distribution point, configurations for rate limits are saved, but not used. If, at a later time, you remove the pull-distribution point configuration, the rate limit configurations are implemented as previously configured. Note When a distribution point is configured as a pull-distribution point, the Rate Limits tab is not visible in the properties of the distribution point. For more information, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.
1567

A distribution point that is configured as a pull-distribution point does not use the Retry settings for content distribution. Retry Settings can be configured as part of the Software Distribution Component Properties for each site. To view or configure these properties, in the Administration workspace of the Configuration Manager console, expand Site Configuration, and then select Sites. Next, in the results pane, select a site, and then on the Home tab, select Configure Site Components, and then select Software Distribution. The following sequence of events occurs when you distribute software to a pull-distribution point: As soon as content is distributed to a pull-distribution point, the Package Transfer Manager on the site server checks the site database to confirm if the content is available on a source distribution point. If it cannot confirm that the content is on a source distribution point for the pull-distribution point, it repeats the check every 20 minutes until the content is available. When the Package Transfer Manager confirms that the content is available, it notifies the pull-distribution point to download the content. When the pull-distribution point receives this notification, it attempts to download the content from its source distribution points. After the pull-distribution point completes the download of content, it submits this status to a management point. However, if after 60 minutes, this status is not received, the Package Transfer Manager wakes up and checks with the pull-distribution point to confirm if the pull-distribution point has downloaded the content. If the content download is in progress, the Package Transfer Manager sleeps for 60 minutes before it checks with the pull-distribution point again. This cycle continues until the pull-distribution point completes the content transfer.

To transfer content from a source distribution point in a remote forest, the computer that hosts the pull-distribution point must have a Configuration Manager client installed. A Network Access Account that can access the source distribution point must be configured for use.

You can configure a pull-distribution point when you install the distribution point or after it is installed by editing the properties of the distribution point site system role. A distribution point that you configure as a pull-distribution point can transfer content to clients by HTTP or HTTPS. When you configure the pull-distribution point, you must specify one or more source distribution points. Only distribution points that qualify to be source distribution points are displayed. Only distribution points that support HTTP can be specified as a source distribution points when you use the Configuration Manager console. However, you can use the Configuration Manager SDK to specify a source distribution point that is configured for HTTPS. To use a source distribution point that is configured for HTTPS, the pull-distribution point must be co-located on a computer that runs the Configuration Manager client. A pull-distribution point can be specified as a source distribution point for another pull-distribution point. When you distribute content to the pull-distribution point, the Package Transfer Manager notifies the distribution point about the content but does not transfer the content to the distribution point computer. Instead, after the pull-distribution point is notified, the pull-distribution point attempts to download the content from the first source distribution point on its list of source distribution points. If the content is not available, the pull-distribution point attempts to download the content from the next distribution point on the list, continuing until either the content is successfully downloaded or the content is not accessed from any source distribution point. If the content cannot be
1568

downloaded from any source distribution point, the pull-distribution point sleeps for 30 minutes and then begins the process again. Beginning with System Center 2012 R2 Configuration Manager, you can configure each source distribution point on the list with a priority. You can assign a separate priority to each source distribution point, or assign multiple source distribution points to the same priority. The priority determines in which order the pull-distribution point requests content from its source distribution points. Pull-distribution points initially contact a source distribution point with the lowest value for priority. If there are multiple source distribution points with the same priority, the pull-distribution point nondeterministically selects one of the source distribution points that share that priority. If the content is not available, the pull-distribution point then attempts to download the content from another distribution point with that same priority. If none of the distribution points with a given priority has the content, the pull-distribution point attempts to download the content from a distribution point that has an assigned priority with the next larger value, until the content is either located or the pull-distribution point sleeps for 30 minutes before it begins the process again. To manage the transfer of content, pull-distribution points use the CCMFramework component of the Configuration Manager client software. This framework is installed by the Pulldp.msi when you configure the distribution point to be a pull-distribution point and does not require that the Configuration Manager client be installed. After the pull-distribution point is installed, the CCMExec service on the distribution point computer must be operational for the pull-distribution point to function. When the pull-distribution point transfers content, it transfers content by using Background Intelligent Transfer Service (BITS) and logs its operation in the datatransferservice.log and the pulldp.log on the distribution point computer. Note On a computer that is configured as a pull-distribution point and that runs a Configuration Manager client, the version of the Configuration Manager client must be the same as the Configuration Manager site that installs the pull-distribution point. This is a requirement for the pull-distribution point to use the CCMFramework that is common to both the pulldistribution point and the Configuration Manager client. Tip When a pull-distribution point downloads content from a source distribution point, that pull-distribution point is counted as a client in the Client Accessed (Unique) column of the Distribution point usage summary report. This report first appears in System Center 2012 R2 Configuration Manager. By default, a pull-distribution point uses its computer account to transfer content from a source distribution point. However, when the pull-distribution point transfers content from a source distribution point that is in a remote forest, the pull-distribution point always uses the Network Access Account. This process requires that the computer has the Configuration Manager client installed and that a Network Access Account is configured for use and has access to the source distribution point. For information about the Network Access Account, see the "Network Access Account" section in the Technical Reference for Accounts Used in Configuration Manager topic.

1569

For information about configuring the Network Access Account, see Configure the Network Access Account in the Configuring Content Management in Configuration Manager topic. You can remove the configuration to be a pull-distribution point by editing the properties of the distribution point. When you remove the pull-distribution point configuration, the distribution point returns to normal operation, and the site server manages future content transfers to the distribution point. Note Beginning with System Center 2012 R2 Configuration Manager, the Configuration Manager console displays information that identifies a pull-distribution point. With System Center 2012 Configuration Manager SP1, you must review the properties of the distribution point to identify if it is configured as a pull-distribution point.

Planning for Cloud-Based Distribution Points

Beginning with Configuration Manager SP1, you can use a cloud service in Windows Azure to host a distribution point. When you use a cloud-based distribution, you configure client settings to enable users and devices to access the content, and specify a primary site to manage the transfer of content to the distribution point. Additionally, you specify thresholds for the amount of content that you want to store on the distribution point and the amount of content that you want to enable clients to transfer from the distribution point. Based on these thresholds, Configuration Manager can raise alerts that warn you when the combined amount of content that you have stored on the distribution point is near the specified storage amount, or when transfers of data by clients are close to the thresholds that you defined. Cloud-based distribution points support the following features that are also supported with onpremises distribution points: You manage cloud-based distribution points individually, or as members of distribution point groups. You can use a cloud-based distribution point for fallback content location. You receive support for both intranet and Internet-based clients. Content that is sent to the cloud-based distribution point is encrypted by Configuration Manager before Configuration Manager sends it to Windows Azure. In Windows Azure, you can manually scale the cloud service to meet changing demands for content request by clients, without the requirement to install and provision additional distribution points. The cloud-based distribution point supports the download of content by clients that are configured for Windows BranchCache. You cannot use a cloud-based distribution point to host software update packages. You cannot use a cloud-based distribution point for PXE or multi-cast enabled deployments.

A cloud-based distribution point provides the following additional benefits:

A cloud-based distribution point has the following limitations:

1570

Clients are not offered a cloud-based distribution point as a content location for a task sequence that is deployed by using the deployment option Download content locally when needed by running task sequence. However, task sequences that are deployed by using the deployment option of Download all content locally before starting task sequence can use a cloud-based distribution point as a valid content location. A cloud-based distribution point does not support packages that run from the distribution point. All content must be downloaded by the client, and then run locally. A cloud-based distribution point does not support streaming applications by using Application Virtualization or similar programs. A cloud-based distribution point does not support prestaged content. The Distribution Manager of the primary site that manages the distribution point transfers all content to the distribution point. A cloud-based distribution point cannot be configured as pull-distribution points.

Prerequisites for Cloud-Based Distribution Points

A cloud-based distribution point requires the following prerequisites for its use: A subscription to Windows Azure. A self-signed or PKI management certificate for communication from a Configuration Manager primary site server to the cloud service in Windows Azure. A service certificate (PKI) that Configuration Manager clients use to connect to cloud-based distribution points and download content from them by using HTTPS. A device or user must receive the client setting for Cloud Services of Allow access to cloud distribution points set to Yes, before a device or user can access content from a cloud-based distribution point. By default, this value is set to No. A client must be able to resolve the name of the cloud service, which requires a Domain Name System (DNS) alias, CNAME record, in your DNS namespace. A client must be able to access the Internet to use the cloud-based distribution point.

Plan for the Cost of Using Cloud-Based Distribution

To help control costs that are associated with data transfers to and from a cloud-based distribution point, Configuration Manager includes options to control and monitor data access. You can control and monitor the amount of content that you store in a cloud service, and you can configure Configuration Manager to alert you when thresholds for client downloads meet or exceed monthly limits. Use these alerts to proactively manage data charges when you use a cloud-based distribution point. For more information, see the section Controlling the Cost of Cloud-Based Distribution Points in the topic Manage Cloud Services for Configuration Manager.

About Subscriptions and Certificates for Cloud-Based Distribution Points

Cloud-based distribution points require certificates to enable Configuration Manager to manage the cloud service that hosts the distribution point, and for clients to access content from the
1571

distribution point. The following table provides overview information about these certificates. For more detailed information, see PKI Certificate Requirements for Configuration Manager.
Certificate Details

Management certificate for site server to distribution point communication

The management certificate establishes trust between the Windows Azure management API and Configuration Manager. This authentication enables Configuration Manager to call on the Windows Azure API when you perform tasks such as deploying content or starting and stopping the cloud service. By using Windows Azure, customers can create their own management certificates, which can be either a self-signed certificate or a certificate that is issued by a certification authority (CA): Provide the .cer file of the management certificate to Windows Azure when you configure Windows Azure for Configuration Manager. The .cer file contains the public key for the management certificate. You must upload this certificate to Windows Azure before you install a cloud-based distribution point. This certificate enables Configuration Manager to access the Windows Azure API. Provide the .pfx file of the management certificate to Configuration Manager when you install the cloud-based distribution point. The .pfx file contains the private key for the management certificate. Configuration Manager stores this certificate in the site database. Because the .pfx file contains the private key, you must provide the password to import this certificate file into the Configuration Manager database.

If you create a self-signed certificate, you must first export the certificate as a .cer file, and then export it again as a .pfx file. Optionally, you can specify a version 1 .publishsettings file from the Windows Azure SDK 1.7. For information about .publishsettings files, refer to the Windows Azure
1572

Certificate

Details

documentation. For more information, see How to Create a Management Certificate and How to Add a Management Certificate to a Windows Azure Subscription in the Windows Azure Platform section of the MSDN Library. Service certificate for client communication to the distribution point The Configuration Manager cloud-based distribution point service certificate establishes trust between the Configuration Manager clients and the cloud-based distribution point and secures the data that clients download from it by using Secure Socket Layer (SSL) over HTTPS. Important The common name in the certificate subject box of the service certificate must be unique in your domain and not match any domain-joined device. For an example deployment of this certificate, see the Deploying the Service Certificate for Cloud-Based Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Site Server to Cloud-Based Distribution Point Communication

When you install a cloud-based distribution point, you must assign one primary site to manage the transfer of content to the cloud service. This action is equivalent to installing the distribution point site system role on a specific site.

Client to Cloud-Based Distribution Point Communication

When a device or user of a device is configured with the client setting that enables the use of a cloud-based distribution point, the device can receive the cloud-based distribution point as a valid content location. A cloud-based distribution point is considered a remote distribution point when a client evaluates available content locations. Clients on the intranet only use cloud-based distribution points as a fallback option if on-premises distribution points are not available.

1573

Even though you install cloud-based distribution points in specific regions of Windows Azure, clients that use cloud-based distribution points are not aware of the Windows Azure regions, and non-deterministically select a cloud-based-distribution point. This means if you install cloud-based distribution points in multiple regions, and a client receives multiple cloud-based distribution points as content locations, the client might not use a cloud-based distribution point from the same Windows Azure region as the client. Clients that can use cloud-based distribution points use the following sequence when they perform a content location request: 1. A client that is configured to use cloud-based distribution points always attempts to obtain content from a preferred distribution point first. For information about preferred distribution points, see the Preferred Distribution Points section in the Introduction to Content Management in Configuration Manager topic. 2. When a preferred distribution point is not available, the client uses a remote distribution point, if the deployment supports this option, and if a remote distribution point is available. 3. When a preferred distribution point or remote distribution point is not available, the client can then fall back to obtain the content from a cloud-based distribution point. Note Clients on the Internet that receive both an Internet-based distribution point and a cloud-based distribution point as content locations for a deployment, only attempt to retrieve content from the Internet-based distribution point. If the client on the Internet fails to retrieve content from the Internet-based distribution point, the client does not then attempt to access the cloud-based distribution point. When a client uses a cloud-based distribution point as a content location, the client authenticates itself to the cloud-based distribution point by using a Configuration Manager access token. If the client trusts the Configuration Manager cloud-based distribution point certificate, the client can then download the requested content.

Determine the Distribution Point Infrastructure

At least one distribution point is required at each site in the Configuration Manager hierarchy. By default, a primary site server is configured as a distribution point. However, assign this role to a remote site system and remove it from the site server if possible. This role assignment reduces the resource requirements and improves performance on the site server, and also assists in load balancing. The distribution point site system role is automatically configured on the secondary site server when it is installed. However, the distribution point site system role is not required at secondary sites. Clients connect to distribution points at the parent primary site if one is not available at the secondary site. As you configure your distribution points with assigned boundary groups, consider the physical location and network connection speed between the distribution point and site server Consider the following to help you determine the appropriate number of distribution points to install at a site: The number of clients that might access the distribution point
1574

The configuration of the distribution point, such as PXE and multicast The network bandwidth that is available between clients and distribution points The size of the content that clients retrieve from the distribution point The setting for BranchCache that when it is enabled, lets clients at remote locations obtain content from local clients

For more information about creating and configuring distribution points, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points for content distribution. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group receive the content. If you add a distribution point to the distribution point group after an initial content distribution, the content automatically distributes to the new distribution point member. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group, to manage and monitor content from a central location for distribution points that span multiple sites. You can also add a collection to distribution point groups, which creates an association, and then distribute content to the collection. When you distribute content to a collection, the content is assigned to all distribution point groups that are associated with the collection. The content is then distributed to all distribution points that are members of those distribution point groups. There are no restrictions on the number of distribution point groups that can be associated with a collection or the number of collections that can be associated with a distribution point group. If you add a collection to a distribution point group, the distribution point group does not automatically receive content previously distributed to the associated collection. However, the distribution point group receives all new content that is distributed to the collection. Note After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. For more information about creating and configuring distribution point groups, see the Create and Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.

Plan for Distribution Point Priority

Beginning with System Center 2012 R2 Configuration Manager, Configuration Manager determines a priority for each distribution point that is based on the time it took the last content deployment to that distribution point to transfer across the network. When you distribute content to multiple distributions points at the same time or to a distribution point group, Configuration
1575

Manager sends the content to the distribution point with the highest priority before it sends that same content to a distribution point with a lower priority. This process is self-tuning and helps Configuration Manager successfully distribute content to more distribution points in a shorter period of time than in previous versions. By default, all new distribution points share the same priority. The priority of a distribution point does not replace a packages distribution priority. The distribution priority, which is high, medium, or low, remains the deciding factor in the sequence of when different distributions are transferred. For example, if you distribute content that has a high distribution priority to a distribution point that has a low distribution point priority, this high distribution priority package always transfers before a package that has a lower distribution priority. The distribution priority applies even if packages that have a lower distribution priority are distributed to distribution points that have higher distribution point priorities. The high distribution priority of the package ensures that Configuration Manager distributes that content to its applicable distribution points before any packages with a lower distribution priority are sent. The priority of distribution points is determined and managed by Configuration Manager automatically. There are no options in the Configuration Manager console to adjust or view this priority. However, you can use the Configuration Manager SDK to manually manage the priority of distribution points. Note Pull-distribution points use a concept of priority to order the sequence of their source distribution points. The distribution point priority for content transfers to the distribution point is distinct from the priority that pull-distribution points use when they search for content from a source distribution point. For more information about pull-distribution points, see Planning for Pull-Distribution Points in this topic.

Plan for Content Libraries

Configuration Manager creates a content library on each site server and on each distribution point. The content library stores all content files for software updates, applications, and operating system deployment. An exception to this process is on the central administration site. On the central administration site, the content library only stores content that is created at the central administration site, and content that you migrate from another site and assign to be managed by the central administration site. When you plan for content management, ensure there is enough free disk space for use by the content library on each distribution point that you deploy, and on each site server that manages content that you create or that you migrate from another Configuration Manager site. For information about the content library, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. Important For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:
1576

To move the content library to a different location on a distribution point after the installation, use the Content Library Transfer Tool in the System Center 2012 Configuration Manager Service Pack 1 Toolkit. You can download the toolkit from the Microsoft Download Center.

Plan for Binary Differential Replication

System Center 2012 Configuration Manager uses binary differential replication, sometimes known as delta replication, to update the copy of applications and packages on remote sites and on distribution points. This process minimizes the network bandwidth that is used to send updates for distributed content by resending only the new or changed content instead of sending the entire set of content source files each time a change to those files is made. When binary differential replication is used, Configuration Manager identifies the changes that occur to source files for each set of content that has previously been distributed. When files in the source content change, Configuration Manager creates a new incremental version of the content set and replicates only the changed files to destination sites and distribution points. A file is considered to be changed if it renamed, moved, or the contents of the file change. For example, if you replace a single driver file for an operating system deployment package that you previously distributed to several sites, only the changed driver file is replicated to those destination sites. Configuration Manager supports up to five incremental versions of a content set before it resends the entire content set. After the fifth update, the next change to the content set causes Configuration Manager to create a new version of the content set. Configuration Manager then distributes the new version of the content set to replace the previous set and any of its incremental versions. After the new content set is distributed, subsequent incremental changes to the source files are again replicated by binary differential replication. Binary replication is supported between each parent and child site in a hierarchy. Within a site, binary replication is supported between the site server and its distribution points. Beginning with Configuration Manager Service Pack 1, this support includes pull-distribution points but does not include cloud-based distribution points. Cloud-based distribution points do not support binary differential replication to transfer content. Applications always use binary differential replication. For packages, binary differential replication is optional and is not enabled by default. To use binary differential replication for packages, you must enable this functionality for each package. To do so, select the option Enable binary differential replication when you create a new package or when you edit the Data Source tab of the package properties.

About the Package Transfer Manager

In a System Center 2012 Configuration Manager site, the Package Transfer Manager is a new component of the SMS_Executive that manages the transfer of content from a site server computer to remote distribution points in a site. When you distribute content to one or more remote distribution points at a site, Distribution Manager creates a content transfer job and then
1577

notifies the Package Transfer Manager on primary and secondary site servers to transfer the content to the remote distribution points. Note In previous versions of Configuration Manager, the Distribution Manager manages the transfer of content to a remote distribution point. Distribution Manager also manages the transfer of content between sites. With System Center 2012 Configuration Manager, Distribution Manager continues to manage the transfer of content between two sites. However, the Package Transfer Manager allows Configuration Manager to offload from Distribution Manager the operations required to transfer content to large numbers of distribution points. Compared to previous product versions, this helps to increase the overall performance of content deployment both between sites and to distribution points within a site. To transfer content to a standard distribution point, Package Transfer Manager operates the same as the Distribution Manager operates in previous versions of Configuration Manager. That is, it actively manages the transfer of files to each remote distribution point. However, to distribute content to a pull-distribution point, the Package Transfer Manager notifies the pull-distribution point that content is available, and then hands the process of transferring that content over to the pull-distribution point. Use the following information to help you understand how Package Transfer Manager manages the transfer of content to standard distribution points and to distribution points configured as pulldistribution points:
Action Standard distribution point Pull-distribution point

Administrative user deploys content to one or more distribution points at a site Distribution Manager runs preliminary checks

Distribution Manager creates a content transfer job for that content. Distribution Manager runs a basic check to confirm that each distribution point is ready to receive the content. After this check, Distribution Manager notifies Package Transfer Manager to start the transfer of content to the distribution point.

Distribution Manager creates a content transfer job for that content. Distribution manager starts Package Transfer Manager, which then notifies the pulldistribution point that there is a new content transfer job for the distribution point. Distribution Manager does not check on the status of remote distribution points that are pull-distribution points because each pulldistribution point manages its own content transfers. For each pull-distribution point in the distribution, Package
1578

Package Transfer Manager prepares to transfer content

Package Transfer Manager examines the single instance

Action

Standard distribution point

Pull-distribution point

content store of each specified remote distribution point, to identify any files that are already on that distribution point. Then, Package Transfer Manager queues up for transfer only those files that are not already present. Note When you use the Redistribute action for content, Package Transfer Manager copies each file in the distribution to the distribution point, even if the files are already present in the single instance store of the distribution point.

Transfer Manager checks the pull-distribution points source distribution points to confirm if the content is available: When the content is available on at least one source distribution point, Package Transfer Manager sends a notification to that pull-distribution point that directs that distribution point to begin the process of transferring content. The notification includes file names and sizes, attributes, and hash values. When the content is not yet available, Package Transfer Manager does not send a notification to the distribution point. Instead, it repeats the check every 20 minutes until the content is available. Then, when the content is available, Package Transfer Manager sends the notification to that pulldistribution point. Note When you use the Redistribute action for content, the pulldistribution point copies each file in the distribution to the distribution point, even if the files are already present in the single instance store of the pull-distribution point.

Content begins to transfer

Package Transfer Manager copies files to each remote

When a pull-distribution point receives a notification file, the

1579

Action

Standard distribution point

Pull-distribution point

distribution point. During the transfer to a standard distribution point: By default, Package Transfer Manager can simultaneously process three unique packages, and distribute them to five distribution points in parallel. These are called Concurrent distribution settings and are configured on the General tab of the Software Distribution Component Properties for each site. Package Transfer Manager uses the scheduling and network bandwidth configurations of each distribution point when transferring content to that distribution point. You configure these settings on the Schedule and Rate Limits tabs in the Properties of each remote distribution point. For more information, see the Modify the Distribution Point Configuration Settings section in the Configuring Content Management in Configuration Manager topic.

distribution point begins the process to transfer the content. The transfer process runs independently on each pulldistribution point: The pull-distribution identifies the files in the content distribution that it does not already have in its single instance store, and prepares to download that content from one of its source distribution points. Next, the pull-distribution point checks with each of its source distribution points, in order, until it locates a source distribution point that has the content available. When the pull-distribution point identifies a source distribution point with the content, it begins the download of that content. Note The process to download content by the pull-distribution point is the same as is used by Configuration Manager clients. For the transfer of content by the pulldistribution point, neither the concurrent transfer settings, nor the scheduling and throttling options that you configure for standard distribution points are used. After the pull-distribution point
1580

Content transfer completes

After the Package Transfer

Action

Standard distribution point

Pull-distribution point

Manager is done transferring files to each designated remote distribution point, it verifies the hash of the content on the distribution point, and notifies Distribution Manager that the distribution is complete.

completes the content download, the distribution point verifies the hash of the content, and then submits a status message to the sites management point to indicate success. However, if after 60 minutes, this status is not received, the Package Transfer Manager wakes up and checks with the pull-distribution point to confirm if the pull-distribution point has downloaded the content. If the content download is in progress, the Package Transfer Manager sleeps for 60 minutes before it checks with the pull-distribution point again. This cycle continues until the pull-distribution point completes the content transfer.

Package Transfer Manager logs its actions in the pkgxfermgr.log file on the site server. The log file is the only location you can view the activities of the Package Transfer Manager.

Supplemental Planning Topics for Content Management

Use the following topics to help you plan for content management in Configuration Manager: Prerequisites for Content Management in Configuration Manager Best Practices for Content Management in Configuration Manager

See Also
Planning for Configuration Manager Sites and Hierarchy

1581

Prerequisites for Content Management in Configuration Manager

Content management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product. For more information about supported configurations for distribution points and other site systems roles that support content management, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Dependencies External to Content Management

The following table lists the external dependencies for content management.
Prerequisite More information

Internet Information Services (IIS) on the site system servers to run the distribution point

For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. When you install a distribution point, Configuration Manager can install and configure IIS if it is not installed. If IIS is already installed, Configuration Manager configures it to support required operations. Configuration Manager does not change settings that have been configured as part of an IIS template. Note You must manually install IIS on computers that run Windows Server 2003 with Service Pack 2.

Certificate for client authentication

When you add the distribution point site role to a server, you must specify a certificate that authenticates the distribution point to management points. Computers use the same certificate if they perform a PXE boot from the distribution point. Configuration Manager can create a self-signed certificate, or you can import a PKI certificate file that contains client authentication capability and the private key. For more information about the PKI certificate
1582

Prerequisite

More information

requirements for the distribution point, see the PKI Certificates for Servers section in the PKI Certificate Requirements for Configuration Manager topic. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

Dependencies Internal to Content Management

The following table lists the dependencies within Configuration Manager for content management.
Dependency More information

Distribution points

Before content files can be sent to devices, at least one distribution point must be configured for the Configuration Manager site. Although distribution point groups are not required, they let you manage content files on a logical grouping of distribution points. For example, you can distribute content to a distribution point group, and all distribution points that are members of the distribution point group receive the content. Package Access Accounts lets you set NTFS file system permissions to specify the users and user groups that can access a package folder on a distribution point to download content files. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators. In most cases, the default settings are sufficient. For more information about configuring the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.
1583

Distribution point groups

Package Access Accounts

See Also
Planning for Content Management in Configuration Manager

Best Practices for Content Management in Configuration Manager

Use the following best practices for content management in System Center 2012 Configuration Manager:

Use a source file location for packages that has a fast and reliable network connection to the site that owns the package content source
When you create a package that contains source files, such as an application deployment type or deployment package, the site in which the package is created becomes the site owner for the package content source. The source files are copied from the source file path that you specify for the package to the content library on the site that owns the package content source. When you start the Update Content or Update Distribution Point actions, the content files are re-copied from the source file path to the content library on the site that owns the package content source. For more information about updating content, see the Update Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Before you create a package, consider the network connection between the source file location and the site that owns the package content source. As a best practice, use a source file location for packages that has a fast and reliable network connection to the site that owns the package content source. Note When you create an application, the site on which you created the application owns the package content source. The site also owns the content source for all deployment types for the application regardless of the site on which you create the deployment type. For example, when you create an application at Site X, Site X owns the package content source. When you create a deployment type for the application at Site Y, Site X continues to own the package content source. Therefore, the content for the deployment type is copied to Site X as the owner of the content.

1584

See Also
Planning for Content Management in Configuration Manager

Configuring Content Management in Configuration Manager

Content management in Microsoft System Center 2012 Configuration Manager relies on the infrastructure of the distribution point site role. This section provides configuration information for creating the distribution point site role, configuring the distribution point properties, and creating distribution point groups. Use the following sections in this topic to help you install and configure distribution points and distribution point groups: Install and Configure the Distribution Point Modify the Distribution Point Configuration Settings Create and Configure Distribution Point Groups Configure the Network Access Account Important Planning the distribution point infrastructure is an important first step in your content management strategy. For more information about planning for content management in your hierarchy, see Planning for Content Management in Configuration Manager.

Install and Configure the Distribution Point

You must designate a site system server as a distribution point before content can be made available to client computers. You can add the distribution point site role to a new site system server or add the site role to an existing site system server. Use the following procedure to add the distribution point site role to a new or existing site system server. Security You must have the following security permissions to create and configure a distribution point: Read for the Distribution Point object Copy to Distribution Point for the Distribution Point object Modify for the Site object Manage Certificates for Operating System Deployment for the Site object

To install and configure the distribution point site role on a site system server
1585

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the distribution point site system role to a new or existing site system server by using the associated step: Note For more information about installing site system roles, see Install and Configure Site System Roles for Configuration Manager. New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system server: Click the server in which you want to install the distribution point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the results pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the distribution point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Distribution point from the list of available roles, and then click Next. 6. Configure the distribution point settings on the following pages of the wizard: Distribution Point page Configure the general distribution point settings. Install and configure IIS if required by Configuration Manager: Select this setting to let Configuration Manager install and configure Internet Information Services (IIS) on the server if it is not already installed. IIS must be installed on all distribution points. If IIS is not installed on the server and you do not select this setting, you must install IIS before the distribution point can be installed successfully. Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic.

For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Allow clients to connect anonymously: This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library. Important
1586

When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation completes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated distribution points. Later, if you start the repair action from Add/Remove Programs on a Configuration Manager client, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting or the repair fails for clients. You must always select the Allow clients to connect anonymously setting for Windows XP clients. For all other operating systems, you can install the update and modify a registry key described in Microsoft Knowledge Base article 2619572. After the update is installed on the clients, MSIExec will access the content path by using the logged on user account when you do not select the Allow clients to connect anonymously setting. Create a self-signed certificate or import a public key infrastructure (PKI) client certificate for the distribution point. The certificate has the following purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When you select Enable PXE support for clients check box on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager:
Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points.

For more information about the certificate requirements, see PKI Certificate
1587

Requirements for Configuration Manager.

For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

Drive Settings page Specify the drive settings for the distribution point. You can configure up to two disk drives for the content library and two disk drives for the package share, although System Center 2012 Configuration Manager can use additional drives when the first two reach the configured drive space reserve. The Drive Settings page configures the priority for the disk drives and the amount of free disk space that remains on each disk drive. Drive space reserve (MB): The value that you configure for this setting determines the amount of free space on a drive before Configuration Manager chooses a different drive and continues the copy process to that drive. Content files can span multiple drives. Content Locations: Specify the content locations for the content library and package share. Configuration Manager copies content to the primary content location until the amount of free space reaches the value specified for Drive space reserve (MB). By default, the content locations are set to Automatic. The primary content location is set to the disk drive that has the most disk space at installation, and the secondary location is assigned to the disk drive that has the second most free disk space. When the primary and secondary drives reach the drive space reserve, Configuration Manager selects another available drive with the most free disk space and continues the copy process. Note To prevent Configuration Manager from installing on a specific drive, create an empty file named no_sms_on_drive.sms and copy it to the root folder of the drive before you install the distribution point.

Pull Distribution Point page For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Configure the distribution point to be a pull-distribution point by selecting Enable this distribution point to pull content from other distribution points . Click Add, and then select one or more of the available distribution points to be
1588

source distribution points.. Click Remove to remove the selected distribution point as a source distribution point. Use the arrow buttons to adjust the order in which the source distribution points are contacted by the pull-distribution point when the pull-distribution point attempts to transfer content. Distribution points with the lowest value are contacted first.

PXE Settings page Specify whether to enable PXE on the distribution point. When you enable PXE, Configuration Manager installs Windows Deployment Services on the server, if required. Windows Deployment Service is the service that performs the PXE boot to install operating systems. After you complete the wizard to create the distribution point, Configuration Manager installs a provider in Windows Deployment Services that uses the PXE boot functions. When you select Enable PXE support for clients, configure the following settings: Allow this distribution point to respond to incoming PXE requests: Specifies whether to enable Windows Deployment Services so that it responds to PXE service requests. Use this check box to enable and disable the service without removing the PXE functionality from the distribution point. Enable unknown computer support: Specify whether to enable support for computers that are not managed by Configuration Manager. Require a password when computers use PXE: To provide additional security for your PXE deployments, specify a strong password. User device affinity: Specify how you want the distribution point to associate users with the destination computer for PXE deployments. Select one of the following options: Allow user device affinity with auto-approval: Select this setting to automatically associate users with the destination computer without waiting for approval. Allow user device affinity pending administrator approval: Select this setting to wait for approval from an administrative user before users are associated with the destination computer. Do not allow user device affinity: Select this setting to specify that users are not associated with the destination computer.

For more information about user device affinity, see How to Associate Users with a Destination Computer.
Network interfaces: Specify that the distribution point responds to PXE requests from all network interfaces or from specific network interfaces. If the distribution point responds to specific network interface, you must provide the MAC address for each network interface. Specify the PXE server response delay (seconds): Specifies, in seconds, how
1589

long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. Note You can use the PXE protocol to start operating system deployments to Configuration Manager client computers. Configuration Manager uses the PXE-enabled distribution point site role to initiate the operating system deployment process. The PXE-enabled distribution point must be configured to respond to PXE boot requests that Configuration Manager clients make on the network and then interact with Configuration Manager infrastructure to determine the appropriate deployment actions to take. For more information about using PXE to deploy operating systems in Configuration Manager, see Planning to Deploy Operating Systems in Configuration Manager. Multicast page Specify whether to enable multicast on the distribution point. When you enable multicast, Configuration Manager installs Windows Deployment Services on the server, if required. When you select the Enable multicast to simultaneously send data to multiple clients check box, configure the following settings: Multicast Connection Account: Specify the account to use when you configure Configuration Manager database connections for multicast. Multicast address settings: Specify the IP addresses used to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255. Important The IP addresses that you configure must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. UDP port range for multicast: Specify the range of user datagram protocol (UDP) ports that are used to send data to the destination computers. Important The UDP ports must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. Client transfer rate: Select the transfer rate that is used to download data to the destination computers.
1590

Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point. Enable scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. When selected, configure the following options: Session start delay (minutes): Specify the number of minutes that Configuration Manager waits before it responds to the first deployment request. Minimum session size (clients): Specify how many requests must be received before Configuration Manager starts to deploy the operating system.

Note Multicast deployments conserve network bandwidth by simultaneously sending data to multiple Configuration Manager clients instead of sending a copy of the data to each client over a separate connection. For more information about using multicast for operating system deployment, see Planning a Multicast Strategy in Configuration Manager. Content Validation page Specify whether to set a schedule to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager starts the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. By default, the priority is set to Lowest. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. Warning You specify the content validation schedule by using the local time for the computer, the schedule displays in the Configuration Manager console by using UTC. Boundary Group page Manage the boundary groups for which this distribution point is assigned. You can associate boundary groups to a distribution point. During content deployment, clients must be in a boundary group associated with the distribution point to use it as a source location for content. You can select the Allow clients to use this site system as a fallback source location for content check box to let clients outside these boundary groups fall back and use the distribution point as a source location for content when no other distribution points are available. For more information about protected distribution points, see Planning for Preferred
1591

Distribution Points and Fallback. After you complete the wizard, the distribution point site role is added to the site system server.

Modify the Distribution Point Configuration Settings

After the distribution point is installed, you can modify the configuration settings in the distribution point properties. In the properties, you can configure the settings that were available during the initial installation. You can also manage the distribution point groups that the distribution point is associated with, review the packages that are associated with the distribution point, schedule when content can transfer to the distribution point, and configure the rate limits to control the network bandwidth that is in use when transferring content. To modify the distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point that you want to configure. 3. On the Home tab, in the Properties group, click Properties. 4. Configure the distribution point settings on the following tabs in the distribution point properties: General tab Specify the following settings: Configure how client devices communicate with the distribution point. There are advantages and disadvantages for using HTTP and HTTPS. For more information, see Security Best Practices for Content Management section in the Security and Privacy for Content Management in Configuration Manager topic.

For more information about client communication to the distribution point and other site systems, see the Planning for Client Communications in Configuration Manager section in the Planning for Communications in Configuration Manager topic.
Allow clients to connect anonymously: This setting specifies whether the distribution point allows anonymous connections from Configuration Manager clients to the content library. Important When you deploy a Windows Installer application on a Configuration Manager client, Configuration Manager downloads the file to the local cache on the client and the files are eventually removed after the installation completes. The Configuration Manager client updates the Windows Installer source list for the installed Windows Installer applications with the content path for the content library on associated
1592

distribution points. Later, if you start the repair action from Add/Remove Programs on a Configuration Manager client, MSIExec attempts to access the content path by using an anonymous user. You must select the Allow clients to connect anonymously setting or the repair fails for clients. You must always select the Allow clients to connect anonymously setting for Windows XP clients. For all other operating systems, you can install the update and modify a registry key described in Microsoft Knowledge Base article 2619572. After the update is installed on the clients, MSIExec will access the content path by using the logged on user account when you do not select the Allow clients to connect anonymously setting. Create a self-signed certificate or import a PKI client certificate for the distribution point. The certificate has the following purposes: It authenticates the distribution point to a management point before the distribution point sends status messages. When Enable PXE support for clients is selected on the PXE Settings page, the certificate is sent to computers that perform a PXE boot so that they can connect to a management point during the deployment of the operating system.

When all your management points in the site are configured for HTTP, create a selfsigned certificate. When your management points are configured for HTTPS, import a PKI client certificate. To import the certificate, browse to a Public Key Cryptography Standard (PKCS #12) file that contains a PKI certificate with the following requirements for Configuration Manager:
Intended use must include client authentication. The private key must be enabled to be exported. Note There are no specific requirements for the certificate subject or subject alternative name (SAN), and you can use the same certificate for multiple distribution points.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example deployment of this certificate, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.

1593

Enable this distribution point for prestaged content: Select this setting to enable the distribution point for prestaged content. When this setting is selected, you can configure distribution behavior when you distribute content. You can choose whether you always want to prestage the content on the distribution point, prestage the initial content for the package, but use the normal content distribution process when there are updates to the content, or always use the normal content distribution process for the content in the package.

Pull Distribution Point tab For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Configure the distribution point to be a pull-distribution point by selecting Enable this distribution point to pull content from other distribution points . Click Add, and then select one or more of the available distribution points to be source distribution points.. Click Remove to remove the selected distribution point as a source distribution point. Use the arrow buttons to adjust the order in which the source distribution points are contacted by the pull-distribution point when the pull-distribution point attempts to transfer content. Distribution points with the lowest value are contacted first.

PXE tab Specify whether to enable PXE on the distribution point. When you enable PXE, Configuration Manager installs Windows Deployment Services on the server, if required. Windows Deployment Service is the service that performs the PXE boot to install operating systems. After you complete the wizard to create the distribution point, Configuration Manager installs a provider in Windows Deployment Services that uses the PXE boot functions. When you select Enable PXE support for clients, configure the following settings: Allow this distribution point to respond to incoming PXE requests : Specifies whether the PXE service point responds to computer requests. When you do not enable this setting, the PXE service point is installed but it is not activated. Enable unknown computer support: Specify whether to enable support for unknown computers. Unknown computers are computers that are not managed by Configuration Manager. Require a password when computers use PXE: Specify whether a password is required for clients to start the PXE boot. User device affinity: Specifies the user device affinity behavior. Select one of the following options: Allow user device affinity with auto-approval: Select this setting if you want to automatically associate users with the destination computer. Allow user device affinity pending administrator approval: Select this setting if you want to associate users with the destination computer only after
1594

approval is granted. Do not allow user device affinity: Select this setting if you do not want to associate users with the destination computer.

For more information about user device affinity, see How to Associate Users with a Destination Computer.
Network interfaces: Specify whether the distribution point responds to PXE requests on all network interfaces or whether it responds to PXE requests on only specific network interfaces. Specify the PXE server response delay (seconds): Specifies, in seconds, how long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. Note You can use the PXE protocol to initiate operating system deployments to Configuration Manager client computers. Configuration Manager uses the PXE-enabled distribution point site role to start the operating system deployment process. The PXE-enabled distribution point must be configured to respond to PXE boot requests made by Configuration Manager clients on the network and then interact with Configuration Manager infrastructure to determine the appropriate deployment actions to take. For more information about using PXE to deploy operating systems in Configuration Manager, see Planning to Deploy Operating Systems in Configuration Manager. Multicast tab Specify whether to enable multicast on the distribution point. When you enable multicast, Configuration Manager installs Windows Deployment Services on the server, if required. When you select the Enable multicast to simultaneously send data to multiple clients check box, configure the following settings: Multicast Connection Account: Specify the account to use when you configure Configuration Manager database connections for multicast. Multicast address settings: Specify the IP addresses used to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255. Important The IP addresses that you configure must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the
1595

destination computer and the site server. UDP port range for multicast: Specify the range of user datagram protocol (UDP) ports used to send data to the destination computers. Important The UDP ports must be accessible by the destination computers that request the operating system image. Verify that routers and firewalls allow for multicast traffic between the destination computer and the site server. Client transfer rate: Select the transfer rate used to download data to the destination computers. Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point. Enable scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. When selected, configure the following options: Session start delay (minutes): Specify the number of minutes that Configuration Manager waits before it responds to the first deployment request. Minimum session size (clients): Specify how many requests must be received before Configuration Manager starts to deploy the operating system. Note Multicast deployments conserve network bandwidth by simultaneously sending data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information about using multicast for operating system deployment, see Planning a Multicast Strategy in Configuration Manager. Group Relationships tab Manage the distribution point groups in which this distribution point is a member. To add this distribution point as a member to an existing a distribution point group, click Add. Select an existing distribution point group in the list in the Add to Distribution Point Groups dialog box, and then click OK. To remove this distribution point from a distribution point group, select the distribution point group in the list, and then click Remove. Content tab Manage the content that has been distributed to the distribution point. The Deployment packages section provides a list of the packages distributed to this distribution point. You can select a package from the list and perform the following actions: Validate: Starts the process to validate the integrity of the content files in the
1596

package. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. Redistribute: Copies all of the content files in the package to the distribution point, and overwrites the existing files. You typically use this operation to repair content files in the package. Remove: Removes the content files from the distribution point for the package.

Content Validation tab Specify whether to set a schedule to validate the integrity of content files on the distribution point. When you enable content validation on a schedule, Configuration Manager starts the process at the scheduled time, and all content on the distribution point is verified. You can also configure the content validation priority. By default, the priority is set to Lowest. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and then click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. Warning You specify the content validation schedule by using the local time for the computer, the schedule displays in the Configuration Manager console by using UTC.

Boundary Groups tab Manage the boundary groups for which this distribution point is assigned. The distribution point is considered protected for the clients that are within the boundaries associated with the boundary group. During a content deployment, only the clients that are in an assigned boundary group can use the distribution point as a content location source. You can select the Allow a client outside these boundary groups to fall back and use this site system as a source location for content check box to let clients not in the assigned boundary groups use the distribution point if a protected distribution point is not available to the client. For more information about protected distribution points, see Planning for Preferred Distribution Points and Fallback.

Schedule tab Tip This tab is only available when you edit the properties for a distribution point that is remote from the site server computer. Specify whether to configure a schedule that restricts when Configuration Manager can transfer data to the distribution point. To restrict data, select the time period and then select one of the following settings for Availability: Open for all priorities: Specifies that Configuration Manager sends data to the
1597

distribution point with no restrictions. Allow medium and high priority: Specifies that Configuration Manager sends only medium and high priority data to the distribution point. Allow high priority only: Specifies that Configuration Manager sends only high priority data to the distribution point. Closed: Specifies that Configuration Manager does not send any data to the distribution point.

You can restrict data by priority or close the connection for selected time periods. Rate Limits tab Tip This tab is only available when you edit the properties for a distribution point that is remote from the site server computer. Specify whether to configure rate limits to control the network bandwidth that is in use when transferring content to the distribution point. You can choose from the following options: Unlimited when sending to this destination: Specifies that Configuration Manager sends content to the distribution point with no rate limit restrictions. Pulse mode: Specifies the size of the data blocks that are sent to the distribution point. You can also specify a time delay between sending each data block. Use this option when you must send data across a very low bandwidth network connection to the distribution point. For example, you might have constraints to send 1 KB of data every five seconds, regardless of the speed of the link or its usage at a given time. Limited to specified maximum transfer rates by hour: Specify this setting to have a site send data to a distribution point by using only the percentage of time that you configure. When you use this option, Configuration Manager does not identify the networks available bandwidth, but instead divides the time it can send data into slices of time. Then data is sent for a short block of time, which is followed by blocks of time when data is not sent. For example, if the maximum rate is set to 50%, Configuration Manager transmits data for a period of time followed by an equal period of time when no data is sent. The actual size amount of data, or size of the data block, is not managed. Instead, only the amount of time during which data is sent is managed.

Create and Configure Distribution Point Groups

Distribution point groups provide a logical grouping of distribution points and collections for content distribution. You can add one or more distribution points from any site in the Configuration Manager hierarchy to the distribution point group. You can also add the distribution point to more than one distribution point group so that you can manage and monitor content from a central location for distribution points that span multiple sites. When you distribute content to a distribution point group, all distribution points that are members of the distribution point group
1598

receive the content. When a new distribution point is added to a distribution point group, it receives all content that has been previously distributed to it. You can also associate collections to the distribution point group. When you distribute content, you can target a collection and the distribution points that are members of all distribution point groups with an association to the collection to receive the content. Important After you distribute content to a collection, and then associate the collection to a new distribution point group, you must redistribute the content to the collection before the content is distributed to the new distribution point group. To create and configure a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups. 3. On the Home tab, in the Create group, click Create Group. 4. Enter the name and description for the distribution point group. 5. On the Collections tab, click Add, select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, click Add, select the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add distribution points and associate collections to an existing distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to modify members. 3. On the Home tab, in the Properties group, click Properties. 4. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 5. On the Members tab, click Add to select the distribution points that you want to add as members of the distribution point group, and then click OK. 6. Click OK to save changes to the distribution point group. To add selected distribution points to a new distribution point group 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points that you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to New Distribution Point Group. 4. Enter the name and description for the distribution point group.
1599

5. On the Collections tab, click Add to select the collections that you want to associate with the distribution point group, and then click OK. 6. On the Members tab, verify that you want Configuration Manager to add the listed distribution points as members of the distribution point group. Click Add to modify the distribution points that you want to add as members of the distribution point group, and then click OK. 7. Click OK to create the distribution point group. To add selected distribution points to existing distribution point groups 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution points that you want to add to the new distribution point group. 3. On the Home tab, in the Distribution Point group, expand Add Selected Items, and then click Add Selected Items to Existing Distribution Point Groups. 4. In the Available distribution point groups, select the distribution point groups to which the selected distribution points are added as members, and then click OK.

Configure the Network Access Account

Client computers use the Network Access Account when they cannot use their local computer account to access content on distribution points; for example, this applies to workgroup clients and computers from untrusted domains. This account might also be used during operating system deployment when the computer installing the operating system does not yet have a computer account on the domain. Note Clients only use the Network Access Account for accessing resources on the network. Grant this account the minimum appropriate permissions to access the software for the content that the client requires. The account must have the Access this computer from the network right on the distribution point. Prior to System Center 2012 R2 Configuration Manager you can create only one Network Access Account per site and this account must function for all packages and task sequences for which it is required. Beginning with System Center 2012 R2 Configuration Manager you can configure multiple accounts for use as a Network Access Account at each site. For more information about using Network Access Accounts, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Warning When Configuration Manager tries to use the computername$ account to download the content and it fails, it automatically tries the Network Access Account again, even if it has previously tried and failed. Create the account in any domain that provides the necessary access to resources. The Network Access Account must always include a domain name. Pass-through security is not supported for
1600

this account. If you have distribution points in multiple domains, create the account in a trusted domain. Tip To avoid account lockouts, do not change the password on an existing Network Access Account. Instead, create a new account and configure the new account in Configuration Manager. When sufficient time has passed for all clients to have received the new account details, remove the old account from the network shared folders and delete the account. Security Do not grant this account interactive logon rights. Do not grant this account the right to join computers to the domain. If you must join computers to the domain during a task sequence, use the Task Sequence Editor Domain Joining Account. Use the following procedure to configure the Network Access Account. Note You cannot configure the Network Access Account on a central administration site. To configure the Network Access Account 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the site. 3. On the Settings group, click Configure Site Components, and then click Software Distribution. 4. Click the Network Access Account tab. If you use System Center 2012 Configuration Manager with no service pack or with SP1, configure the account, and then click OK. Beginning with System Center 2012 R2 Configuration Manager, configure one or more accounts and then click OK.

See Also
Content Management in Configuration Manager

Operations and Maintenance for Content Management in Configuration Manager

After the infrastructure is in place for content management in System Center 2012 Configuration Manager, there are operations that you typically perform to ensure the most recent content files are on distribution points and available to client computers. This section provides
1601

information about managing content files on distribution points, initiating content validation, and monitoring content. Use the following sections in this topic to help you manage typical content operations in your Configuration Manager hierarchy: Distribute Content on Distribution Points Manage Accounts to Access Package Content Update Content on Distribution Points Redistribute Content on Distribution Points Remove Content on Distribution Points Prestage Content Initiate Content Validation Monitor Content

Distribute Content on Distribution Points

You must distribute content to distribution points, before it is available to client computers. Configuration Manager stores content files in a package, and then distributes the package to the distribution point. There are several types of content that you can distribute, including application deployment types, packages, deployment packages, driver packages, operating system images, operating system installers, boot images, and task sequences. When you create a package that contains source files, such as an application deployment type or deployment package, the site on which the package is created becomes the site owner for the package content source. Configuration Manager copies the source files from the source file path that you specify for the object to the content library on the site that owns the package content source. Use the following procedure to distribute content to distribution points. To distribute content on distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the applications that you want to distribute. Packages: Expand Application Management, click Packages, and then select the packages that you want to distribute. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages that you want to distribute. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to distribute. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to distribute. Operating System Installers: Expand Operating Systems, click Operating
1602

System Installers, and then select the operating system installers that you want to distribute. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to distribute. Task Sequences: Expand Operating Systems, click Task Sequences, and then select the task sequence that you want to distribute. Although task sequences do not contain content, they have associated content dependencies that are distributed. Note If you modify the task sequence, you must redistribute the content. 3. On the Home tab, in the Deployment group, click Distribute Content. The Distribute Content Wizard opens. 4. On the General page, verify that the content listed is the content that you want to distribute, choose whether you want Configuration Manager to detect content dependencies that are associated with the selected content and add the dependencies to the distribution, and then click Next. Note You have the option to configure the Detect associated content dependencies and add them to this distribution setting only for the application content type. Configuration Manager automatically configures this setting for task sequences, and it cannot be modified. 5. On the Content tab, if displayed, verify that the content listed is the content that you want to distribute, and then click Next. Note The Content page displays only when the Detect associated content dependencies and add them to this distribution setting is selected on the General page of the wizard. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about associating collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.
1603

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the points. To monitor the content distribution, see the Monitoring in Content Management section in this topic.

Manage Accounts to Access Package Content

Package Access Accounts enable you to set NTFS file system permissions to specify the users and user groups that can access package content on distribution points. By default, Configuration Manager grants access only to the generic access accounts Users and Administrators, but you can control access for client computers by using additional Windows accounts or groups. Mobile devices always retrieve package content anonymously; therefore, mobile devices do not use the Package Access Accounts. By default, when Configuration Manager copies the content files in a package to a distribution point, it grants Read access to the local Users group and Full Control to the local Administrators group. The actual permissions that are required depend on the package. If you have clients in workgroups or in untrusted forests, those clients use the Network Access Account to access the package content. Ensure that the Network Access Account has permissions to the package by using the defined Package Access Accounts. Use accounts in a domain that can access the distribution points. If you create or modify the account after the package is created, you must redistribute the package. Updating the package does not change the NTFS file system permissions on the package. You do not have to add the Network Access Account as a Package Access Account, because membership of the Users group adds it automatically. Restricting the Package Access Account to only the Network Access Account does not prevent clients from accessing the package. To manage access accounts 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content for which you want to manage access accounts: Applications: Expand Application Management, click Applications, and then select the applications for which to manage access accounts. Packages: Expand Application Management, click Packages, and then select the packages for which to manage access accounts. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages for which to manage access accounts. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages for which to manage access accounts.
1604

Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images for which to manage access accounts. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers for which to manage access accounts. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images for which to manage access accounts.

3. Right-click the selected object, and then click Manage Access Accounts. 4. In the Add Account dialog box, specify the account type that will be granted access to the content, and then specify the access rights associated with the account. Note When you add a user name for the account and Configuration Manager finds a local user account and a domain user account with that name, Configuration Manager with no service pack sets access rights for the local user account. Starting in Configuration Manager SP1, Configuration Manager sets access rights for the domain user account.

Update Content on Distribution Points

When you add new files or replace existing files with a newer version, to the source file location for the package, you can update the content files on distribution points by using the Update Distribution Points or Update Content action. The content files are copied from the source file path to the content library on the site that owns the package content source, the package version is incremented, and the distribution points are updated with only the files that have changed in the package. Warning The package version for applications is always 1. When you update the content for an application deployment type, Configuration Manager creates a new content ID for the deployment type, and the package references the new content ID. Use the following procedure to update content on distribution points. To update content on distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the applications that you want to distribute. Click the Deployment Types tab, and then select the deployment type that you want to update. Packages: Expand Application Management, click Packages, and then select the packages that you want to update.
1605

Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages that you want to update. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to update. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to update. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you want to update. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to update.

3. On the Home tab, in the Deployment group, click Update Distribution Points, and then click OK to confirm that you want to update the content. Note To update content for applications, click the Deployment Types tab, right-click the deployment type, click Update Content, and then click OK to confirm that you want to refresh the content. Note When you update content for boot images, the Manage Distribution Point Wizard opens. Review the information on the Summary page, and then complete the wizard to update the content.

Redistribute Content on Distribution Points

You can redistribute a package to copy all of the content files in the package to distribution points or distribution point groups and thereby overwrite the existing files. You typically use this operation to repair content files in the package or resend the content when the initial distribution fails. You can redistribute a package in package properties, distribution point properties, or distribution point group properties. Use one of the following procedures to redistribute the content files in a package to distribution points. To redistribute content from package properties 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to distribute: Applications: Expand Application Management, click Applications, and then select the application that you want to redistribute. Packages: Expand Application Management, click Packages, and then select the package that you want to redistribute. Deployment Packages: Expand Software Updates, click Deployment Packages,
1606

and then select the deployment package that you want to redistribute. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to redistribute. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to redistribute. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to redistribute. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to redistribute.

3. On the Home tab, in the Properties group, click Properties. 4. Click the Content Locations tab, select the distribution point or distribution point group in which you want to redistribute the content, click Redistribute, and then click OK. To redistribute content from distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to redistribute content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to redistribute, click Redistribute, and then click OK. To redistribute content from distribution point group properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to redistribute content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to redistribute, click Redistribute, and then click OK. Important The content in the package is redistributed to all of the distribution points in the distribution point group.

Remove Content on Distribution Points

When you no longer require content on your distribution points, you can remove the content files on the distribution point. When the content is associated with another package that was distributed to the same distribution point, you cannot remove the content. You can remove the content in package properties, distribution point properties, or distribution point group properties. Use one of the following procedures to remove the content files from distribution points.
1607

To remove package content files from distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to delete: Applications: Expand Application Management, click Applications, and then select the application that you want to remove. Packages: Expand Application Management, click Packages, and then select the package that you want to remove. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment package that you want to remove. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to remove. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to remove. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to remove. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to remove.

3. On the Home tab, in the Properties group, click Properties. 4. Click the Content Locations tab, select the distribution point or distribution point group from which you want to remove the content, click Remove, and then click OK. To remove package content from distribution point properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to delete the content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to remove, click Remove, and then click OK. To remove content from distribution point group properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Point Groups, and then select the distribution point group in which you want to remove content. 3. On the Home tab, in the Properties group, click Properties. 4. Click the Content tab, select the content to remove, click Remove, and then click OK.

1608

Prestage Content
You can prestage content files for applications and package types in Configuration Manager. In the Configuration Manager console, you select the content that you need and then use the Create Prestaged Content File Wizard to create a compressed, prestaged content file that contains the files and associated metadata for the content that you selected. You can then manually import the content at a site server, secondary site, or distribution point. When you import the prestaged content file on a site server, the content files are added to the content library on the site server, and then registered in the site server database. When you import the prestaged content file on a distribution point, the content files are added to the content library on the distribution point, and a status message is sent to the site server that informs the site that the content is available on the distribution point. Important When the distribution point is located on the site server, do not enable the distribution point for prestaged content. Instead, use the procedure in How to Prestage Content to Distribution Points Located on a Site Server. Important When the distribution point is configured as a pull-distribution point, do not enable the distribution point for prestaged content. The prestage content configuration for a distribution point overrides the pull-distribution point configuration. A pull-distribution point that is configured for prestaged content does not pull content from source distribution point and does not receive content from the site server. Important The content library must be created on the distribution point before you can prestage content to the distribution point. Distribute content over the network at least one time before you prestage content to the distribution point. Important When you prestage content for a package with a long package source path (for example, more than 140 characters), the Extract Content command-line tool might fail to successfully extract the content for that package to the content library. Note For information about when to prestage content files, see the Determine Whether To Prestage Content section in the Planning for Content Management in Configuration Manager topic. Use the following sections to prestage content.

1609

Step 1: Create a Prestaged Content File

You can create a compressed, prestaged content file that contains the files and associated metadata for the content that you select in the Configuration Manager console. Use the following procedure to create a prestaged content file. To create a prestaged content file 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to prestage: Applications: Expand Application Management, click Applications, and then select the applications that you want to prestage. Packages: Expand Application Management, click Packages, and then select the packages that you want to prestage. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you want to prestage. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you want to prestage. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you want to prestage. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you want to prestage. Task Sequences: Expand Operating Systems, click Task Sequences, and then select the task sequence that you want to prestage.

3. On the Home tab, in the Deployment group, click Create Prestage Content File. The Create Prestaged Content File Wizard opens. Note For Applications: On the Home tab, in the Application group, click Create Prestaged Content File. For Packages: On the Home tab, in the <PackageName> group, click Create Prestaged Content File. 4. On the General page, click Browse, choose the location for the prestaged content file, specify a name for the file, and then click Save. You use this prestaged content file on primary site servers, secondary site servers, or distribution points to import the content and metadata. 5. For applications, select Export all dependencies to have Configuration Manager detect and add the dependencies associated with the application to the prestaged content file. By default, this setting is selected. 6. In Administrator comments, enter optional comments about the prestaged content file, and then click Next. 7. On the Content page, verify that the content listed is the content that you want to add to
1610

the prestaged content file, and then click Next. 8. On the Content Locations page, specify the distribution points from which to retrieve the content files for the prestaged content file. You can select more than one distribution point to retrieve the content. The distribution points are listed in the Content locations section. The Content column displays how many of the selected packages or applications are available on each distribution point. Configuration Manager starts with the first distribution point in the list to retrieve the selected content, and then moves down the list in order to retrieve the remaining content required for the prestaged content file. Click Move Up or Move Down to change the priority order of the distribution points. When the distribution points in the list do not contain all of the selected content, you must add distribution points to the list that contain the content or exit the wizard, distribute the content to at least one distribution point, and then restart the wizard. 9. On the Summary page, confirm the details. You can go back to previous pages and make changes. Click Next to create the prestaged content file. 10. The Progress page displays the content that is being added to the prestaged content file. 11. On the Completion page, verify that the prestaged content file was created successfully, and then click Close.

Step 2: Assign the Content to Distribution Points

After you prestage the content file, assign the content to distribution points. Note When you use a prestaged content file to recover the content library on a site server, and do not have to prestage the content files on a distribution point, you can skip this procedure. Use the following procedure to assign the content in the prestaged content file to distribution points. Important Verify that the distribution points that you want to prestage are identified as prestaged distribution points or the content is distributed to the distribution points by using the network. For more information about configuring the distribution point as prestaged, see the To configure the distribution point properties procedure in the Configuring Content Management in Configuration Manager topic. To assign the content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you selected when you created the prestaged content file: Applications: Expand Application Management, click Applications, and then select the applications that you prestaged. Packages: Expand Application Management, click Packages, and then select the
1611

packages that you prestaged. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment packages that you prestaged. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver packages that you prestaged. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system images that you prestaged. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installers that you prestaged. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot images that you prestaged.

3. On the Home tab, in the Deployment group, click Distribute Content. The Distribute Content Wizard opens. 4. On the General page, verify that the content listed is the content that you prestaged, choose whether you want Configuration Manager to detect content dependencies that are associated with the selected content and add the dependencies to the distribution, and then click Next. Note You have the option to configure the Detect associated content dependencies and add them to this distribution setting only for the application content type. Configuration Manager automatically configures this setting for task sequences, and it cannot be modified. 5. On the Content page, if displayed, verify that the content listed is the content that you want to distribute, and then click Next. Note The Content page displays only when the Detect associated content dependencies and add them to this distribution setting is selected on the General page of the wizard. 6. On the Content Destination page, click Add, choose one of the following that includes the distribution points to be prestaged, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about associating collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click
1612

OK. Distribution point groups that have previously received the content are not displayed. When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether or not the content was successfully assigned to the distribution points. To monitor the content distribution, see the Content Status Monitoring section in this topic.

Step 3: Extract the Content from the Prestaged Content File

After you create the prestaged content file and assign the content to distribution points, you can extract the content files to the content library on a site server or distribution point. Typically, you have copied the prestaged content file to a portable drive, such as a USB drive, or burn the content to media, such as a DVD, and have it available at the location of the site server or distribution point that requires the content. Use the following procedure to manually export the content files from the prestaged content file by using the Extract Content command-line tool. Important When you run the Extract Content command-line tool, the tool creates a temporary file as it creates the prestaged content file. Then, the file is copied to the destination folder and the temporary file is deleted. You must have sufficient disk space for this temporary file or the process fails. The temporary file is created in the following location: In Configuration Manager with no service pack, the temporary file is created in the system drive of the computer that hosts the destination folder that you specify for the prestaged content file. Beginning with Configuration Manager SP1, the temporary file is created in same folder that you specify as the destination folder for the prestaged content file.

Security The user that runs the Extract Content command-line tool must have administrator rights on the computer from which you are extracting the prestaged content. To extract the content files from the prestaged content file 1. Copy the prestaged content file to the computer from which you want to extract the content. 2. Copy the Extract Content command-line tool from <ConfigMgrInstallationPath>\bin\<platform> to the computer from which you want to extract the prestaged content file. 3. Open the command prompt and navigate to the folder location of the prestaged content file and Extract Content tool.

1613

Note You can extract one or more prestaged content files on a site server, secondary site server, or distribution point. 4. Type extractcontent /P:<PrestagedFileLocation>\<PrestagedFileName> /S to import a single file. Type extractcontent /P:<PrestagedFileLocation> /S to import all prestaged files in the specified folder. For example, type extractcontent /P:D:\PrestagedFiles\MyPrestagedFile.pkgx /S where D:\PrestagedFiles\ is the PrestagedFileLocation, MyPrestagedFile.pkgx is the prestaged file name, and /S informs Configuration Manager to extract only content files that are newer than what is currently on the distribution point. When you extract the prestaged content file on a site server, the content files are added to the content library on the site server, and then the content availability is registered in the site server database. When you export the prestaged content file on a distribution point, the content files are added to the content library on the distribution point, the distribution point sends a status message to the parent primary site server, and then the content availability is registered in the site database. Important In the following scenario, you must update content that you extracted from a prestaged content file when the content is updated to a new version: a. You create a prestaged content file for version 1 of a package. b. You update the source files for the package with version 2. c. You extract the prestaged content file (version 1 of the package) on a distribution point. Configuration Manager does not automatically distribute package version 2 to the distribution point. You must create a new prestaged content file that contains the new file version and then extract the content, update the distribution point to distribute the files that have changed, or redistribute all files in the package.

Initiate Content Validation

The content validation process verifies the integrity of content files on distribution points. You enable content validation on a schedule, or you can manually initiate content validation from the properties of distribution points and packages. When the content validation process starts, Configuration Manager verifies the content files on distribution points, and if the file hash is unexpected for the files on the distribution point, Configuration Manager creates a status message that you can review in the Monitoring workspace. For more information about configuring the content validation schedule, see the To configure the distribution point properties procedure in the Configuring Content Management in Configuration Manager topic. Use one of the following procedures to manually initiate content validation.
1614

To initiate content validation for all content on a distribution point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Distribution Points, and then select the distribution point in which you want to validate content. 3. On the Home tab, in the Properties group, click Properties. 4. On the Content tab, select the package in which you want to validate the content, click Validate, click OK, and then click OK. The content validation process initiates for the package on the distribution point. 5. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is displayed. For more information about monitoring content status, see Content Status Monitoring in this topic. To initiate content validation for a package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, select one of the following steps for the type of content that you want to validate: Applications: Expand Application Management, click Applications, and then select the application that you want to validate. Packages: Expand Application Management, click Packages, and then select the package that you want to validate. Deployment Packages: Expand Software Updates, click Deployment Packages, and then select the deployment package that you want to validate. Driver Packages: Expand Operating Systems, click Driver Packages, and then select the driver package that you want to validate. Operating System Images: Expand Operating Systems, click Operating System Images, and then select the operating system image that you want to validate. Operating System Installers: Expand Operating Systems, click Operating System Installers, and then select the operating system installer that you want to validate. Boot Images: Expand Operating Systems, click Boot Images, and then select the boot image that you want to prestage.

3. On the Home tab, in the Properties group, click Properties. 4. On the Content Locations tab, select the distribution point or distribution point group in which to validate the content, click Validate, click OK, and then click OK. The content validation process starts for the content on the selected distribution point or distribution point group. 5. To view the results of the content validation process, in the Monitoring workspace, expand Distribution Status, and click the Content Status node. The content for each package type (for example, Application, Software Update Package, and Boot Image) is
1615

displayed. For more information about monitoring the content status, see Content Status Monitoring in this topic.

Monitor Content
The Configuration Manager console provides improved content monitoring, including the status for all package types in relation to the associated distribution points, including the content validation status for the content in the package, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point (Content validation, PXE, and multicast). Note Configuration Manager only monitors the content on a distribution point that is in the content library. Content stored on the distribution point in package or custom shares is not monitored.

Content Status Monitoring

The Content Status node in the Monitoring workspace provides information about content packages. In the Configuration Manager console, you can review information such as the package name, type, how many distribution points have been targeted, the compliance rate, when the package was created, package ID, and source version. You also find information about distribution status for the package, such as the number of failures, pending distributions, installations, and so on. You can also view detailed status information for any package. Beginning with System Center 2012 R2 Configuration Manager, when you view the status of a distribution in the Content Status node, you can manage distributions that remain in progress to a distribution point or that failed to successfully distribute content to a distribution point. The applicable option to either cancel or redistribute content is available when you view the deployment status message of a distribution job to a distribution point in the Asset Details pane of either the In Progress tab or Error tab of the Content Status node. Additionally, the job details display the percentage of the job that has completed when you view the details of a job on the In Progress tab, and the number of retries that remain for a job as well as how long before the next retry occurs when you view the details of a job that is available from the Error tab. When you cancel a deployment that is not yet complete, the distribution job to transfer that content stops. The status of the deployment then updates to indicate the distribution failed and was canceled by a user action. This new status appears in the Error tab. When you redistribute content that previously failed to transfer to a distribution point, Configuration Manager immediately begins deploying that content to the distribution point again and updates the status of the deployment to reflect the ongoing state of that redeployment. When a deployment is near completion, it is possible the action to cancel that distribution will not process before the distribution to the distribution point completes. When this occurs, the action to cancel the deployment is ignored, and the status for the deployment displays as successful. Note
1616

Although you can select the option to cancel a distribution to a distribution point that is located on a site server, this has no effect. This is because the site server and the distribution point on a site server share the same single instance content store and there is no actual distribution job to cancel. Use the following procedures to view content status and manage distributions that remain in progress or that failed. To monitor content status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package in which you want detailed status information. 4. On the Home tab, click View Status. Detailed status information for the package is displayed. To cancel a distribution that remains in progress 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package you want to manage, and then in the details pane, click View Status. 4. In the Asset Details pane of the In Progress tab, right-click on the entry for the distribution that you want to cancel, and select Cancel. 5. Click Yes to confirm the action and cancel the distribution job to that distribution point. To redistribute content that failed to distribute 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package you want to manage, and then in the details pane, click View Status. 4. In the Asset Details pane of the Error tab, right-click on the entry for the distribution that you want to redistribute, and select Redistribute. 5. Click Yes to confirm the action, and start the redistribution process to that distribution point.

Distribution Point Group Status

The Distribution Point Group Status node in the Monitoring workspace provides information about distribution point groups. You can review information such as the distribution point group name, description, how many distribution points are members of the distribution point group, how many packages have been assigned to the group, distribution point group status, and compliance rate. You also find information about errors for the distribution point group, how many distributions
1617

are in progress, how many have been successfully distributed, and so on. You can also view detailed status information for the distribution point group. Use the following procedure to view distribution point group status. To monitor distribution point group status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Distribution Point Group Status. The distribution point groups are displayed. 3. Select the distribution point group in which you want detailed status information. 4. On the Home tab, click View Status. Detailed status information for the distribution point group is displayed.

Distribution Point Configuration Status

The Distribution Point Configuration Status node in the Monitoring workspace provides information about the distribution point. You can review what attributes are enabled for the distribution point, such as the PXE, multicast, and content validation, and the distribution status for the distribution point. You can also view detailed status information for the distribution point. Warning Distribution point configuration status is relative to the last 24 hours. If the distribution point has an error and recovers, the error status might be displayed for up to 24 hours after the distribution point recovers. Use the following procedure to view distribution point configuration status. To monitor distribution point configuration status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Distribution Point Configuration Status. The distribution points are displayed. 3. Select the distribution point in which you want distribution point status information. 4. In the results pane, click the Details tab. Status information for the distribution point is displayed.

See Also
Content Management in Configuration Manager

1618

How to Prestage Content to Distribution Points Located on a Site Server

You can prestage content to add content files to the content library on a site server or distribution point before you distribute the content. Because the content files are already in the content library, they are not transferred over the network when you distribute the content. When a distribution point is installed on a site server, you must use the following procedure to successfully prestage content. When the distribution point is not enabled for prestage content or when the distribution point is not located on a site server, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. To prestage content on distribution points located on a site server 1. Use the following steps to verify that the distribution point is not enabled for prestaged content. a. In the Configuration Manager console, click Administration. b. In the Administration workspace, click Distribution Points, and then select the distribution point that is located on the site server. c. On the Home tab, in the Properties group, click Properties. d. On the General tab, verify that the Enable this distribution point for prestaged content check box is not selected. 2. Create the prestaged content file by using the Step 1: Create a Prestaged Content File section in the Operations and Maintenance for Content Management in Configuration Manager topic. 3. On the site server, export the content from the prestaged content file by using the Step 2: Export the Content from the Prestaged Content File section in the Operations and Maintenance for Content Management in Configuration Manager topic. 4. Assign the content to the distribution point by using the Step 3: Assign the Content to Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Note When the distribution point is on a secondary site, wait for at least 10 minutes, and then by using a Configuration Manager console that is connected to the parent primary site, assign the content to the distribution point on the secondary site.

See Also
Operations and Maintenance for Content Management in Configuration Manager

1619

Security and Privacy for Content Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for content management in System Center 2012 Configuration Manager. Read it in conjunction with the following topics: Security and Privacy for Application Management in Configuration Manager Security and Privacy for Software Updates in Configuration Manager Security and Privacy for Deploying Operating Systems in Configuration Manager

Security Best Practices for Content Management

Use the following security best practices for content management:
Security best practice More information

For distribution points on the intranet, consider the advantages and disadvantages of using HTTPS and HTTP

Differences between HTTPS and HTTP for distribution points: When you use HTTPS for a distribution point, Configuration Manager does not use package access accounts to authorize access to the content, but the content is encrypted when it transferred over the network. When you use HTTP for a distribution point, you can use package access accounts for authorization, but the content is not encrypted when it is transferred over the network.

In most scenarios, using HTTP and package access accounts for authorization provides more security than using HTTPS with encryption but without authorization. However, if you have sensitive data in your content that you want to encrypt during transfer, use HTTPS. If you use a PKI client authentication certificate rather than a self-signed certificate for the When you require a password to import the client authentication certificate that you use for
1620

Security best practice

More information

distribution point, protect the certificate file (.pfx) with a strong password. If you store the file on the network, secure the network channel when you import the file into Configuration Manager.

the distribution point to communicate with management points, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. By default, a distribution point is installed on the same server as the site server. Clients do not have to communicate directly with the site server, so to reduce the attack surface, assign the distribution point role to other site systems and remove it from the site server. The distribution point share allows Read access to all users. To restrict which users can access the content, use package access accounts when the distribution point is configured for HTTP. For more information about the Package Access Account, see the Manage Accounts to Access Package Content section in the Operations and Maintenance for Content Management in Configuration Manager topic The distribution point does not require HTTP Redirection and IIS Management Scripts and Tools. To reduce the attack surface, remove these role services for the web server (IIS) role. For more information about the role services for the web server (IIS) role for distribution points, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic. Because changes to the access accounts on the package files become effective only when you redistribute the package, set the package access permissions carefully when you first create the package. This is particularly important for the following scenarios: The package is large. You are distributing the package to many
1621

Remove the distribution point role from the site server.

Secure content at the package access level. Note This does not apply to cloud-based distribution points on Configuration Manager SP1, which do not support package access accounts.

If Configuration Manager installs IIS when you add a distribution point site system role, remove HTTP Redirection and IIS Management Scripts and Tools when the distribution point installation is complete

Set package access permissions when you create the package

Security best practice

More information

distribution points. Implement access controls to protect media that contains prestaged content The network bandwidth capacity for content distribution is limited.

Prestaged content is compressed but not encrypted. An attacker could read and modify the files that are then downloaded to devices. Configuration Manager clients will reject content that is tampered with, but they still download it. To avoid tampering and elevation of privileges, use only the authorized command-line tool that is supplied with Configuration Manager.

Import prestaged content by using only the ExtractContent command-line tool (ExtractContent.exe) that is supplied with Configuration Manager and make sure that is signed by Microsoft Secure the communication channel between the site server and the package source location

Use IPsec or SMB signing between the site server and the package source location for when you create applications and packages. This helps to prevent an attacker from tampering with the source files. When you change from using the default website to using a custom website, Configuration Manager does not remove the old virtual directories. Remove the virtual directories that Configuration Manager originally created under the default website: SMS_DP_SMSPKG$ SMS_DP_SMSSIG$ NOCERT_SMS_DP_SMSPKG$ NOCERT_SMS_DP_SMSSIG$

If you change the site configuration option to use a custom website rather than the default website after any distribution point roles are installed, remove the default virtual directories

For cloud-based distribution points which are available beginning with Configuration Manager SP1: Protect your subscription details and certificates

When you use cloud-based distribution points, protect the following high-value items: The user name and password for your Windows Azure subscription. The Windows Azure management certificate. The cloud-based distribution point service certificate.

Store the certificates securely and if you

1622

Security best practice

More information

browse to them over the network when you configure the cloud-based distribution point, use IPsec or SMB signing between the site system server and the source location. For cloud-based distribution points which are available beginning with Configuration Manager SP1: For service continuity, monitor the expiry date of the certificates Configuration Manager does not warn you when the imported certificates for management of the cloud-based distribution point service is about to expire. You must monitor the expiry dates independently from Configuration Manager and make sure that you renew and then import the new certificate before the expiry date. This is particularly important if you purchase a Configuration Manager cloud-based distribution point service certificate from an external certification authority (CA), because you might need additional time to obtain a renewed certificate. Note If either certificate expires, Cloud Services Manager generates the status message ID 9425 and the CloudMgr.log file contains an entry to indicate that the certificate is in expired state, with the expiry date also logged in UTC.

Security Issues for Content Management

Content management has the following security issues: Clients do not validate content until after it is downloaded Configuration Manager clients validate the hash on content only after it is downloaded to their client cache. If an attacker tampers with the list of files to download or with the content itself, the download process can take up considerable network bandwidth for the client to then discard the content when it encounters the invalid hash. You cannot restrict access to content hosted by cloud-based distribution points to users or groups Beginning with Configuration Manager SP1, when you use cloud-based distribution points, access to the content is automatically restricted to your enterprise and you cannot restrict it further to selected users or groups.
1623

A blocked client can continue to download content from a cloud-based distribution point for up to 8 hours Beginning with Configuration Manager SP1, when you use cloud-based distribution points, clients are authenticated by the management point and then use a Configuration Manager token to access cloud-based distribution points. The token is valid for 8 hours so if you block a client because it is no longer trusted, it can continue to download content from a cloudbased distribution point until the validity period of this token is expired. At this point, the management point will not issue another token for the client because the client is blocked. To avoid a blocked client from downloading content within this 8 hour window, you can stop the cloud service from the Cloud node, Hierarchy Configuration, in the Administration workspace in the Configuration Manager console. For more information, see Manage Cloud Services for Configuration Manager.

Privacy Information for Content Management

Configuration Manager does not include any user data in content files, although an administrative user might choose to do this. Before you configure content management, consider your privacy requirements.

See Also
Content Management in Configuration Manager

Technical Reference for Content Management in Configuration Manager

This section contains technical reference information for Content Management in System Center 2012 Configuration Manager.

Technical Reference Topics

There is currently no technical reference information for Content Management in Configuration Manager.

Other Resources for this Product

Documentation Library for System Center 2012 Configuration Manager Content Management in Configuration Manager

1624

Application Management in Configuration Manager

Application management in Microsoft System Center 2012 Configuration Manager provides a set of tools and resources that can help you to create, manage, deploy, and monitor applications in the enterprise. Use the topics in the following section for detailed information about application management in Configuration Manager.

Application Management Topics

Use the following topics learn how to create, manage, deploy, and monitor applications in Configuration Manager. Introduction to Application Management in Configuration Manager Planning for Application Management in Configuration Manager Configuring the Application Catalog and Software Center in Configuration Manager Operations and Maintenance for Application Management in Configuration Manager Packages and Programs in Configuration Manager Deploying Software to Linux and UNIX Servers in Configuration Manager Security and Privacy for Application Management in Configuration Manager Technical Reference for Application Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Application Management in Configuration Manager

Application management in System Center 2012 Configuration Manager provides both Configuration Manager administrative users and client device users with the tools to manage applications in the enterprise. Important A device, in Configuration Manager, is a collective term that includes any kind of computer such as a desktop, server, or a portable computer, and mobile device, such as a phone or tablet. An application in Configuration Manager contains the files and information that are required to deploy software to a device. Applications are similar to packages in Configuration Manager 2007,
1625

but contain more information to support smart deployment. An application must contain one or more deployment types which contain the installation files for a software package. By using deployment types with applications, you can create one application which contains multiple installation files for a software package on different platforms such as a Windows computer or an iOS device. Configuration Manager can then use rules that you configure to determine which software package gets installed on which device. Applications in Configuration Manager support user-centric management so that you can associate specific users with specific devices. Instead of having to remember the name of a users device, you can now deploy software to the user and to the device. This functionality can help you make sure that the most important software is always available on each device that a specific user accesses. If a user acquires a new computer, you can automatically install the users applications on the device before the user logs on. For more information, see How to Manage User Device Affinity in Configuration Manager. Applications in Configuration Manager support state-based monitoring, by which you can track the last application deployment state for users and devices. The state messages display information about individual devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the deployment and the deployment purpose in the Configuration Manager console. You can monitor the deployment of all software by using the Monitoring workspace in the Configuration Manager console. Software deployments include software updates, compliance settings, applications, task sequences, and packages and programs. For more information, see How to Monitor Applications in Configuration Manager. Application deployments are regularly re-evaluated by Configuration Manager. For example: A deployed application is uninstalled by the end-user. At the next evaluation cycle, Configuration Manager detects that the application is not present and reinstalls it. An application was not installed on a device because it failed to meet the requirements. Later, a change is made to the device and it now meets the requirements. Configuration Manager detects this change and the application is installed.

You can configure the re-evaluation interval for application deployments by using the Schedule re-evaluation for deployments client setting. For more information, see About Client Settings in Configuration Manager. For an example scenario that shows how you might deploy and manage the life-cycle of an application in your environment, see Example Scenario for Managing Applications by Using Configuration Manager. Use the following sections in this topic to help you learn more about application management in Configuration Manager: The Application Management Workflow Typical Elements of an Application Deployment Types Supported by Configuration Manager Monitoring Application Deployments Application Catalog, Software Center, and Company Portals User Device Affinity
1626

Packages and Programs in Configuration Manager Support for Windows Embedded Devices That Use Write Filters Using App-V Virtual Applications with Configuration Manager

The Application Management Workflow

The elements in this table outline the application management process in Configuration Manager:
Operation Description More Information

Create an application

Use the Create Application Wizard to create applications in Configuration Manager. Use the Create Deployment Type Wizard to create one or more deployment types that contain the installation files and commands for the software package. Use simulated deployments to test the applicability of an application deployment to computers without actually installing or uninstalling the application. Use the Deploy Software Wizard to deploy the application to devices. You can monitor the deployment of applications in the Configuration Manager console, and by using reports. Configuration Manager provides tools to help you produce new versions of an application and to supersede older versions of an application. Deploy an application with a deployment action of Uninstall

For more information, see How to Create Applications in Configuration Manager. For more information, see the Steps to Create a Deployment Type section in the How to Create Applications in Configuration Manager topic. For more information, see How to Simulate an Application Deployment in Configuration Manager.

Create deployment types for the application

Perform a simulated deployment of the application

Deploy the application

For more information, see How to Deploy Applications in Configuration Manager. For more information, see How to Monitor Applications in Configuration Manager. For more information, see How to Manage Application Revisions in Configuration Manager and How to Use Application Supersedence in Configuration Manager. For more information, see How to Uninstall Applications in
1627

Monitor the application

Deploy new versions of the application

Uninstall the application

Operation

Description

More Information

to remove the application.

Configuration Manager.

Typical Elements of an Application

You can deploy applications to any device that supports being managed by Configuration Manager by using the Deploy Software Wizard. An application and its deployment types might typically contain the elements described here.
Component Description More Information Supported by

Requirements

In Configuration Manager 2007, query-based collections were the primary method of determining which devices installed which software package. For example, you might create a collection of all computers that have more than 4GB of RAM and then distribute a software package to only that collection. System Center 2012 Configuration Manager removes the need to create collections (although you can still do this) by introducing requirements which are processed by the client device when the application is deployed. For example, you can specify that an application can be installed only on computers that run Windows 7. You can then deploy the application to all devices, but it will only be installed on the computers that meet the specified requirements.

For more information about requirements, see How to Create Applications in Configuration Manager. For more information about client settings, see About Client Settings in Configuration Manager.

Requirements are not supported by Windows Phone 8 and Android devices.

1628

Component

Description

More Information

Supported by

The Configuration Manager client evaluates requirements to determine whether an application and any of its deployment types will be installed. Then it determines the correct deployment type by which to install an application. Every seven days, by default, the requirement rules are reevaluated to ensure compliance according to the client setting Schedule reevaluation for deployments. Global conditions You can configure requirement rules to use with only a single specific deployment type, or you can create global conditions that are available to use with any deployment type. Configuration Manager contains a set of built-in requirements or you can define custom requirements. Simulated deployment You can use simulated deployments to test the applicability of an application deployment to devices without installing the application. When you deploy a simulated deployment, the devices to which the application is deployed evaluate the detection method, For more information, see How to Simulate an Application Deployment in Configuration Manager. For more information, see How to Create Global Conditions in Configuration Manager. Global conditions are not supported by Windows Phone 8 and Android devices. Global conditions are not supported for Mac computers.

You cannot use simulated deployments for collections of mobile devices. Simulated deployments cannot be used to deploy packages and programs.

1629

Component

Description

More Information

Supported by

requirements, and dependencies for a deployment type and then return the evaluation results to the Configuration Manager site. You can view these results in the Deployments node in the Monitoring workspace. Deployment action When you deploy an application, you can specify a deployment action of Install or Uninstall to control whether the application is installed or uninstalled on client devices. For more information, see How to Deploy Applications in Configuration Manager and How to Uninstall Applications in Configuration Manager. For more information, see How to Deploy Applications in Configuration Manager. For System Center 2012 R2 Configuration Manager only: Mobile devices that are enrolled by Windows Intune now support a deployment action of Uninstall. Mobile devices that are enrolled by Configuration Manager do not support applications with a deployment purpose of available. For System Center 2012 R2 Configuration Manager only: Mobile devices that are enrolled by Windows Intune support a deployment purpose of Required if they are configured as Company-owned. Mobile apps with a deployment purpose
1630

Deployment purpose

The deployment purpose is specified in the Deploy Software Wizard. You can choose from two values: Available If the application is deployed to a user, the user sees the published application in the Application Catalog and can request it on demand. If the application is deployed to a device, the user sees and then can install on demand the applications listed in Software Center or a company portal. Required The application is deployed automatically. This typically occurs

Component

Description

More Information

Supported by

according to the configured schedule. However, a user can track the application deployment status and install the application before the deadline by using Software Center or a company portal.

of Required automatically install on Windows 8.1 and Windows RT. For iOS and Android devices the user must consent to the download before mobile apps are installed. You cannot deploy applications to Mac computers that have a purpose of Available. Linux and UNIX servers do not support the deployment purpose option. Application deployments that contain a deployment type featuring a link to an app store do not support a deployment purpose of Available.

Revisions

When you modify an application, a new revision of the application is created. Earlier versions of the application are stored and you can retrieve them later if they are necessary. There are several available methods to determine whether a deployment type is already present on a

For more No additional information, see How information. to Manage Application Revisions in Configuration Manager. For more information, see How to Create Applications in The available detection methods will vary depending on the device you
1631

Detection method

Component

Description

More Information

Supported by

device. You can detect a Windows Installer product code, a file or a folder, or a registry value to determine whether a deployment type is present. You can also write a script to detect whether a deployment type is present on the device. Dependencies A dependency defines one or more prerequisite deployment types that must be installed before another specified deployment type can be installed. You can configure the prerequisite dependent deployment types to install automatically before the dependent deployment type is installed. You can upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace the deployment type of the superseded application and also configure whether to upgrade or uninstall the superseded application before the superseding application is installed.

Configuration Manager.

are creating a deployment type for.

For more No additional information, see How information. to Create Applications in Configuration Manager.

Supersedence

For more No additional information, see How information. to Use Application Supersedence in Configuration Manager.

1632

Deployment Types Supported by Configuration Manager

Configuration Manager supports the deployment types shown in the following sections: Note When you create an application or a deployment type by reading an application installation file, Configuration Manager can automatically populate some fields of the wizard with information from the file and associated installation files in the same folder.

Deployment Types supported by Configuration Manager with no Service Pack, Configuration Manager SP1, and System Center 2012 R2 Configuration Manager
Deployment type name Description

Windows Installer (Native) (Configuration Manager with no service pack) or Windows Installer (*.msi file) (Configuration Manager SP1) and System Center 2012 R2 Configuration Manager

Creates a deployment type from a Windows Installer file.

Script Installer (Native) (Configuration Creates a deployment type that specifies a Manager with no service pack) or Script script that runs on client devices to install Installer (Configuration Manager SP1) and content or to perform an action. System Center 2012 R2 Configuration Manager Microsoft Application Virtualization (Configuration Manager with no service pack) or Microsoft Application Virtualization 4 (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) Windows Mobile Cabinet Nokia SIS file Creates a deployment type from a Microsoft Application Virtualization 4 manifest.

Creates a deployment type from a Windows Mobile Cabinet (CAB) file. Creates a deployment type from a Nokia Symbian Installation Source (SIS) file.

Deployment Types Supported by Configuration Manager SP1 and System Center 2012 R2 Configuration Manager

1633

Deployment type name

Description

Windows app package (.appx file) Windows app package (in the Windows Store)

Creates a deployment type for Windows 8 or Windows RT from a Windows app package file. Creates a deployment type for Windows 8 or Windows RT by specifying a link to the app in the Windows Store by browsing to a computer that already has the app installed. Creates a deployment type from a Microsoft Application Virtualization 5 package file. Creates a deployment type from a Windows Phone app package file. Tip You can download sample Windows Phone 8 apps from the Windows Phone Dev Center.

Microsoft Application Virtualization 5 Windows Phone app package (*.xap file)

Windows Phone app package (in the Windows Phone Store) App package for iOS (*.ipa file) App package for iOS from App Store App package for Android (*.apk file) App package for Android on Google Play Mac OS X

Creates a deployment type by specifying a link to the app in the Windows Phone. Creates a deployment type from an iOS app package file. Creates a deployment type by specifying a link to the iOS app in the App Store. Creates a deployment type from an Android app package file. Creates a deployment type by specifying a link to the app on Google Play. Creates a deployment type for Mac computers from a .cmmac file that you have created with the CMAppUtil utility.

Deployment Types Supported by System Center 2012 R2 Configuration Manager Only.

Deployment type name Description

Web Application

Creates a deployment type that specifies a link to a web application. The deployment type
1634

Deployment type name

Description

installs a shortcut to the web application on the users device.

Monitoring Application Deployments

You can monitor the deployment of all software by using the Monitoring workspace in the Configuration Manager console. Software deployments include software updates, compliance settings, applications, task sequences, and packages and programs. Applications in Configuration Manager support state-based monitoring, by which you can track the last application deployment state for users and devices. The state messages display information about individual devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the deployment and the deployment purpose in the Configuration Manager console. An application deployment has one of the following compliance states: Success The application deployment succeeded or was found to be already installed. In Progress The application deployment is in progress. Unknown The state of the application deployment could not be determined. This state is not applicable for deployments with a purpose of Available. Requirements Not Met The application was not deployed because the device was not compliant with a dependency or a requirement rule, or the operating system to which it was deployed was not applicable. Error The application did not deploy because of an error.

For each compliance state, you can view additional information. This information includes subcategories within the compliance state and the number of users and devices in the category. For example, the Error compliance state includes the following subcategories: Error evaluating policy Content related errors Installation Errors

You can use these subcategories to help you quickly identify any important issues with an application deployment. You can also view additional information about which devices fall into a particular subcategory of a compliance state. For more information, see How to How to Monitor Applications in Configuration Manager.

Application Catalog, Software Center, and Company Portals

The Application Catalog and company portals in Configuration Manager can give users control over how and when software is installed on their devices. Configuration Manager can also help
1635

ensure that the software that users need in order to perform their work is available wherever they log on, not just on their primary devices.

Software Center and the Application Catalog

Users of Windows-based computers can manage their software deployment experience by using the new client interface, Software Center. Software Center is automatically installed on client computers so that users can manage their own software. They can perform the following actions: Install software. Schedule software for automatic installation outside of working hours. Configure when Configuration Manager can install software on their device. Configure access settings for remote control if remote control is enabled in Configuration Manager. Configure options for power management if an administrative user enables this.

By using a link in Software Center, users can connect to the Application Catalog where they can browse for, install, and request software. In addition, users can use the Application Catalog to configure certain preference settings and remotely wipe their mobile devices if it is necessary. Because the Application Catalog website is hosted in Internet Information Services (IIS), users can also directly access the Application Catalog on a browser from the intranet or the Internet. As an administrative user, you can add the name of your organization to Software Center and the Application Catalog. This helps users recognize the application as being from a trusted source. You can also customize the Application Catalog by using different theme colors. The Application Catalog supports integration with external websites. For example, if you host a Microsoft SharePoint website, the catalog can be specified as the Web Page link in the Page Viewer. The Application Catalog maintains the style and theme that you configured. The Application Catalog does not support customization by using cascade style sheets (CSS). The Application Catalog requires two new site system roles on your site. Application Catalog web service point Provides software information from the Software Library to the Application Catalog website. Application Catalog website point Gives users a list of available software.

For more information about how to install and configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager. On a computer that is running Windows, the Configuration Manager client in Control Panel remains in System Center 2012 Configuration Manager. This can help administrative users troubleshoot problems with the client software.

Company Portals
Users who have mobile devices that are enrolled by Windows Intune and Android devices that are managed by the Exchange Server connector can install apps from the company portal. The company portal is the Application Catalog equivalent for these mobile devices.

1636

Company portals enable device users to access a list of available software and also to perform a number of management tasks on their Windows Phone 8, Windows RT, iOS, and Android devices.

User Device Affinity

With Configuration Manager, you can associate specific users with specific devices. This association is called user device affinity. This mapping of devices to users can remove the need to know the names of a users devices when yo u deploy applications. You can define primary devices for a user. These are typically the devices that users use daily to perform their work. When you create an affinity between a user and a device, you gain additional options for deploying software. For example, if a user must have Microsoft Visio, you can install the program on the users primary device by using a Windows Installer deployment. On a device that is not a primary device, you might deploy Microsoft Visio as a Microsoft Application Virtualization (App-V) virtual application. With user device affinity, you can deploy applications to a user without having to install the application on every device that the user logs on to. You can also pre-deploy software on a users device when the user is not logged on. Configuration Manager automatically manages user device affinities for the mobile devices that it enrolls and that are enrolled by Windows Intune. However, Configuration Manager does not create user device affinities for mobile devices that are discovered by using the Exchange Server connector. When Configuration Manager completes mobile device enrollment, users can see their mobile devices listed in the self-service website, Application Catalog. If Configuration Manager wipes the mobile device, Configuration Manager also automatically wipes the user device affinity information for the mobile device. Whereas Configuration Manager manages user device affinity automatically for enrolled mobile devices, you have more flexibility in how you can manage user device affinity for computers. You can define user device affinity for Windows computers by using any of the following methods: The computer user can specify that the device is a primary device in the Application Catalog. An administrative user can import a file that lists users and devices. An administrative user can configure the site to automatically create user device affinities that are based on collected usage statistics. An administrative user can then approve the detected user device affinities. An administrative user can manually create affinities. An administrative user can define user device affinity for a client computer during deployment of an operating system to a computer. Note Configuration Manager does not support user device affinity for Mac computers or Linux and UNIX servers. For more information, see How to Manage User Device Affinity in Configuration Manager.

1637

Packages and Programs in Configuration Manager

Configuration Manager continues to support packages and programs that were used in Configuration Manager 2007. A deployment that uses packages and programs is useful when you deploy any of the following: Scripts that do not install an application on a computer, such as a script to defragment the computer disk drive. One-time scripts that do not require monitoring. Scripts that run on a recurring schedule and do not use global conditions or requirement rules.

For more information, see Packages and Programs in Configuration Manager. In Configuration Manager SP1, you must use packages and programs to deploy software to Linux and UNIX servers. You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center site. For more information, see Configuration Manager Package Conversion Manager.

Support for Windows Embedded Devices That Use Write Filters

Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you deploy applications to Windows Embedded devices that are write filter-enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the software is deployed to a temporary overlay, and unless another deployment forces changes to be persisted, the software will no longer be installed when the device restarts. When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. This lets you manage when the write filter is disabled and enabled, and when the device restarts. The user experience setting that controls the write filter behavior is a check box named Commit changes at deadline or during a maintenance window (requires restarts). For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic.

1638

Using App-V Virtual Applications with Configuration Manager

You can use Configuration Manager to install and manage virtual applications as deployment types in an application. To deploy a virtual application, you must first create the virtual application by using the App-V Application Virtualization Sequencer. The sequencer monitors the installation and setup process for an application and records the information that is needed for the application to run in a virtual environment. You can also use the sequencer to configure which files and configurations apply to all users and which configurations users can customize. When you sequence an application, you must save the package to a location that can be accessed by Configuration Manager. You can then create an application deployment that contains this virtual application. Configuration Manager does not support use of the shared read-only cache feature of App-V. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Configuration Manager supports the shared content store feature in App-V 5. When you create a deployment type for a virtual application, Configuration Manager creates the deployment type by using the contents of the application manifest file. This is an XML file that contains information about the virtual application. Additionally, Configuration Manager creates requirements for the deployment type based on the contents of the App-V .osd file that contains information about the supported operating systems for the virtual application. For more information about how to create and sequence applications with App-V, see Application Virtualization in the TechNet Library. To deploy virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or a later version of the client installed. Additionally, before you can successfully deploy virtual applications, you must update the App-V client with the hotfix described in the Knowledge Base article 2645225. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you use connection groups in Microsoft Application Virtualization 5.0, your deployed virtual applications can share the same file system and registry on client computers. Unlike standard virtual applications, these applications can share data with one another. Additionally, connection groups preserve user settings for the applications that they contain. App-V virtual environments in Configuration Manager are used to configure connection groups on client computers. Virtual environments are created or changed on client computers when the application is installed or when clients next evaluate their installed applications. You can prioritize these applications so that when multiple applications try to change a file system or registry value, the application that has the highest priority takes precedence. For more information, see How to Create App-V Virtual Environments in Configuration Manager. For information to help you plan to manage and deploy virtual applications, see Planning for AppV Integration with Configuration Manager.

1639

Whats New in Configuration Manager for App-V Virtual Applications

The following items are new or have changed for virtual applications since Configuration Manager 2007. Virtual applications can support App-V Dynamic Suite Composition by using Configuration Manager local and virtual application dependencies. You can selectively publish the components of a virtual application to client computers. Performance is improved for publishing application shortcuts to client computers. Clients check more quickly for required installations after logon. Clients also now check for required installations when the desktop is unlocked. Applications can be deployed to users of Remote Desktop Services or Citrix servers when other users are logged in. System Center 2012 Configuration Manager supports streaming virtual applications over the Internet from an Internet-based distribution point. Streaming support is provided for packages suited together using Dynamic Suite Composition. In System Center 2012 Configuration Manager, all distribution points are automatically capable of virtual application streaming. Previously, in Configuration Manager 2007, you had to enable streaming support for virtual applications on each distribution point. Disk space usage is reduced on distribution points because application content is no longer duplicated for multiple application revisions. Virtual application content is no longer persisted by default in the Configuration Manager client cache. You can no longer create virtual applications by using Configuration Manager packages and programs. You must use Configuration Manager application management. Configuration Manager supports migrating virtual application packages from Configuration Manager 2007 to System Center 2012 Configuration Manager. When you migrate an App-V package from Configuration Manager 2007, the migration Wizard will create the package as a System Center 2012 Configuration Manager application. The Configuration Manager 2007 client option Allow virtual application package advertisement has been removed. In System Center 2012 Configuration Manager, virtual applications can be deployed by default. Virtual applications that are deployed from an App-V Server are not deleted by the Configuration Manager client. Configuration Manager hardware inventory can be used to inventory virtual applications that are deployed by an App-V Server. Application content that has been downloaded to the App-V cache is not downloaded to the Configuration Manager client cache. Note To modify a virtual application, you must first create it as a Configuration Manager application.
1640

Whats New in Configuration Manager

The following items are new or have changed for application management since Configuration Manager 2007: Software distribution in Configuration Manager 2007 is now replaced by application management in System Center 2012 Configuration Manager. Application management provides new benefits such as user-centric management. Application management implements user device affinity, state-based deployments, deployment types, global conditions, simulated deployments, revisions, dependencies, and supersedence. If you do not require the full management capabilities of application management, you can still deploy packages and programs. Deployments replace advertisements. Required deployments replace mandatory or assigned advertisements. Available deployments replace optional advertisements. The Deploy Software Wizard in System Center 2012 Configuration Manager replaces the previous New Advertisement Wizard in Configuration Manager 2007. Users can browse and request software from the Application Catalog. This requires the two new site system roles: the Application Catalog website point and the Application Catalog web service point. The new Software Center client program replaces the Program Download Monitor and Run Advertised Programs in Control Panel. Software Center is automatically installed on client computers. When you deploy software to users, they no longer have to log off and back on again for Configuration Manager to include the new software deployment in the user policy. However, if the deployment uses a Windows group, any user who was recently added to the group will still have to log off and log back on to receive the software deployment.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for application management in Configuration Manager SP1: App-V virtual environments in Configuration Manager enable virtual applications to share the same file system and registry on client computers. This lets applications that are in the same virtual environment to share data with one another. For more information, see How to Create App-V Virtual Environments in Configuration Manager. You can configure new deployment types for Windows 8 applications that support standalone applications (.appx files) and links to the Windows Store. Configuration Manager includes a new deployment type that you can use to deploy virtual applications that you have created by using Microsoft Application Virtualization 5.0.

1641

Configuration Manager includes a new deployment type that you can use to deploy applications to Mac computers that run the Configuration Manager client. Configuration Manager includes new deployment types for these mobile devices when you use the Windows Intune connector: Windows Phone 8, Windows RT, iOS, and Android. Users download apps for these devices from the new self-service portal for mobile devices, the company portal. For more information, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. You can control the behavior of the write filter on Windows Embedded devices when you deploy applications, and packages and programs, by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts) . For Windows Embedded devices that have the write filter enabled: Software deployments that have a purpose of Available are not supported. If you target a software deployment to these devices, users can see the deployment in Software Center. However, if they try to install the software, they see an error message that they do not have permissions. Users on these devices cannot configure their business hours in Software Center. Users on these devices do not see user notifications to let them postpone a software deployment to nonbusiness hours.

Users can no longer install applications from the Application Catalog if the Client Policy client setting Enable user policy on clients is set to No. By default, the new Computer Agent client setting, Disable deadline randomization, disables the installation randomization delay for required software updates and for required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for application management in System Center 2012 R2 Configuration Manager: Web applications in System Center 2012 R2 Configuration Manager are a new deployment type that allows you to deploy a shortcut to a web-based app on users devices. Windows 8.1 introduces the app bundle (or .appxbundle package) to help optimize the packaging and distribution of Windows Store apps and resource packages. Configuration Manager extends the existing Windows app package deployment type to recognize .appxbundle package files. The Create Application Wizard includes a new option that allows you to configure featured applications. These applications are displayed prominently in the company portal to help users find them.
1642

You can specify a privacy link for each application that users can review before they install the application. You can configure an application to automatically open a VPN connection if a VPN profile has been configured. For more information, see VPN Profiles in Configuration Manager.

For more information, see How to Create Applications in Configuration Manager.

See Also
Application Management in Configuration Manager

Planning for Application Management in Configuration Manager

This section provides planning information to help you use application management in Microsoft System Center 2012 Configuration Manager.

In This Section
Use the following topics to plan for application management in Configuration Manager: Prerequisites for Application Management in Configuration Manager Best Practices for Application Management in Configuration Manager Planning to Deploy Windows 8 Apps in Configuration Manager Planning for App-V Integration with Configuration Manager

See Also
Application Management in Configuration Manager

Prerequisites for Application Management in Configuration Manager

This topic lists the prerequisites for application management in Microsoft System Center 2012 Configuration Manager. The prerequisites are categorized as either external dependencies or dependencies within Configuration Manager.

Dependencies External to Configuration Manager

The following table lists the external dependencies for application management.
1643

Prerequisite

More information

IIS is required on the site system servers that run the Application Catalog website point, the Application Catalog web service point, the management point, and distribution point.

For more information about this requirement, see the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

For client computers that access the Internet Explorer 6 incorrectly detects some Application Catalog by using Internet Explorer 6 areas of the Application Catalog to be unsecure and HTTPS client connections: and displays a security warning about mixed Configure Internet Explorer 6 to disable the content. When this occurs, users might not be able to use the Application Catalog. Later display of mixed content for the Internet versions of Internet Explorer do not display this zone. message. Configure Internet Explorer 6 by using the following steps: 1. In Internet Explorer 6, click Tools, click Internet Options, click the Security tab, select the Internet zone, and then click Custom Level. 2. Locate Display mixed content and click Disable. For mobile devices that are enrolled by Configuration Manager: If you use Active Directory Certificate Services to code sign applications for mobile device applications, do not use a version 3 certificate template. When you code sign applications in order to deploy them to mobile devices, do not use a certificate that was generated by using a version 3 template (Windows Server 2008, Enterprise Edition). This certificate template creates a certificate that is not compatible with Configuration Manager applications for mobile devices. If you deploy .SIS/.SISX files to a Nokia Symbian Belle mobile device that is enrolled by Configuration Manager, you must use a file format that conforms to the OS v9.x SIS file format specification. Configuration Manager reads the following two settings from the local security policy on client computers to determine automatic user device affinities: Audit account logon events Audit logon events

To deploy applications to Symbian Bell mobile devices: The Nokia Symbian Installation Source (SIS) file must conform to the OS v9.x SIS file format specification.

Clients must be configured to audit logon events if you want to automatically create user device affinities.

To automatically create relationships between

1644

Prerequisite

More information

users and devices, make sure that these two settings are enabled on client computers. You can use Windows Group Policy to configure these settings.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for application management.
Prerequisite More information

Management point

Clients will contact a management point to download client policy, to locate content, and to connect to the Application Catalog. Important If clients cannot access a management point, they cannot use the Application Catalog.

Distribution point

Before applications can be deployed to clients, you must have at least one distribution point in the hierarchy. By default, the site server has a distribution point site role enabled during a standard installation. The number and location of distribution points will vary according to the specific requirements of your enterprise. For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager.

Client settings

Many client settings control how applications are installed on the client and the end user experience on the client. These client settings include the following: Computer Agent Computer Restart Software Deployment User and Device Affinity
1645

Prerequisite

More information

For more information about these client settings, see About Client Settings in Configuration Manager. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For the Application Catalog: Discovered user accounts Users must first be discovered by Configuration Manager before they can view and request applications from the Application Catalog. For more information, see the Configure Active Directory Discovery for Computers, Users, or Groups section in the Configuring Discovery in Configuration Manager topic. To be able to successfully create virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1 or later client installed. You must also update the App-V client with the hotfix described in the Knowledge Base article 2645225 before you can successfully deploy virtual applications. Application Catalog web service point The Application Catalog web service point is a site system role that provides information about available software from the Software Library to the Application Catalog website. For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager. Application Catalog website point The Application Catalog website point is a site system role that provides users with a list of available software. For information about how to configure this site system role, see Configuring the Application Catalog and Software Center in Configuration Manager. Reporting services point To be able to use the reports in Configuration Manager for application management, you must
1646

App-V 4.6 SP1 or later client to run virtual applications

Prerequisite

More information

first install and configure a reporting services point. For more information, see Configuring Reporting in Configuration Manager. Security permissions for application management You must have the following security permissions to manage applications. To create, modify and retire applications: Alerts Create, Delete, Modify, Modify Report, Read, Run Report. Application Approve, Create, Delete, Modify, Modify Folder, Move Object, Read, Run Report, Set Security Scope. Boundaries Read. Boundary Group Read. Collection Modify Client Status Alert, Read, Read Resource. Distribution Point Copy to Distribution Point, Read. Distribution Point Group Copy to Distribution Point, Read. Global Condition Read. Package Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope. Site Read.

The Application Author security role includes the preceding listed permissions that are required to create, modify and retire applications in Configuration Manager. To deploy applications: Alerts Create, Delete, Modify, Modify Report, Read, Run Report. Application Read, Run Report. Boundaries Read. Boundary Group Read. Client Agent Setting Read. Collection Deploy Applications, Deploy Client Settings, Deploy
1647

Prerequisite

More information

Packages, Modify Client Status Alert, Read, Read Resource. Deployment Templates Read. Distribution Point Read. Distribution Point Group Read, Create Association to Collection. Global Condition Read. Mobile Device Enrollment Profiles Read. Package Read, Run Report. Query Read. Site Read. Status Messages Read. User Device Affinities Read, Run Report.

The Application Deployment Manager security role includes the preceding listed permissions that are required to deploy applications in Configuration Manager. The Application Administrator security role contains all of the permissions from both the Application Author and the Application Deployment Manager security roles. For more information, see Configure RoleBased Administration in the Configuring Security for Configuration Manager topic.

See Also
Planning for Application Management in Configuration Manager

Best Practices for Application Management in Configuration Manager

Use the following best practices for application management in Microsoft System Center 2012 Configuration Manager.

1648

Use application supersedence to update deployed applications

When you modify a deployed application, any new installations will use the modified version of the application. If, when you modify the application you also modify the detection method associated with the application, then all deployed copies of the application will be updated. To provide greater control for application updates, use application supersedence. For more information about how to supersede applications, see How to Use Application Supersedence in Configuration Manager.

Use required applications rather than available applications for Windows Embedded devices that have write filters enabled
Because users cannot install applications from the Application Catalog from a Windows Embedded device that has write filters enabled, always deploy applications that are required rather than available to these devices. Typically, this will not be a problem because computers that run a Windows Embedded operating system often run a single application that must run in the same way for multiple users. Because of this, these devices are highly managed and locked down by the IT department. Required applications are well-suited to this scenario. However, if users do run more than one application on embedded devices when write filters are enabled, educate these users about the following limitations: Users cannot install applications from the Application Catalog. Users cannot install required software from Software Center. Users cannot change their business hours in the Options tab of Software Center. Users cannot postpone the installation of a required application.

In addition, low-rights users cannot log on during a maintenance period if Configuration Manager SP1 is committing changes for software installations and updates. During this period, users see a message informing them that the device is unavailable because it is being serviced.

Do not deploy applications to Windows Embedded devices that have write filters enabled if the applications require the user to accept the license terms
When writer filters are disabled so that Configuration Manager can install software on embedded devices, low-rights users cannot log on to the device. If the installation requires the user to accept the license terms, this will not be possible and the installation will fail. Make sure that you do not deploy software to Windows Embedded devices if the installation requires user interaction. You can use the Applicable Platforms list to filter these operating systems.
1649

See Also
Planning for Application Management in Configuration Manager

Planning to Deploy Windows 8 Apps in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Use the information in the following table to help you plan and prepare to deploy Windows 8 applications (apps) to System Center 2012 Configuration Manager SP1 clients in your organization.
Process Reference

Review the available information about the basic concepts for application management in Configuration Manager.

For introductory information about application managemen t, see Introduction to Application Managemen t in Configuratio n Manager. For information about the prerequisites for application managemen t, see Prerequisite s for Application
1650

Review and implement the prerequisites to deploy applications in Configuration Manager.

Process

Reference

Managemen t in Configuratio n Manager. Configure and test the Application Catalog and Software Center to enable users to browse for and install software. For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuratio n Manager. No additional information.

Review the two different available methods that you can use to deploy software to computers that run Windows 8: Deploy the application by providing a link to the app in the Windows Store. Deploy the app installation file (.appx file) to computers directly, bypassing the Windows Store. This process is sometimes called sideloading.

Review the requirements and recommendations to deploy Windows 8 apps to computers in the company. If you are deploying a line of business application, work with the application developers to ensure that the following requirements are met: The technical compliance of the App has been validated to ensure that it provides a consistent Windows 8 application experience, that it meets the minimum technical requirements for an app, and that it will function correctly on future versions of Windows. The app is signed by a certification authority (CA) that is trusted by the Windows 8 computers that will install the app. The publisher name in the package manifest file must match the publisher name in the certificate that signs the app. Note Microsoft recommends that all apps that are installed by deploying

For information about how to validate the technical compliance of Windows 8 apps, see Testing your app with the Windows App Certification Kit in the
1651

Process

Reference

application installation files are signed by a certificate that is from a trusted certification authority. By default, Windows trusts many certification authorities without any additional configuration. If the signing certificate is from one of these trusted authorities, you do not need to deploy and manage additional certificates on Windows 8 computers that will install the Windows 8 app. You can also use your internal PKI to sign the app if computers trust the certification authority that issues the signing certificate. Visual Studio provides a self-signing test certificate that you can use to test apps internally. Microsoft recommends that you use these selfsigned certificates for internal testing only and that you do not use them on production networks for enterprise deployment. Important When you import a Windows 8 app into Configuration Manager, no validation is done to ensure that the app is signed. Be sure to take the steps outlined in this topic to sign the application before you import it into Configuration Manager. Configure Windows 8 computers to allow direct installation of Windows 8 apps. To do so, use group policy to configure the following sideloading registry settings: Note Client computers that run different versions of Windows 8 have different requirements for enabling the sideloading of apps. For example, you must configure the sideloading key on a computer that runs Windows 8 Enterprise if the computer is not joined to a domain. For more information about these requirements, see the section Windows 8 Sideloading Requirements in this topic. On computers that run enterprise versions of Windows 8 Enterprise, use this registry setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\All owAllTrustedApps = 1 On computers that run Windows 8 Professional, use this registry setting: HKEYLOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\Allo wAllTrustedApps = 1

Windows Dev Center. For information about how to sign apps by using Microsoft Visual Studio, see Signing an app package (Windows Store apps) in the Windows Dev Center. For more information about how to configure group policy preferences in order to configure registry settings, see your Windows documentati on.

When you create an application of the type Windows app package (in the Windows Store), you must browse to a reference computer and select the application in order to create a link. Before you can do this, you must prepare the reference computer to receive Web Service Management (WS-Management) requests from the Configuration Manager console.

See Prepare the Reference Computer for Application

1652

Process

Reference

Browsing in this topic.

Supplemental Procedures to Prepare to Deploy Windows 8 Apps

Use the following information when the steps in the preceding table require supplemental procedures.

Prepare the Reference Computer for Application Browsing

Perform the following procedure to configure an HTTPS connection between the computer that runs the Configuration Manager console and the reference computer, which is the Windows 8 computer that contains the Windows Store applications to be browsed. To prepare the reference computer 1. Ensure that the account you use to log on to the computer that runs the Configuration Manager console has Administrator permissions on both the computer running the console and on the reference computer. 2. At a command prompt on the reference computer, enter the following command to create an HTTPS-based listener: winrm qc Transport:HTTPS 3. On the reference computer, enter the following command to allow Windows PowerShell to make remote connections to the computer: enable-psremoting 4. On the reference computer, enter the following command to remove the HTTP-based listener that was enabled by the previous command: winrm delete winrm/config/Listener?Address=*+Transport=HTTP 5. On the reference computer, configure a Windows Firewall inbound rule for port 5986, which is the default HTTPS port that will be used for communication.

Windows 8 Sideloading Requirements

Use the following table to understand when you must configure the sideloading keys in Windows 8 or Windows Server 2012 to enable the direct installation of applications: Important The Desktop Experience feature of Windows Server 2012 must be enabled if you want to install applications from the Windows Store.
1653

Windows version

Configure AllowAllTrustedApps registry key

Domain joined Sign .appx file with trusted enterprise code signing certificate

Sideloading key required

Windows 8 Enterprise

Yes

Yes

Yes. Code signing certification authority is trusted on Windows 8 clients. Yes. Code signing certification authority is trusted on Windows 8 clients. Yes. Code signing certification authority is trusted on Windows 8 clients. Yes. Code signing certification authority is trusted on Windows Server 2012 clients.

Required if Enterprise client is not joined to a domain

Windows 8 Professional

Yes

Not required

Yes

Windows RT

Yes

Not required

Yes

Windows Server 2012

Yes

Yes

Does not support sideloading key

Note Windows 8 Home versions do not support enterprise sideloading.

See Also
Planning for Application Management in Configuration Manager
1654

Planning for App-V Integration with Configuration Manager

System Center 2012 Configuration Manager supports the management of virtual applications that are created with Microsoft Application Virtualization (App-V). When you use Configuration Manager to manage App-V applications, Configuration Manager takes over the management and streaming components of a typical App-V infrastructure. When you use Configuration Manager to manage virtual applications, you gain the benefits of using a single management infrastructure. You will also gain the benefits of scalability, deployment, and content distribution features, such as collections and user device affinity, and additional advanced application management features that Configuration Manager provides. AppV also integrates with Configuration Manager features, such as operating system deployment, software and hardware inventory, software metering, and Asset Intelligence to support virtual applications. To deploy virtual applications to computers, you must have the Configuration Manager client and App-V Client installed on your computers. Client devices can include desktop and portable computers, and Virtual Desktop Infrastructure (VDI) clients. The Configuration Manager and AppV Client software work together to deliver, locate, and launch virtual application packages. The Configuration Manager client manages the delivery of virtual application packages to the App-V Client. The App-V Client runs the virtual application on the client. Use the information in the following sections to help you plan to integrate your App-V environment with Configuration Manager and Configuration Manager SP1. Supported App-V Versions Steps to Manage App-V Virtual Applications Configuration Manager Virtual Application Delivery Methods Migrating from an App-V Infrastructure to a Configuration Manager and App-V Infrastructure Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only) Dynamic Suite Composition in App-V 4.6 Converting App-V 4.6 Applications to App-V 5 Applications (Configuration Manager SP1 Only) User and Deployment Configuration Files (Configuration Manager SP1 ) App-V Local Interaction App-V 5 Shared Content Store Monitoring Virtual Applications

For more information about how to create and sequence applications by using App-V, see your App-V documentation.

1655

Supported App-V Versions

Configuration Managersupports the following versions of App-V: App-V 4.6: System Center 2012 Configuration Manager with no service pack, System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. To use virtual applications in Configuration Manager, client computers must have the App-V 4.6 SP1, App-V 4.6 SP2, or App-V 4.6 SP3 client installed. You must also update the App-V 4.6 SP1 client with the hotfix that is described in the Knowledge Base article 2645225 before you can successfully deploy virtual applications. App-V 5, App-V 5.0 SP1 and App-V 5.0 SP2: System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.

Steps to Manage App-V Virtual Applications

There are five major steps that you must follow to manage App-V virtual applications: Sequencing - Sequencing is the process of converting an application into a virtual application by using the App-V sequencer. Create Configuration Manager applications Use the Create Deployment Type Wizard to import the sequenced application into a Configuration Manager deployment type that you can then add to an application. You can also create virtual environments that allow multiple virtual applications to share settings. Distribution Distribution is the process of making App-V applications available on Configuration Manager distribution points. Deployment Deployment is the process of making the application available on client computers. This is referred to as streaming in an App-V full infrastructure. Configuration Manager provides two options for the deployment of virtual applications: streaming and download and execute.

Configuration Manager Virtual Application Delivery Methods

Configuration Manager supports two methods for delivery of virtual applications to clients: streaming delivery and local delivery (download and execute): Streaming delivery When the App-V Client is managed by Configuration Manager, it supports the streaming of virtual applications through HTTP or HTTPS from a distribution point. Streaming through HTTP or HTTPS is enabled by default and is configured in the distribution point properties dialog box. When you deploy a virtual application to client computers and a user runs the virtual application, the Configuration Manager client contacts a management point to determine which distribution point to use; then, the application is streamed from the distribution point. Local delivery (download and execute)
1656

When you use this delivery method, the Configuration Manager client first downloads the entire virtual application package into the Configuration Manager client cache, and then it instructs the App-V Client to stream the application from the Configuration Manager cache into the App-V cache. If you deploy a virtual application to client computers and its content is not in the App-V cache, then the App-V Client streams the application content from the Configuration Manager client cache into the App-V cache, and then it runs the application. After the application runs successfully, you can configure the Configuration Manager client to delete any older versions of the package at the next deletion cycle, or to persist them in Configuration Manager client cache. When you decide which Configuration Manager virtual application delivery method to use, compare the reduced disk space requirement for streaming delivery against the guaranteed availability of App-V applications by using local delivery. The increased client disk space that is required for local delivery might be worthwhile so that users always have the application available from any location. Use the information in the following table to help you decide the best delivery method.
Delivery method Advantages Disadvantages

Streaming delivery

This method uses standard network protocols to stream package content from distribution points. Program shortcuts for virtual applications invoke a connection to the distribution point, so the virtual application delivery is on demand. This method works well for clients with high-bandwidth connections to the distribution points. Updated virtual applications distributed throughout the enterprise are available as clients receive policy that informs them that the current version is superseded and they download only the changes from the previous version.

Virtual applications are not streamed until the user runs the application for the first time. In this scenario, a user might receive program shortcuts for virtual applications and then disconnect from the network before running the virtual applications for the first time. If the user tries to run the virtual application while the client is offline, the user sees an error and will not be able to run the virtualized application because a Configuration Manager distribution point is not available to stream the application. The application will be unavailable until the user reconnects to the network and runs the application.

To avoid this bad user Access permissions are defined experience, you can use the at the distribution point to local delivery method for virtual
1657

Delivery method

Advantages

Disadvantages

prevent users from accessing unauthorized applications or packages. Local delivery The standard distribution point functionality is used to download the package by using Background Intelligent Transfer Service (BITS). Virtual application package contents are delivered locally to the client, which means that users can run them when their computer is not connected to the network. This method is suitable for slow or unreliable network connections and for computers that only occasionally connect to the network. Configuration Manager uses Remote Differential Compression (RDC) to send to clients only the bytes within the files that have changed when virtual application package content is updated. The Configuration Manager client uses RDC to build a new version of a virtual application package based on the current version of the package and any changes sent to the client. This method provides application resiliency for mobile users or disconnected users. Administrators can choose to persist the package in the Configuration Manager cache after delivery if the virtual

application delivery to clients, or you can enable the Internetbased client management for streaming delivery. Disk space equaling up to twice the size of the virtual application package is required on the client when the virtual application is persisted in the Configuration Manager cache.

1658

Delivery method

Advantages

Disadvantages

application was deployed with an Install action. The package in the Configuration Manager client cache serves as a local, reliable streaming source for the App-V Client to pull the package into its cache. You can also preinstall virtual applications on a computer and then create an image of that computer for deployment to other computers. However, if the virtual application package was created at a different site, then the binary delta replication will not be used to download updates to the application. This option can be useful in a virtual desktop infrastructure when you want applications to be available immediately instead of downloading the applications after the user logs on.

Migrating from an App-V Infrastructure to a Configuration Manager and App-V Infrastructure

Use the following table to help you plan a migration from an existing App-V infrastructure to virtual application management with Configuration Manager.
Step More information

Examine your current virtual applications to choose the applications that you want to migrate into your Configuration Manager infrastructure. Evaluate the users and devices to which the virtual applications will be deployed.

No additional information.

Create Configuration Manager collections to group together the users and devices to which you want to deploy the virtual applications. For more information, see Collections in Configuration Manager. For more information, see the Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only) section in this topic.

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Migrate App-V 5 connection groups to Configuration Manager SP1 virtual environments. Investigate to find out if any of your virtual

For easier management, you can add the

1659

Step

More information

applications exist as full applications in your Configuration Manager infrastructure.

virtual application as a new deployment type to the existing full application. For more information about how to create deployment types, see How to Create Deployment Types in Configuration Manager. For more information about how to create Configuration Manager applications, see Introduction to Application Management in Configuration Manager and How to Create Applications in Configuration Manager.

Create applications to replace your existing App-V packages.

Configuration Manager begins to manage No additional information. virtual applications on a client after the first deployment of a virtual application. After this, all App-V applications on the computer must be managed by Configuration Manager. Distribute the content to the appropriate distribution points to enable local delivery of applications. Deploy the application to Configuration Manager clients. Note If the App-V application was created with an earlier version of the sequencer that does not create a manifest XML file, you can open it and save it in a newer version of the sequencer to create the file. This file is required to deploy virtual applications with Configuration Manager. App-V supports the virtual application packages that are created with the SoftGrid 4.1 SP1 or 4.2 versions of the Sequencer. If the applications were previously installed locally, you must uninstall them before you deploy a virtual version of the application. System Center 2012 Configuration Manager no For more information, see Planning for the
1660

For more information, see Content Management in Configuration Manager. For more information, see How to Deploy Applications in Configuration Manager.

Step

More information

longer supports using packages and programs that contain virtual applications. When you migrate from Configuration Manager 2007 to System Center 2012 Configuration Manager, Configuration Manager converts these packages into applications. Configuration Manager 2007 advertisements are converted into the following deployment types: Migrating App-V packages with no advertisement: One deployment type that uses the default deployment type settings. Migrating App-V packages with one advertisement: One deployment type that uses the same settings as the Configuration Manager 2007 advertisement. Migrating App-V packages with multiple advertisements: A deployment type for each Configuration Manager 2007 advertisement, that uses the settings for that advertisement.

Migration of Configuration Manager Objects to System Center 2012 Configuration Manager.

Migrating App-V 5 Connection Groups to Configuration Manager Virtual Environments (Configuration Manager SP1 Only)
App-V virtual environments in Configuration Manager allow virtual applications that you have deployed to share the same file system and registry on client computers. This means that unlike standard virtual applications, these applications can share data with each other. Virtual environments are created or modified on client computers when the application is installed or when clients next evaluate their installed applications. Virtual environments are similar to connection groups in standalone App-V 5. When you migrate connection groups from standalone App-V 5 to Configuration Manager virtual environments, you must ensure that the connection groups that already exist on client computers are managed correctly by Configuration Manager, and that the user's environment within those connection groups is preserved. Use the following procedure to help you successfully convert App-V 5 connection groups into Configuration Manager virtual environments.
1661

To convert App-V 5 connection groups to Configuration Manager virtual environments 1. Create Configuration Manager applications for all applications that existed in App-V. 2. Deploy the applications to users or devices with a deployment purpose of Required. Deployments to users must be deployed to the same users who used the application in App-V, and deployments to computers must be deployed to the same computers that had the application in App-V. 3. After the deployment is completed, create virtual environments that match the connection groups that are published in standalone App-V. The virtual environment must contain the same packages, specifically, App-V 5 deployment types, in the same order. For information about how to create an App-V virtual environment, see How to Create App-V Virtual Environments in Configuration Manager. Alternatively, you can delete all connection groups from the App-V Client before you begin to deploy applications with Configuration Manager. However, this will lose any settings that users might have saved in App-V connection groups.

Dynamic Suite Composition in App-V 4.6

Dynamic Suite Composition is a feature that provides the ability to define one virtual application package as having a dependency on another virtual application package. When the application is run, the App-V Client hosts the primary package and the dependent package in the same virtual environment for the application. To use this feature with Configuration Manager, both packages must be deployed and registered with the App-V Client. To ensure that dependent package content is hosted locally on the client computer, configure the application deployment for local delivery (download and execute). For more information about the App-V Dynamic Suite Composition feature, see your App-V documentation.

Converting App-V 4.6 Applications to App-V 5 Applications (Configuration Manager SP1 Only)
The application package format has changed between App-V 4.6 and App-V 5. Applications that have been sequenced by using App-V 4.6 are no longer supported. However, App-V 5 has a package converter tool that you can use to convert applications. For more information, see your App-V 5 documentation. Use the following steps to convert App-V 4.6 applications to App-V 5 applications: 1. Convert or re-sequence the App-V 4.6 packages into the App-V 5 format. 2. Deploy the App-V 5 client to computers in your hierarchy. 3. Create new applications that contain deployment types for your App-V 5 applications, and create supersedence rules to supersede the App-V 4.6 applications. 4. Create virtual environments as required.
1662

5. Deploy the new App-V 5 applications to computers.

User and Deployment Configuration Files (Configuration Manager SP1 )

User and deployment configuration files contain settings that control how an application behaves. You can use these files to change application settings without re-sequencing the application. A typical App-V 5 application might contain the following files: An application package (.appv) file. A user configuration file. A deployment configuration file.

The user configuration file contains settings that apply only to the logged on user. You could, for example, edit the configuration files to change the information about the application shortcut that will be deployed to users. You can also create a Configuration Manager application with multiple deployment types, and each deployment type can contain a different user configuration file and use requirement rules to ensure that these are installed for the relevant users. The deployment configuration file contains settings that apply to the computer, such as registry settings. The file can also contain user settings, which will be applied to all users. If you want to deploy App-V 5 virtual applications with Configuration Manager, all three files must be present in the same folder when you create the App-V 5 deployment type. If there are multiple files in the folder, Configuration Manager will use the most recent. For more information about user and deployment configuration files, see your App-V 5 documentation.

App-V Local Interaction

In some application deployment scenarios, some applications are installed locally on client computers and other applications are deployed as virtual applications to the same client computer. By default, the applications that were locally installed cannot see or communicate directly with virtualized applications. This is the intended behavior of the application isolation that is provided by App-V. Local Interaction is a feature of the App-V Client that you can enable for each application to allow locally installed applications that run on a client computer to see and communicate with virtualized applications. Configuration Manager and App-V fully support local interaction. For more information about the App-V Local Interaction feature, see your App-V documentation.

App-V 5 Shared Content Store

The App-V 5 Shared Content Store feature is supported by Configuration Manager SP1. For more information about this feature, see your App-V documentation.

1663

Monitoring Virtual Applications

Use the information in this section to plan how to monitor App-V applications in Configuration Manager.

Virtual Application Reports

You can use the following reports to monitor App-V in your Configuration Manager environment:
Report name Description

App-V Virtual Environment Results

Displays information about a selected virtual environment that is in a specified state for a selected collection (App-V 5 only). Displays information about a selected virtual environment for a specified asset and any deployment types for the selected virtual environment (App-V 5 only). Displays compliance information for a selected virtual environment for a selected collected. The Retained column in this report displays the assets in which a virtual environment that was previously configured is no longer applicable, but it is retained to persist user settings in applications that run in the virtual environment (App-V 5 only). Displays a summary of computers that have the specified App-V shortcut that was created by the Application Virtualization Management Sequencer (App-V 4.6 only). Displays a list of computers that have the specified App-V application package installed (App-V 4.6 only). Displays a count of all detected App-V application packages (App-V 4.6 only). Displays a count of all detected App-V applications (App-V 4.6 only).

App-V Virtual Environment Results For Asset

App-V Virtual Environment Status

Computers with a specific virtual application

Computers with a specific virtual application package Count all instances of virtual application packages Count all instances of virtual applications

1664

Log Files
Configuration Manager records information about virtual application deployments in log files. For information about the log files that are used by virtual applications and Configuration Manager application management, see Technical Reference for Log Files in Configuration Manager. Additionally, you can find logs for the App-V client in the following locations: Windows XP: C:\Documents and Settings\All Users\Application Data\Microsoft\Application Virtualization Client Windows Vista, Windows 7, and Windows 8: C:\ProgramData\Microsoft\Application Virtualization Client

See Also
Planning for Application Management in Configuration Manager

Configuring the Application Catalog and Software Center in Configuration Manager

This topic describes the steps that are needed in order to configure the Application Catalog and Software Center in System Center 2012 Configuration Manager. Note Software Center is automatically installed on client computers when you install the Configuration Manager client. Software Center includes a link to the Application Catalog. You must install and configure the Application Catalog independently from client deployment. Use the following steps and the supplemental procedures to install and configure the Application Catalog site system roles.

Steps to Install and Configure the Application Catalog and Software Center
Use the following table for the steps, details, and more information about installing and configuring the Application Catalog and Software Center to support application management. Important Before you perform these steps, make sure that you have met all of the prerequisites. For more information, see Prerequisites for Application Management in Configuration Manager.

1665

Steps

Details

More information

Step 1: If you will use HTTPS connections, make sure that you have deployed a web server certificate to site system servers.

Deploy a web server certificate to the site system servers that will run the Application Catalog website point and the Application Catalog web service point. Additionally, if you want clients to access the Application Catalog from the Internet, deploy a web server certificate to at least one management point site system server and configure it for client connections from the Internet.

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example of a deployment that creates and installs this web server certificate, see Deploying the Web Server Certificate for Site Systems that Run IIS.

Step 2: If you will use a client PKI certificate for connections to management points, deploy a client authentication certificate to client computers.

Although clients do not have to use a client PKI certificate to connect to the Application Catalog, they must connect to a management point before they can use the Application Catalog. You must deploy a client authentication certificate to client computers in the following scenarios: All management points on the intranet accept only HTTPS

For information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For an example of a deployment that creates and installs this client certificate, see Deploying the Client Certificate for Computers.

1666

Steps

Details

More information

client connections. Clients will connect to the Application Catalog from the Internet. For more information about site system role placement, see Site System Role Placement in the Hierarchy. To configure the Application Catalog web service point and the Application Catalog website point, see the following procedure in this topic: Step 3: Installing and configuring the Application Catalog site system roles.

Step 3: Install and configure the Application Catalog web service point and the Application Catalog website.

You must install both of these site system roles in the same site. You do not have to install them on the same site system server or in the same Active Directory forest. However, the Application Catalog web service point must reside in the same forest as the site database.

Step 4: If you have users from other domains:

By default, in Configuration Manager with no Configure NTFS Service Pack, the domain users from access for the the current domain other domain users can access the Application Catalog. You must add the users from other domains to the Application Catalog folder and then grant them access. In Configuration Manager SP1, by default, users can access the Application Catalog

The Application Catalog folder is named CMApplicationCatalog. It is installed in one of the following listed locations or to a custom location if you did not install the Configuration Manager client to the default location. <drive>:\SMS_CCM\ <drive>:\Program files\SMS_CCM\ <drive>:\Windows\CCM\

Grant the users the following permissions to the CMApplicationCatalog folder and to the CMApplicationCatalog\Content\Images\AppIcons folder: Read & execute List folder contents Read Note These permissions are reset to the defaults
1667

Steps

Details

More information

from other domains.

if the Application Catalog website role is reinstalled. In addition to manual reinstallation, Configuration Manager can automatically reinstall this site system role if you change the client connections to or from HTTP and HTTPS, add or remove a client or server language pack, or upgrade the site or apply a hotfix. You must explicitly set permissions for the AppIcons folder in addition setting permissions for the CMApplicationCatalog folder. This is because the AppIcons folder does not inherit permissions from its parent folder.

Step 5: Configure client settings for the Application Catalog and Software Center.

Configure the default client settings if you want all users to have the same setting. Otherwise, configure custom client settings for specific collections. You can access the Application Catalog directly from a browser or from Software Center.

For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 5: Configuring the client settings for the Application Catalog and Software Center.

Step 6: Verify that the Application Catalog is operational.

See the following procedure in this topic: Step 6: Verifying that the Application Catalog is operational.

Supplemental procedures to install and configure the Application Catalog and Software Center
Use the following information when the steps in the preceding table require supplemental procedures.

1668

Step 3: Installing and configuring the Application Catalog site system roles
These procedures configure the site system roles for the Application Catalog. Choose one of these procedures depending on whether you will install a new site system server or use an existing site system server: To install and configure the Application Catalog site systems: New site system server To install and configure the Application Catalog site systems: Existing site system server Note The Application Catalog cannot be installed on a secondary site or on a central administration site. To install and configure the Application Catalog site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles. 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. Tip If you want client computers to access the Application Catalog over the Internet, specify the Internet fully qualified domain name (FQDN). 5. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then click Next. 6. Complete the wizard. To install and configure the Application Catalog site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server to use for the Application Catalog. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. Tip If you want client computers to access the Application Catalog over the Internet, specify the Internet fully qualified domain name (FQDN). 5. On the System Role Selection page, select Application Catalog web service point and Application Catalog website point from the list of available roles, and then click
1669

Next. 6. Complete the wizard. Verify the installation of these site system roles by using status messages and by reviewing the log files: 1. Status messages: Use the components SMS_PORTALWEB_CONTROL_MANAGER and SMS_AWEBSVC_CONTROL_MANAGER. For example, status ID 1015 for SMS_PORTALWEB_CONTROL_MANAGER confirms that Site Component Manager was successfully installed the Application Catalog website point. 2. Log files: Search for SMSAWEBSVCSetup.log and SMSPORTALWEBSetup.log. For more detailed information, search for the log files awebsvcMSI.log and portlwebMSI.log.

Step 5: Configuring the client settings for the Application Catalog and Software Center
This procedure configures the default client settings for the Application Catalog and Software Center that will apply to all devices in the hierarchy. If you want these settings to apply to only some devices, you can create a custom client setting and deploy it to a collection that contains the devices that will have the specific settings. For more information about how to create a custom device setting, see the How to Create and Deploy Custom Client Settings section in the How to Configure Client Settings in Configuration Manager topic. To configure the default client settings for Application Catalog and Software Center 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. Review and configure settings that relate to user notifications, the Application Catalog, and Software Center. For example: a. Computer Agent group: Default Application Catalog website point Add default Application Catalog website to Internet Explorer trusted sites zone Organization name displayed in Software Center Tip To specify the organization name displayed in the Application Catalog and configure the website theme, use the Customization tab on the Application Catalog website properties. Install permissions Show notifications for new deployments
1670

b. Power Management group: c. Allow users to exclude their device from power management Users can change policy or notification settings in Software Center Allow users to define their primary devices Remote Tools group:

d. User and Device Affinity group:

Note For more information about the client settings, see About Client Settings in Configuration Manager. 6. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

Step 6: Verifying that the Application Catalog is operational

Use the following procedures to verify that the Application Catalog is operational. You can access the Application Catalog directly from a browser or from Software Center. Note The Application Catalog requires Microsoft Silverlight, which is automatically installed as a Configuration Manager client prerequisite. If you access the Application Catalog directly from a browser by using a computer that does not have the Configuration Manager client installed, first verify that Microsoft Silverlight is installed on the computer. Tip Missing prerequisites are among the most typical reasons for the Application Catalog to not operate correctly after installation. Confirm the site system role prerequisites for the Application Catalog site system roles. You can do this by using the Site System Requirements section of the Supported Configurations for Configuration Manager topic. To access the Application Catalog directly from a browser In a browser, type the address of the Application Catalog website and confirm that the web page displays with the three tabs: Application Catalog, My Application Requests, and My Devices. Select and use the appropriate address below for the Application Catalog, where <server> is the computer name, intranet FQDN, or Internet FQDN: HTTPS client connections and default site system role settings: https://<server>/CMApplicationCatalog HTTP client connections and default site system role settings:
1671

http://<server>/CMApplicationCatalog HTTPS client connections and custom site system role settings: https://<server>:<port>/<web application name> HTTP client connections and custom site system role settings: http://<server>:<port>/<web application name>

To access the Application Catalog from Software Center 1. On a client computer, click Start, click All Programs, click Microsoft System Center 2012, click Configuration Manager, and then click Software Center. 2. If you previously configured an organizational name for Software Center as a client setting, confirm that this displays as specified. 3. Click Find additional applications from the Application Catalog and confirm that the page displays with the three tabs: Application Catalog, My Application Requests, and My Devices. Warning After you have installed the Application Catalog site system roles, you will not immediately see the Application Catalog when you click the Find additional applications from the Application Catalog link from Software Center. The Application Catalog becomes available from Software Center after the client next downloads its client policy or up to 25 hours after the Application Catalog site system roles are installed.

See Also
Application Management in Configuration Manager

Operations and Maintenance for Application Management in Configuration Manager

Use the topics in this section for more information about operations and maintenance for application management in Microsoft System Center 2012 Configuration Manager.

In This Section
How to Create Applications in Configuration Manager How to Create and Deploy Applications for Mac Computers in Configuration Manager How to Deploy Applications in Configuration Manager How to Simulate an Application Deployment in Configuration Manager How to Manage Applications and Deployment Types in Configuration Manager
1672

How to Manage Application Revisions in Configuration Manager How to Use Application Supersedence in Configuration Manager How to Uninstall Applications in Configuration Manager How to Monitor Applications in Configuration Manager How to Manage User Device Affinity in Configuration Manager How to Create Global Conditions in Configuration Manager How to Create App-V Virtual Environments in Configuration Manager How to Create and Deploy Applications for Mobile Devices in Configuration Manager

See Also
Application Management in Configuration Manager

How to Create Applications in Configuration Manager

A System Center 2012 Configuration Manager application contains the files and information that are required to deploy software to a device. An application contains one or more deployment types that comprise the installation files and information that are required to install software. A deployment type also contains rules that specify when and how the software is deployed. You can create applications by using the following methods: Automatically create the application and deployment types by reading the application installation files. Manually create the application and then add deployment types later.

Use the following steps to create applications and deployment types by using Configuration Manager. For information about how to import an application, see How to import an application in this topic.

Steps to Create an Application

The following table provides the steps, details, and more information about how create an application.
Step Details More Information

Step 1: Start the Create Application Wizard

The Create Application Wizard is used to configure general information about an application. You can use the following

See Step 1: Start the Create Application Wizard in this topic. See Step 2: Specify whether
1673

Step 2: Specify whether you

Step

Details

More Information

want to automatically detect application information or manually define the information

methods to configure general information about the application: Automatically detect application information. In this method, Configuration Manager attempts to read information about the application from the application installation files, and then it automatically populates fields in the wizard with discovered information. Use this method when you want to create an application that has a single deployment type that uses the default settings. Manually define application information. In this method, the administrator manually enters information about the application. Use this method when you want to create a more complex application that has multiple deployment types, detection methods, requirements, or dependencies. Also use this method when application information cannot be read from the installation files.

you want to automatically detect application information or manually define the information in this topic.

Supplemental Procedures to Create an Application

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Application Wizard

Use this procedure to start the Create Application Wizard.

1674

To start the Create Application Wizard 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. On the Home tab, in the Create group, click Create Application.

Step 2: Specify whether you want to automatically detect application information or manually define the information
Use one of the following procedures to automatically detect or manually define application information: Use the procedure To automatically detect application information when you want to create a simple application that has a single deployment type, such as a Windows Installer file that has no dependencies or requirements. After you create an application by using this procedure, you can edit it as needed to add or change deployment types and add detection methods, dependencies, or requirements. Use the procedure To manually define application information to create more complex applications that have multiple deployment types, dependencies, detection methods, or requirements. To automatically detect application information 1. On the General page of the Create Application Wizard, select the Automatically detect information about this application from installation files check box. 2. In the Type drop-down list, select the application installation file type that you want to use to detect application information. For information about the available installation types, see Deployment Types Supported by Configuration Manager in this topic. 3. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> or the store link for the application installation file that you want to use to detect application information. Alternatively, click Browse to browse to the installation file. Important When you select Windows Installer (Native) (Configuration Manager with no service pack) or Windows Installer (*.msi file) (Configuration Manager Service Pack 1 [SP1]) as an application type, all of the files in the folder that you specify will be imported with the application and will be sent to distribution points. Ensure that only the files that are necessary to install the application are in the folder that you specify. Configuration Manager is tested to support up to 20,000 application files in the application package. If your application contains more files, consider creating multiple applications that have a smaller number of files. Note You must have access to the UNC path that contains the application and any
1675

subfolders that contain application content. 4. Click Next. 5. On the Import Information page of the Create Application Wizard, review the information that was imported, and then click Next. If necessary, you can click Previous to go back and correct any errors. 6. On the General Information page of the Create Application Wizard, specify the following information: Note Some of this information might already be populated if it was automatically obtained from the application installation files. Additionally, the displayed options might be different depending on the application type that you create. Provide general information about the application, such as the application name, comments, version, and an optional reference to help you reference the application in the Configuration Manager console. Installation program: Specify the installation program and any required properties that are needed to install the application deployment type. Note If the installation program does not appear, click Browse and browse to the installation program location. Install behavior: Specify whether the application deployment type will be installed for the currently logged-on user only or for all users. You can also specify that the deployment type will be installed for all users if it is deployed to a device or only to a specific user if it is deployed to a user. For System Center 2012 R2 Configuration Manager only: Use an automatic VPN connection (if configured): Select this option if you want this application to open an automatic VPN connection that you have configured by using the Create VPN Profile Wizard. For more information, see VPN Profiles in Configuration Manager. This option is available only when you configure a deployment type for a Windows app package.

7. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard. 8. The new application appears in the Applications node of the Configuration Manager console, and you have completed the process of creating an application. If you want to add more deployment types to the application, see Steps to Create a Deployment Type in this topic. To manually define application information 1. On the General page of the Create Application Wizard, select Manually specify the application information, and then click Next. 2. Specify general information about the application, such as the application name, comments, version, and an optional reference to help you find the application in the
1676

Configuration Manager console. 3. Click Next. 4. On the Application Catalog page of the Create Application Wizard, specify the following information: Selected language: In the drop-down list, select the language version of the application that you want to configure. Click Add/Remove to configure more languages for this application. Localized application name: Specify the application name in the language that you selected in the Selected language drop-down list. Important You must specify a localized application name for each language version that you configure. User categories: Click Edit to specify application categories in the language that you selected in the Selected Language drop-down list. Users of the Application Catalog can use these selected categories to help filter and sort the available applications. User documentation: Click Browse to specify the URL to, or the UNC path and file name of, a file that users of the Application Catalog can read to get more information about this application. Link text: Specify the text that will appear in place of the URL to the application. Application Privacy URL: Specify a URL that links to the privacy statement for the application. Localized description: Enter a description for this application in the language that you selected in the Selected Language drop-down list. Keywords: Enter a list of keywords in the language that you selected in the Selected Language drop-down list. These keywords will help users of the Application Catalog search for the application. Icon: Click Browse to select an icon for this application from the available icons. If you do not specify an icon, a default icon will be used for this application. Display this as a featured app and highlight it in the company portal: Select this option to display the app prominently in the company portal.

5. Click Next. 6. On the Deployment Types page of the Create Application Wizard, click Add to create a new deployment type. Note For information about how to create a deployment type, see Steps to Create a Deployment Type in this topic. 7. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard. 8. The new application appears in the Applications node of the Configuration Manager console.

1677

Steps to Create a Deployment Type

The following table provides the steps, details, and more information about how create a deployment type. Note If you select the Automatically identify information about this deployment type from installation files check box on the General page of the Create Deployment Type Wizard, you might not need to complete some of the steps in the following procedures.
Step Details More information

Step 1: Start the Create Deployment Type Wizard Step 2: Specify whether you want to automatically detect or manually define the deployment type information

No additional information.

See Step 1: Start the Create Deployment Type Wizard in this topic. See Step 2: Specify whether you want to Automatically Detect Deployment Type Information or Manually Define the Information in this topic.

You can use the following methods to configure general information about the deployment type: Automatically detect the deployment type information. Configuration Manager attempts to read information about the deployment type from the application installation files, and then automatically populates fields in the wizard with discovered information. Manually configure the deployment type information. The administrator manually enters information about the deployment type.

Step 3: Specify the content options for the deployment type

The Content page of the Create Deployment Type Wizard contains options to configure the location of the deployment type content and information about the commands that are used to install and uninstall the content.

See Step 3: Specify Content Options for the Deployment Type in this topic.

1678

Step

Details

More information

Step 4: Configure the detection methods to indicate the presence of the application

A detection method in Configuration Manager contains rules that check whether an application is already installed on a device. This detection occurs before the application is installed, immediately after the application is installed, and at regular intervals afterward. This detection can prevent Configuration Manager from needlessly reinstalling the application and can also determine whether the user has already uninstalled the application. You can specify information about the behavior of the deployment type when it is installed on devices. You can use requirements to specify the conditions that must be met before a deployment type can be installed on a client device. Dependencies define one or more deployment types from other applications that must be installed before a deployment type is installed. You can configure the dependent deployment types to be installed automatically before you install a deployment type. After you perform all the steps, confirm the settings that you selected for the deployment type, and then complete the

See Step 4: Configure Detection Methods to Indicate the Presence of the Deployment Type in this topic.

Step 5: Specify the user experience options for the deployment type Step 6: Specify the requirements for the deployment type

See Step 5: Specify User Experience Options for the Deployment Type in this topic. See Step 6: Specify Requirements for the Deployment Type in this topic.

Step 7: Specify the dependencies for the deployment type

See Step 7: Specify Dependencies for the Deployment Type in this topic.

Step 8: Confirm the deployment type settings and complete the wizard

See Step 8: Confirm the Deployment Type Settings and Complete the Wizard in this topic.
1679

Step

Details

More information

wizard. Step 9: Configure additional options for the deployment types that contain virtual applications After you create a deployment type, you can configure additional options that control the content and publishing options for the deployment types that contain virtual applications. See Step 9: Configure Additional Options for Deployment Types that contain Virtual Applications in this topic.

Supplemental Procedures to Create a Deployment Type

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Deployment Type Wizard

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. Select an application and then, on the Home tab, in the Application group, click Create Deployment Type to create a new deployment type for this application. Note You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the Deployment Types tab of the <application name> Properties dialog box.

Step 2: Specify whether you want to Automatically Detect Deployment Type Information or Manually Define the Information
Use one of the following procedures to automatically detect or manually define deployment type information. To automatically detect the deployment type information 1. On the General page of the Create Deployment Type Wizard, select the Automatically identify information about this deployment type from installation files check box. Note If you want to define this application information manually, go to the procedure.
1680

2. In the Type field, select the application installation file type that you want to use to detect the deployment type information. 3. In the Location field, specify the UNC path in the form \\<server>\<share>\<file_name> or the store link to the application installation files and the content that you want to use to detect the deployment type information, or click Browse to browse to the installation file. Note You must have access to the UNC path that contains the application and any subfolders that contain the application content. 4. Click Next. 5. On the Import Information page of the Create Deployment Type Wizard, review the information that was imported, and then click Next. You can also click Previous to go back and correct any errors. 6. On the General Information page of the Create Deployment Type Wizard, specify the following information: Note Some of the deployment type information might already be present if it was read from the application installation files. Additionally, the displayed options might differ depending on the deployment type that you are creating. Specify general information about the deployment type, such as the name, administrator comments, and available languages. Installation program: Specify the installation program and any properties that you require to install the deployment type. Install behavior: Specify whether to install the deployment type for the currently logged-on user or for all users. You can also specify whether to install the deployment type for all users if it is deployed to a device, or whether to install the deployment type to a user only if it is deployed to a user. For System Center 2012 R2 Configuration Manager only: Use an automatic VPN connection (if configured): Select this option if you want this application to open an automatic VPN connection that you have configured by using the Create VPN Profile Wizard. For more information, see VPN Profiles in Configuration Manager. This option is available only when you configure a deployment type for a Windows app package.

7. Click Next, and then continue to the procedure Step 3: Specify Content Options for the Deployment Type. To manually define the deployment type information 1. On the General page of the Create Deployment Type Wizard, select Manually specify the deployment type information. Note If you want to automatically retrieve the deployment type information, go to the procedure in Step 2: Specify whether you want to Automatically Detect
1681

Deployment Type Information or Manually Define the Information. 2. In the Type field, choose the application installation file type that you want to use to detect the deployment type information. You can choose the same installation types that you would use when you automatically detect the deployment type information, and you can additionally specify a script to install the deployment type. 3. Click Next. 4. On the General Information page of the Create Deployment Type Wizard, specify a name for the deployment type, an optional description, and the languages in which you want to make this deployment type available, and then click Next. 5. Continue to Step 3: Specify Content Options for the Deployment Type.

Step 3: Specify Content Options for the Deployment Type

Use the following procedure to specify the location of the content for the deployment type, along with the installation and uninstallation commands for the content. To specify content options for the deployment type 1. On the Content page of the Create Deployment Type Wizard, specify the following information: Content location: Specify the location of the content for this deployment type, or click Browse to choose the deployment type content folder. Important The System account of the site server computer must have permissions to the content location that you specify. Persist content in the client cache: Select this option to specify whether the content should be retained in the cache on the client computer indefinitely, even if it has already been run. Although this option can be useful with some deployments, such as Windows Installerbased software that requires a local source copy to be available for applying updates, it will reduce the available cache space. If you select this option, it might cause a large deployment to fail at a later point if the cache does not have sufficient available space. Allow clients to share content with other clients on the same subnet : Select this option to reduce load on the network by allowing clients to download content from other local clients on the network that have already downloaded and cached the content. This option utilizes Windows BranchCache technology, and you can use it on computers that run Windows Vista SP2 and later operating systems. Installation program: Specify the name of the installation program and any required installation parameters, or click Browse to browse to the installation file. Installation start in: Specify the folder that contains the installation program for the deployment type. This folder can be an absolute path on the client, or a path to the distribution point folder that contains the installation files. This field is optional. Uninstall program: Specify the name of the uninstallation program and any required parameters, or click Browse to browse to the location of the uninstallation program.
1682

This field is optional. Uninstall start in: Specify the folder that contains the uninstallation program for the deployment type. This folder can be an absolute path on the client, or a path that is relative to the distribution point folder that contains the package. This field is optional. Run installation and uninstall program as 32-bit process on 64-bit clients: Use the 32-bit file and registry locations on Windows-based computers to run the installation program for the deployment type.

2. Click Next.

Step 4: Configure Detection Methods to Indicate the Presence of the Deployment Type
Use the following procedure to configure detection methods that indicate whether the deployment type is already installed. To configure a detection method 1. On the Detection Method page of the Create Deployment Type Wizard, select Configure rules to detect the presence of this deployment type , and then click Add Clause. Note You can also select Use a custom script to detect the presence of this deployment type. For more information, see the To use a custom script to determine the presence of a deployment type section in this topic. 2. In the Detection Rule dialog box, in the Setting type drop-down list, select the method that you want to use to detect the presence of the deployment type. You can choose from the following available methods: File System: Use this method to detect whether a specified file or folder exists on a client device, thus indicating that the application is installed. Note The File system setting type does not support specifying a UNC path to a network share in the Path field. You can only specify a local path on the client device. Note Select the option This file or folder is associated with a 32-bit application on 64-bit systems to check 32-bit file locations for the specified file or folder first. If the file or folder is not found, 64-bit locations will be searched. Registry: You can use this method to detect whether a specified registry key or registry value exists on a client device, thus indicating that the application is installed. Note Select the option This registry key is associated with a 32-bit application
1683

on 64-bit systems to check 32-bit registry locations for the specified registry key first. If the registry key is not found, 64-bit locations will be searched. Windows Installer: Use this method to detect whether a specified Windows Installer file exists on a client device, thus indicating that the application is installed.

3. Specify details about the item that you want to use to detect whether this deployment type is installed. For example, you can use a file, folder, registry key, registry value, or a Windows Installer product code. 4. Specify details about the value that you want to assess against the item that you use to detect whether the deployment type is installed. For example, if you use a file to determine whether the deployment type is installed, you can select the The file system setting must exist on the target system to indicate presence of this application check box. 5. Click Next to close the Detection Rule dialog box. To use a custom script to determine the presence of a deployment type 1. On the Detection Method page of the Create Deployment Type Wizard, select the Use a custom script to detect the presence of this deployment type check box, and then click Edit. 2. In the Script Editor dialog box, in the Script type drop-down list, select the script language that you want to use to detect the deployment type. 3. In the Script contents field, enter the script that you want to use. You can also paste the contents of an existing script in this field, or click Open to browse to an existing saved script. Configuration Manager determines the results from the script by reading the values that are written to the Standard Out (STDOUT) output stream, the Standard Error (STDERR) output stream, and the exit code from the script. If the exit code is a nonzero value, the script has failed and the application detection status is unknown. If the exit code is zero and STDOUT contains data, the application detection status is Installed. Use the following table to determine how you can use the output from a script to determine whether an application is installed.
Script exit code Data read from STDOUT Data read from STDERR Script result Application detection state

0 0 0 0 Non-zero value

Empty Empty Not empty Not empty Empty

Empty Not empty Empty Not empty Empty

Success Failure Success Success Failure

Not installed Unknown Installed Installed Unknown

1684

Non-zero value Non-zero value Non-zero value

Empty Not empty Not empty

Not empty Empty Not empty

Failure Failure Failure

Unknown Unknown Unknown

The following table contains Microsoft Visual Basic (VB) sample scripts that you can use to write your own application detection scripts.
Visual Basic sample script Description

WScript.Quit(1)

The script returns an exit code that is not zero, which indicates that it failed to run successfully. In this case, the application detection state is unknown. The script returns an exit code of zero, but the value of STDERR is not empty, which indicates that the script failed to run successfully. In this case, the application detection state is unknown. The script returns an exit code of zero, which indicates that it ran successfully. However, the value for STDOUT is empty, which indicates that the application is not installed. The script returns an exit code of zero, which indicates that it ran successfully. The value for STDOUT is not empty, which indicates that the application is installed. The script returns an exit code of zero, which indicates that it ran successfully. The values for STDOUT and STDERR are not empty, which indicates that the application is installed.

WScript.StdErr.Write "Script failed" WScript.Quit(0)

WScript.Quit(0)

WScript.StdOut.Write "The application is installed" WScript.Quit(0)

WScript.StdOut.Write "The application is installed" WScript.StdErr.Write "Completed" WScript.Quit(0)

Note The maximum size that you can use for a script is 32 kilobytes (KB).
1685

4. Click OK to close the Script Editor dialog box. 5. Click Next.

Step 5: Specify User Experience Options for the Deployment Type

Use the following procedure to configure what the user will see when the deployment type is installed on their device. To specify user experience options for the deployment type 1. On the User Experience page of the Create Deployment Type Wizard, specify the following information: Installation behavior: In the drop-down list, select one of the following options: Install for user: The application is installed only for the user to whom the application is deployed. Install for System: The application is installed only once, and it is available to all users. Install for System if resource is device; otherwise install as user: If the application is deployed to a device, it will be installed for all users. If the application is deployed to a user, it will be installed for only that user.

Logon requirement: Specify the logon requirements for this deployment type from the following options: Only when a user is logged on Whether or not a user is logged on Only when no user is logged on Note This option defaults to Only when a user is logged on, and it cannot be changed if you selected Install for user in the Installation behavior dropdown list.

Installation program visibility: Specify the mode in which the deployment type will run on client devices. The following options are available: Maximized: The deployment type runs maximized on client devices. Users will see all installation activity. Normal: The deployment type runs in the normal mode based on system and program defaults. This is the default mode. Minimized: The deployment type runs minimized on client devices. Users might see the installation activity in the notification area or taskbar. Hidden: The deployment type runs hidden on client devices, and users will see no installation activity.

Allow users to view and interact with the program installation: Specify whether a user can interact with the deployment type installation to configure the installation options.
1686

Note This option is enabled by default if you selected the Install for user option in the Installation behavior drop-down list. Maximum allowed run time (minutes): Specify the maximum time that the program is expected to run on the client computer. You can specify this setting as a whole number greater than zero. The default setting is 120 minutes. This value is used for the following purposes: To monitor the results from the deployment type. To determine whether a deployment type will be installed when maintenance windows are defined on client devices. When a maintenance window is in place, a program will start only if enough time is available in the maintenance window to accommodate the Maximum Allowed Run Time setting.

Important A conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance window. If the user sets the maximum run time to a period that exceeds the length of any available maintenance window, that deployment type will not be run. 2. Estimated installation time (minutes): Specify the estimated time that installation of the deployment type will take. This is displayed to users of the Application Catalog. 3. Click Next.

Step 6: Specify Requirements for the Deployment Type

1. On the Requirements page of the Create Deployment Type Wizard, click Add to open the Create Requirement dialog box, and add a new requirement. Note You can also add new requirements on the Requirements tab of the <deployment type name> Properties dialog box. 2. In the Category drop-down list, select whether this requirement is for a device or a user, or select Custom to use a previously created global condition. When you select Custom, you can also click Create to create a new global condition. For more information about global conditions, see How to Create Global Conditions in Configuration Manager. Important If you create a requirement of the category User and the condition Primary Device, and then deploy the application to a device collection, the requirement will be ignored. 3. In the Condition drop-down list, select the condition that you want to use to assess
1687

whether the user or device meets the installation requirements. The contents of this list will vary depending on the selected category. 4. In the Operator drop-down list, select the operator that will be used to compare the selected condition to the specified value to assess whether the user or device meets the installation requirements. The available operators will vary depending on the selected condition. Important The available requirements will differ depending on the device type that the deployment type is for. 5. In the Value field, specify the values that will be used with the selected condition and operator to evaluate whether the user or device meets the installation requirements. The available values will vary depending on the selected condition and the selected operator. 6. Click OK to save the requirement rule and close the Create Requirement dialog box. 7. On the Requirements page of the Create Deployment Type Wizard, click Next.

Step 7: Specify Dependencies for the Deployment Type

Dependencies define one or more deployment types from another application that must be installed before a deployment type is installed. You can configure the dependent deployment types to be installed automatically before a deployment type is installed. Use this procedure to configure dependencies in Configuration Manager. Important In some cases, a deployment type is dependent on a deployment type that also contains dependencies. In this scenario, where a chain of dependencies exists, the maximum number of supported dependencies in the chain is five. To specify deployment type dependencies 1. On the Dependencies page of the Create Deployment Type Wizard, click Add if you want to specify the deployment types that must be installed before this deployment type can be installed. Note You can also add new dependencies on the Dependencies tab of the <deployment type name> Properties dialog box. 2. In the Add Dependency dialog box, click Add. 3. In the Specify Required Application dialog box, select an existing application and one of the application deployment types to use as a dependency. Note You can click View to display the properties of the selected application or deployment type. 4. Click OK to close the Specify Required Application dialog box.
1688

5. If you want a dependent application to be automatically installed, select Auto Install next to the dependent application. Note A dependent application does not need to be deployed to be automatically installed. 6. In the Add Dependency dialog box, in the Dependency group name field, enter a name to refer to this group of application dependencies. 7. Optionally, use the Increase Priority and Decrease Priority buttons to change the order in which each dependency is evaluated. 8. Click OK to close the Add Dependency dialog box. 9. Click Next.

Step 8: Confirm the Deployment Type Settings and Complete the Wizard
Use the following steps to complete the Create Deployment Type Wizard:

1. On the Summary page of the Create Deployment Type Wizard, review the actions that the wizard will take. Click Next to create the deployment type, or click Previous to go back and change the settings for the deployment type. 2. After the Progress page of the wizard finishes, review the actions that the wizard took, and then click Close to complete the wizard. 3. If you started the Create Deployment Type Wizard from the Create Application Wizard, you will return to the Deployment Types page of the Create Application Wizard.

Step 9: Configure Additional Options for Deployment Types that contain Virtual Applications
Use the following procedures to configure additional options for deployment types that contain virtual applications. To configure content options for Application Virtualization (App-V) deployment types 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Applications. 3. In the Applications list, select an application that contains an App-V deployment type. Then, on the Home tab, in the Properties group, click Properties. 4. In the Application Name Properties dialog box, on the Deployment Types tab, select an App-V deployment type, and then click Edit. 5. In the Deployment Type Name Properties dialog box, on the Content tab, configure the following options if required: Persist content in the client cache: Select this option to ensure that the content for this deployment type is not deleted from the Configuration Manager client cache.
1689

Load content into App-V cache before launch: Select this option to ensure that all content for the virtual application is loaded into the App-V cache before the application starts. Selection of this option also ensures that the application content is not pinned in the cache and can be deleted as required.

6. Click OK to close the <Deployment Type Name> Properties dialog box. 7. Click OK to close the <Application Name> Properties dialog box. To configure publishing options for App-V deployment types 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Applications. 3. In the Applications list, select an application that contains an App-V deployment type. Then, on the Home tab, in the Properties group, click Properties. 4. In the <Application Name> Properties dialog box, on the Deployment Types tab, select an App-V deployment type, and then click Edit. 5. In the <Deployment Type Name> Properties dialog box, on the Publishing tab, select the items in the virtual application that you want to publish. 6. Click OK to close the <Deployment Type Name> Properties dialog box. 7. Click OK to close the <Application Name> Properties dialog box.

How to import an application

Use the following procedure to import an application into Configuration Manager. For information about how to export an application, see How to Manage Applications and Deployment Types in Configuration Manager. To import an application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. On the Home tab, in the Create group, click Import Application. 4. On the General page of the Import Application Wizard, click Browse and then specify a UNC path to the compressed file (.zip file) that contains the application to import. Alternatively, click Browse and browse to the file location. 5. On the File Content page of the wizard, select the action that will be taken if the application that you are trying to import is a duplicate of an existing application. You can specify to create a new application or to ignore the duplicate and add a new revision to the existing application. 6. On the Summary page of the wizard, review the actions to be taken, and then complete the wizard. The new application will appear in the Applications node. Tip The Windows PowerShell cmdlet Import-CMApplication performs the same function
1690

as this procedure. For more information, see Import-CMApplication in the Microsoft System Center 2012 Configuration Manager SP1 Cmdlet Reference documentation.

Deployment Types Supported by Configuration Manager

Configuration Manager supports the deployment types that are described in the following sections. Note When you create an application or a deployment type by reading an application installation file, Configuration Manager can automatically populate some fields of the wizard with information from the file and associated installation files in the same folder.

Deployment Types Supported by Configuration Manager with no Service Pack, Configuration Manager SP1, and System Center 2012 R2 Configuration Manager
Name Description

Windows Installer (Native) (Configuration Manager with no service pack) or Windows Installer (*.msi file) (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) Script Installer (Native) (Configuration Manager with no service pack) or Script Installer (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) Microsoft Application Virtualization (Configuration Manager with no service pack) or Microsoft Application Virtualization 4 (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) Windows Mobile Cabinet Nokia SIS file

Creates a deployment type from a Windows Installer file

Creates a deployment type that specifies a script that runs on client devices to install content or to perform an action

Creates a deployment type from a Microsoft Application Virtualization 4 manifest

Creates a deployment type from a Windows Mobile Cabinet (CAB) file Creates a deployment type from a Nokia Symbian Installation Source (SIS) file
1691

Deployment Types Supported by Configuration Manager SP1, and System Center 2012 R2 Configuration Manager
Name Description

Windows app package (.appx file) (Configuration Manager with no service pack and Configuration Manager SP1) or Windows app package (*.appx, *.appxbundle) (System Center 2012 R2 Configuration Manager) Windows app package (in the Windows Store)

Creates a deployment type for the Windows 8 or Windows RT operating system from a Windows app package file. In System Center 2012 R2 Configuration Manager, you can also create a deployment type from a Windows app bundle (.appxbundle) package.

Creates a deployment type for Windows 8 or Windows RT by specifying a link to the app in the Windows Store by browsing to a computer that already has the app installed. If you want to deploy the app as a link to the Windows Store, make sure that the Group Policy setting Turn off the Store application is set to Disabled or Not configured. If this setting is enabled, clients will not be able to connect to the Windows Store to download and install applications.

Microsoft Application Virtualization 5 Windows Phone app package (*.xap file) Windows Phone app package (in the Windows Phone Store) App package for iOS (*.ipa file) App package for iOS from App Store App package for Android (*.apk file) App package for Android on Google Play

Creates a deployment type from a Microsoft Application Virtualization 5 package file. Creates a deployment type from a Windows Phone app package file. Creates a deployment type by specifying a link to the app in the Windows Phone. Creates a deployment type from an iOS app package file. Creates a deployment type by specifying a link to the iOS app in the App Store. Creates a deployment type from an Android app package file. Creates a deployment type by specifying a link to the app on Google Play. For example, use the URL, https://play.google.com/store/apps/details?id=com.microsoft.skydrive
1692

Name

Description

to download the Microsoft SkyDrive app from Google play. Mac OS X Creates a deployment type for Mac computers from a .cmmac file that you have created by using the CMAppUtil tool.

Deployment Types Supported by System Center 2012 R2 Configuration Manager Only

Name Description

Web Application

Creates a deployment type that specifies a link to a web application. The deployment type installs a shortcut to the web application on the users device.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create and Deploy Applications for Mac Computers in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. You can use Microsoft System Center 2012 Configuration Manager to deploy applications to Mac computers. The steps to deploy software to Mac computers are similar to those that are used to deploy software to Windows computers. However, before you create and deploy applications for Mac computers that are managed by Configuration Manager, consider the following: Before you can deploy Mac application packages to Mac computers, you must use the CMAppUtil tool on a Mac computer to convert these applications into a format that can be read by Configuration Manager. Configuration Manager does not support the deployment of Mac applications to users; these deployments must be to a device. Similarly, for Mac application deployments, Configuration Manager does not support the Pre-deploy software to the users primary device option on the Deployment Settings page of the Deploy Software Wizard. Mac applications support simulated deployments.
1693

You cannot deploy applications to Mac computers that have a purpose of Available. The option to send wake-up packets when you deploy software is not supported for Mac computers. Mac computers do not support Background Intelligent Transfer Service (BITS) to download application content. If an application download fails, it will be restarted from the beginning. Configuration Manager does not support global conditions when you create deployment types for Mac computers.

Use the following steps to create and deploy applications for Mac computers.

Steps to Create and Deploy an Application

The following table provides the steps, details, and more information for creating and deploying applications for Mac computers.
Step Details More information

Step 1: Prepare Mac applications for Configuration Manager.

Before you can create See Step 1: Prepare Mac Configuration Manager Applications for Configuration applications from Mac software Manager in this topic. packages, you must use the CMAppUtil tool on a Mac computer to convert the Mac software into a Configuration Manager .cmmac file. Use the Create Application See Step 2: Create a Wizard to create an application Configuration Manager for the Mac software. application that contains the Mac software in this topic. This step is required only if you See Step 3: Create a did not automatically import Deployment Type for the Mac this information from the Application in this topic. application. Use the Deploy Software Wizard to deploy the application to Mac computers. Monitor the success of application deployments to Mac computers. See Step 4: Deploy the Mac Application in this topic. See Step 5: Monitor the Deployment of the Mac Application in this topic.

Step 2: Create a Configuration Manager application that contains the Mac software Step 3: Create a deployment type for the Mac application

Step 4: Deploy the Mac application Step 5: Monitor the deployment of the Mac application

1694

Supplemental Procedures to Create and Deploy Applications for Mac Computers

Use the following procedures to create and deploy applications for Mac computers that are managed by Configuration Manager.

Step 1: Prepare Mac Applications for Configuration Manager

The required process to create and deploy Configuration Manager applications to Mac computers is similar to the deployment process for Windows computers. However, before you create Configuration Manager applications that contain Mac deployment types, you must prepare the applications by using the CMAppUtil tool. This tool is downloaded with the Mac client installation files. The CMAppUtil tool can gather information about the application, which includes detection data from the following Mac packages: Apple Disk Image (.dmg) Meta Package File (.mpkg) Mac OS X Installer Package (.pkg) Mac OS X Application (.app)

After it gathers application information, the CMAppUtil then creates a file with the extension .cmmac. This file contains the installation files for the Mac software and information about detection methods that can be used to evaluate whether the application is already installed. CMAppUtil can also process .dmg files that contain multiple Mac applications and create different deployment types for each application. To prepare Mac software to be deployed by Configuration Manager 1. Copy the Mac software installation package to the folder on the Mac computer where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center. 2. On the same Mac computer, open a terminal window and navigate to the folder where you extracted the contents of the macclient.dmg file. 3. Navigate to the Tools folder and enter the following command-line: ./CMAppUtil <properties> For example, if you want to convert the contents of an Apple disk image file named MySoftware.dmg stored in the users desktop folder into a cmmac file in the same folder and you want to create cmmac files for all applications that are found in the disk image file. To do this, use the following command line: ./CMApputil c /Users/<User Name>/Desktop/MySoftware.dmg -o /Users/<User Name>/Desktop -a Note The application name must be no more than 128 characters in length. To configure options for CMAppUtil, use the command-line properties in the following
1695

table:
Property More information

-h -r

Displays the available command-line properties. Outputs the detection.xml of the provided .cmmac file to stdout. The output contains the detection parameters and the version of CMAppUtil that was used to create the .cmmac file. Specify the source file to be converted. This property must be used in conjunction with the c property to specify the output path. Use this property in conjunction with the c property and the disk image (.dmg) file to automatically create .cmmac files for all applications and packages that are found in the disk image file. Skips generating the detection.xml if no detection parameters are found and forces the creation of the .cmmac file without the detection.xml file. Displays more detailed output from the CMAppUtil tool together with diagnostic information.

-c -o

-a

-s

-v

4. Ensure that the .cmmac file has been created in the output folder that you specified.

Step 2: Create a Configuration Manager application that contains the Mac software
Use the following procedure to help you create an application for Mac computers that are managed by Configuration Manager. To create an application for a Mac computer 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications.
1696

3. On the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. Note Select Manually specify the application information if you want to specify information about the application yourself. For more information about how to manually specify the information, see the To manually define application information section in the How to Create Applications in Configuration Manager topic. 5. In the Type drop-down list, select Mac OS X. 6. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the Mac application installation file (.cmmac file) that will detect application information. Alternatively, click Browse to browse and specify the installation file location. Note You must have access to the UNC path that contains the application. 7. Click Next. 8. On the Import Information page of the Create Application Wizard, review the information that was imported. If necessary, you can click Previous to go back and correct any errors. Click Next to proceed. 9. On the General Information page of the Create Application Wizard, specify information about the application such as the application name, comments, version, and an optional reference to help you reference the application in the Configuration Manager console. Note Some of the application information might already be present on this page if it was previously obtained from the application installation files. 10. Click Next, review the application information on the Summary page, and then complete the Create Application Wizard. 11. The new application is displayed in the Applications node of the Configuration Manager console.

Step 3: Create a Deployment Type for the Mac Application

Use the following procedure to help you create a deployment type for Mac computers that are managed by Configuration Manager. Note If you automatically imported information about the application in the Create Application Wizard, a deployment type for the application might already have been created. To create a deployment type for a Mac computer

1697

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. Select an application and then, on the Home tab, in the Application group, click Create Deployment Type to create a new deployment type for this application. Note You can also start the Create Deployment Type Wizard from the Create Application Wizard and from the Deployment Types tab of the <application name> Properties dialog box. 4. On the General page of the Create Deployment Type Wizard, in the Type drop-down list, select Mac OS X. 5. In the Location field, specify the UNC path in the form \\<server>\<share>\<filename> to the application installation file (.cmmac file). Alternatively, click Browse to browse and specify the installation file location. Note You must have access to the UNC path that contains the application. 6. Click Next. 7. On the Import Information page of the Create Deployment Type Wizard, review the information that was imported. If necessary, click Previous to go back and correct any errors. Click Next to continue. 8. On the General Information page of the Create Deployment Type Wizard , specify information about the application such as the application name, comments, and the languages in which the deployment type is available. Note Some of the deployment type information might already be present on this page if it was previously obtained from the application installation files. 9. Click Next. 10. On the Requirements page of the Create Deployment Type Wizard, you can specify the conditions that must be met before the deployment type can be installed on Mac computers. 11. Click Add to open the Create Requirement dialog box and add a new requirement. Note You can also add new requirements on the Requirements tab of the <deployment type name> Properties dialog box. 12. From the Category drop-down list, select that this requirement is for a device. 13. From the Condition drop-down list, select the condition that you want to use to assess whether the or Mac computer meets the installation requirements. The contents of this list will vary depending on the selected category. 14. From the Operator drop-down list, choose the operator that will be used to compare the
1698

selected condition to the specified value to assess whether the user or device meets in the installation requirement. The available operators will vary depending on the selected condition. 15. In the Value field, specify the values that will be used with the selected condition and operator whether the user or device meets in the installation requirement. The available values will vary depending on the selected condition and the selected operator. 16. Click OK to save the requirement rule and exit the Create Requirement dialog box. 17. On the Requirements page of the Create Deployment Type Wizard, click Next. 18. On the Summary page of the Create Deployment Type Wizard, review the actions for the wizard to take. If necessary, click Previous to go back and change deployment type settings. Click Next to create the deployment type. 19. After the Progress page of the Wizard completes, review the actions that have been taken, and then click Close to complete the Create Deployment Type Wizard. 20. If you started this wizard from the Create Application Wizard, you will return to the Deployment Types page of the wizard.

Step 4: Deploy the Mac Application

The steps to deploy an application to Mac computers are the same as those used to deploy an application to Windows computers, except for the following differences: The deployment of applications to users is not supported. Deployments that have a purpose of Available are not supported. The Pre-deploy software to the users primary device option on the Deployment Settings page of the Deploy Software Wizard is not supported. Because Mac computers do not support Software Center, the setting User notifications on the User Experience page of the Deploy Software Wizard is ignored. The option to send wake-up packets when you deploy software is not supported for Mac computers. Note You can build a collection containing only Mac computers. To do so, create a collection that uses a query rule and use the example WQL query in the Example WQL Queries section of the topic How to Create Queries in Configuration Manager. For more information, see How to Deploy Applications in Configuration Manager.

Step 5: Monitor the Deployment of the Mac Application

You can use the same process to monitor application deployments to Mac computers as you would use for application deployments to Windows computers. For more information, see How to Monitor Applications in Configuration Manager.

1699

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Deploy Applications in Configuration Manager

Before you can deploy an application in Microsoft System Center 2012 Configuration Manager, you must create at least one deployment type for the application. For more information about creating applications and deployment types, see How to Create Applications in Configuration Manager. Important You can deploy (install/uninstall) required applications, but not packages or software updates. Available applications, which users request from the Application Catalog, are not supported for mobile devices. Mobile devices also do not support simulated deployments. Additionally, mobile devices do not support user experience and scheduling settings in the Deploy Software Wizard. To deploy an application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that you want to deploy. Then, in the Home tab, in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the following information: Software This displays the application to deploy. You can click Browse to select a different application to deploy. Collection Click Browse to select the collection to deploy the application to. Use default distribution point groups associated to this collection Select this option if you want to store the application content on the collection's default distribution point group. If you have not associated the selected collection with a distribution point group, this option is not available. Automatically distribute content for dependencies If this is enabled and any of the deployment types in the application contain dependencies, then the dependent application content will be also sent to distribution points. Important If you update the dependent application after the primary application has been deployed, any new content for the dependency will not be automatically
1700

distributed. Comments (optional) Optionally, enter a description of this deployment. 5. Click Next. 6. On the Content page of the Wizard, click Add to add the content that is associated with this deployment to distribution points or distribution point groups. If you have selected Use default distribution points associated to this collection on the General page of the Wizard, then this option will be automatically populated and can only be modified by a member of the Application Administrator security role. 7. Click Next. 8. On the Deployment Settings page of the Deploy Software Wizard, specify the following information: Action From the drop-down list, choose whether this deployment is intended to Install or Uninstall the application. Note If an application is deployed twice to a device, once with an action of Install and once with an action of Uninstall, the application deployment with an action of Install will take priority. Note You cannot change the action of a deployment after it has been created. Purpose From the drop-down list, choose one of the following options: Available - If the application is deployed to a user, the user sees the published application in the Application Catalog and can request it on demand. If the application is deployed to a device, the user will see it in the Software Center and can install it on demand. Required - The application is deployed automatically according to the configured schedule. However, a user can track the application deployment status if it is not hidden, and can install the application before the deadline by using the Software Center. Note When the deployment action is set to Uninstall, the deployment purpose is automatically set to Required and cannot be changed. Deploy automatically according to schedule whether or not a user is logged on If the deployment is to a user, select this option to deploy the application to the users primary devices. This setting does not require the user to log on before the deployment runs. Do not select this option if the user must provide input to complete the installation. This option is only available when the deployment has a purpose of Required. Note In System Center 2012 Configuration Manager SP1, this option is named Pre-deploy software to the users primary device.
1701

Send wake-up packets If the deployment purpose is set to Required and this option is selected, a wake-up packet is sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers and networks must be configured for Wake On LAN. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Allow clients on a metered Internet connection to download content after the installation deadline, which might occur additional costs This option is only available for deployments with a purpose of Required.

Require administrator approval if users request this application If this option is selected, the administrator must approve any user requests for the application before it can be installed. This option is unavailable when the deployment purpose is Required or when the application is deployed to a device collection. Note Application approval requests are displayed in the Approval Requests node, under Application Management in the Software Library workspace. If an approval request is not approved within 45 days, it will be removed. Additionally, reinstalling the Configuration Manager client might cancel any pending approval requests.

Automatically upgrade any superseded version of this application If this option is selected, any superseded versions of the application will be upgraded with the superseding application.

9. Click Next. 10. On the Scheduling page of the Deploy Software Wizard, configure when this application will be deployed or made available to client devices. Note The options on this page will differ depending on whether the deployment action is set to Available or Required. 11. If the application you are deploying supersedes another application, you can configure the installation deadline when users will receive the new application. Do this by using the setting Installation Deadline to upgrade users with superseded application . 12. Click Next. 13. On the User Experience page of the Deploy Software Wizard, specify information about how users can interact with the application installation. For Configuration Manager SP1 only: When you deploy applications to Windows Embedded devices that are write-filter enabled, you can specify to install the application on the temporary overlay and commit changes later, or to commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
1702

Note When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. For more information about how maintenance windows are used when you deploy applications to Windows Embedded devices, see the Introduction to Application Management in Configuration Manager topic. Note The options Software Installation and System restart (if required to complete the installation) are not used if the deployment purpose is set to Available. You can also configure the level of notification a user sees when the application is installed. 14. Click Next. 15. On the Alerts page of the Deploy Software Wizard, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure thresholds for reporting alerts and turn off reporting for the duration of the deployment. 16. Click Next. 17. On the Summary page of the Deploy Software Wizard, review the actions that will be taken by this deployment, and then click Next to complete the Wizard. 18. The new deployment will be displayed in the Deployments list in the Deployments node of the Monitoring workspace. You can edit the properties of this deployment or delete the deployment from the Deployments tab of the application detail pane. To delete an application deployment 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that for which to delete the deployment. 4. In the Deployments tab of the <application name> list, select the application deployment to delete. Then, in the Deployment tab, in the Deployment group, click Delete. When you delete an application deployment, any instances of the application that have already been installed are not removed. To remove these applications, you must deploy the application to computers with the action Uninstall. If you delete an application deployment, or remove a resource from the collection you are deploying to, the application will no longer be visible in Software Center or the Application Catalog.

See Also
Operations and Maintenance for Application Management in Configuration Manager

1703

How to Simulate an Application Deployment in Configuration Manager

Use simulated deployments if you want to test the applicability of an application deployment to computers without installing or uninstalling the application. A simulated deployment evaluates the detection method, requirements and dependencies for a deployment type, and reports the results in the Deployments node of the Monitoring workspace. Use the procedure in this topic to simulate an application deployment in Microsoft System Center 2012 Configuration Manager. Note You cannot use simulated deployments for collections of mobile devices. Note You cannot deploy an application with a deployment purpose of Uninstall if a simulated deployment of the same application is active. To simulate an application deployment 1. In the Configuration Manager console, select one of the following: A collection of users. A collection of devices. A Configuration Manager application.

2. In the Home tab, in the Deployment group, click Simulate Deployment. 3. In the Simulate Application Deployment Wizard , specify the following information: Application: Click Browse and then select the application for which you want to create a simulated deployment. Collection: Click Browse and then select the collection that you want to use for the simulated deployment. Action: From the drop-down list, select whether you want to simulate the installation, or the uninstallation of the selected application. Deploy automatically with or without user login If this option is checked, the clients will evaluate the simulated deployment whether or not the clients are logged in.

4. Click Next, review the information on the Summary page, and then complete the wizard to create the simulated application deployment. 5. Simulated applications appear in the Deployments node of the Monitoring workspace with a purpose of Simulate. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

See Also
Operations and Maintenance for Application Management in Configuration Manager
1704

How to Manage Applications and Deployment Types in Configuration Manager

Use the information in the following sections to help you manage Microsoft System Center 2012 Configuration Manager applications and deployment types. How to Manage Applications How to Manage Deployment Types

For information about how to create applications and deployment types, see How to Create Applications in Configuration Manager. Important Depending on the type of application or deployment type, some of the management options might not be available.

How to Manage Applications

In the Software Library workspace, expand Application Management, select Applications, select the application to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details More information

Manage Access Accounts

Opens the Manage Access Accounts dialog box where you can specify the level of access that is allowed for the content that is associated with the selected application.

No additional information.

Create Prestage Content File

Opens the Create Prestaged Content File Wizard that See Prestage helps you to manage the distribution of content to Content on a remote distribution points. When the scheduling and Distribution Point. throttling does not provide a valid solution for the remote distribution point, you can prestage the content on the distribution point Opens the Application Revision History dialog box that allows you to view the properties of revisions that were made to this application, delete old application revisions and restore old versions of this application. See How to Manage Application Revisions in Configuration Manager. See How to
1705

Revision History

Create

Opens the Create Deployment Type Wizard that

Task

Details

More information

Deployment Type

allows you to add a new deployment type to the selected application.

Create Applications in Configuration Manager.

Update Statistics

Updates the information that is displayed in the See How to Deployments node of the Monitoring workspace about Monitor the deployments of this application. Applications in Configuration Manager. This option reinstates an application that was retired by using the Retire management task. When you retire an application, it is no longer available for deployment but the application and any deployments of the application are not deleted. Existing copies of this application that were installed on client computers will not be removed. If an application that has no deployments is retired, it will be deleted from the Configuration Manager console after 60 days. However, any installed copies of the application are not removed. Important To delete an application, you must first retire the application, delete any deployments, remove references to it by other deployments, and then delete all of its revisions. No additional information. See How to Manage Application Revisions in Configuration Manager.

Reinstate Retire

Export

Opens the Export Application Wizard that allows you to export the selected applications to a .zip file that you can then archive or install on another site. If you choose to export application content, a folder will be created and will contain the content. You can also export application dependencies, supersedence relationships and conditions and content for the application and its dependencies. Tip The Windows PowerShell cmdlet, ExportCMApplication, performs the same function. For more information, see http://go.microsoft.com/fwlink/p/?LinkID=258880 in the Microsoft System Center 2012

No additional information.

1706

Task

Details

More information

Configuration Manager SP1 Cmdlet Reference documentation. Delete Deletes the currently selected application. Note You cannot delete an application if other applications are dependent on it, if it has an active deployment, or if it has dependent task sequences. Simulate Deployment Opens the Simulate Application Deployment Wizard where you can test the results of an application deployment to computers without installing or uninstalling the application. No additional information.

See How to Simulate an Application Deployment in Configuration Manager. See How to Deploy Applications in Configuration Manager. See Operations and Maintenance for Content Management in Configuration Manager. See How to Use Application Supersedence in Configuration Manager. See How to Create Global Conditions in Configuration Manager.

Deploy

Opens the Deploy Software Wizard where you can deploy the selected application to collections of computers in your hierarchy.

Distribute Content

Opens the Distribute Content Wizard where you can copy the content for the selected application to distribution points in your hierarchy.

View Relationships

Displays a graphical diagram showing the relationships of the selected applications to other applications. Choose from one of the following: Dependency Displays the applications that are dependent on, and the applications that the selected application depends on. Supersedence Displays the applications that are superseded, and applications that the selected item is superseded by. Global Conditions Displays the global conditions that are referenced by this application.

1707

How to Manage Deployment Types

In the Software Library workspace, expand Application Management, select Applications, select the application that contains the deployment type that you want to manage, in the details pane, click the Deployment Types tab, select the deployment type that you want to manage and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Task Details More information

Increase Priority

Increases the priority of the No additional information. selected deployment type. Deployment types are evaluated in order. When a deployment type meets the specified requirements, it will be run and then no further deployment types on the priority list will be evaluated. Decreases the priority of the selected deployment type. Deletes the selected deployment type. Important You cannot delete a deployment type if it is referenced by a deployment type in another application. To delete a deployment type, you must remove any dependencies to the deployment type that are contained in other deployment types. Additionally, you must also remove previous revisions of any application that contains a deployment type that references the deployment type that you want to delete.
1708

Decrease Priority Delete

No additional information. No additional information.

Task

Details

More information

Update Content

Refreshes the content for the selected deployment type. When you start this wizard for a deployment type that contains a virtual application, the Update Content Wizard is started. This wizard allows you to modify publishing options and requirement rules for the selected virtual application. For more information, see How to Create Deployment Types in Configuration Manager. Important When you refresh the content of a deployment type, a new revision of the application is created. This might cause client devices to be updated with the new application.

No additional information.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage Application Revisions in Configuration Manager

When you make revisions to an application or to a deployment type that is contained in an application, Microsoft System Center 2012 Configuration Manager creates a new revision of the application. You can display the history of each application revision. You can also view its properties, restore a previous revision of an application, or delete an old revision. Important If you restore an application revision or create a new application revision and make changes to the detection method of one of the applications deployment types, then the installed copies of the application might be automatically replaced when the deployment
1709

schedule is next evaluated. For more control over application replacement, create a new application that supersedes the application that you want to replace and then deploy this application to the required collection. For more information, see How to Use Application Supersedence in Configuration Manager. To display an application revision history 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that you want. 3. On the Home tab, in the Application group, click Revision History to open the Application Revision History dialog box. To view an application revision 1. In the Application Revision History dialog box, select an application revision, and then click View. 2. In the Properties dialog box, examine the properties of the selected application. Note The application properties that are displayed are read-only. 3. Close the Properties dialog box. To restore an application revision 1. In the Application Revision History dialog box, select an application revision, and then click Restore. 2. In the Confirm Revision Restore dialog box, click Yes to restore the selected application revision. To delete an application revision 1. In the Application Revision History dialog box, select an application revision, and then click Delete. 2. In the Delete Application Revision dialog box, click Yes. Note You can only delete the current application revision if the application is retired and contains no references.

See Also
Operations and Maintenance for Application Management in Configuration Manager

1710

How to Use Application Supersedence in Configuration Manager

Application management in Microsoft System Center 2012 Configuration Manager allows you to upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace the deployment type of the superseded application and also configure whether to upgrade or uninstall the superseded application before the superseding application is installed. When you supersede an application, this applies to all future deployments and Application Catalog requests. This will not affect the existing installations of the application. Important When the option to uninstall the superseded deployment type is selected, a deployment type cannot be superseded by a deployment type that was deployed to a different collection type. For example, a deployment type that was deployed to a device collection cannot be superseded by a deployment type that was deployed to a user collection if the option to uninstall the superseded deployment type is selected. To specify a supersedence relationship 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that will supersede another application. 3. On the Home tab, in the Properties group, click Properties to open the <Application Name> Properties dialog box. 4. On the Supersedence tab of the <Application Name> Properties dialog box, click Add. 5. In the Specify Supersedence Relationship dialog box, click Browse. 6. In the Choose Application dialog box, select the application that you want to supersede and then click OK. 7. In the Specify Supersedence Relationship dialog box, select the deployment type that will replace the deployment type of the superseded application. Note By default, the new deployment type will not uninstall the deployment type of the superseded application. This scenario is commonly used when you want to deploy an upgrade to an existing application. Select Uninstall to remove the existing deployment type before the new deployment type is installed. If you decide to upgrade an application, make sure that you test this in a lab environment first. 8. Click OK to close the Specify Supersedence Relationship dialog box. 9. Click OK to close the <Application Name> Properties dialog box.

1711

To display applications that supersede the current application 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, click Applications, and then click the application that you want. 3. On the Home tab, in the Properties group, click Properties to open the <Application Name> Properties dialog box. 4. On the References tab of the <Application Name> Properties dialog box, select Applications that supersede this application from the Relationship type drop-down list. 5. Review the list of applications that supersede the selected application, then click OK to close the <Application Name> Properties dialog box.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Uninstall Applications in Configuration Manager

Perform the following steps to uninstall an application by using Microsoft System Center 2012 Configuration Manager: Specify the command line to uninstall the deployment type content on the Content page of the Create Deployment Type Wizard. Deploy the application by using a deployment action of Uninstall. Important Some application types do not support uninstallation. The following list gives more information about the application uninstall behavior: When you uninstall a Configuration Manager application, the dependent applications are not automatically uninstalled. If you deploy an application that uses an action of Uninstall to a user, and the application was installed for all users of the computer, then the uninstall might fail if the users account does not have permissions to uninstall the application. If you remove a user or device from a collection that has an application deployed to it, the application will not be automatically removed from the device. A deployment with the deployment purpose of Uninstall does not check requirement rules. If the application is installed on the computer on which the deployment runs, it will be uninstalled. Important
1712

You must delete any existing deployments or simulated deployments of an application to a collection before you can deploy the application with a deployment action of Uninstall. For more information about how to create a deployment type, see How to Create Applications in Configuration Manager. For more information about how to deploy an application, see How to Deploy Applications in Configuration Manager. To uninstall an application 1. Configure the application deployment type with the uninstall command line by using one of the following methods: On the General page of the Create Deployment Wizard, select the option Automatically identify information about this deployment type from installation files. If the information is available in the installation files, the uninstall command line is automatically added to the deployment type properties. On the Content page of the Create Deployment Type Wizard, in the Uninstall program field, specify the command line to uninstall the application. Note The Content page is displayed only if you select the option Manually specify the deployment type information on the General page of the Create Deployment Type Wizard. In the Programs tab of the <deployment type name> Properties dialog box specify the command line to uninstall the application in the Uninstall program field.

2. Deploy the application and select the deployment action Uninstall from the Deployment Settings page of the Deploy Software Wizard. Note When you select a deployment action of Uninstall, the deployment purpose is automatically configured as Required.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Monitor Applications in Configuration Manager

In Microsoft System Center 2012 Configuration Manager, you can monitor the deployment of all software, including software updates, compliance settings, applications, task sequences, and packages and programs. You can monitor deployments by using the Monitoring workspace in the Configuration Manager console or by using reports.
1713

Applications in Configuration Manager support state-based monitoring, which allows you to track the last application deployment state for users and devices. These state messages display information about individual devices. For example, if an application is deployed to a collection of users, you can view the compliance state of the deployment and the deployment purpose in the Configuration Manager console. An application deployment state has one of the following compliance states: Success The application deployment succeeded or was found to be already installed. In Progress The application deployment is in progress. Unknown The state of the application deployment could not be determined. This state is not applicable for deployments with a purpose of Available. This state is typically displayed when state messages from the client are not yet received. Requirements Not Met The application was not deployed because it was not compliant with a dependency or a requirement rule, or because the operating system to which it was deployed was not applicable. Error The application failed to deploy because of an error.

You can view additional information for each compliance state, which includes subcategories within the compliance state and the number of users and devices in this category. For example, the Error compliance state includes the following subcategories: Error evaluating requirements Content related errors Installation errors

When more than one compliance state applies for an application deployment, you can see the aggregate state that represents the lowest compliance. For example: If a user logs in to two devices and the application is successfully installed on one device but fails to install on the second device, the aggregate deployment state of the application for that user displays as Error. If an application is deployed to all users that log on to a computer, you will receive multiple deployment results for that computer. If one of the deployments fails, the aggregate deployment state for the computer displays as Error.

The deployment state for package and program deployments is not aggregated. Use these subcategories to help you to quickly identify any important issues with an application deployment. You can also view additional information about the devices that fall into a particular subcategory of a compliance state. Application management in Configuration Manager includes a number of built-in reports that allow you to monitor information about applications and deployments. These reports have the report category of Software Distribution Application Monitoring. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. To monitor the state of an application in the Configuration Manager console

1714

1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. To review deployment details for each compliance state and the devices in that state, select a deployment, and then, on the Home tab, in the Deployment group, click View Status to open the Deployment Status pane. In this pane, you can view the assets with each compliance state. Click any asset to view more detailed information about the deployment status to that asset. Note The number of items that can be displayed in the Deployment Status pane is limited to 20,000. If you need to see more items, use Configuration Manager reports to view application status data. The status of deployment types is aggregated in the Deployment Status pane. To view more detailed information about the deployment types, use the report Application Infrastructure Errors in the report category Software Distribution Application Monitoring. 4. To review general status information about an application deployment, select a deployment, and then click the Summary tab in the Selected Deployment window. 5. To review information about the applications deployment type, select a deployment, and then click the Deployment Types tab in the Selected Deployment window. Important The information shown in the Deployment Status pane after you click View Status is live data from the Configuration Manager database. The information shown in the Summary tab and the Deployment Types tab is summarized data. If the data that is shown in the Summary tab and the Deployment Types tab does not match the data that is shown in the Deployment Status pane, click Run Summarization to update the data in these tabs. You can configure the default application deployment summarization interval as follows: In the Configuration Manager console, click Administration. In the Administration workspace, expand Site Configuration, and then click Sites. From the Sites list, select the site for which you want to configure the summarization interval, and then in the Home tab, in the Settings group, click Status Summarizers. In the Status Summarizers dialog box, click Application Deployment Summarizer, and then click Edit. In the Application Deployment Summarizer Properties dialog box, configure the required summarization intervals and then click OK.

See Also
Operations and Maintenance for Application Management in Configuration Manager
1715

How to Manage User Device Affinity in Configuration Manager

User device affinity in Microsoft System Center 2012 Configuration Manager is a method of associating a user with one or more specified devices. User device affinity can eliminate the need to know the names of a users devices in order to deploy an application to that user. Instead of deploying the application to all of the users devices, you deploy the application to the user. Then, user device affinity automatically ensures that the application install on all devices that are associated with that user. You can define primary devices. These are typically the devices that users use on a daily basis to perform their work. When you create an affinity between a user and a device, you gain more software deployment options. For example, if a user requires Microsoft Office Visio, you can install it on the users primary device by using a Windows Installer deployment. However, on a device that is not a primary device, you might deploy Microsoft Office Visio as a virtual application. You can also use user device aff inity to predeploy software on a users device when the user is not logged in. Then, when the user logs on, the application is already installed and ready to run. In addition to following the procedures in this topic, you can configure user device affinity when you deploy an operating system to a computer. For more information, see How to Associate Users with a Destination Computer. You must manage user device affinity information for computers. User device affinities are automatically managed by Configuration Manager for the mobile devices that it enrolls.

How to Manually Configure User Device Affinity

Use the following procedures to manually configure the affinity between users and devices from the Configuration Manager console. To configure primary users for a device 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices. 3. Select a device from the list. Then, in the Home tab, in the Device group, click Edit Primary Users. 4. In the Edit Primary Users dialog box, search for and select the users to add as primary users for the selected device, and then click Add. Note The Primary Users list shows users who are already primary users of this device and the method by which each user-device relationship was assigned. 5. Click OK to close the Edit Primary Users dialog box.

1716

To configure primary devices for a user 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Users. 3. Select a user from the list. Then, in the Device tab, click Edit Primary Devices. 4. In the Edit Primary Devices dialog box, search for and select the devices to add as primary devices for the selected user, and then click Add. Note The Primary Devices list shows devices that are already configured as primary devices for this user and the method by which each user-device relationship was assigned. 5. Click OK to close the Edit Primary Devices dialog box.

How to configure the site to automatically create user device affinities

Use the following procedure to enable your Configuration Manager site to automatically create user device affinities from usage data that is reported by client devices. Configuration Manager reads data about user logons from the Windows Event log. To be able to automatically create user device affinities, you must enable the following two settings from the local security policy on client computers to store logon events in the Windows Event log. Audit account logon events Audit logon events

You can use Windows Group Policy to configure these settings. Important If an error causes the Windows Event log to generate a high number of entries, this can result in a new event log being created. If this occurs, existing logon events might be no longer be available to Configuration Manager. Important Be careful implementing the Audit account logon events and Audit logon events in Windows XP. By default the retention policy is 7 days and it is very likely that these events will fill up the Security Event Log. Standard users will not be able to logon if the event log is full. To prevent the issue, also set the policy Retention Method for the security log to Overwrite events as needed. To allow sufficient data for user device affinity, also set the policy Maximum security log size to a reasonable value such as 5-20 MB. To configure the site to automatically create user device affinities

1717

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. To modify the default client settings, select Default Client Settings, and then, in the Home tab, in the Properties group, click Properties. To create custom client agent settings, select the Client Settings node, and then, in the Home tab, in the Create group, click Create Custom Client Device Settings. Note If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information about configuring client settings, see How to Configure Client Settings in Configuration Manager. 4. For the client setting User and Device Affinity, configure the following: User device affinity threshold (minutes) - Specify the number of minutes of usage before a user device affinity is created. User device affinity threshold (days) Specify the number of days over which the usage based affinity threshold is measured. Note For example, if User device affinity threshold (minutes) is specified as 60 minutes and User device affinity threshold (days) is specified at 5 days, the user must use the device for at least 60 minutes over a period of 5 days to automatically create a user device affinity. Automatically configure user device affinity from usage data From the dropdown list, select True to enable the site to automatically create user device affinities. If you select False, then an administrative user must approve all user device affinity assignments. Important After an automatic user device affinity is created, Configuration Manager continues to monitor the user device affinity thresholds. If the users activity for the device falls below the configured thresholds, then the user device affinity will be removed. Configure User device affinity threshold (days) to a value of at least 7 days to avoid situations where an automatically configured user device affinity might be lost while the user is not logged on, for example, during the weekend. 5. Click OK to close the client settings dialog box.

How to import a file that contains user device affinities

You can import a file that contains user device affinities to enable you to create many relationships at one time. For this procedure, the subject devices must have been discovered and exist as resources in the Configuration Manager database, otherwise this procedure will fail.
1718

Use this procedure to import a file containing user and device affinities to System Center 2012 Configuration Manager. To import a file that contains user device affinities 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click either Users or Devices. 3. On the Home tab, in the Create group, click Import User Device Affinity. 4. On the Choose Mapping page of the Import User Device Affinity Wizard, specify the following information: File name Specify a comma-separated values (.csv) file that contains a list of users and devices between which you want to create an affinity. In this file, each user-anddevice pair must be on a separate line separated by a comma. Use the format <Domain>\<user name>,<device NetBIOS name>. Important The devices listed in the file must already exist as resources in the Configuration Manager database. Otherwise, the import will fail. This file has column headings for reference purposes If the comma-separated values file has a top-row header line, select this option and the header line will be ignored during the import.

5. If the file you are importing contains more than two items on each line, you can use Column and Assign to specify which columns represent users and devices and which columns to ignore during import. 6. Click Next and then complete the Import User Device Affinity Wizard.

How to allow users to create a user device affinity

Use these procedures to allow users to create their own user device affinity from the Application Catalog. To configure the site to allow users to create a user device affinity 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. To modify the default client settings, select Default Client Settings, and then, in the Home tab, in the Properties group, click Properties. To create custom client agent settings, select the Client Settings node, and then, in the Home tab, in the Create group, click Create Custom Client User Settings. Note If you modify the default client settings, they will be deployed to all computers in the hierarchy. For more information about configuring client settings, see How to Configure Client Settings in Configuration Manager.
1719

4. Configure the following for the client setting User and Device Affinity: In the Allow user to define their primary devices drop-down list, select True. 5. Click OK to close the client settings dialog box. To configure a user device affinity 1. In the Application Catalog, click My Systems. 2. Enable the option I regularly use this computer to do my work.

How to Manage User Device Affinity Requests

When the client setting Automatically configure user device affinity from usage data is set to False, an administrative user must approve all user device affinity assignments. Use the following procedure to approve or reject a Configuration Manager user device affinity assignment. To approve or reject a user device affinity assignment 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, select the user or device collection for which you want to manage affinity requests. 3. In the Home tab, in the Collection group, click Manage Affinity Requests. 4. In the Manage User Device Affinity Requests dialog box, select the affinity requests to approve or reject, and then click Approve or Reject. 5. Click Close to close the Manage User Device Affinity Requests dialog box.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create Global Conditions in Configuration Manager

In System Center 2012 Configuration Manager, global conditions are rules that represent business or technical conditions that you can use to specify how an application is provided and deployed to client devices. You can create global conditions from the Global Conditions node of the Configuration Manager console or from within the Create Deployment Type Wizard. Global conditions are accessed from the Requirements page of the Create Deployment Type Wizard. Note You can only edit global conditions from the site where they were created. Use the following procedures to create Configuration Manager global conditions.
1720

Provide Basic Information about the Global Condition

Several different types of global conditions are available. Different options are associated with the different global condition types. When you select a specific global condition type, Configuration Manager displays the options that apply to your selection. To provide basic information about the global condition 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Global Conditions. 3. On the Home tab, in the Create group, click Create Global Condition. 4. In the Create Global Condition dialog box, provide a name and an optional description for the global condition. 5. In the Device type drop-down list, choose whether the global condition is for a Windows computer, Windows Mobile device, or a Nokia device. 6. In the Condition Type drop-down list, choose one of the following options: Setting This option checks for the existence of one or more items on client devices. For example, you can check that a particular file, folder, or registry key value exists on a client device. Expression This option allows you to configure more complex rules to determine if the condition is satisfied on client devices. For example, you can determine if the physical memory on a computer is between 2 GB and 4 GB or to determine if a mobile device uses touch screen input.

Configure Rules for the Global Condition

The procedure for defining the global condition rules is different depending on whether you are configuring a setting or an expression. Use the applicable procedure here to configure a setting or an expression for the global condition. To configure a setting for the global condition 1. In the Condition Type drop-down list, choose Setting. 2. In the Setting type drop-down list, choose the item to use as the condition for which requirements will be checked. The following setting types are available.
Setting type More information

Active Directory query

Configure the following for this setting type: LDAP prefix - Specify a valid LDAP prefix to the Active Directory Domain Services query to assess compliance
1721

on client computers. You can use either LDAP:// or GC://. Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that will be assessed for compliance on client computers. Search filter - Specify an optional LDAP filter to refine the results from the Active Directory Domain Services query to assess compliance on client computers. Search scope - Specify the search scope in Active Directory Domain Services: Base - Queries only the object specified. One Level - This option is not used in this version of Configuration Manager. Subtree - Queries the object specified and its complete subtree in the directory.

Property - Specify the property of the Active Directory Domain Services object that will be used to assess compliance on client computers. Query - Displays the LDAP query that is constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter if specified and Property. This query will be used to assess compliance on client computers.

Assembly

Configure the following for this setting type: Assembly name: Specifies the name of the assembly object to search for. The name cannot be the same as any other assembly object of the same type and the name must be registered in the Global Assembly Cache. The assembly name can be a maximum of 256 characters long.
1722

Note An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\assembly on client computers in which all shared assemblies are stored. File system Configure the following for this setting type: Type From the drop-down list, select whether you want to search for a File or a Folder. Path - Specify the path to the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path. Note If you use the %USERPROFILE% environment variable in the Path or File or folder name fields, all user profiles on the client computer will be searched. This could result in the discovery of multiple instances of the file or folder. File or folder name - Specify the name of the file or folder object that will be searched for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the filename. Note If you specify a file or folder name and use wildcards, this
1723

might produce a high numbers of results. This could result in high resource use on the client computer and also high network traffic when reporting results to Configuration Manager. Include subfolders Enable this option if you also want to search any subfolders under the specified path. This file or folder is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\system32) should be searched in addition to the 32-bit system file location (%windir%\syswow64) on Configuration Manager clients that run a 64-bit version of Windows. Note If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files will be discovered by the global condition. The File system setting type does not support specifying a UNC path to a network share in the Path field. IIS metabase Configure the following for this setting type: Registry key Metabase path - Specify a valid path to the IIS Metabase. Property ID - Specify the numeric property of the IIS Metabase setting.

Configure the following for this setting type: Hive From the drop-down list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. The
1724

format used should be key\subkey. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that run a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys will be discovered by the global condition. Registry value Configure the following for this setting type: Hive - From the drop-down list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. The format used should be key\subkey. Value Specify the value that must be contained within the specified registry key. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that run a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys will be discovered by the global condition. Script Configure the following for this setting type: Discovery script Click Add to
1725

enter, or browse to the script to use. You can use Windows PowerShell, VBScript or JScript scripts. Run scripts by using the logged on user credentials If you enable this option, the script will run on client computers by using the logged on users credentials. Note The value returned by the script will be used to assess the compliance of the global condition. For example, when you use VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global condition. SQL query Configure the following for this setting type: SQL Server instance Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name. Note The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server instance, you should use a script setting. Database - Specify the name of the Microsoft SQL Server database for which the SQL query will be run. Column - Specify the column name returned by the Transact-SQL statement to use to assess the compliance of the global condition. Transact-SQL statement Specify the full SQL query to use for the global condition. You can also click Open to open an existing SQL query.
1726

WQL query

Configure the following for this setting type: Namespace - Specify the WMI namespace that will be used to build a WQL query that will be assessed for compliance on client computers. The default value is Root\cimv2. Class - Specifies the WMI class that will be used to build a WQL query that will be assessed for compliance on client computers. Property - Specifies the WMI property that will be used to build a WQL query that will be assessed for compliance on client computers. WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on client computers.

XPath query

Configure the following for this setting type: Path - Specify the path to the XML file on client computers that will be used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name. XML file name - Specify the file name containing the XML query to use to assess compliance on client computers. Include subfolders - Enable this option if you also want to search any subfolders under the specified path. This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\system32) should be searched in addition to the 32-bit system file location (%windir%\syswow64) on Configuration Manager clients that
1727

run a 64-bit version of Windows. XPath query - Specify a valid full XML path language (XPath) query to use to assess compliance on client computers. Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to use during the XPath query.

3. In the Data type drop-down list, choose the format in which data will be returned by the condition before it is used to check requirements. Note The Data type drop-down list is not displayed for all setting types. 4. Configure further details about this setting below the Setting type drop-down list. The items you can configure will vary depending on the setting type you have selected. 5. Click OK to save the rule and to close the Create Global Condition dialog box. To configure an expression for the global condition 1. In the Condition Type drop-down list, choose Expression. 2. Click Add Clause to open the Add Clause dialog box. 3. From the Select category drop-down list, select whether this expression is for a device or a user. Alternatively, select Custom to use a previously configured global condition. 4. From the Select a condition drop-down list, select the condition to use to assess whether the user or device meets the rule requirements. The contents of this list will vary depending on the selected category. 5. From the Choose operator drop-down list, choose the operator that will be used to compare the selected condition to the specified value to assess whether the user or device meets the rule requirements. The available operators will vary depending on the selected condition. 6. In the Value field, specify the values that will be used with the selected condition and operator to assess whether the user or device meets the rule requirements. The available values will vary depending on the selected condition and the selected operator. 7. Click OK to save the expression and to close the Add Clause dialog box. 8. When you have finished adding clauses to the global condition, click OK to close the Create Global Condition dialog box and to save the global condition.

See Also
Operations and Maintenance for Application Management in Configuration Manager

1728

How to Create App-V Virtual Environments in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Microsoft Application Virtualization (App-V) virtual environments in Microsoft System Center 2012 Configuration Manager enable deployed virtual applications to share the same file system and registry on client computers. This means that unlike standard virtual applications, these applications can share data with each other. Virtual environments are created or modified on client computers when the application is installed or when clients next evaluate their installed applications. You can order these applications so that when multiple applications try to modify a file system or registry value, the application with the highest order takes priority. Security Do not rely upon App-V virtual environments to provide security protection, for example, from malware. Use the following procedure to create App-V virtual environments in Configuration Manager.

To create an App-V virtual environment 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management and then click App-V Virtual Environments. 3. In the Home tab, in the Create group, click Create Virtual Environment. 4. In the Create Virtual Environment dialog box, specify the following information: Name: Specify a unique name for the virtual environment with a maximum of 128 characters. Description: Optionally specify a description for the virtual environment.

5. Click Add to add a new deployment type to the virtual environment. You must add at least one deployment type. 6. In the Add Applications dialog box, specify a Group name of up to 128 characters that you will use to refer to this group of applications that you add to the virtual environment. 7. Click Add, select the App-V 5 applications and deployment types that you want to add to the group and then click OK. 8. In the Add Applications dialog box, you can click Increase Order or Decrease Order to specify which application will take priority if multiple applications attempt to modify file
1729

system or registry settings in the same virtual environment. 9. Click OK to return to the Create Virtual Environment dialog box. 10. When you have finished adding groups, click OK to create the virtual environment. The new virtual environment is displayed in the App-V Virtual Environments node of the Configuration Manager console. You can monitor the status of your virtual environments by using the report App-V Virtual Environment Status. Note The virtual environment will be added or modified on client computers when the application is installed or when the client next evaluates installed applications.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Create and Deploy Applications for Mobile Devices in Configuration Manager
Mobile apps that are deployed using Configuration Manager appear in the company portal on mobile devices. You can deploy sideloaded apps or links to application stores to enrolled devices. Use the information in the following sections to help you create and deploy applications to mobile devices.

Steps to Create and Deploy an App

The following table provides the steps, details, and more information for creating and deploying apps for mobile devices.
Step More Information

Step 1: Create a Configuration Manager application that contains the mobile app. Step 2: Deploy the application.

Use the Create Application Wizard to create an application for the mobile device. Use the Deploy Software Wizard to deploy the application to mobile devices. For more information, see To deploy an application to mobile devices.

1730

Create an application
You can use the Create Application Wizard to create an application to that you can deploy to mobile devices.

Create an application for Windows Phone 8 devices

For Windows Phone 8 devices, you can deploy apps or you can deploy links to apps in the Windows Phone Store. To deploy apps to Windows Phone 8, you must select Windows Phone 8 devices when you configure the Windows Intune subscription. To create an application for sideloading a line-of-business app for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select Windows Phone app package (*.xap file). 6. Click Browse to select the Windows Phone app package you want to import, and then click Next. 7. On the General Information page of the wizard, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the Windows Phone Store for Windows Phone 8 devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows Phone app package (in the Windows Phone Store) 6. Click Browse to open the Windows Phone Store, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.
1731

8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Windows RT, Windows RT 8.1, or Windows 8.1 devices
For Windows RT or Windows 8.1 devices, you can deploy line-of-business apps or you can deploy links to apps in the Windows Store. For Windows 8.1, the following procedures are for mobile apps and the Windows 8.1 devices do not have the Configuration Manager client installed. To create an application for sideloading a line-of-business app for Windows RT, Windows RT 8.1, or Windows 8.1 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select Windows app package (*.appx file). 6. Click Browse, select the signed .appx program file that you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application containing a link to the Windows Store for Windows RT, Windows RT 8.1, or Windows 8.1 devices
To create a link to the Windows Store for Windows RT, the app must be installed on a Windows 8 computer. You must first configure WinRM for HTTPS on the Windows 8 computer. Configure WinRM for HTTPS for the Windows 8 computer that has the app installed 1. Create an HTTPS-based listener by running winrm qc Transport:HTTPS. 2. Run the command enable-psremoting to allow PowerShell remoting. 3. Run the command winrm delete winrm/config/Listener?Address=*+Transport=HTTP to remove the HTTP-based listener that was automatically created by the enablepsremoting command. 4. Open Windows Firewall and add an inbound rule for port 5986, which is the default
1732

HTTPS port for Windows Remote Management (WinRM). To create an application containing a link to the Windows Store for Windows RT 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select Windows app package (in the Windows Store) 6. Click Browse and then, in the Browse Windows App Packages dialog box, connect to a computer that runs Windows 8 and that has the required app installed, select the app, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. Note For applications containing a link to the Windows Store, you must create a requirement that adds the value Windows RT to the Operating system condition. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for iOS devices

For devices that run iOS, you can deploy line-of-business apps or you can deploy links to apps on the App store. To create an application for sideloading a line-of-business app for iOS devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, select Create group, and then click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down list, select App Package for iOS (*.ipa file). 6. Click Browse, select the signed application (*.ipa) file that you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal.
1733

8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace. To create an application containing a link to the App Store for iOS devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type dropdown, select App Package for iOS from App Store . 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Create an application for Android devices

For Android devices, you can deploy apps or you can deploy links to Google Play by using the company portal. To create an application for sideloading a line-of-business app for Android devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android (*.apk file). 6. Click Browse, select the .apk program file you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. Note If you create more than one deployment type for the same app, only the deployment type with the highest priority will be displayed in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library
1734

workspace. To create an application containing a link to Google Play 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Home tab, in the Create group, click Create Application. 4. On the General page of the Create Application Wizard, select Automatically detect information about this application from installation files. 5. In the Type drop-down, select App Package for Android in Google Play. 6. Click Browse, select the app you want to include, and then click Next. 7. On the General Information page, enter the descriptive text and category information that you want users to see in the company portal. 8. Complete the wizard. The new application is displayed in the Applications node of the Software Library workspace.

Deploying an Application to Mobile Devices

Use the information in the following section to deploy applications to mobile devices. After you deploy the application, the app is not automatically installed on devices. Users must download the app from the company portal. To deploy an application to mobile devices 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Applications. 3. In the Applications list, select the application that you want to deploy, on the Home tab, in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the following information: a. Software To display the applications that you want to deploy. You can click Browse to select a different application to deploy. b. Collection Click Browse and select the collection that you selected for enablement in the Windows Intune Subscription Wizard. Important Selecting the device collection All Mobile Devices will not deploy apps to iOS, Android, Windows Phone 8, or Windows RT. You must select the same user collection or a subset of the user collection that you selected in the Windows Intune Subscription Wizard. 5. Click Next.
1735

6. On the Content page of the wizard, select Manage.Microsoft.com as your distribution point. Click Next. 7. On the Deployment Settings page of the Deploy Software Wizard, specify the following information: a. Action From the drop-down list, select Install to install the application. b. Purpose From the drop-down list, select the purpose. For personal-owned devices you can choose Available, for your options for company-owned devices, see Company-owned Devices. 8. Complete the wizard by specifying your preferred setting for the alerts and scheduling pages. The User Experience page is not relevant to mobile devices.

Company-owned Devices
You can configure enrolled devices as company-owned or personal-owned. Company-owned allows you to get software inventory on all mobile devices. You can configure devices as personal-owned or company-owned by using the Change ownership action. Change ownership is only available for devices that are not domain-joined and do not have the Configuration Manager client installed. The following table lists the behavior of the deployment type for devices that are company-owned. Deployment scenario Available Install deployed to users Required Install deployed to users and devices Remote Uninstall deployed to users and devices Windows 8.1 Yes Windows Phone 8 Yes Windows RT Yes iOS Yes Android Yes

Automatically installed

Not available

Automatically Installed

User is prompted and must consent before app is installed Yes

User is prompted and must consent before app is installed User is prompted and must consent before app is uninstalled

Automatically uninstalled

Not available

Automatically uninstalled

1736

To Change Ownership for a device 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or open any collection that displays devices. 3. Click the computer that you want to change ownership on and then, in the Home tab, in the Devices group, click Change Ownership. 4. Choose Personal or Company.

Supersedence
Supersedence works the same for mobile apps as it does for other apps with the exception of the Windows Phone 8 company portal app. For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager.

Steps to Deploy the latest Windows Phone 8 Company Portal App with Supersedence
The following table provides the steps, details, and more information for creating and deploying the latest Windows Phone 8 company portal app.
Step More Information

Step 1: Get the latest company portal app. Step 2: Sign the company portal app with your Symantec certificate. Step 3: Create a new application with the latest version of the company portal app and specify a supersedence relationship. Step 4: Add the application to the Windows Intune Subscription Wizard.

Download the Windows Phone 8 company portal app. For information on how to sign the company portal app, see Prerequisites for Enrolling Windows Phone 8 Devices. For more information, see Create an application for Windows Phone 8 devices and How to Use Application Supersedence in Configuration Manager. Add the application Windows Phone 8 page of the Windows Intune Subscription Wizard. For more information, see Configuring the Windows Intune Subscription. The Windows Intune subscription has created an automatic deployment of this app, as this deployment will not support supersedence.

Step 5: Delete the deployment that is automatically created when you added the company portal app to the Windows Intune Subscription Wizard.

1737

Step

More Information

Step 6: Create a new deployment of the application and check Automatically upgrade any superceded versions of this application on the Deployment Settings page of the Deploy Software Wizard. Step 7 (Optional): The superseding apps would install on devices after 7 days by default. To deploy the company portal app sooner to previously enrolled devices, you can change the schedule re-evaluation for deployments setting to a lower value. Important Setting this value to a lower value than the default may negatively affect the performance of your network and client computers.

Create a new deployment with supersedence using the application you created with the supersedence relationship.

For more information, see Software Deployment.

Approval for Apps

Users can request approval to download an app from their devices. The following table contains information on how to request approval in order to download an app.
Platform Users can request approval to download an app from the company portal.

Windows Phone 8 Windows RT or Windows RT 8.1

Yes A user can only request approval to download an app from a Windows-based computer or a Windows RT device. If you deploy an app that requires approval from an administrative user, the user must request approval from the Application Catalog on a Windows-based computer. As soon as the user requests approval, the app appears in the company portal. Yes Not available

Windows 8.1 iOS company portal app

1738

Platform

Users can request approval to download an app from the company portal.

Android company portal app

Not available

Requirement Rules
Requirements rules specify conditions that must be met before a deployment type can be installed on a client device. The requirements that are specific to mobile devices are listed in the following table:
Platform Requirements available

Windows Phone 8 Windows RT, Windows RT 8.1, Windows 8.1, Windows 8.1 Pro

Not available Operating system version, device ownership, and language requirements are supported. Important For applications containing a link to the Windows Store, you must create a requirement that adds the value Windows RT to the Operating system condition. If you create a deployment type for a Windows app package (*.appx) file with any additional requirements, those rules will not be evaluated.

iOS

iOS operating system, device ownership, language requirements, and chassis (iPad or iPhone) are supported. Not available

Android

For more information about requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Deployment Types in Configuration Manager topic.

Expired Certificates for Mobile Device Apps

On iOS, Windows Phone 8, and Windows RT, if the certificate that is used to sign apps expires, apps are no longer available for users to download.
1739

Platform

Expired certificate consequences

Resolution

iOS

Users can no longer install apps

Renew the APNs certificate and locate the Windows Intune Subscription iOS page to upload the new certificate. The new certificate must be created by using the same ID as the original certificate or devices have to be enrolled again.

Windows Phone 8

Users can no longer install apps

Renew the code signing certificate and go the Windows Intune Subscription page to upload the certificate. All apps signed with the previous certificate and the new certificate will run. Renew the code signing certificate and open the Windows Intune Subscription Wizard Windows RT page to upload the new certificate.

Windows RT

Users can no longer install apps

Packages and Programs in Configuration Manager

Microsoft System Center 2012 Configuration Manager continues to support packages and programs that were used in Configuration Manager 2007. A deployment that uses packages and programs might be more suitable than a deployment that uses an application when you deploy any of the following: Scripts that do not install an application on a computer, such as a script to defragment the computer disk drive. One-off scripts that do not need to be continually monitored. Scripts that run on a recurring schedule and cannot use global evaluation.

When you migrate a Configuration Manager 2007 site to a Configuration Manager hierarchy, you can migrate existing packages and deploy them in your Configuration Manager hierarchy. After
1740

migration is complete, your Configuration Manager 2007 packages appear in the Packages node in the Software Library workspace. You can modify and deploy these packages in the same way as you did by using Configuration Manager 2007 software distribution. The Import Package from Definition Wizard remains in Configuration Manager to import legacy packages. Advertisements are converted to deployments when they are migrated from Configuration Manager 2007 to a Configuration Manager hierarchy. Note You can use Microsoft System Center Configuration Manager Package Conversion Manager to convert packages and programs into Configuration Manager applications. Download Package Conversion Manager from the Microsoft Download Center. For more information, see Configuration Manager Package Conversion Manager (Prerelease). Packages can use some new features of Configuration Manager, including distribution point groups and the new monitoring functionality. Microsoft Application Virtualization applications can no longer be distributed by using packages and programs in Configuration Manager. To distribute virtual applications, you must create these as Configuration Manager applications. Note To successfully create virtual applications in System Center 2012 Configuration Manager, 64-bit client computers must have the App-V 4.6 or later client installed before the Configuration Manager client is upgraded. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about how to deploy packages and programs to clients that run Linux and UNIX, see Deploying Software to Linux and UNIX Servers in Configuration Manager.

In This Section
Use the following topics to create, deploy, monitor, and manage packages and programs in Configuration Manager: How to Create Packages and Programs in Configuration Manager How to Deploy Packages and Programs in Configuration Manager How to Monitor Packages and Programs in Configuration Manager How to Manage Packages and Programs in Configuration Manager

See Also
Application Management in Configuration Manager

1741

How to Create Packages and Programs in Configuration Manager

You can create or import a Microsoft System Center 2012 Configuration Manager package and program by using one of the following procedures in this topic: How to Create a Package and Program by using the Create Package and Program Wizard How to Create a Package and Program from a Package Definition File How to Import a Package and Program

How to Create a Package and Program by using the Create Package and Program Wizard
You can create a new package and program by using the Create Package and Program Wizard. To do so, use the following procedure. To create a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, click Create Package. 4. On the Package page of the Create Package and Program Wizard, specify the following information: Name: Specify a name for the package with a maximum of 50 characters. Description: Optionally specify a description for this package with a maximum of 128 characters. Manufacturer: Optionally specify a manufacturer name to help you identify the package in the Configuration Manager console. This name can be a maximum of 32 characters. Language: Optionally specify the language version of the package with a maximum of 32 characters. Version: Optionally specify a version number for the package with a maximum of 32 characters. This package contains source files - This setting indicates whether the package requires source files to be present on client devices. By default, this check box is cleared and Configuration Manager does not use distribution points for the package. When this check box is selected, distribution points are used. Source folder: If the package contains source files, click Browse to open the Set Source Folder dialog box and specify the location of the source files for the package.

1742

Note The computer account of the site server must have read access permissions to the source folder that you specify. 5. On the Program Type page of the Create Package and Program Wizard, select the type of program to create, and then click Next. You can create a program for a computer or device, or you can skip this step and create a program later. Important You can only create packages and programs for devices running Windows CE. Note To create a new program for an existing package, select the package, and then, in the Home tab, in the Package group, click Create Program to open the Create Program Wizard. 6. Use one of the following procedures to create a standard program or a device program. To create a standard program 1. On the Program Type page of the Create Package and Program Wizard, select Standard Program, and then click Next. 2. On the Standard Program page of the Wizard, specify the following information: Name: Specify a name for the program with a maximum of 50 characters. Note The program name must be unique within a package. After you create a program, you cannot modify its name. Command Line: Enter the command line to be used to start this program, or click Browse to browse to the file location. If a specified file name does not have an extension specified, Configuration Manager attempts to use .com, .exe, and .bat as possible extensions. When the program is run on a client, Configuration Manager first searches for the command-line file name within the package, searches next in the local Windows folder, and then searches in local %path%. If the file cannot be found, the program fails. Startup folder: Optionally use this field to specify the folder from which the program runs, up to 127 characters. This folder can be an absolute path on the client or a path relative to the distribution point folder that contains the package. Run: Specifies the mode in which the program will run on client computers. Select one of the following: Normal - The program runs in the normal mode based on system and program defaults. This is the default mode. Minimized The program runs minimized on client devices. Users might see installation activity in the notification area or taskbar.
1743

Maximized The program runs maximized on client devices. Users will see all installation activity. Hidden The program runs hidden on client devices. Users will not see any installation activity.

Program can run: Specify whether the program can run only when a user is logged on, run only when no user is logged on, or run regardless of whether a user is logged on to the client computer. Run mode: Specify whether the program will run with administrative permissions or with the permissions of the currently logged on user. Allow users to view and interact with the program installation - Use this setting, if available, to specify whether to allow users to interact with the program installation. This check box is available only when Only when no user is logged on or Whether or not a user is logged on is selected for Program can run and Run with administrative rights is selected for Run mode. Drive mode: Specify information about how this program will runs on the network. Choose one of the following: Runs with UNC name - Indicates that the program runs with a Universal Naming Convention (UNC) name. This is the default setting. Requires drive letter - Indicates that the program requires a drive letter to fully qualify its location. For this setting, Configuration Manager can use any available drive letter on the client. Requires specific drive letter (example: Z:) - Indicates that the program requires a specific drive letter that you specify to fully qualify its location. If the specified drive letter is already used on a client, the program does not run.

Reconnect to distribution point at log on - Use this check box to indicate whether the client computer reconnects to the distribution point when the user logs on. By default, this check box is cleared.

3. On the Requirements page of the Create Package and Program Wizard, specify the following information: Run another program first You can use this setting to identify a package and program that will be run before this package and program will be run. Platform requirements Select This program can run on any platform or select This program can run only on specified platforms and then choose the operating systems that clients must be running to be able to install the package and program. Estimated disk space: Specify the amount of disk space that the software program requires to be able to run on the computer. This can be specified as Unknown (the default setting) or as a whole number greater than or equal to zero. If a value is specified, units for the value must also be specified. Maximum allowed run time (minutes): Specify the maximum time that the program is expected to run on the client computer. This can be specified as Unknown (the default setting) or as a whole number greater than zero. By default, this value is set to 120 minutes.

1744

Important If you are using maintenance windows for the collection on which this program is run, a conflict may occur if the Maximum allowed run time is longer than the scheduled maintenance window. However, if the maximum run time is set to Unknown, the program will start to run during the maintenance window and will continue to run as needed after the maintenance window is closed. If the user sets the maximum run time to a specific period that exceeds the length of any available maintenance window, then the program will not be run. If the value is set as Unknown, Configuration Manager sets the maximum allowed run time as 12 hours (720 minutes). Note If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration Manager will stop the program if run with administrative rights is selected and Allow users to view and interact with the program installation is not selected. 4. Click Next and continue to To complete the Create Package and Program Wizard. To create a device program 1. On the Program Type page of the Create Package and Program Wizard, select Program for device, and then click Next. 2. On the Program for Device page of the Wizard, specify the following information: Name: Specify a name for the program with a maximum of 50 characters. Note The program name must be unique within a package. After you create a program, you cannot modify its name. Comment: Optionally, specify a comment for this device program with a maximum of 127 characters. Download folder: Specify the name of the folder on the Windows CE device in which the package source files will be stored. The default value is \Temp\. Command Line: Enter the command line to use to start this program, or click Browse to browse to the file location. Run command line in download folder Select this option to run the program from the previously specified download folder. Run command line from this folder Select this option to specify a different folder from which to run the program. Estimated disk space: Specify the amount of disk space required for the software. This will be displayed to users of mobile devices before they install the program. Download program: Specify information regarding when this program can be
1745

3. On the Requirements page of the Wizard, specify the following information:

downloaded to mobile devices. You can specify As soon as possible, Only over a fast network, or Only when the device is docked. Additional requirements: Specify any additional requirements for this program. These will be displayed to users before they install the software. For example, you could notify users that they need to close all other applications before running the program.

4. Click Next. To complete the Create Package and Program Wizard 1. On the Summary page of the Wizard, review the actions that will be taken, then complete the Wizard. 2. Optionally, verify that the new package and program is displayed in the Packages node of the Software Library workspace.

How to Create a Package and Program from a Package Definition File

Use the following procedure to create a package and program from a package definition file. For more information about package definition files, see About the Package Definition File Format in this topic. To import a package and program from a definition file 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, click Create Package from Definition. 4. On the Package Definition page of the Create Package from Definition Wizard , choose an existing package definition file, or click Browse to open a new package definition file. After you have specified a new package definition file, select it from the Package definition list, and then click Next. 5. On the Source Files page of the Wizard, specify information about any required source files for the package and program, and then click Next. 6. If the package requires source files, on the Source Folder page of the Wizard, specify the location from which the source files are to be obtained, and then click Next. 7. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. The new package and program is displayed in the Packages node of the Software Library workspace.

About the Package Definition File Format

Package definition files are scripts that you can use to help automate package and program creation with Configuration Manager. They provide all of the information that Configuration
1746

Manager needs in order to create a package and program, except for the location of package source files. Each package definition file is an ASCII or UTF-8 text file following the .ini file format and containing the following described sections: [PDF] [Package Definition] [Program]

[PDF]
This section identifies the file as a package definition file. It contains the following information: Version: This specifies the version of the package definition file format that is used by the file. This corresponds to the version of System Management Server (SMS) or Configuration Manager for which it was written. This entry is required.

[Package Definition]
This section of the package definition file specifies the properties of the package and program. It provides the following information: Name: The name of the package, up to 50 characters. This entry is required. Version: The version of the package, up to 32 characters. This entry is optional. Icon: Optionally, the file containing the icon to use for this package. If specified, this icon will replace the default package icon in the Configuration Manager console. Publisher: The publisher of the package, up to 32 characters. This entry is required. Language: The language version of the package, up to 32 characters. This entry is required. Comment: An optional comment about the package, up to 127 characters. ContainsNoFiles: This entry indicates whether or not a source is associated with the package. Programs: The programs defined for this package. Each program name corresponds to a [Program] section in this package definition file. This entry is required. Example:
Programs=Typical, Custom, Uninstall

MIFFileName: The name of the Management Information Format (MIF) file that contains the package status, up to 50 characters. MIFName: The name of the package (for MIF matching), up to 50 characters. MIFVersion: The version number of the package (for MIF matching), up to 32 characters. MIFPublisher: The software publisher of the package (for MIF matching), up to 32 characters.

[Program]
For each program specified in the Programs entry in the [Package Definition] section, the package definition file must include a [Program] section that defines that program. Each Program section provides the following information:
1747

Name: The name of the program, up to 50 characters. This entry must be unique within a package. This name is used when defining advertisements. On client computers, the name of the program is shown in Run Advertised Programs in Control Panel. This entry is required. Icon: Optionally specifies the file containing the icon to use for this program. If specified, this icon will replace the default program icon in the Configuration Manager console and will be displayed on client computers when the program is advertised. Comment: An optional comment about the program, up to 127 characters. CommandLine: Specifies the command line for the program, up to 127 characters. The command is relative to the package source folder. This entry is required. StartIn: Specifies the working folder for the program, up to 127 characters. This entry can be an absolute path on the client computer or a path relative to the package source folder. This entry is required. Run: Specifies the program mode in which the program will run. You can specify Minimized, Maximized, or Hidden. If this entry is not included, the program will run in normal mode. AfterRunning: Specifies any special action that occurs after the program is successfully completed. Options available are SMSRestart, ProgramRestart, or SMSLogoff. If this entry is not included, the program will not run a special action. EstimatedDiskSpace: Specifies the amount of disk space that the software program requires to be able run on the computer. This can be specified as Unknown (the default setting) or as a whole number greater than or equal to zero. If a value is specified, the units for the value must also be specified. Example:
EstimatedDiskSpace=38MB

EstimatedRunTime: Specifies the estimated duration (in minutes) that the program is expected to run on the client computer. This can be specified as Unknown (the default setting) or as a whole number greater than zero. Example:
EstimatedRunTime=25

SupportedClients: Specifies the processors and operating systems on which this program will run. The specified platforms must be separated by commas. If this entry is not included, supported platform checking will be disabled for this program. SupportedClientMinVersionX, SupportedClientMaxVersionX: Specifies the beginning-toending range for version numbers for the operating systems specified in the SupportedClients entry. Example: SupportedClients=Win NT (I386),Win NT (IA64),Win NT (x64) Win NT (I386) MinVersion1=5.00.2195.4 Win NT (I386) MaxVersion1=5.00.2195.4 Win NT (I386) MinVersion2=5.10.2600.2 Win NT (I386) MaxVersion2=5.10.2600.2 Win NT (I386) MinVersion3=5.20.0000.0
1748

Win NT (I386) MaxVersion3=5.20.9999.9999 Win NT (I386) MinVersion4=5.20.3790.0 Win NT (I386) MaxVersion4=5.20.3790.2 Win NT (I386) MinVersion5=6.00.0000.0 Win NT (I386) MaxVersion5=6.00.9999.9999 Win NT (IA64) MinVersion1=5.20.0000.0 Win NT (IA64) MaxVersion1=5.20.9999.9999 Win NT (x64) MinVersion1=5.20.0000.0 Win NT (x64) MaxVersion1=5.20.9999.9999 Win NT (x64) MinVersion2=5.20.3790.0 Win NT (x64) MaxVersion2=5.20.9999.9999 Win NT (x64) MinVersion3=5.20.3790.0 Win NT (x64) MaxVersion3=5.20.3790.2 Win NT (x64) MinVersion4=6.00.0000.0 Win NT (x64) MaxVersion4=6.00.9999.9999 AdditionalProgramRequirements: Optionally provide any other information or requirements for client computers, up to 127 characters. CanRunWhen: Specifies the user status that the program requires to be able run on the client computer. Available values are UserLoggedOn, NoUserLoggedOn, or AnyUserStatus. The default value is UserLoggedOn. UserInputRequired: Specifies whether the program requires interaction with the user. Available values are True or False. The default value is True. This entry is set to False if CanRunWhen is not set to UserLoggedOn. AdminRightsRequired: Specifies whether the program requires administrative credentials on the computer to be able to run. Available values are True or False. The default value is False. This entry is set to True if CanRunWhen is not set to UserLoggedOn. UseInstallAccount: Specifies whether the program uses the Client Software Installation Account when it runs on client computers. By default, this value is False. This value is also False if CanRunWhen is set to UserLoggedOn. DriveLetterConnection: Specifies whether the program requires a drive letter connection to the package files that are located on the distribution point. You can specify True or False. The default value is False, which allows the program to use a Universal Naming Convention (UNC) connection. When this value is set to True, the next available drive letter will be used (starting with Z: and proceeding backward). SpecifyDrive: Optionally, specifies a drive letter that the program requires to connect to the package files on the distribution point. This specification forces the use of the specified drive letter for client connections to distribution points. ReconnectDriveAtLogon: Specifies whether the computer reconnects to the distribution point when the user logs on. Available values are True or False. The default value is False.
1749

DependentProgram: Specifies a program in this package that must run before the current program. This entry uses the format DependentProgram=<ProgramName>, where <ProgramName> is the Name entry for that program in the package definition file. If there are no dependent programs, leave this entry empty. Example: DependentProgram=Admin DependentProgram=

Assignment: Specifies how the program is assigned to users. This value can be: FirstUser, only the first user who logs on runs the program; or EveryUser, every user who logs on to the client runs the program. When CanRunWhen is not set to UserLoggedOn, this entry is set to FirstUser. Disabled: Specifies whether this program can be advertised to clients. Available values are True or False. The default value is False.

How to Import a Package and Program

To import a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. In the Home tab, in the Create group, Click Import. 4. On the General page of the Import Package Wizard, specify or browse to the compressed (.zip) file that contains the package and program to import, and then click Next. 5. On the File Content page of the Wizard, review the items that will be imported, and then click Next. You can click View Failure to examine the details of items that cannot be imported. If the package you are trying to import already exists, you can choose to either ignore the duplicate package or overwrite the original package. 6. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. The new package and program is displayed in the Packages node of the Software Library workspace.

See Also
Packages and Programs in Configuration Manager

1750

How to Deploy Packages and Programs in Configuration Manager

Use the procedure in this topic to deploy a Microsoft System Center 2012 Configuration Manager package and program to devices in your hierarchy. For more information about how to create packages and programs, see How to Create Packages and Programs in Configuration Manager.

To deploy a package and program 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. Select the package that you want to deploy, and then in the Home tab in the Deployment group, click Deploy. 4. On the General page of the Deploy Software Wizard, specify the name of the package and program that you want to deploy, the collection to which you want to deploy the package and program, and optional comments for the deployment. Select Use default distribution point groups associated to this collection if you want to store the package content on the collections default distribution point group. If you did not associate the selected collection with a distribution point group, this option will be unavailable. 5. On the Content page of the Wizard, click Add, and then select the distribution points or distribution point groups to which you want to deploy the content that is associated with this package and program. 6. On the Deployment Settings page of the Wizard, choose a purpose for this deployment, and specify whether you want to send wake-up packets before the package and program is installed. The deployment purpose options are the following: Available - If the application is deployed to a user, the user sees the published package and program in the Application Catalog and can request it on demand. If the package and program is deployed to a device, the user will see it in Software Center and can install it on demand. Required - The package and program is deployed automatically, according to the configured schedule. However, a user can track the package and program deployment status and install it before the deadline by using Software Center. Send wake-up packets If the deployment purpose is set to Required and this option is selected, a wake-up packet will be sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers must be configured for Wake On LAN.

7. On the Scheduling page of the Wizard, configure when this package and program will be deployed or made available to client devices.
1751

The options on this page will vary depending on whether the deployment action is set to Available or Required. 8. If the deployment purpose is set to Required, configure the rerun behavior for the program from the Rerun behavior drop-down list. Choose from the following options:
Rerun behavior More information

Never rerun deployed program

The program will not be rerun on the client, even if the program originally failed, or the program files are changed. The program will always be rerun on the client when the deployment is scheduled, even if the program has already successfully run. This can be useful when you use recurring deployments in which the program is updated, for example with antivirus software. The program will be rerun when the deployment is scheduled only if it failed on the previous run attempt. The program will be rerun only if it previously ran successfully on the client. This is useful when you use recurring advertisements in which the program is routinely updated, and in which each update requires the previous update to be successfully installed.

Always rerun program

Rerun if failed previous attempt

Rerun if succeeded on previous attempt

9. On the User Experience page of the Wizard, specify the following information: Allow users to run the program independently of assignments If enabled, users can install this software from the application catalogue regardless of any scheduled installation time. Software installation Allows the software to be installed outside of any configured maintenance windows. System restart (if required to complete the installation) If the software installation requires a device restart to complete, allow this to happen outside of any configured maintenance windows. Embedded Devices - For Configuration Manager SP1 only. When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or
1752

during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy a package or program to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. For more information about how maintenance windows are used when you deploy packages and programs to Windows Embedded devices, see the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic. 10. On the Distribution Points page of the Wizard, specify the following information: Deployment options Specify the actions that a client should take to run program content. You can specify behavior when the client is in a fast network boundary, or a slow or unreliable network boundary. Allow clients to share content with other clients on the same subnet Select this option to reduce load on the network by allowing clients to download content from other clients on the network that already downloaded and cached the content. This option utilizes Windows BranchCache and can be used on computers that run Windows Vista SP2 and later. Allow clients to use a fallback source location for content If enabled, clients can search other distribution points in the hierarchy for required content if this is not available on the specified distribution point or distribution point groups.

11. On the Summary page of the Wizard, review the actions that will be taken and then complete the Wizard. You can view the deployment in the Deployments node of the Monitoring workspace and in the details pane of the package deployment tab when you select the deployment. For more information, see How to Monitor Packages and Programs in Configuration Manager. Important If you configured the option Run program from distribution point on the Distribution Points page of the Deploy Software Wizard, do not clear the option Copy the content in this package to a package share on distribution points, because this will make the package unavailable to run from distribution points.

See Also
Packages and Programs in Configuration Manager

1753

How to Monitor Packages and Programs in Configuration Manager

To monitor Microsoft System Center 2012 Configuration Manager package and program deployments, you can use the same procedures that you use to monitor applications. For more information about how to monitor packages and programs in System Center 2012 Configuration Manager, see How to Monitor Applications in Configuration Manager. Packages and programs in Configuration Manager also includes a number of built-in reports, which allow you to monitor information about the deployment status of packages and programs. These reports have the report category of Software Distribution Packages and Programs and Software Distribution Package and Program Deployment Status. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Application Management in Configuration Manager

How to Manage Packages and Programs in Configuration Manager

Use the information in this topic to help you manage packages and programs in Microsoft System Center 2012 Configuration Manager. Note For information about how to create Configuration Manager packages and programs, see How to Create Packages and Programs in Configuration Manager.

How to Manage Packages and Programs

In the Software Library workspace, expand Application Management, click Packages, select the package that you want to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.

1754

Task

Details

Create Prestage Content File

Opens the Create Prestaged Content File Wizard that allows you to create a file that contains the package content that can be manually imported to another site. This is useful in situations where you have low network bandwidth between the site server and the distribution point. Opens the Create Program Wizard that allows you to create a new program for this package. Opens the Export Package Wizard that allows you to export the selected package and its content to a file. For information about how to import packages and programs, see How to Import a Package and Program in the How to Create Packages and Programs in Configuration Manager topic.

Create Program Export

Deploy

Opens the Deploy Software Wizard that allows you to deploy the selected package and program to a collection. For more information, see How to Deploy Packages and Programs in Configuration Manager. Opens the Distribute Content Wizard that allows you to send the content that is associated with the package and program to selected distribution points or distribution point groups. Updates distribution points with the latest content for the selected package and program.

Distribute Content

Update Distribution Points

See Also
Packages and Programs in Configuration Manager

1755

Deploying Software to Linux and UNIX Servers in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. The Microsoft System Center 2012 Configuration Manager client for Linux and UNIX supports software deployments that use packages and programs. You cannot deploy System Center 2012 Configuration Manager applications to computers that run Linux and UNIX. The client supports the following functionality for packages and program deployments: You can install software for Linux and UNIX servers, including the following: New software deployment Software updates for programs already on the computer Operating system patches

You can run native Linux and UNIX commands, and run scripts that are located on Linux and UNIX servers. You can limit deployment to the operating systems that you specify when you select the program option Only on specified client platforms. You can use maintenance windows to control when software installs. You can use deployment status messages to monitor deployments.

Beginning with the client from cumulative update 1, the following additional functionality is supported: The client can throttle network usage when downloading software from a distribution point. When you configure and deploy packages and programs for Linux and UNIX servers, use the same methods that you use to configure and deploy packages and programs to your Windowsbased computers with the following caveats:
Configuration Details

Use only configurations that are intended for computers, and do not use configurations that are intended for users.

The Configuration Manager client for Linux and UNIX does not support configurations that are intended for users.

Configure programs to download the software The Configuration Manager client for Linux and from the distribution point and run the programs UNIX does not support running software from from the local client cache the distribution point. Instead, you must configure the software to download to the client and then install. By default, after the client for Linux and UNIX installs software, that software is deleted from
1756

Configuration

Details

the clients cache. However, packages that are configured with Persist content in the client cache are not deleted from the client and remain in the clients cache after the software installs. The client for Linux and UNIX does not support configurations for the client cache, and the maximum size of the client cache is limited only by the free disk space on the client computer. Configure the Network Access Account for distribution point access Linux and UNIX computers are designed to be workgroup computers. In order to access packages from the distribution point in the Configuration Manager site server domain, you must configure the Network Access Account for the site. You must specify this account as a software distribution component property and configure the account before you deploy software. Beginning with System Center 2012 R2 Configuration Manager, you can configure multiple Network Access Accounts at each site. The client for Linux and UNIX can use each of the accounts you configure as a Network Access Account. For more information, see Configuring Site Components in Configuration Manager. You can deploy packages and programs to collections that contain only Linux or UNIX clients, or you can deploy them to collections that contain a mix of client types, such as the All Systems Collection. Note When you deploy software to a mixed collection, it is likely that many clients in the collection are unable to run the software successfully because they are the wrong operating system type to understand the program files. As a result, the deployment will report failure. When the Configuration Manager client for Linux and UNIX receives and runs a deployment, it generates status messages. You can view these status messages in the Configuration Manager console, or by using reports to monitor the deployment status.

1757

For information about how to use packages and programs, see Packages and Programs in Configuration Manager. The following sections provide details about software deployment to Linux and UNIX servers.

Configuring Packages, Programs, and Deployments for Linux and UNIX Servers
You can create and deploy packages and programs by using the options that are available by default in the Configuration Manager console. The client does not require any unique configurations. Use the information in the following sections to configure packages and programs as well as deployments.

Packages and Programs

To create a package and program for a Linux or UNIX server, use the Create Package and Program Wizard from the Configuration Manager console. The client for Linux and UNIX supports most package and program settings. However, several settings are not supported. When you create or configure a package and program, consider the following: Include the file types that are supported by the destination computers Define the command lines that are appropriate for use on the destination computer Settings that interact with users are not supported

The following table lists the properties for packages and programs that are not supported.
Package and program property Behavior More information

Package share settings: All options

An error is generated and the software install fails

The client does not support this configuration. Instead, the client must download the software by using HTTP or HTTPS, and then run the command line from its local cache. The client does not support this configuration. The client does not support this configuration.

Package update settings: Disconnect users from distribution points

Setting is ignored

Operating system deployment settings: All options

Settings are ignored

Reporting: Use package properties

Settings are ignored

The client does not support the use of status MIF files.
1758

Package and program property

Behavior

More information

for status MIF matching Use these fields for status MIF matching Settings are ignored The client always runs packages with no user interface. The client ignores all configuration options for Run. After running: Configuration Manager restarts computer Program controls restart Configuration Manager logs the user off An error is generated and the software install fails The system restart setting and user specific settings are not supported. When any setting other than the No action required setting is in use, the client generates an error and continues the software installation, with no action taken. An error is generated and the software install fails User specific settings are not supported. When this option is configured, the client generates an error and fails the installation of the software. Other options are ignored and the software installation continues. Run mode: Run with users rights Setting is ignored User specific settings are not supported. However, the client does support the configuration to run with Administrative rights. Important When you specify Run with administrative rights, the Configuration Manager client uses its root credentials. This setting does not generate an error or log entry. Instead, the software installation fails when the client generates an error for the prerequisite configuration of
1759

Run: All options

Program can run: Only when a user is logged on

Package and program property

Behavior

More information

Program can run = Only when a user is logged on. Allow users to view and interact with the program installation. Setting is ignored User specific settings are not supported. This configuration is ignored and the software installation continues. Settings are ignored This setting is not supported because content is always downloaded to the client and run locally. Recursive program installation is not supported. When a program is configured to run another program first, the software installation fails, and the other program installation is not started. When this program is assigned to a computer: Run once for every user who logs on Setting is ignored User specific settings are not supported. However, the client does support the configuration to run once for the computer. This setting does not generate an error or log entry because an error and log entry are already created for the prerequisite configuration of Program can run = Only when a user is logged on. Suppress program notifications. Setting is ignored The client does not implement a user interface. When this configuration is selected, it is ignored and the software installation continues. Disable this program on computers where it is deployed Allow this program to be Setting is ignored This setting is not supported and does not affect the installation of software. The client does not support task
1760

Drive mode: All options

Run another program first

An error is generated and the software install fails

Setting is ignored

Package and program property

Behavior

More information

installed from the Install Package task sequence without being deployed.

sequences. This setting is not supported and does not affect the installation of software. Settings are ignored The client does not support Windows Installer files or settings. The client does not support this configuration.

Windows Installer: All options

OpsMgr Maintenance Mode: All options

Settings are ignored

For information about how to create a package and program, see How to Create Packages and Programs in Configuration Manager.

Deployments
To deploy software to a Linux or UNIX server by using a package and program, you can use the Deploy Software Wizard from the Configuration Manager console. Most deployment settings are supported by the client for Linux and UNIX, however several settings are not supported. When you deploy software consider the following: You must provision the package on at least one distribution point that is associated with a boundary group that is configured for content location. The client for Linux and UNIX that receive this deployment must be able to access this distribution point from its network location. The client for Linux and UNIX downloads the package from the distribution point and runs the program on the local computer. The client for Linux and UNIX cannot download packages from shared folders. It downloads packages from IIS enabled distribution points that support HTTP or HTTPS.

The following table lists properties for deployments that are not supported:
Deployment property Behavior More information

Deployment settings purpose: Setting is ignored Available Required

User specific settings are not supported. However, the client supports the setting Required, which enforces the scheduled installation time, but does not support manual installation prior to that scheduled time.

Send wake-up packets

Setting is ignored

The client does not support this

1761

Deployment property

Behavior

More information

configuration. Assignment schedule: logon logoff An error is generated and the software install fails User specific settings are not supported. However, the client supports the setting As soon as possible. Setting is ignored The client does not implement a user interface.

Notification settings: Allow users to run the program independently of assignments

When the scheduled assignment time is reached, allow the following activity to be performed outside the maintenance window: System restart (if required to complete the installation)

An error is generated

The client does not support a system restart.

Deployment option for fast (LAN) networks: Run program from distribution point

An error is generated and the software install fails

The client cannot run software from the distribution point and instead must download the program before it can run. The client does not support sharing content between peers.

Deployment option for a slow or Setting is ignored unreliable network boundary, or a fallback source location for content: Allow clients to share content with other clients on the same subnet

For more information about content location, see Planning for Content Management in Configuration Manager. For more information about how to create a deployment, see How to Deploy Packages and Programs in Configuration Manager.

1762

Manage Network Bandwidth for Software Downloads from Distribution Points

Beginning with the client for Linux and UNIX from cumulative update 1, the client supports network bandwidth controls when downloading software from a distribution point. The client uses the BITS settings that you configure as client settings in Configuration Manager, but does not implement BITS. Instead, to throttle the use of network bandwidth, the client controls the HTTP request chunk size and inter-chunk delay for the software download. To configure a client to use network bandwidth controls, you configure client settings for Background Intelligent Transfer and then apply the settings to the client computer. To use bandwidth controls, the client must receive client settings for Background Intelligent Transfer with the following setting configured as Yes: Limit the maximum network bandwidth for BITS background transfers Throttling window start time Throttling window end time Maximum transfer rate during throttling window (Kbps) Maximum transfer rate during throttling window (Kbps) The client supports the following configurations for Background Intelligent Transfer:

The following configuration for Background Intelligent Transfer is not supported, and is ignored by the client for Linux and UNIX: Allow BITS downloads outside the throttling window If the download of software to the client from a distribution point is interrupted, the client for Linux and UNIX does not resume the download and instead restarts the download of the entire software package.

Operations for Software Deployments

Similar to the Windows client, the Configuration Manager client for Linux and UNIX discovers new software deployments when it polls and checks for new policy. The frequency at which the client checks for new policy depends on client settings. You can configure maintenance windows to control when software deployments occur. You can configure software deployments to Linux and UNIX servers by using package properties, program properties, and deployment properties. When the client receives policy for a deployment, it submits a status message. It also submits status messages when it starts the installation of software and when the installation finishes, or fails. Programs for software deployments run with the root credentials that the Configuration Manager client for Linux and UNIX runs with. The exit code of the programs command is used to determine success or failure. An exit code of 0 (zero) is treated as success. In addition, the stdout (standard output stream) and stderr (standard error stream) are copied to the log file when the log level is set to INFO or TRACE.
1763

Tip If the software that you want to deploy is located on a Network File System (NFS) share that the Linux or UNIX server can access, you do not need to use a distribution point to download the package. Instead, when you create the package, do not select the check box for This package contains source files. Then, when you configure the program, specify the appropriate command line to directly access the package on the NFS mount point.

Security and Privacy for Application Management in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains information about security and privacy for application management in System Center 2012 Configuration Manager. This topic also includes the Application Catalog and Software Center. Use the following sections for more information: Security best practices for application management Security issues for application management Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog Privacy information for application management User device affinity Application Catalog

Security best practices for application management

Use the following security best practices for application management:
Security best practice More information

Configure the Application Catalog points to use HTTPS connections and educate users about the dangers of malicious websites.

Configure the Application Catalog website point and the Application Catalog web service point to accept HTTPS connections so that the server is authenticated to users and the data that is transmitted is protected from tampering
1764

Security best practice

More information

and viewing. Help to prevent social engineering attacks by educating users to connect to trusted websites only. Note Do not use the branding configuration options that display the name of your organization in the Application Catalog as proof of identify when you do not use HTTPS. Use role separation, and install the Application Catalog website point and the Application Catalog service point on separate servers. If the Application Catalog website point is compromised, install it on a separate server to the Application Catalog web service point. This will help to protect the Configuration Manager clients and the Configuration Manager infrastructure. This is particularly important if the Application Catalog website point accepts client connections from the Internet because this configuration makes the server vulnerable to attack. If users browse to an external website in the same browser window that they used for the Application Catalog, the browser continues to use the security settings that are suitable for trusted sites in the intranet. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy software by using user device affinity that is not specified by a trusted administrative user, the software might be installed on computers and to users who are not authorized to receive that software. When you configure deployments to download content from a distribution point and run locally, the Configuration Manager client verifies the package hash after it downloads the content, and it discards the package if the hash does not match the hash in the policy. In comparison, if you configure the deployment to run directly from a distribution point, the Configuration
1765

Educate users to close the browser window when they finish using the Application Catalog.

Manually specify the user device affinity instead of allowing users to identify their primary device; and do not enable usage-based configuration.

Always configure deployments to download content from distribution points rather than run from distribution points.

Security best practice

More information

Manager client does not verify the package hash, which means that the Configuration Manager client can install software that has been tampered with. If you must run deployments directly from distribution points, use NTFS least permissions on the packages on the distribution points, and use IPsec to secure the channel between the client and the distribution points and between the distribution points and the site server. Do not allow users to interact with programs if the option Run with administrative rights is required. When you configure a program, you can set the option Allow users to interact with this program so that users can respond to any required prompts in the user interface. If the program is also configured to Run with administrative rights, an attacker at the computer that runs the program could use the user interface to escalate privileges on the client computer. Use Windows Installer-based setup programs with per-user elevated privileges for software deployments that require administrative credentials, but that must be run in the context of a user who does not have administrative credentials. Windows Installer per-user elevated privileges provides the most secure way to deploy applications that have this requirement. Restrict whether users can install software interactively by using the Installation permissions client setting. Configure the Computer Agent client device setting Install permissions to restrict the types of users that can install software by using the Application Catalog or Software Center. For example, create a custom client setting with Install permissions set to Only administrators. Then apply this client setting to a collection of servers to prevent users without administrative permissions from installing software on those computers. Deploy mobile device applications only if they are code signed by a certification authority (CA)
1766

For mobile devices, deploy only applications that are signed

Security best practice

More information

that is trusted by the mobile device. For example: An application from a vendor, which is signed by a well-known CA, such as VeriSign. An internal application that you sign independently from Configuration Manager, by using your internal CA. An internal application that you sign by using Configuration Manager when you create the application type and use a signing certificate.

If you sign mobile device applications by using the Create Application Wizard in Configuration Manager, secure the location of the signing certificate file, and secure the communication channel.

To help protect against elevation of privileges and against man-in-the-middle attacks, store the signing certificate file in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the certificate signing file. The computer that stores the application source files.

Alternatively, sign the application independently from Configuration Manager and before you run the Create Application Wizard. Implement access controls to protect reference computers. When an administrative user configures the detection method in a deployment type by browsing to a reference computer, make sure that the computer has not been compromised.

Restrict and monitor the administrative users who are granted the role-based security roles that are related to application management: Application Administrator Application Author Application Deployment Manager

Even when you configure role-based administration, administrative users who create and deploy applications might have more permissions than you realize. For example, when administrative users create or modify an application, they can select dependent applications that are not in their security scope.

1767

Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you configure Microsoft Application Virtualization (App-V) virtual environments, select applications in the virtual environment that have the same trust level. If you deploy applications for Mac computers, make sure that the source files are from a trustworthy source.

Because applications in an App-V virtual environment can share resources, such as the clipboard, configure the virtual environment such that the selected applications have the same trust level. For more information, see How to Create App-

V Virtual Environments in Configuration Manager.

The CMAppUtil tool does not validate the signature of the source package, so make sure that it comes from a source that you trust. The CMAppUtil tool is not able to detect whether the files have been tampered with.

If you deploy applications for Mac computers, secure the location of the .cmmac file and secure the communication channel when you import this file into Configuration Manager.

Because the .cmmac file that the CMAppUtil tool generates and that you import into Configuration Manager is not signed or validated, to help prevent tampering of this file, store it in a secured folder and use IPsec or SMB between the following computers: The computer that runs the Configuration Manager console. The computer that stores the .cmmac file.

For System Center 2012 R2 Configuration Manager only: If you configure a web application deployment type, use HTTPS rather than HTTP to secure the connection

If you deploy a web application by using an HTTP link rather than an HTTPS link, the device could be redirected to a rogue server and data transferred between the device and server could be tampered with.

Security issues for application management

Application management has the following security issues: Low-rights users can copy files from the client cache on the client computer. Users can read the client cache, but cannot write to it. With read permissions, a user can copy application installation files from one computer to another. Low-rights users can modify files that record software deployment history on the client computer. Because the application history information is not protected, a user can modify files that report whether an application installed.
1768

App-V packages are not signed. App-V packages in Configuration Manager do not support signing to verify that the content is from a trusted source and that it has not been altered in transit. There is no mitigation for this security issue; make sure that you follow the security best practice to download the content from a trusted source and from a secure location.

Published App-V applications can be installed by all users on the computer. When an App-V application is published on a computer, all users who log on to that computer can install the application. This means that you cannot restrict which users can install the application after it is published.

You cannot restrict install permissions for the company portal Although you can configure a client setting to restrict install permissions, for example, to primary users of a device, or to local administrators only, this setting does not work for the company portal. This could result in an elevation of privileges because a user could install an app that they should not be allowed to install.

Certificates for Microsoft Silverlight 5, and elevated trust mode required for the Application Catalog
Note Applies to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only. System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager clients require Microsoft Silverlight 5, which must run in elevated trust mode for users to install software from the Application Catalog. By default, Silverlight applications run in partial trust mode to prevent applications from accessing user data. Configuration Manager automatically installs Microsoft Silverlight 5 on clients if it is not already installed, and by default, it configures the Computer Agent client setting Allow Silverlight applications to run in elevated trust mode to Yes. This setting allows signed and trusted Silverlight applications to request elevated trust mode. When you install the Application Catalog website point site system role, the client also installs a Microsoft signing certificate in the Trusted Publishers computer certificate store on each Configuration Manager client computer. This certificate allows Silverlight applications that are signed by this certificate to run in the elevated trust mode that computers require to install software from the Application Catalog. Configuration Manager automatically manages this signing certificate. To ensure service continuity, do not manually delete or move this Microsoft signing certificate. Warning When enabled, the client setting Allow Silverlight applications to run in elevated trust mode allows all Silverlight applications that are signed by certificates in the Trusted
1769

Publishers certificate store in either the computer store or the user store to run in elevated trust mode. The client setting cannot enable elevated trust mode specifically for the Configuration Manager Application Catalog or for the Trusted Publishers certificate store in the computer store. If malware adds a rogue certificate in the Trusted Publishers store, for example, in the user store, malware that uses its own Silverlight application can now also run in elevated trust mode. If you configure the client setting Allow Silverlight applications to run in elevated trust mode to be No, this does not remove the Microsoft signing certificate from clients. For more information about trusted applications in Silverlight, see Trusted Applications.

Privacy information for application management

Application management allows you to run any application, program, or script on any client computer or client mobile device in the hierarchy. Configuration Manager has no control over what types of applications, programs, or scripts you run or what type of information they transmit. During the application deployment process, Configuration Manager might transmit information between clients and servers that identify the device and logon accounts. Configuration Manager maintains status information about the software deployment process. Software deployment status information is not encrypted during transmission unless the client communicates by using HTTPS. The status information is not stored in encrypted form in the database. The use of Configuration Manager software installation to remotely, interactively, or silently install software on clients might be subject to software license terms for that software, and is separate from the Software License Terms for System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms before you deploy software by using Configuration Manager. Software deployment does not happen by default and requires several configuration steps. Two optional features that help efficient software deployment are user device affinity and the Application Catalog: User device affinity maps a user to devices so that a Configuration Manager administrator can deploy software to a user, and the software is automatically installed on one or more computers that the user uses most often. The Application Catalog is a website that allows users to request software to install.

View the following sections for privacy information about user device affinity and the Application Catalog. Before you configure application management, consider your privacy requirements.

User device affinity

Configuration Manager might transmit information between clients and management point site systems that identify the computer and logon account and the summarized usage for logon accounts.
1770

The information that is transmitted between the client and server is not encrypted unless the management point is configured to require clients communicate by using HTTPS. The computer and logon account usage information that is used to map a user to a device is stored on client computers, sent to management points, and then stored in the Configuration Manager database. The old information is deleted from the database by default after 90 days. The deletion behavior is configurable by setting the Delete Aged User Device Affinity Data site maintenance task. Configuration Manager maintains status information about user device affinity. Status information is not encrypted during transmission unless clients are configured to communicate with management points by using HTTPS. Status information is not stored in encrypted form in the database. Computer, logon account usage information, and status information is not sent to Microsoft. Computer and logon usage information that is used to establish user and device affinity is always enabled. In addition, users and administrative users can supply user device affinity information.

Application Catalog
The Application Catalog allows the Configuration Manager administrator to publish any application or program or script for users to run. Configuration Manager has no control over what types of programs or scripts are published in the catalog, or what type of information they transmit. Configuration Manager might transmit information between clients and the Application Catalog site system roles that identify the computer and logon accounts. The information that is transmitted between the client and servers is not encrypted unless these site system roles are configured to require that clients connect by using HTTPS. The information about the application approval request is stored in the Configuration Manager database. The requests that are canceled or denied are deleted by default after 30 days, along with the corresponding request history entries. The deletion behavior is configurable by setting the Delete Aged Application Request Data site maintenance task. The application approval requests that are in approved and pending states are never deleted. Information that is sent to and from the Application Catalog is not sent to Microsoft. The Application Catalog is not installed by default. This installation requires several configuration steps.

See Also
Application Management in Configuration Manager

1771

Technical Reference for Application Management in Configuration Manager

Use the following topics in this section for technical reference information for application management in Microsoft System Center 2012 Configuration Manager.

In this Section
Example Scenario for Managing Applications by Using Configuration Manager

See Also
Application Management in Configuration Manager

Example Scenario for Managing Applications by Using Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario for how you can use System Center 2012 Configuration Manager to manage applications in your enterprise. It covers the lifecycle of the application deployment: The initial creation and testing to deploy the application; updating the deployed application to a later version; and the removal of the application from computers on the production network. John is the Configuration Manager administrator at Woodgrove Bank who must deploy the latest version of Microsoft Visio to 200 users, according to the following requirements: He must install the application only to computers that run Windows 7. For performance reasons, only computers with more than 4 GB of RAM must install this application. If computers have less than 4 GB RAM, they must run the virtual version of the application. A company specific application, Woodgrove.msi, must be installed on all company computers before installing the application. If the application is installed on a computer that is not the users primary computer, a virtual version of the application must be installed. Computers that run Windows Server must not install Microsoft Visio and the Woodgrove.msi application.

1772

The application must also be made available to users to install on-demand to other computers in the organization.

The following sections in this topic provide example steps for how to use Configuration Manager to create, deploy, and manage applications in your organization: Preparation Step 1: Create and deploy the Woodgrove.msi application Step 2: Create an application for Microsoft Visio Step 3: Create multiple deployment types for the Microsoft Visio application Step 4: Test the application by using a simulated deployment Step 5: Deploy the Microsoft Visio application Step 6: Supersede the Microsoft Visio application Step 7: Remove the Microsoft Visio application

Preparation
Before John can manage applications by using Configuration Manager, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for application management in Configuration Manager. John reviews and implements the required prerequisites to deploy applications.

For overview information about application management, see Introduction to Application Management in Configuration Manager. For information about the prerequisites for application management, see Prerequisites for Application Management in Configuration Manager. For information about how to configure the Application Catalog and Software Center, see Configuring the Application Catalog and Software Center in Configuration Manager.

John configures and tests the Application Catalog and Software Center, which allow users to browse for and install software.

Step 1: Create and deploy the Woodgrove.msi application

The application named Woodgrove.msi must be installed on all computers in the company, except for servers. To create this application in Configuration Manager, John takes the actions outlined in the following table.

1773

Process

Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

To automatically populate the wizard with information about the Woodgrove.msi installation file, John selects the installation file type Windows Installer (Native). He then reviews the information that has been read from the application installation file and provides further information on the General page of the Create Application Wizard. John names the application Woodgrove Business Application. John completes the wizard. The new application and a deployment type (named Woodgrove MSI) for the application is created and displayed in the Applications node of the Software Library workspace. John starts the Distribute Content Wizard in order to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed.

For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration Manager

John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers. John uses the Deploy Software Wizard to deploy the application to the All Desktop and Laptop Computers collection by using the following parameters:

For information about how to deploy applications, see How to Deploy Applications in Configuration Manager.

1774

Process

Reference

Deployment action - Install Deployment purpose Required For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

John monitors the deployment of Woodgrove.msi to ensure that it is successfully installed on all computers in the All Desktop and Laptop Computers collection.

Step 2: Create an application for Microsoft Visio

John must now create an application for Microsoft Visio. To create this application in Configuration Manager, John takes the actions outlined in the following table.
Process Reference

From the Configuration Manager console, John runs the Create Application Wizard.

For information about how to start the Create Application Wizard, see the Step 1: Start the Create Application Wizard section in the How to Create Applications in Configuration Manager topic. For information about how to automatically detect information about the application from the application installation files, see the To automatically detect application information section in the How to Create Applications in Configuration Manager topic.

John uses the Create Application Wizard to create a new application named Microsoft Visio (Woodgrove Bank). He selects the option to automatically detect application information from the Windows Installer (.msi) file for Microsoft Visio. John completes the wizard. The new application and a deployment type for the application is created and displayed in the Applications node of the Software Library workspace. John opens the properties for the Microsoft Visio (Woodgrove Bank) application and clicks the Deployment Types tab. He then selects the deployment type that was just created, and clicks Edit. On the Requirements tab of the <deployment type> Properties dialog box, John configures the following requirements: Category: Device, Condition: Total

For information about deployment type requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Applications in Configuration Manager topic.

1775

Process

Reference

physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run Windows Server. Category: User, Condition: Primary Device, Operator: Equals, Value: True This requirement ensures that the Windows Installer deployment type can run only on the user's primary device. For more information about dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Applications in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft Visio.

1776

Step 3: Create multiple deployment types for the Microsoft Visio application
For John's business purposes, he requires two deployment types: The MSI deployment type that locally installs the application, and a virtual deployment type. John creates a deployment type for the Microsoft Visio virtual application by taking the actions outlined in the following table.
Process Reference

John uses the Microsoft Application Virtualization (App-V) Sequencer to create a virtual application for Microsoft Visio. John opens the Applications node in the Software Library workspace and selects the Microsoft Visio (Woodgrove Bank) application. Then, on the Home tab, in the Application group, he clicks Create Deployment Type. To automatically populate the wizard with information about the virtual application, John selects the installation file type Microsoft Application Virtualization and then browses to the XML manifest file for the Microsoft Visio virtual application. On the Requirements page of the Create Deployment Type Wizard, John configures the following requirements: Category: Device, Condition: Total physical memory, Operator: Greater than or equal to, Value (MB): 4000 This requirement ensures that the deployment type can be installed only on computers with more than 4 GB RAM. Category: Device, Condition: Operating system, Operator: One of, Windows 7 This requirement ensures that the deployment type can be installed only on computers that run Windows 7. Note This requirement also prevents the deployment type from installing on computers that run

For more information, see the topic How to Sequence a New Application (App-V 4.6) in the Application Virtualization documentation. For more information about how to create deployment types, see How to Create Applications in Configuration Manager.

For information about deployment type requirements, see the Step 6: Specify Requirements for the Deployment Type section in the How to Create Applications in Configuration Manager topic.

1777

Process

Reference

Windows Server. Category: User, Condition: Primary Device, Operator: Equals, Value: False This requirement ensures that the virtual application deployment type will run only on devices that are not the users primary device. For more information about application dependencies, see the Step 7: Specify Dependencies for the Deployment Type section in the How to Create Applications in Configuration Manager topic.

On the Dependencies tab of the <deployment type> Properties dialog box, John configures the following dependency: Dependency group name Woodgrove Visio Applications. Application Woodgrove Business Application Supported Deployment Types Woodgrove MSI

John also selects the Auto Install check box to ensure that the Woodgrove.msi business application will automatically install on any computer, if required, before installing Microsoft Visio. John starts the Distribute Content Wizard to copy the application content to the required distribution points in the Woodgrove Bank hierarchy. He then uses the Content Status node in the Monitoring workspace to confirm that the content for the application has been successfully distributed. For information about the Distribute Content Wizard, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. For information about how to monitor the distribution of application content, see the Content Status Monitoring section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 4: Test the application by using a simulated deployment

Before John deploys the Microsoft Visio application, he wants to test the deployment to find out how many computers will install local and virtual copies of Microsoft Visio. He also wants to determine how many computers do not meet the requirements to install the application. In order

1778

to obtain this information, John configures a simulated deployment by taking the actions outlined in the following table.
Process Reference

John creates two new user collections. The first collection is named Required Visio Installation. It contains the names of the 200 users who must have Visio installed. The second collection, named Optional Visio Installation, contains all users. In this second collection, John adds a new exclude collection rule so that the members of the Required Visio Installation collection will be excluded from this collection. John runs the Simulate Application Deployment Wizard. He creates a simulated deployment with an action of Install and deploys it to the Required Visio Installation collection. He then creates a second simulated deployment by using the same parameters to the Optional Visio Installation collection. John examines the status of each simulated deployment in the Deployments node of the Monitoring workspace. These deployments are listed with a purpose of Simulate. He discovers that about ten percent of the computers do not meet the requirements to install Microsoft Visio and he reports this information to his manager.

For more information about how to create user collections, see the To create a user collection section in the How to Create Collections in Configuration Manager topic.

For more information about simulated application deployments, see How to Simulate an Application Deployment in Configuration Manager.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 5: Deploy the Microsoft Visio application

John is now ready to deploy the new Microsoft Visio application. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John uses the Deploy Software Wizard to create two deployments of the Microsoft Visio

For information about how to deploy applications, see How to Deploy Applications in
1779

Process

Reference

application: Deployment 1 to the Required Visio Installation collection with an action of Install and a purpose of Required. Deployment 2 to the Optional Visio Installation collection with an action of Install and a purpose of Available.

Configuration Manager.

John regularly monitors both of these For more information about how to monitor deployments of Microsoft Visio. He can application deployments, see How to Monitor troubleshoot any problems that might occur by Applications in Configuration Manager. using the information in the Deployments node of the Monitoring workspace. John is able to report to his managers at Woodgrove Bank that the Microsoft Visio deployment has been successful.

Step 6: Supersede the Microsoft Visio application

A new version of Microsoft Visio is released and Woodgrove Bank decides to upgrade all installed copies of the software to the new version. To accomplish this task, John takes the actions outlined in the following table.
Process Reference

John deletes the current deployments of the Microsoft Visio application. John creates deployment types for the new versions in the Microsoft Visio application for the full installation of Microsoft Visio and for a virtual installation of Microsoft Visio. John adds two new supersedence relationships: One for the full installation of Microsoft Visio and one for the virtual installation. He also selects the option to uninstall the previous versions.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information, see Step 3: Create multiple deployment types for the Microsoft Visio application in this topic. For more information about superseding applications, see How to Use Application Supersedence in Configuration Manager.

John redeploys the Microsoft Visio application For information about how to deploy an to computers in the Woodgrove Bank hierarchy. application, see How to Deploy Applications in Configuration Manager.
1780

Process

Reference

John monitors the state of these application deployments and is able to report to his manager that the new version of Microsoft Visio has been successfully deployed.

For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

Step 7: Remove the Microsoft Visio application

Woodgrove Bank decides that they no longer require Microsoft Visio to be installed on computers in their hierarchy. They ask John to remove all copies of the software from computers in the company. To accomplish this, he takes the actions outlined in the following table.
Process Reference

John deletes all deployments of the Microsoft Visio application. John checks the properties of each deployment type in the Microsoft Visio application. On the Programs tab of the Deployment Properties dialog box, he verifies that an uninstall program has been specified. John then deploys the Microsoft Visio application to all computers with an action of Uninstall and a purpose of Required. John monitors the application deployment and is able to report to his manager that all copies of Microsoft Visio have been removed from the computers at Woodgrove Bank.

For information about how to delete an application deployment, see How to Deploy Applications in Configuration Manager. For more information about deployment type options, see How to Create Applications in Configuration Manager.

For information about how to deploy an application, see How to Deploy Applications in Configuration Manager. For more information about how to monitor application deployments, see How to Monitor Applications in Configuration Manager.

See Also
Technical Reference for Application Management in Configuration Manager

Software Updates in Configuration Manager

Software Updates in System Center 2012 Configuration Manager provides a set of tools and resources that can help you to manage, deploy, and monitor software updates in the enterprise.
1781

Software Updates Topics

The following topics help you to manage software updates in Configuration Manager: Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager Configuring Software Updates in Configuration Manager Operations and Maintenance for Software Updates in Configuration Manager Security and Privacy for Software Updates in Configuration Manager Technical Reference for Software Updates in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Software Updates in Configuration Manager

Software updates in System Center 2012 Configuration Manager provides a set of tools and resources that can help manage the complex task of tracking and applying software updates to client computers in the enterprise. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain the stability of the network infrastructure. However, because of the changing nature of technology and the continual appearance of new security threats, effective software update management requires consistent and continual attention. See the following sections for more information about software updates: Software Updates Synchronization Software Updates Compliance Assessment Software Update Deployment Packages Software Update Deployment Workflows Software Update Deployment Process Extend Software Updates in Configuration Manager Support for Windows Embedded Devices That Use Write Filters Network Access Protection Whats New in Configuration Manager Whats New in Configuration Manager SP1 Whats New in System Center 2012 R2 Configuration Manager

1782

For an example scenario that shows how you might deploy software updates in your environment, see Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft.

Software Updates Synchronization

Software updates synchronization in Configuration Manager uses Microsoft Update to retrieve software updates metadata. The top-level site (central administration site or stand-alone primary site) synchronizes with Microsoft Update on a schedule or when you manually start synchronization from the Configuration Manager console. When Configuration Manager finishes software updates synchronization at the top-level site, software updates synchronization starts at child sites, if they exist. When synchronization is complete at each primary site or secondary site, a site-wide policy is created that provides to client computers the location of the software update points. Note Software updates are enabled by default in client settings. However, if you set the Enable software updates on clients client setting to No to disable software updates on a collection or in the default settings, the location for software update points are not sent to associated clients. For more information about the software updates client settings, see the Software Updates section in the About Client Settings in Configuration Manager topic. After the client receives the policy, the client starts a scan for software updates compliance and writes the information to Windows Management Instrumentation (WMI). The compliance information is then sent to the management point that then sends the information to the site server. For more information about compliance assessment, see the Software Updates Compliance Assessment section in this topic. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Starting in Configuration Manager SP1, you can install multiple software update points at a primary site. The first software update point that you install is configured as the synchronization source. This synchronizes from Microsoft Update or a WSUS server not in your Configuration Manager hierarchy. The other software update points at the site use the first software update point as the synchronization source. Note When the software updates synchronization process is complete at the top-level site, the software updates metadata is replicated to child sites by using database replication. When you connect a Configuration Manager console to the child site, Configuration Manager displays the software updates metadata. However, until you install and configure a software update point at the site, clients will not scan for software updates compliance, clients will not report compliance information to Configuration Manager, and you cannot successfully deploy software updates.
1783

Synchronization on the Top-Level Site

The software updates synchronization process at the top-level site retrieves from Microsoft Update the software updates metadata that meet the criteria that you specify in Software Update Point Component properties. You configure the criteria only at the top-level site. Note Starting in Configuration Manager SP1, at the top-level site, you can specify as the synchronization source instead of Microsoft Update an existing WSUS server that is not in the Configuration Manager hierarchy. The following list describes the basic steps for the synchronization process on the top-level site: 1. Software updates synchronization starts. 2. WSUS Synchronization Manager sends a request to WSUS running on the software update point to start synchronization with Microsoft Update. 3. The software updates metadata is synchronized from Microsoft Update, and any changes are inserted or updated in the WSUS database. 4. When WSUS has finished synchronization, WSUS Synchronization Manager synchronizes the software updates metadata from the WSUS database to the Configuration Manager database, and any changes after the last synchronization are inserted or updated in the site database. The software updates metadata is stored in the site database as a configuration item. 5. The software updates configuration items are sent to child sites by using database replication. 6. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 7. WSUS Synchronization Manager sends a synchronization request to all child sites. 8. For a stand-alone primary site that is running System Center 2012 Configuration Manager SP1 only: WSUS Synchronization Manager sends a request one at a time to WSUS running on other software update points at the site. The WSUS servers on the other software update points are configured to be replicas of WSUS running on the default software update point at the site.

Synchronization on Child Primary and Secondary Sites

During the software updates synchronization process on the top-level site, the software updates configuration items are replicated to child sites by using database replication. At the end of the process, the top-level site sends a synchronization request to the child site, and the child site starts the WSUS synchronization. The following list provides the basic steps for the synchronization process on a child primary site or secondary site: 1. WSUS Synchronization Manager receives a synchronization request from the top-level site. 2. Software updates synchronization starts.

1784

3. WSUS Synchronization Manager makes a request to WSUS running on the software update point to start synchronization. 4. WSUS running on the software update point on the child site synchronizes software updates metadata from WSUS running on the software update point on the parent site. 5. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 6. From a primary site, WSUS Synchronization Manager sends a synchronization request to any child secondary sites. The secondary site starts the software updates synchronization with the parent primary site. The secondary site is configured as a replica of WSUS running on the parent site. 7. For Configuration Manager with no service pack only: When there is a remote Internet-based software update point, WSUS Synchronization Manager starts the synchronization process for WSUS running on the remote site system. 8. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: WSUS Synchronization Manager sends a request one at a time to WSUS running on other software update points at the site. The WSUS servers on the other software update points are configured to be replicas of WSUS running on the default software update point at the site.

Synchronization for Internet-Based Software Update Points

Important This section applies to Configuration Manager with no service pack only. When synchronization has finished for the active software update point at a site, synchronization is started for the active Internet-based software update point for the site, if you configured it. This process resembles the synchronization process on child sites, except that WSUS running on the active Internet-based software update point synchronizes with WSUS running on the active software update point for the same site. 1. WSUS Synchronization Manager makes a request to WSUS running on the remote Internetbased software update point to start synchronization. 2. WSUS running on the remote Internet-based software update point synchronizes software updates metadata from WSUS running on the active software update point for the same site. 3. When synchronization has finished successfully, WSUS Synchronization Manager creates status message 6702. 4. WSUS Synchronization Manager sends a synchronization request to any child sites. When the synchronization source configured for the Internet-based software update point is not configured to synchronize with an upstream update server, you can use the Export and Import functions of the WSUSutil tool to synchronize software updates metadata from an active software update point for the site. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in the Configuring Software Updates in Configuration Manager topic.
1785

Software Updates Compliance Assessment

Before you deploy software updates to client computers in Configuration Manager, start a scan for software updates compliance on client computers. For each software update, a state message is created that contains the compliance state for the update. The state messages are sent in bulk to the management point and then to the site server, where the compliance state is inserted into the site database. The compliance state for software updates is displayed in the Configuration Manager console. You can deploy and install software updates on computers that require the updates. The following sections provide information about the compliance states and describe the process for scanning for software updates compliance.

Software Updates Compliance States

The following table lists and describes each compliance state that is displayed in the Configuration Manager console for software updates.
State Description

Required

Specifies that the software update is applicable and required on the client computer. Any of the following conditions could be true when the software update state is Required: The software update was not deployed to the client computer. The software update was installed on the client computer. However, the most recent state message has not yet been inserted into the database on the site server. The client computer rescans for the update after the installation has finished. There might be a delay of up to two minutes before the client sends the updated state to the management point that then forwards the updated state to the site server. The software update was installed on the client computer. However, the software update installation requires a computer restart before the update is completed. The software update was deployed to the client computer but has not yet been installed.

Not Required

Specifies that the software update is not applicable on the client computer. Therefore, the software update is not required.
1786

State

Description

Installed

Specifies that the software update is applicable on the client computer and that the client computer already has the software update installed. Specifies that the site server has not received a state message from the client computer, typically because one of the following: The client computer did not successfully scan for software updates compliance. The scan finished successfully on the client computer. However, the state message has not yet been processed on the site server, possibly because of a state message backlog. The scan finished successfully on the client computer, but the state message has not been received from the child site. The scan finished successfully on the client computer, but the state message file was corrupted in some way and could not be processed.

Unknown

Scan for Software Updates Compliance Process

When the software update point is installed and synchronized, a site-wide machine policy is created that informs client computers that Configuration Manager Software Updates was enabled for the site. When a client receives the machine policy, a compliance assessment scan is scheduled to start randomly within the next two hours. When the scan is started, a Software Updates Client Agent process clears the scan history, submits a request to find the WSUS server that should be used for the scan, and updates the local Group Policy with the WSUS server location. Note Internet-based clients must connect to the WSUS server by using SSL. A scan request is passed to the Windows Update Agent (WUA). The WUA then connects to the WSUS server location that is listed in the local policy, retrieves the software updates metadata that has been synchronized on the WSUS server, and scans the client computer for the updates. A Software Updates Client Agent process detects that the scan for compliance has finished, and it creates state messages for each software update that changed in compliance state after the last scan. The state messages are sent to the management point in bulk every 15 minutes. The
1787

management point then forwards the state messages to the site server, where the state messages are inserted into the site server database. After the initial scan for software updates compliance, the scan is started at the configured scan schedule. However, if the client has scanned for software updates compliance in the time frame indicated by the Time to Live (TTL) value, the client uses the software updates metadata that is stored locally. When the last scan is outside the TTL, the client must connect to WSUS running on the software update point and update the software updates metadata stored on the client. Including the scan schedule, the scan for software updates compliance can start in the following ways: Software updates scan schedule: The scan for software updates compliance starts at the configured scan schedule that is configured in the Software Updates Client Agent settings. For more information about how to configure the Software Updates client settings, see the see the Software Updates section in the About Client Settings in Configuration Manager topic. Configuration Manager Properties action: The user can start the Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle action on the Action tab in the Configuration Manager Properties dialog box on the client computer. Deployment reevaluation schedule: The deployment evaluation and scan for software updates compliance starts at the configured deployment reevaluation schedule, which is configured in the Software Updates Client Agent settings. For more information about the Software Updates client settings, see the Software Updates section in the About Client Settings in Configuration Manager topic. Prior to downloading update files: When a client computer receives an assignment policy for a new required deployment, the Software Updates Client Agent downloads the software update files to the local client cache. Before downloading the software update files, the client agent starts a scan to verify that the software update is still required. Prior to software update installation: Just before the software update installation, the Software Updates Client Agent starts a scan to verify that the software updates are still required. After software update installation: Just after a software update installation is complete, the Software Updates Client Agent starts a scan to verify that the software updates are no longer required and creates a new state message that states that the software update is installed. When the installation has finished, but a restart is necessary, the state message indicates that the client computer is pending a restart. After system restart: When a client computer is pending a system restart for the software update installation to finish, the Software Updates Client Agent starts a scan after the restart to verify that the software update is no longer required and creates a state message that states that the software update is installed.

Time to Live Value

The software updates metadata that is required for the scan for software updates compliance is stored on the local client computer, and by default, is relevant for up to 24 hours. This value is known as the Time to Live (TTL).
1788

Scan for Software Updates Compliance Types

The client scans for software updates compliance by using an online or offline scan and a forced or non-forced scan, depending on the way the scan for software updates compliance is started. The following table describes which methods for starting the scan are online or offline and whether the scan is forced or non-forced.
Scan method Scan type Description

Software updates scan schedule

Non-forced online scan

At the configured scan schedule, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. The client computer always connects to WSUS running on the software update point to retrieve the software updates metadata before the client computer scans for software updates compliance. After the scan is complete, the TTL counter is reset. For example, if the TTL is 24 hours, after a user starts a scan for software updates compliance, the TTL is reset to 24 hours. At the configured deployment reevaluation schedule, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. Before the client can download update files in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last
1789

Software Updates Scan Cycle or Software Updates Deployment Evaluation Cycle

Forced online scan

Deployment reevaluation schedule

Non-forced online scan

Prior to downloading update files

Non-forced online scan

Scan method

Scan type

Description

scan was outside the TTL. Prior to software update installation Non-forced online scan Before the client installs software updates in required deployments, the client connects to WSUS running on the software update point to retrieve the software updates metadata only when the last scan was outside the TTL. After a software update is installed, the Software Updates Client Agent starts a scan by using the local metadata. The client never connects to WSUS running on the software update point to retrieve software updates metadata. After a software update is installed and the computer is restarted, the Software Updates Client Agent starts a scan by using the local metadata. The client never connects to WSUS running on the software update point to retrieve software updates metadata.

After software update installation

Forced offline scan

After system restart

Forced offline scan

Software Update Deployment Packages

A software update deployment package is the vehicle used to download software updates to a network shared folder, and copy the software update source files to the content library on site servers and on distribution points that are defined in the deployment. By using the Download Updates Wizard, you can download software updates and add them to deployment packages before you deploy them. This wizard lets you provision software updates on distribution points and verify that this part of the deployment process is successful before you deploy the software updates to clients. When you deploy downloaded software updates by using the Deploy Software Updates Wizard, the deployment automatically uses the deployment package that contains the software updates. When software updates that have not been downloaded are deployed, you must specify a new or
1790

existing deployment package in the Deploy Software Updates Wizard, and the software updates are downloaded when the wizard is finished. Important You must manually create the shared network folder for the deployment package source files before you specify it in the wizard. Each deployment package must use a different shared network folder. Security The SMS Provider computer account and the administrative user who actually downloads the software updates both require Write permissions to the package source. Restrict access to the package source to reduce the risk of an attacker tampering with the software updates source files in the package source. When a new deployment package is created, the content version is set to 1 before any software updates are downloaded. When the software update files are downloaded by using the package, the content version is incremented to 2. Therefore, all new deployment packages start with a content version of 2. Every time that the content changes in a deployment package, the content version is incremented by 1. For more information about content management in Configuration Manager, see Introduction to Content Management in Configuration Manager. Clients install software updates in a deployment by using any distribution point that has the software updates available, regardless of the deployment package. Even if a deployment package is deleted for an active deployment, clients still can install the software updates in the deployment as long as each update was downloaded to at least one other deployment package and is available on a distribution point that can be accessed from the client. When the last deployment package that contains a software update is deleted, client computers cannot retrieve the software update until the update is downloaded again to a deployment package. Software updates appear with a red arrow in the Configuration Manager console when the update files are not in any deployment packages. Deployments appear with a double red arrow if they contain any updates in this condition.

Software Update Deployment Workflows

There are two main scenarios for deploying software updates in your environment, manual deployment and automatic deployment. Typically, you deploy software updates manually to create a baseline for client computers, and then you manage software updates on clients by using automatic deployment. The following sections provide a summary for the workflow for manual and automatic deployment for software updates.

Manual Deployment of Software Updates

Manual deployment of software updates is the process of selecting software updates in the Configuration Manager console and manually starting the deployment process. You typically use this method of deployment to get the client computers up-to-date with required software updates before you create automatic deployment rules that manage ongoing monthly software update
1791

deployments, and to deploy out of band software update requirements. The following list provides the general workflow for manual deployment of software updates: 1. Filter for software updates that use specific requirements. For example, you could provide criteria that retrieves all security or critical software updates that are required on more than 50 client computers. 2. Create a software update group that contains the software updates. 3. Download the content for the software updates in the software update group. 4. Manually deploy the software update group.

Automatic Deployment of Software Updates

Automatic software updates deployment is configured by using automatic deployment rules. You typically use this method of deployment for your monthly software updates (generally known as Patch Tuesday) and for managing definition updates. When the rule runs, the software updates that meet a specified criteria (for example, all security software updates released in the last week) are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client computers in the target collection. The following list provides the general workflow for automatic deployment of software updates: 1. Create an automatic deployment rule that specifies deployment settings such as the following: Target collection Decide whether to enable the deployment or report on software updates compliance for the client computers in the target collection Software updates criteria Evaluation and deployment schedules User experience Download properties

2. The software updates are added to a software update group. 3. The software updates group is deployed to the client computers in the target collection, if it is specified. You must determine what deployment strategy to use in your environment. For example, you might create the automatic deployment rule and target a collection of test clients. After you verify that the software updates are installed on the test group, you can change the collection in the automatic deployment rule to a target collection that includes a larger set of clients. The software update objects that are created by the automatic deployment rules are interactive. Software updates that were deployed by using an automatic deployment rule are automatically deployed to new clients added to the target collection. New software updates added to a software update group are automatically deployed to the clients in the target collection.
1792

You can enable or disable deployments at any time for the automatic deployment rule.

Software Update Deployment Process

After you deploy software updates or when an automatic deployment rule runs and deploys software updates, a deployment assignment policy is added to the machine policy for the site. The software updates are downloaded from the download location, the Internet, or network shared folder, to the package source. The software updates are copied from the package source to the content library on the site server, and then copied to the content library on the distribution point. When a client computer in the target collection for the deployment receives the machine policy, the Software Update Client Agent starts an evaluation scan. The client agent downloads the content for required software updates from a distribution point to the local client cache soon after it receives the deployment, but waits until after the Software available time setting for the deployment before the software updates are available to install. The software updates in optional deployments (deployments that do not have an installation deadline) are not downloaded until a user manually starts the installation. When the configured deadline passes, the Software Updates Client Agent performs a scan to verify that the software updates are still required. Then it checks the local cache on the client computer to verify that the software update source files are still available. Finally, the client installs the software updates. If the content was deleted from the client cache to make room for another deployment, the client re-downloads the software updates from the distribution point to the client cache. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size. When the installation is complete, the client agent verifies that the software updates are no longer required, and then sends a state message to the management point to indicate that the software updates are now installed on the client.

Required System Restart

By default, when software updates from a required deployment are installed on a client computer and a system restart is required for the installation to finish, the system restart is started. For software updates that were installed before the deadline, the automatic system restart is postponed until the deadline, unless the computer is restarted before that for some other reason. The system restart can be suppressed for servers and workstations. These settings are configured in the User Experience page of the Deploy Software Updates Wizard or Create Automatic Updates Rule Wizard.

Deployment Reevaluation Cycle

By default, client computers start a deployment reevaluation cycle every 7 days. During this evaluation cycle, the client computer scans for software updates that were previously deployed and installed. If any software updates are missing, the software updates are reinstalled from the local cache. If a software update is no longer available in the local cache, it is downloaded from a
1793

distribution point and then installed. You can configure the reevaluation schedule on the Software Updates page in client settings for the site.

Support for Windows Embedded Devices That Use Write Filters

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you deploy software updates to Windows Embedded devices that are write filter-enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the software is deployed to a temporary overlay and the software will no longer be installed when the device restarts unless another deployment forces changes to be persisted. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. This lets you manage when the write filter is disabled and enabled, and when the device restarts. The user experience setting that controls the write filter behavior is a check box named Commit changes at deadline or during a maintenance windows (requires restarts) . For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic.

Extend Software Updates in Configuration Manager

Use System Center Updates Publisher 2011 to manage software updates that are not available from Microsoft Update. After you publish the software updates to the update server and synchronize the software updates in Configuration Manager, you can deploy the software updates to Configuration Manager clients. For more information about Updates Publisher 2011, see Updates Publisher 2011.

Network Access Protection

Configuration Manager Network Access Protection (NAP) interacts with Configuration Manager and Windows Network Access Protection to help protect the network.

Network Access Protection with Software Updates

When NAP is enabled, Configuration Manager clients can assess whether they are compliant or not with the software updates that you select. Configuration Manager clients send this information
1794

in a statement of health (SoH).This is presented to the Configuration Manager System Health Validator that resides on the System Health Validator point site system role. The System Health Validator point is installed on a computer that is running Windows Server 2008 with the Network Policy Server role. It validates whether the client computer is compliant or noncompliant and passes the health state of that computer to the Windows Network Policy Server.

Enforcing Compliance with Software Updates on the Network Policy Server

The Windows Network Policy Server is configured to use policies that determine the action for computers that are known to be compliant or noncompliant. If the health state of a client cannot be determined, then this is considered an error condition. By default, all error conditions are mapped to a noncompliant state. However, they are split into five categories and each category can be configured to map to either compliant or noncompliant. The actions that the Network Policy Server can take based on computer health states include the following: Restrict computers from accessing the full network Provide full access to the network but for a limited period Provide full access to the network indefinitely Remediate noncompliant computers to bring them into compliance with policies

Be aware that the Configuration Manager administrative user cannot control the action that will be taken because of a computer health state that it passes to the Network Policy Server. However, if the Network Policy Server is configured to enforce compliance through remediation, Configuration Manager services are then used to deliver the software updates that are required to bring noncompliant clients into compliance. When compliance is successfully remediated, clients reassess their statement of health, which then changes from noncompliant to compliant, and their health state is updated to compliant.

Configuring Software Updates for Network Access Protection

You select the software updates that clients must have to be compliant by creating Configuration Manager NAP policies. You can only select software updates that are already downloaded to the content library on the site server. Unlike software update deployments that are targeted to collections of your choice, Configuration Manager NAP policies are automatically targeted to all computers that are assigned to the site. Configuration Manager NAP policies flow down the Configuration Manager hierarchy, similar to the behavior of software deployments and packages in Configuration Manager. Sites that inherit the Configuration Manager NAP policies then automatically target the Configuration Manager NAP policies to clients assigned to the site. Important

1795

Because of this automatic targeting and inheritance throughout the hierarchy, you must remember that a Configuration Manager NAP policy potentially affects every client in the hierarchy.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. Although the general concepts for deploying software updates are the same in System Center 2012 Configuration Manager as they were in Configuration Manager 2007, new or updated functionality is available that improves the software update deployment process. This includes automatic approval and deployment for software updates, improved search with expanded criteria, improvements to software updates monitoring, and greater user control for scheduling software update installation. The following items are new or have changed since Configuration Manager 2007: Software update groups are new in Configuration Manager and replace update lists that were used in Configuration Manager 2007. Software update groups more effectively organize software updates in your environment. You can manually add software updates to a software updates group, or add software updates automatically to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group, and they are automatically deployed. Automatic deployment rules automatically approve and deploy software updates. You specify the criteria for software updates (for example, all Windows 7 software updates released in the last week), the software updates are added to a software update group, you configure deployment and monitoring settings, and decide whether to deploy the software updates in the software update group. You can deploy the software updates in the software update group or retrieve compliance information from client computers for the software updates in the software update group without deploying them. New search and expanded criteria are available when software updates are listed in the Configuration Manager console. You can add a set of criteria that makes it easy to find the software updates that you must have. You can save the search criteria to use later. For example, you can set criteria for all critical software updates for Windows 7 and for software updates that were released in the last year. After you filter for the updates that you must have, you can select the software updates and review compliance information per software update, create a software update group that contains the software updates, manually deploy the software updates, and so on. In the Configuration Manager console, you can monitor the following software updates objects and processes: Important software updates compliance and deployment views Detailed state messages for all deployments and assets
1796

Software updates error codes with additional information to help identify issues Status for software updates synchronization Alerts for important software updates issues

Software update reports are also available that provide detailed state information for software updates, software update groups, and software update deployments. Superseded software updates in Configuration Manager 2007 were automatically expired during the full software updates synchronization process for a site. In System Center 2012 Configuration Manager, you can decide whether to manage superseded software updates as in Configuration Manager 2007, or you can configure a specified time where the software update is not automatically expired after it is superseded. During this time, you can deploy superseded software updates. Configuration Manager gives users more control over when to install software updates on their computer. Configuration Manager Software Center is an application that is installed with the Configuration Manager client. Users run this application on the Start menu to manage the software that is deployed to them. This includes software updates. In Software Center, users can schedule software update installation at a convenient time before the deadline and install optional software updates. For example, you can configure your business hours and have software updates run outside those hours to minimize productivity loss. When the deadline is reached for a software update, the installation for the software update is started. The content library in System Center 2012 Configuration Manager is the location that stores all content files for software updates, applications, operating system deployment, and so on. The content library provides a single instance store for content files on the site server and distribution points, and provides an advantage over content management functionality in Configuration Manager 2007. For example, in Configuration Manager 2007, you might distribute the same content files multiple times by using different deployments and deployment packages. The result was that the same content files were stored multiple times on the site server and on distribution points and added unnecessary processing overhead and excessive hard disk space requirements. For more information about content management, see the Content Library section in the Introduction to Content Management in Configuration Manager topic. There is no longer a Deployment Templates node in the Configuration Manager console to manage your templates. Deployment templates can be created only in the Automatic Deployment Rules Wizard or Deploy Software Updates Wizard. Deployment templates store many of the deployment properties that might not change from deployment to deployment, and they can save much time for administrative users when they deploy software updates. Deployment templates can be created for different deployment scenarios in your environment. For example, you can create a template for expedited software update deployments and planned deployments. The template for the expedited deployment can suppress display notifications on client computers, set the deadline for zero (0) days from the deployment schedule, and enable system restarts outside maintenance windows. The template for a planned deployment can allow for display notifications on client computers and set the deadline for 14 days from the deployment schedule. When an Internet-based client receives a deployment, the client first tries to download the software files from Microsoft Update instead of distribution points. When the connection to
1797

Microsoft is not successful, clients fall back to a distribution point that hosts the software update files and is configured to accept communication from clients on the Internet. Although you can still deploy software updates in System Center 2012 Configuration Manager, there is no longer a visible software update deployment object. The deployment object is now nested in a software update group. There is a non-configurable limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, verify that the criterion that you specify does not result in more than 1000 software updates. When you manually deploy software updates, do not select more than 1000 updates to deploy. The Network Access Protection node in the Configuration Manager console and the New Policies Wizard are no longer available in System Center 2012 Configuration Manager. To create a NAP policy for software updates, you must select Enable NAP evaluation on the NAP Evaluation tab in software update properties.

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for software updates in Configuration Manager SP1: Software update points are redesigned in Configuration Manager SP1. You can install multiple software update point site systems at a site. You can configure a software update point to be in the same forest as the site server or in a different forest, and whether to accept communication from clients on the Internet, intranet, or both. This behavior provides a level of fault tolerance without requiring a network load balancing (NLB) cluster. You cannot install more than one software update point in a secondary site. For more information, see the Determine the Software Update Point Infrastructure section in the Planning for Software Updates in Configuration Manager topic. Note The active software update point concept is deprecated in Configuration Manager SP1. You no longer have the option to configure a software update point as an NLB in the Configuration Manager console. Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to configure NLB by using the Set-CMSoftwareUpdatePoint PowerShell cmdlet. For more information about a software update point configured to use an NLB, see Software Update Point Configured to Use an NLB section in the Planning for Software Updates in Configuration Manager topic. For more information about the Set-CMSoftwareUpdatePoint PowerShell cmdlet, see the SetCMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide.

1798

At the top-level Configuration Manager site, you can now specify an existing WSUS server as the upstream synchronization source location. During synchronization, the site connects to this location to synchronize software updates. For example, if you have an existing WSUS server that is not part of the Configuration Manager hierarchy, you can specify the existing WSUS server to synchronize software updates. You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. In the software update point properties, you can provide credentials for the site server to use to connect to the WSUS server. You can specify this account to connect to a software update point in a different forest, for example. You can run an automatic deployment rule up to 3 times per day to align with the Endpoint Protection definition updates publishing frequency. You can select multiple software updates to install as a group from Software Center. You can control the behavior of the write filter on Windows Embedded devices when you deploy software updates by using the new user experience setting of Commit changes at deadline or during a maintenance windows (requires restarts). For more information about how Configuration Manager manages embedded devices that use write filters, see the Deploying the Configuration Manager Client to Windows Embedded Devices section in the Introduction to Client Deployment in Configuration Manager topic. The new Computer Agent client setting, Disable deadline randomization lets you disable the installation randomization delay for required software updates and required application deployments. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for software updates in System Center 2012 R2 Configuration Manager: New maintenance window dedicated for software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates. When a general maintenance window and software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. You can now change the deployment package for an existing automatic deployment rule. New software updates are added to the specified deployment package every time an automatic deployment rule is run. Deployment packages can become very large over time
1799

and might impact replication scenarios, particularly when a new distribution point is added to your hierarchy or when a distribution point is added to a distribution point group. You can now change the deployment package periodically to keep the size of the deployment package from getting too large. For more information about automatic deployment rules, see the Automatic Deployment of Software Updates section in this topic. You can now preview software updates that meet the property filters and search criteria that you define in an automatic deployment rule. Software updates preview lets you review the software updates before you create the deployment. The Preview button is located on the Software Updates page in the Automatic Deployment Wizard and on the Software Updates tab in the properties for the automatic deployment rule.

See Also
Software Updates in Configuration Manager

Planning for Software Updates in Configuration Manager

Before you implement software updates in a System Center 2012 Configuration Manager production environment, you must first plan for this implementation. Use the following sections in this topic to plan for software updates in your Configuration Manager hierarchy: Capacity Planning for the Software Update Point Determine the Software Update Point Infrastructure Software Update Points in Configuration Manager Software Update Point List Software Update Point Switching Software Update Points in an Untrusted Forest Use an Existing WSUS Server as the Synchronization Source at the Top-Level Site Software Update Point Configured to Use an NLB Software Update Point on a Secondary Site Active Software Update Point Internet-Based Software Update Point Active Software Update Point Configured to Use an NLB Software Update Point on a Secondary Site

Software Update Points in Configuration Manager with No Service Pack

Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1 Planning for Software Update Point Installation Requirements for the Software Update Point Plan for WSUS Installation
1800

Configure Firewalls Synchronization Source Synchronization Schedule Update Classifications Products Supersedence Rules Languages Client Settings for Software Updates Client Cache Setting Group Policy Settings for Software Updates

Plan for Synchronization Settings

Plan for Settings Associated with Software Updates

Plan for a Software Updates Maintenance Window

Capacity Planning Recommendations for Software Updates

You can use the following recommendations as a baseline that can help you determine the information for the software updates capacity planning that is appropriate to your organization. The actual capacity requirements might vary from the recommendations that are listed in this topic depending on the following criteria: your specific networking environment, the hardware that you use to host the software update point site system, the number of clients that are installed, and the site system roles that are installed on the server.

Capacity Planning for the Software Update Point

The number of supported clients depends on the version of Windows Server Update Services (WSUS) that runs on the software update point, and it also depends on whether the software update point site system role co-exists with another site system role. The software update point can support up to 25,000 clients when WSUS 3.0 Service Pack 2 (SP2) runs on the software update point computer and the software update point co-exists with another site system role. The software update point can support up to 100,000 clients when WSUS 3.0 SP2 runs on the software update point computer and the software update point does not co-exist with another site system role.
2 1

To support more than 25,000 clients, the software update point can be configured to use Network Load Balancing (NLB).
2

To support up to 100,000 clients, the software update point must meet the WSUS. For more information, see Determine WSUS Capacity Requirements.

1801

Capacity Planning for Software Updates Objects

Use the following capacity information to plan for software updates objects. Limit of 1000 software updates in a deployment You must limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule, specify a criteria that limits the number of software updates that are returned. The automatic deployment rule fails when the criteria that you specify returns more than 1000 software updates. You can check the status of the automatic deployment rule from the Automatic Deployment Rules node in the Configuration Manager console. When you manually deploy software updates, do not select more than 1000 updates to deploy.

Determine the Software Update Point Infrastructure

The central administration site and all child primary sites must have a software update point where you will deploy software updates. As you plan for the software update point infrastructure, you need to determine the following dependencies: where to install the software update point for the site; which sites require a software update point that accepts communication from Internetbased clients; whether you will configure the software update point as an NLB cluster and whether you need a software update point at a secondary site. Use the following sections to determine the software update point infrastructure. Important For information about the internal and external dependencies that are required for software updates, see Prerequisites for Software Updates in Configuration Manager.

Software Update Points in Configuration Manager

Important The information in this section applies only to Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Starting with Configuration Manager SP1, you can add multiple software update points at a Configuration Manager primary site. The ability to have multiple software update points at a site provides fault tolerance without requiring the complexity of NLB. However, the failover that you receive with multiple software update points is not as robust as NLB for pure load balancing, but it is rather designed for fault-tolerance. Also, the failover design of the software update point is different than the pure randomization model that is used in the design for management points. Unlike in the design of management points, in the software update points there are client and network performance costs that are associated with switching to a new software update point. When the client switches to a new WSUS server to scan for software updates, the result is an increase in the catalog size and associated client-side and network performance demands.

1802

Therefore, the client preserves affinity with the last software update point for which it successfully scanned. The first software update point that you install on a primary site is the synchronization source for all additional software update points that you add at the primary site. After you added your software update points and initiated software updates synchronization, you can view the status of the software update points and the synchronization source from the Software Update Point Synchronization Status node in the Monitoring workspace. When a software update point fails, and that software update point is configured as the synchronization source for the other software update points at the site, you must manually remove the failed software update point and select a new software update point to use as the synchronization source. For more information about how to remove a software update point, see the Remove the Software Update Point Site System Role section in the Configuring Software Updates in Configuration Manager topic.

Software Update Point List

Configuration Manager provides the client with a software update point list in the following scenarios: when a new client receives the policy to enable software updates, or when a client cannot contact its software update point and needs to switch to another software update point. The client randomly selects a software update point from the list, and it prioritizes the software update points that are in the same forest. Configuration Manager provides clients with a different list depending on the type of client. Intranet-based clients: Receive a list of software update points that you can configure to allow connections only from the intranet, or a list of software update points that allow Internet and intranet client connections. Internet-based clients: Receive a list of software update points that you configure to allow connections only from the Internet, or a list of software update points that allow Internet and intranet client connections.

Software Update Point Switching

If you have multiple software update points at a site, and then one fails or becomes unavailable, clients will connect to a different software update point and continue to scan for the latest software updates. When a client is first assigned a software update point, it will stay assigned to that software update point unless it fails to scan for software updates on that software update point. Note When you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02). As a result, the existing clients will only switch to SUP02 on the condition of a failed scan. All new clients will randomly be assigned to SUP01 or SUP02 after you upgraded your site to Configuration Manager SP1.

1803

The scan for software updates can fail with a number of different retry and non-retry error codes. When the scan fails with a retry error code, the client starts a retry process to scan for the software updates on the software update point. The high-level conditions that result in a retry error code are typically because the WSUS server is unavailable or because it is temporarily overloaded. The client uses the following process when it fails to scan for software updates: 1. The client scans for software updates at its scheduled time, or when it is initiated through the control panel on the client, or by using the SDK. If the scan fails, the client waits 30 minutes to retry the scan, and it uses the same software update point. 2. The client retries a minimum of four times at 30 minute intervals. After the fourth failure, and after it waits an additional two minutes, the client will move to the next software update point in the software update point list. 3. After a successful scan, the client will continue to connect to the software update point. The following list provides additional information that you can consider for software update point retry and switching scenarios: If a client is disconnected from the corporate intranet and fails to scan for software updates, it will not switch to another software update point. This is an expected failure, because the client cannot reach the corporate network or the software update point that allows connection from the intranet. The Configuration Manager client determines the availability of the intranet software update point. If Internet-based client management is enabled, and there are multiple software update points that are configured to accept communication from clients on the Internet, the switching process will follow the standard retry process that is described in the previous scenario. If the scan process started, but the client was powered down before the scan completed, it is not considered a scan failure and it does not count as one of the four retries.

Software Update Points in an Untrusted Forest

You can create one or more software update points at a site to support clients in an untrusted forest. To add a software update point in another forest, you must first install and configure a WSUS server in the forest. Then start the wizard to add a Configuration Manager site server with the software update point site system role. In the wizard, configure the following settings to successfully connect to WSUS in the untrusted forest: Specify a Site System Installation account that can access the WSUS server in the forest. Specify the WSUS Server Connection account to use to connect to the WSUS server.

For example, you have a primary site in forest A with two software update points (SUP01 and SUP02). Also, for the same primary site you have two software update points (SUP03 and SUP04) in forest B. When the switching occurs in this example, the software update points from the same forest as the client are prioritized first.

Use an Existing WSUS Server as the Synchronization Source at the TopLevel Site
Typically, the top-level site in your hierarchy is configured to synchronize software updates metadata with Microsoft Update. When your corporate security policy does not allow access to
1804

the Internet from the top-level site, you can configure the synchronization source for the top-level site to use an existing WSUS server that is not in your Configuration Manager hierarchy. For example, you might have a WSUS server installed in your DMZ that has Internet access, but your top-level site does not. You can configure the WSUS server in the DMZ as your synchronization source for software updates metadata. You must ensure that the WSUS server in the DMZ synchronizes software updates that meet the criteria that you need in your Configuration Manager hierarchy. Otherwise, the top-level site might not synchronize the software updates that you expect. When you install the software update point, configure a WSUS connection account that has access to the WSUS server in the DMZ and confirm that the firewall permits traffic for the appropriate ports. For more information about the ports that are used by the software update point to the synchronization source, see the Software Update Point -- > Upstream WSUS Server section in the Technical Reference for Ports Used in Configuration Manager topic.

Software Update Point Configured to Use an NLB

Starting with Configuration Manager SP1, software update point switching will likely address the fault tolerance needs that you have. However, NLB is more robust than software update point failover for pure load balancing, and NLB can increase the reliability and performance of a network. Though there is no option in the Configuration Manager console to configure the software update point to use NLB, you have the option to configure NLB by using the SetCMSoftwareUpdatePoint PowerShell cmdlet. For more information about the SetCMSoftwareUpdatePoint PowerShell cmdlet, see the Set-CMSoftwareUpdatePoint topic in the System Center 2012 Configuration Manager SP1 Cmdlet Reference guide. Note Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB from your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell.

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica of the default software update point at the parent primary site. You can install only one software update point at a secondary site. The devices that are assigned to a secondary site are configured to use a software update point at the parent site when a software update point is not installed at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between the devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

1805

Software Update Points in Configuration Manager with No Service Pack

Important The information in this topic applies only to Configuration Manager with no service pack. Use the following sections to determine the software update point infrastructure in Configuration Manager with no service pack. Note For more information about how to install a software update point in an untrusted forest, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Active Software Update Point

The central administration site and all child primary sites in the Configuration Manager hierarchy must have an active software update point to support software update deployments to client computers. The active software update point on a primary site uses the central administration site as the synchronization source. The software update point communicates with WSUS to configure settings and to synchronize software updates. You can configure the active software update point to accept communication only from clients on the intranet or to accept communication from clients on the intranet and Internet. When the active software update point is not configured to accept communication from clients on the Internet, you have the option to create an Internet-based software update point on a remote site system. You can add the software update site role to a secondary site, or client computers at the secondary site can connect directly to the active software update point on the parent primary site.

Internet-Based Software Update Point

The Internet-based software update point accepts communication from client computers on the Internet. You can create the Internet-based software update point only when the active software update point is not configured to accept communication from client computers on the Internet. You must install the Internet-based software update point on a site system that is remote from the site server, located in a perimeter network, and accessible to Internet-based client computers. The Internet-based software update point synchronizes with the active software update point at the same site by default. When the Internet-based software update point is disconnected from the active software update point, you can manually synchronize software updates by using the export and import process. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.

Active Software Update Point Configured to Use an NLB

NLB can increase the reliability and performance of a network. You can set up multiple WSUS servers that share a single SQL Server failover cluster, and then configure a software update point to use NLB. If you configure the active software update point site system in a NLB cluster, it
1806

does not necessarily increase client capacity, but it might provide higher availability for the software update point. Before you configure the software update point to use an NLB cluster, you must complete several configuration steps. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Software Update Point on a Secondary Site

The software update point is optional on a secondary site. When you install a software update point on a secondary site, the WSUS database is configured as a replica instead of an autonomous WSUS instance that is used when you install the software update point on a primary site or central administration site. The devices that are assigned to a secondary site are configured to use the active software update point at the parent site when a software update point is not configured at the secondary site. Typically, you will install a software update point at a secondary site when there is limited network bandwidth between devices that are assigned to the secondary site and the software update points at the parent primary site, or when the software update point approaches the capacity limit. After a software update point is successfully installed and configured at the secondary site, a site-wide policy is updated for client computers that are assigned to the site, and they will start to use the new software update point.

Upgrade from Configuration Manager with No Service Pack to Configuration Manager SP1
When you upgrade an existing Configuration Manager with no service pack site to Configuration Manager SP1, consider the following: Before you upgrade from Configuration Manager with no service pack to Configuration Manager SP1, you must remove the NLB for your active software update point. After the upgrade is complete, you have the option to reconfigure the NLB by using Windows PowerShell. For more information about how to switch a software update point, see the Software Update Point Switching section in this topic. When you have an active Internet-based software update point in a Configuration Manager with no service pack site, and then you upgrade the site to Configuration Manager SP1, the active Internet-based software update point is upgraded to a software update point in the software update point list that allows connections only from clients on the Internet. When you have an active software update point (SUP01) in a Configuration Manager with no service pack site, upgrade the site to Configuration Manager SP1, and then add a second software update point (SUP02). As a result, the existing clients will automatically be assigned to SUP01. The clients will switch to SUP02 only on the condition of a failed scan. After you upgraded your site, all new clients will randomly be assigned to SUP01 or SUP02 For more information about the software update point list, see the Software Update Point List section in this topic.

1807

Planning for Software Update Point Installation

Before you create a software update point site system role in Configuration Manager, there are several requirements that you must consider depending on your Configuration Manager infrastructure. When you configure the software update point to communicate by using SSL, this section is especially important to review because you must take additional steps for the software update points in your hierarchy will work properly. This section provides information about the steps that you must take to successfully plan and prepare for the software update point installation.

Requirements for the Software Update Point

The software update point site system role must be installed on a site system that meets the minimum requirements for WSUS and the supported configurations for Configuration Manager site systems. 1. For more information about the minimum requirements for WSUS 3.0 SP2, see Confirm WSUS 3.0 SP2 installation requirements in the Windows Server Update Services 3.0 SP2 documentation library. 2. For more information about the minimum requirements for the WSUS server role in Windows Server 2012, see Step 1: Prepare for Your WSUS Deployment in the Windows Server 2012 documentation library. 3. For more information about the supported configurations for Configuration Manager site systems, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic.

Plan for WSUS Installation

Software updates requires that a supported version of WSUS is installed on all site system servers that you configure for the software update point site system role. Additionally, when you do not install the software update point on the site server, you must install the WSUS Administration Console on the site server computer, if it is not already installed. This allows the site server to communicate with WSUS that runs on the software update point. When you use WSUS on Windows Server 2012, you must configure additional permissions to allow WSUS Configuration Manager in Configuration Manager to connect to the WSUS in order to perform periodic health checks. Choose one of the following options to configure the permissions: Add the SYSTEM account to the WSUS Administrators group Add the NT AUTHORITY\SYSTEM account as a user for the WSUS database (SUSDB) and configure a minimum of the webService database role membership

For more information about how to install WSUS 3.0 SP2, see Install WSUS Server or Administration Console in the Windows Server Update Services 3.0 SP2 documentation library.

1808

For more information about how to install WSUS on Windows Server 2012, see Install the WSUS Server Role in the Windows Server 2012 documentation library. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. If you share the same database, it significantly mitigates, but does not completely eliminate the client and the network performance impact that you might experience when clients switch to a new software update point. A delta scan still occurs when a client switches to a new software update point that shares a database with the old software update point, but the scan is much smaller than it would be if the WSUS server had its own database.

Configure WSUS to Use a Custom Web Site

When you install WSUS, you have the option to use the existing IIS Default website, or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website, instead of sharing the same web site that is used by the other Configuration Manager site systems or other applications. This is especially true when you install the software update point site system role on the site server. When you run WSUS in Windows Server 2012 or you configure a custom website for WSUS 3.0 SP2, WSUS is configured by default to use port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point at a site.

Use an Existing WSUS Infrastructure

You can use a WSUS server that was active in your environment before you installed Configuration Manager. When the software update point is configured, you must specify the synchronization settings. Configuration Manager connects to the WSUS that runs on the software update point and configures the WSUS server with the same settings. When the WSUS server was previously synchronized with products or classifications that you did not configure as part of the software update point synchronization settings, the software updates metadata for the products and classifications are synchronized for all of the software updates metadata in the WSUS database regardless of the synchronization settings for the software update point. This might result in unexpected software updates metadata in the site database. You will experience the same behavior when you add products or classifications directly in the WSUS Administration console, and then immediately initiate synchronization. Every hour, by default, Configuration Manager connects to the WSUS that runs on the software update point and resets any settings that were modified outside of Configuration Manager. Starting with Configuration Manager SP1, the software updates that do not meet the products and classifications that you specify in synchronization settings are set to expired, and then they are removed from the site database.

1809

Configure WSUS as a Replica Server

When you create a software update point site system role on a primary site server, you cannot use a WSUS server that is configured as a replica. When the WSUS server is configured as a replica, Configuration Manager fails to configure the WSUS server, and the WSUS synchronization fails as well. When a software update point is created on a secondary site, Configuration Manager configures WSUS to be a replica server of the WSUS that runs on the software update point at the parent primary site. Starting with Configuration Manager SP1, the first software update point that you install at a primary site is the default software update point. Additional software update points at the site are configured as replicas of the default software update point.

Decide Whether to Configure WSUS to Use SSL

You can use the SSL protocol to help secure the WSUS that runs on the software update point. WSUS uses SSL to authenticate client computers and downstream WSUS servers to the WSUS server. WSUS also uses SSL to encrypt software update metadata. When you choose to secure WSUS with SSL, you must prepare the WSUS server before you install the software update point. For more information about how to configure WSUS for SSL, see the Secure WSUS with the Secure Sockets Layer Protocol in the WSUS 3.0 SP2 documentation library. When you install and configure the software update point, you must select the Enable SSL communications for the WSUS Server setting. Otherwise, Configuration Manager will configure WSUS not to use SSL. When you enable SSL for WSUS that runs on a software update point, WSUS that runs on the software update point at any child sites must also be configured to use SSL.

Configure Firewalls
Software updates on a Configuration Manager central administration site communicate with the WSUS that runs on the software update point, which in turn communicates with the synchronization source to synchronize software updates metadata. Software update points on a child site communicate with the software update point at the parent site. When there is a remote active Internet-based software update point at a Configuration Manager with no service pack site, the site server must communicate with the active Internet-based software update point, and the Internet-based software update point must communicate with the active software update point of the site, so that the synchronization completes successfully. Starting with Configuration Manager SP1, when there is more than one software update point at a primary site, the additional software update points must communicate with the first software update point that is installed at the site, which is the default software update point. The firewall might need to be configured to accept the HTTP or HTTPS ports that are used by WSUS in following scenarios: when you have a corporate firewall between the Configuration Manager software update point and the Internet; when you have a software update point and its upstream synchronization source; when you have an active Internet-based software update point and the active software update point for the Configuration Manager with no service pack site, or when you have the additional software update points and the default software update point at a
1810

Configuration Manager SP1 site. The connection to Microsoft Update is always configured to use port 80 for HTTP and port 443 for HTTPS. You can use a custom port for the connection from WSUS that runs on the software update point at a child site to WSUS that runs on the software update point at the parent site. During software updates synchronization, WSUS that runs on the Internet-based software update point always connects to WSUS that runs on the active software update point by using HTTPS. When your security policy does not allow an HTTPS connection, you must use the export and import synchronization method. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. For more information about the ports that are used by WSUS, see How to Determine the Port Settings Used by WSUS.

Restrict Access to Specific Domains

If your organization does not allow the ports and protocols to be open to all addresses on the firewall between the active software update point and the Internet, you can restrict access to the following domains, so that WSUS and Automatic Updates can communicate with Microsoft Update: http://windowsupdate.microsoft.com http://*.windowsupdate.microsoft.com https://*.windowsupdate.microsoft.com http://*.update.microsoft.com https://*.update.microsoft.com http://*.windowsupdate.com http://download.windowsupdate.com http://download.microsoft.com http://*.download.windowsupdate.com http://test.stats.update.microsoft.com http://ntservicepack.microsoft.com

You might need to add the following addresses to the firewall that is located between the two site systems in the following cases: if child sites have a software update point or if there is a remote active Internet-based software update point at a site: Software update point on the child site http://<FQDN for software update point on child site> https://<FQDN for software update point on child site> http://<FQDN for software update point on parent site> https://<FQDN for software update point on parent site > http://<FQDN for active software update point for site> https://<FQDN for active software update point for site> http://<FQDN for active Internet-based software update point>
1811

Internet-based software update point

https://<FQDN for active Internet-based software update point>

Plan for Synchronization Settings

The software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata based on criteria that you configure. The top-level site in your hierarchy, the central administration site or stand-alone primary site synchronizes software updates from Microsoft Update. Starting with Configuration Manager SP1, you have the option to configure the software update point on the top-level site to synchronize with an existing WSUS server, not in the Configuration Manager hierarchy. The child primary sites synchronize software updates metadata from the software update point on the central administration site. Before you install and configure a software update point, use this section to plan for the synchronization settings.

Synchronization Source
The synchronization source settings for the software update point specify the location for where the software update point retrieves software updates metadata, and whether the WSUS reporting events are created during the synchronization process. Synchronization source: The software update point at the top-level site configures the synchronization source for Microsoft Update by default. Starting in Configuration Manager SP1, you have the option to synchronize the top-level site with an existing WSUS server. The software update point on a child primary site configures the synchronization source as the software update point at the central administration site by default. Note When you have a remote Internet-based software update point, the upstream update server is the software update point for the same site. Note Starting with Configuration Manager SP1, the first software update point that you install at a primary site, which is the default software update point, synchronizes with the central administration site. Additional software update points at the primary site synchronize with the default software update point at the primary site. When a software update point is disconnected from Microsoft Update or from the upstream update server, you can configure the synchronization source not to synchronize with a configured synchronization source, but instead to use the export and import function of the WSUSUtil tool to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in the Configuring Software Updates in Configuration Manager topic. WSUS reporting events: The Windows Update Agent on client computers can create event messages that are used for WSUS reporting. These events are not used by software update in Configuration Manager, and therefore, the Do not create WSUS reporting events option is selected by default. When these events are not created, the only time that the client
1812

computer should connect to the WSUS server is during software update evaluation and compliance scans. If these events are needed for reporting outside of software updates in Configuration Manager, you will need to modify this setting to create WSUS reporting events.

Synchronization Schedule
You can configure the synchronization schedule only at the software update point on the top-level site in the Configuration Manager hierarchy. When you configure the synchronization schedule, the software update point synchronizes with the synchronization source at the date and time that you specified. The custom schedule allows you to synchronize software updates on a date and time when the demands from the WSUS server, site server, and network are low, such as 2:00 AM once a week. Alternatively, you can initiate synchronization on the top-level site by using the Synchronization Software Updates action from the All Software Updates or Software Update Groups node in the Configuration Manager console. Tip Schedule the software updates synchronization to run by using a timeframe that is appropriate for your environment. One common scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is typically referred to as Patch Tuesday. Another common scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates. After the software update point successfully completes synchronization, a synchronization request is sent to child sites. Starting with Configuration Manager SP1, if you have additional software update points at a primary site, a synchronization request is sent to each software update point. In Configuration Manager with no service pack, a synchronization request is sent to the active Internet-based software update point, if it is installed. The process is repeated on every site in the hierarchy.

Update Classifications
Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications will be synchronized. Configuration Manager allows you to synchronize software updates with the following update classifications: Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug. Definition Updates: Specifies an update to virus or other definition files. Feature Packs: Specifies new product features that are distributed outside of a product release and feature that are typically included in the next full product release. Security Updates: Specifies a broadly released update for a product-specific, securityrelated issue.

1813

Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include security updates, critical updates, software updates, and so on. Tools: Specifies a utility or feature that helps to complete one or more tasks. Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component. Updates: Specifies an update to an application or file that is currently installed.

The update classification settings are configured only on the top-level site. The update classification settings are not configured on the software update point on child sites, because the software updates metadata is replicated from the top-level site to child primary sites. When you select the update classifications, be aware that the more classifications that you select, the longer it takes to synchronize the software updates metadata. Warning As a best practice, clear all classifications before you synchronize software updates for the first time. After the initial synchronization, select the classifications from Software Update Point Component properties, and then re-initiate synchronization.

Products
The metadata for each software update defines one or more products for which the update is applicable. A product is a specific edition of an operating system or application,. An example of a product is Microsoft Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Microsoft Windows, of which Microsoft Windows Server 2008 is a member. You can specify a product family or individual products within a product family. When software updates are applicable to multiple products, and at least one of the products is selected for synchronization, all of the products will appear in the Configuration Manager console even if some products were not selected. For example, if Windows Server 2008 is the only operating system that you subscribed to, and if a software update applies to Windows Server 2008 and Windows Server 2008 Datacenter Edition, both products will be in the site database. The product settings are configured only on the top-level site. The product settings are not configured on the software update point for child sites because the software updates metadata is replicated from the top-level site to child primary sites. When you select products, be aware that the more products that you select, the longer it will take to synchronize the software updates metadata. Important Configuration Manager stores a list of products and product families that you can choose from when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until
1814

you complete software updates synchronization, which updates the list of available products and product families from which you can choose. As a best practice, clear all products before you synchronize software updates for the first time. After the initial synchronization, select the products from Software Update Point Component properties, and then reinitiate synchronization.

Supersedence Rules
Typically, a software update that supersedes another software update does one or more of the following actions: Enhances, improves, or updates the fix that was provided by one or more previously released updates. Improves the efficiency of the superseded update file package, which is installed on client computers if the update is approved for installation. For example, the superseded update might contain files that are no longer relevant to the fix or to the operating systems that are supported by the new update, so those files are not included in the superseding file package of the update. Updates newer versions of a product. In other words, it updates versions that are no longer applicable to older versions or configurations of a product. Updates can also supersede other updates if modifications were made to expand language support. For example, a later revision of a product update for Microsoft Office might remove the support for an older operating system, but it might add additional support for new languages in the initial update release.

In the properties for the software update point, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that they contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. Consider the following scenarios in which you might need to deploy a superseded software update: If a superseding software update supports only newer versions of an operating system, and some of your client computers run earlier versions of the operating system. If a superseding software update has more restricted applicability than the software update it supersedes. This would make it inappropriate for some client computers. If a superseding software update was not approved for deployment in your production environment.

Languages
The language settings for the software update point allow you to configure the languages for which the summary details (software updates metadata) are synchronized for software updates, and the software update file languages that will be downloaded for software updates.

1815

Software Update File

The languages that you configure for the Software update file setting in the properties for the software update point provide the default set of languages that are available when you download software updates at a site. You can modify the languages that are selected by default each time that the software updates are downloaded or deployed. During the download process, the software update files for the configured languages are downloaded to the deployment package source location, if the software update files are available in the selected language. Then they are copied to the content library on the site server, and then they are copied to the distribution points that are configured for the package. The software update file language settings should be configured with the languages that are most often used in your environment. For example, if client computers that are assigned to the site use mostly English and Japanese languages for the operating system or applications, and there are very few other languages that are used at the site, then select English and Japanese in the Software Update File column when you download or deploy the software update and clear the other languages. This allows you to use the default settings on the Language Selection page of the deployment and to download wizards. This also prevents unneeded update files from being downloaded. This setting is configured at each software update point in the Configuration Manager hierarchy.

Summary Details
During the synchronization process, the summary details information (software updates metadata) is updated for software updates in the languages that you specify. The metadata provides the information about the software update, such as name, description, products that the update supports, update classification, article ID, download URL, applicability rules, and so on. The summary details settings are configured only on the top-level site. The summary details are not configured on the software update point on child sites because the software updates metadata is replicated from the central administration site down to these sites by using file-based replication. When you select the summary details languages, select only the languages that you need in your environment. The more languages that you select, the longer it takes to synchronize the software updates metadata. Configuration Manager displays the software updates metadata in the locale of the operating system in which the Configuration Manager console runs. If the localized properties for the software updates are not available in the locale of the operating system, the software updates information displays in English. Important It is important that you select all of the summary details languages that you will need in your Configuration Manager hierarchy. When the software update point on top-level site synchronizes with the synchronization source, the selected summary details languages determine the software updates metadata that is retrieved. If you modify the summary details languages after synchronization ran at least one time, the software updates metadata is retrieved for the modified summary details languages only for new or updated software updates. The software updates that have already been synchronized
1816

are not updated with new metadata for the modified languages unless there is a change to the software update on the synchronization source.

Plan for Settings Associated with Software Updates

The software updates client settings in Configuration Manager are site-wide and are configured with default values. There are software updates and network access protection (NAP) client settings that affect when software updates are scanned for compliance, and how and when software updates are installed on client computers. There are also Group Policy settings on the client computer that might need to be configured depending on your environment. For more information about how to configure settings that are associated with software updates, see the Step 4: Verify Software Updates Client Settings and Group Policy Configurations section in the Configuring Software Updates in Configuration Manager topic.

Client Settings for Software Updates

After you install the software update point, the software updates client agent is enabled by default and you are not required to configure specific client settings, but you should review the settings to ensure that the default values meet your needs. You configure software updates and NAP client settings in Client Settings in the Administration workspace. For more information about how to configure the settings that are associated with software updates, see the Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. Important The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration Manager removes the existing deployment policies from client. Also, NAP and compliance settings policies that rely on the software updates device setting will no longer function.

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by Windows Update Agent (WUA) on client computers to connect to the WSUS that runs on the active software updates point, successfully scan for software update compliance, and automatically update the software updates and the WUA. Warning If you have an Active Directory Group Policy object assigned to clients that specify a WSUS server that is not a Configuration Manager software update point, it will override the local Group Policy setting that is configured by Configuration Manager. Before you can assess software updates compliance and manage software update deployments on these clients, you must reconfigure the Active Directory Group Policy setting, or move
1817

client computers to an organizational unit (OU) that does not have this Group Policy setting applied. For more information about how to configure the settings that are associated with software updates, see the Group Policy Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic.

Client Cache Setting

The Configuration Manager client downloads the content for required software updates to the local client cache soon after it receives the deployment. However, the client waits download the content until after the Software available time setting for the deployment. The client does not download software updates in optional deployments (deployments that do not have a scheduled installation deadline) until the user manually initiates the installation. When the configured deadline passes, the software updates client agent performs a scan to verify that the software update is still required, then the software updates client agent checks the local cache on the client computer to verify that the software update source file is still available, and then installs the software update. If the content was deleted from the client cache to make room for another deployment, the client downloads the software updates to the cache. Software updates are always downloaded to the client cache regardless of the configured maximum client cache size. For other deployments, such as applications or packages, the client only downloads content that is within the maximum cache size that you configure for the client. Cached content is not automatically deleted, but it remains in the cache for at least one day after the client used that content.

Plan for a Software Updates Maintenance Window

Starting in System Center 2012 R2 Configuration Manager, you can add a maintenance window dedicated for software updates installation. This lets you configure a general maintenance window and a different maintenance window for software updates. When a general maintenance window and software updates maintenance window are both configured, clients install software updates only during the software updates maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

Supplemental Topics for Planning Software Updates

Use the following topics to plan for software updates in Configuration Manager. Prerequisites for Software Updates in Configuration Manager Best Practices for Software Updates in Configuration Manager

See Also
Software Updates in Configuration Manager
1818

Prerequisites for Software Updates in Configuration Manager

This topic lists the prerequisites for software updates and Network Access Protection (NAP) in System Center 2012 Configuration Manager. For each of these, the external dependencies and internal dependencies are listed in separate tables.

Prerequisites for Software Updates in Configuration Manager

This section includes the internal and external prerequisites for software updates in Configuration Manager.

Software Update Dependencies External to Configuration Manager

The following table lists the external dependencies for software updates.
Requirement More information

Internet Information Services (IIS) on the site system servers in order to run the software update point, the management point, and the distribution point

See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic.

Windows Server Update Services (WSUS)

WSUS is necessary for software updates synchronization and for the software updates compliance assessment scan on clients. The WSUS server must be installed before you create the software update point site system role. Important For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you have multiple software update points at a site, ensure that they are all running the same version of WSUS.
1819

Requirement

More information

WSUS Administration Console

The WSUS Administration Console is required on the Configuration Manager site server when the software update point is on a remote site system server and WSUS is not already installed on the site server. Important The WSUS version on the site server must be the same as the WSUS version running on the software update points. Important Do not use the WSUS Administration Console to configure WSUS settings. Configuration Manager connects to WSUS that is running on the software update point and configures the appropriate settings.

Windows Update Agent (WUA)

The WUA client is required on clients to enable them to connect to the WSUS server and retrieve the list of software updates that must be scanned for compliance. When you install Configuration Manager, the latest version of the WUA is downloaded. Then, when the Configuration Manager client is installed, the WUA is upgraded if necessary. However, if the installation fails, you must use a different method to upgrade the WUA.

Software Update Dependencies Internal to Configuration Manager

The following table lists the dependencies for software updates in Configuration Manager.
Requirement More information

Management point

Management points transfer information between client computers and the Configuration Manager site. They are required for software updates.
1820

Requirement

More information

Software update point

You must install a software update point on the WSUS server to be able to deploy software updates in Configuration Manager. For more information, see Configuring Software Updates in Configuration Manager

Distribution point

Distribution points are required to store the content for software updates. For more information about how to install distribution points and manage content, see Configuring Content Management in Configuration Manager

Client settings for software updates

By default, software updates is enabled for clients. However there are other available settings that control how and when clients assess compliance for the software updates and control how the software updates are installed. For more information, see the following: The Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. The Software Updates section in the About Client Settings in Configuration Manager topic.

Reporting services point

The reporting services point site system role can display reports for software updates. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.

Prerequisites for Network Access Protection in Configuration Manager

This section includes the internal and external prerequisites for Network Access Protection (NAP) in System Center 2012 Configuration Manager.
1821

NAP Dependencies External to Configuration Manager

The following table lists the external dependencies for when you use software updates and NAP.
Requirement More information

NAP enforcement technology installed and configured appropriately for one or more of the following: DHCP, IPsec, VPN, or 802.1X. Note All Windows NAP enforcement solutions require a server that runs a version of the operating system that is at least Windows Server 2008.

Documentation is published on the Network Access Protection website.

One or more Network Policy Servers configured Documentation is published in the Network appropriately with remediation server groups, Access Protection Design Guide health policies, connection request policies, and network policies Perimeter devices configured to enable traffic between communicating servers See Technical Reference for Ports Used in Configuration Manager.

NAP Dependencies Internal to Configuration Manager

The following table lists the Configuration Manager dependencies for when you use software updates and NAP.
Requirement More information

Client settings for NAP

By default, clients are not enabled to support NAP in Configuration Manager. Optionally, you can set the client setting Enable Network Access Protection on clients to True (Configuration Manager with no service pack) or Yes (Configuration Manager SP1). For more information, see the following: The Configure Client Settings for Software Updates section in the Configuring Software Updates in Configuration Manager topic. The Network Access Protection (NAP) section in the About Client Settings in Configuration Manager topic.
1822

Requirement

More information

Note You do not have to enable the software updates client settings to support NAP in Configuration Manager. An Active Directory forest with the schema extended with the Configuration Manager schema extensions, and provisioned with a System Management container in at least one domain The site server publishes Configuration Manager NAP health state references to Active Directory Domain Services. The System Health Validator point retrieves them. Publishing to Active Directory Domain Services requires that the schema is extended, but you can select which forest to use. See the Configure Active Directory Forest Discovery section in the Configuring Discovery in Configuration Manager topic. For more information about how to install a site system role, see Install and Configure Site System Roles for Configuration Manager. Note Although the System Health Validator can be installed in a different Active Directory forest than the site server's forest, it must be installed in a domain and is not supported in a workgroup. Software updates configured, which includes software update deployment packages Although the software updates client settings do not have to be enabled for clients, you must provide the software updates infrastructure, such as a software update point and synchronized software updates. For more information, see Configuring Software Updates in Configuration Manager. Reporting services point The reporting services point site system role can display reports for software updates and NAP in Configuration Manager. This role is optional, but recommended. For more information about how to create a reporting services point, see Configuring Reporting in Configuration Manager.

Configuration Manager sites that are enabled for NAP configured to publish site information to Active Directory Domain Services The installation of at least one System Health Validator point on Windows Server 2008 with the server role of Network Policy Server

1823

See Also
Planning for Software Updates in Configuration Manager

Best Practices for Software Updates in Configuration Manager

This topic includes best practices for software updates in Microsoft System Center 2012 Configuration Manager. The information is sorted into best practices for initial installation and best practices for ongoing operations.

Installation Best Practices

Use the following best practices when you install software updates in Configuration Manager:

Use a Shared WSUS Database for Software Update Points

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: When you install more than one software update point at a primary site, use the same WSUS database for each software update point in the same Active Directory forest. By sharing the same database you can significantly mitigate the client and network performance impact that can occur when clients switch to a new software update point. When a client switches to a new software update point that shares a database with the old software update point, a delta scan still occurs, but this scan is much smaller than it would be if the WSUS server had its own database. For more information about software update point switching, see the Software Update Point Switching section in the Planning for Software Updates in Configuration Manager topic.

When Configuration Manager and WSUS use the same SQL Server, configure one of these to use a named instance and the other to use the default instance of SQL Server
When the Configuration Manager and WSUS databases use the same SQL Server and share the same instance of SQL Server, you cannot easily determine the resource usage between the two applications. When you use a different SQL Server instance for Configuration Manager and WSUS, it is easier to troubleshoot and diagnose resource usage issues that might occur for each application.

Use a custom website for the WSUS installation

When you install WSUS 3.0, you can specify whether to use the default Internet Information Services (IIS) website or create a new custom WSUS 3.0 website. As a best practice, select
1824

Create a Windows Server Update Services 3.0 Web site so that IIS hosts the WSUS 3.0 services in a dedicated website instead of sharing the same website with other Configuration Manager site systems or other software applications. When you use a custom website for WSUS 3.0, WSUS configures port 8530 for HTTP and port 8531 for HTTPS. You must specify these port settings when you create the software update point for the site.

Specify the "Store updates locally" setting for the WSUS installation
When you install WSUS 3.0, select the Store updates locally setting. When this setting is selected, the license terms that are associated with software updates are downloaded during the synchronization process and stored on the local hard drive for the WSUS server. When this setting is not selected, client computers might fail to scan for software updates compliance for software updates that have license terms. When you install the software update point, WSUS Synchronization Manager verifies that this setting is enabled every 60 minutes, by default.

Operational Best Practices

Use the following best practices when you use software updates:

Limit software updates to 1000 in a single software update deployment

You must limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule, verify that the criteria that you specify does not result in more than 1000 software updates. When you manually deploy software updates, do not select more than 1000 updates to deploy.

Create a new software update group each time an automatic deployment rule runs for Patch Tuesday and for general deployment
There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you specify whether to use an existing update group or create a new update group each time the rule runs. When you specify criteria in an automatic deployment rule that results in multiple software updates and the rule runs on a recurring schedule, specify to create a new software update group each time the rule runs. This will prevent the deployment from surpassing the limit of 1000 software updates per deployment.

Use an existing software update group for automatic deployment rules for Endpoint Protection definition updates
Always use an existing software update group when you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis. Otherwise, potentially
1825

hundreds of software update groups will be created over time. Typically, definition update publishers will set definition updates to expire when they are superseded by four newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than four definition updates for the publisher: one active and three superseded.

See Also
Planning for Software Updates in Configuration Manager

Configuring Software Updates in Configuration Manager

Before the compliance assessment data of the software update displays in the System Center 2012 Configuration Manager console and before you can deploy software updates to client computers, you must complete the following steps: install and configure a software update point, synchronize the software updates metadata, and verify the configuration for settings that are associated with software updates. When you have a Configuration Manager hierarchy, install and configure the software update point at the central administration site first, and then install and configure the software update points on other sites. Some settings are only available when you configure the software update point on the top-level site, which is the central administration site or the stand-alone primary site. There are different configuration options that you must consider depending on where the software update point is installed. Use the steps in the following table to install and configure the software update point, synchronize software updates, and configure the settings that are associated with software updates.

Configure Software Updates

Use the following steps and procedures in this topic to configure software updates in Configuration Manager.
Step Details More information

Step 1: Install and configure a software update point

The software update point is required on the central administration site and on the primary sites to enable the software updates compliance assessment and to deploy software updates to clients. The software update point is

For more information, see the detailed Step 1: Install and Configure a Software Update Point in this topic.

1826

Step

Details

More information

optional on secondary sites. Step 2: Synchronize software updates Synchronize software updates on a connected software update point The synchronization of software updates is the process of retrieving software updates metadata from the Microsoft Update site and the replication of the metadata to all sites that are enabled for software updates in the Configuration Manager hierarchy. The software update point on the central administration site or on a stand-alone primary site retrieves software updates metadata from Microsoft Update. The child primary sites, secondary sites, and remote Internet-based software update points retrieve the software updates metadata from the software update point that is identified as the upstream update source. You must have access to the upstream update source to successfully synchronize software updates. Synchronize software updates on a disconnected software update point. Automatic synchronization of software updates is not possible when the software update point at the central administration site or standalone primary site is For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. For more information, see the detailed Step 2: Synchronize Software Updates in this topic.

1827

Step

Details

More information

disconnected from the Internet, or when an Internet-based software update point is disconnected from the active software update point for the site. To retrieve the latest software updates for a disconnected software update point, you must use the WSUSUtil tool to export the software updates metadata and the license terms files from a software update source, and then you must import the metadata and files to the disconnected software update point. Step 3: Configure classifications and products to synchronize Perform this configuration on the central administration site or stand-alone primary site. After you synchronize software updates without any classifications or products selected, you must configure the software updates classifications and products in the Software Update Point Component properties. After you configure the properties, repeat step 2 to initiate the software updates synchronization to retrieve the software updates that meet the configured criteria for classification and products. Step 4: Verify software updates client settings and Group Policy configurations There are Configuration Manager client settings and group policy configurations that are associated with software updates, and that you must For more information, see the detailed Step 3: Configure Classifications and Products to Synchronize in this topic.

For more information, see the detailed Step 4: Verify Software Updates Client Settings and Group Policy Configurations in this topic.
1828

Step

Details

More information

verify before you deploy software updates.

Step 1: Install and Configure a Software Update Point

Important Before you install the software update point site system role, you must verify that the server meets the required dependencies and determines the software update point infrastructure on the site. For more information about how to plan for software updates and to determine your software update point infrastructure, see Planning for Software Updates in Configuration Manager. The software update point is required on the central administration site and on the primary sites in order to enable software updates compliance assessment and to deploy software updates to clients. The software update point is optional on secondary sites. The software update point site system role must be created on a server that has WSUS installed. The software update point interacts with the WSUS services to configure the software update settings and to request synchronization of software updates metadata. When you have a Configuration Manager hierarchy, install and configure the software update point on the central administration site first, then on child primary sites, and then optionally, on secondary sites. When you have a standalone primary site, not a central administration site, install and configure the software update point on the primary site first, and then optionally, on secondary sites. Some settings are only available when you configure the software update point on a top-level site. There are different options that you must consider depending on where you installed the software update point. Important For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Starting with Configuration Manager SP1, you can install more than one software update points on a site. The first software update point that you install is configured as the synchronization source, which synchronizes the updates from Microsoft Update or from the upstream synchronization source. The other software update points on the site are configured as replicas of the first software update point. Therefore, some settings are not available after you install and configure the initial software update point. You can add the software update point site system role to an existing site system server or you can create a new one. On the System Role Selection page of the Create Site System Server Wizard or Add Site System Roles Wizard , depending on whether you add the site system role to a new or existing site server, select Software update point, and then configure the software update point settings in the wizard. The settings are different depending on the version of
1829

Configuration Manager that you use. For more information about how to install site system roles, see the Install Site System Roles section in the Install and Configure Site System Roles for Configuration Manager topic. Use the following sections for information about the software update point settings on a site.

Proxy Server Settings

You can configure the proxy server settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You must configure the proxy server, and then specify when to use the proxy server for software updates. Configure the following settings: Configure the proxy server settings on the Proxy page of the wizard or on the Proxy tab in Site system Properties. The proxy server settings are site system specific, which means that all site system roles use the proxy server settings that you specify. Specify whether to use the proxy server when Configuration Manager synchronizes the software updates and when it downloads content by using an automatic deployment rule. Configure the software update point proxy server settings on the Proxy and Account Settings page of the wizard or on the Proxy and Account Settings tab in Software update point Properties. Note The Use a proxy when downloading content by using automatic deployment rules setting is available but it is not used for a software update point on a secondary site. Only the software update point on the central administration site and primary site downloads content from the Microsoft Update page. For Configuration Manager with no service pack only: Configure the proxy server settings on the Active Software Update Point page of the wizard or on the General tab in Software Update Point Component Properties. The proxy server settings are associated only with the software update point at the site. Important By default, the Local System account for the server on which an automatic deployment rule was created is used to connect to the Internet and download software updates when the automatic deployment rules run. When this account does not have access to the Internet, software updates fail to download and the following entry is logged to ruleengine.log: Failed to download the update from internet. Error = 12007 . Configure the credentials to connect to the proxy server when the Local System account does not have Internet access.

1830

WSUS Settings
You must configure WSUS settings settings on different pages of the Create Site System Server Wizard or Add Site System Roles Wizard depending on the version of Configuration Manager that you use, and in some cases, only in the properties for the software update point, also known as Software Update Point Component Properties. Use the information in the following sections to configure the WSUS settings.

WSUS Port Settings

You must configure the WSUS port settings on different pages of the wizard depending on the version of the Configuration Manager that you use. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You must configure the WSUS port settings on the Software Update Point page of the wizard or in the properties of the software update point. For Configuration Manager with no service pack only: You can configure the WSUS port settings on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. Warning You have the option to configure the WSUS port settings for the active Internet-based software update point. For more information, see the Active Internet-Based Software Update Point section in this topic. To determine the website and port configurations in WSUS, see How to Determine the Port Settings Used by WSUS.

Configure SSL Communications to WSUS

You can use the SSL protocol to help secure the WSUS that runs on the software update point. You can configure SSL on different pages of the wizard depending on the version of Configuration Manager that you use. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can configure SSL communication on the General page of the wizard or on the General tab in the properties of the software update point. For Configuration Manager with no service pack only: You can configure SSL communication on the General tab in Software Update Point Component Properties. This setting is not available in the wizard. For more information about how to use SSL, see the Deciding Whether to Configure WSUS to Use SSL section in the Planning for Software Updates in Configuration Manager topic.

1831

WSUS Connection Account

You can configure an account to be used by the site server when it connects to WSUS that runs on the software update point. When you do not configure this account, the Configuration Manager uses the computer account for the site server to connect to WSUS. You can configure the account in different places of the wizard depending on the version of Configuration Manager that you use. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can configure the WSUS Server Connection Account on the Proxy and Account Settings page of the wizard, or on the Proxy and Account Settings tab in Software update point Properties. For Configuration Manager with no service pack only: You can configure the Software Update Point Connection account on the General tab in Software Update Point Component Properties. This setting is not available in the wizard. For more information about Configuration Manager accounts, see Technical Reference for Accounts Used in Configuration Manager.

Active Software Update Point

Important This section is for Configuration Manager with no service pack only. Specify the active software update point for the site on the Active Settings page of the wizard or on the General tab in Software Update Point Component Properties. In Software Update Point Component Properties, you can change the location for the active software update point or choose to configure the software update point to use NLB. When the active software update point is installed on a remote site system server, the Active software update point and Software Update Point Connection Account settings are available for you to configure. In Active software update point you can only select the remote site system servers that have the software update point site system role installed. You can have only one active software update point for a site, but multiple site system servers can have the software update point site system role installed and they can be available to select as the active software update. Important When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster.

Active Internet-Based Software Update Point

Important This section is for Configuration Manager with no service pack.
1832

You can specify the active Internet-based software update point for the site on the Internetbased tab in Software Update Point Component Properties. You can configure the following settings: Important The settings on the Internet-based tab are configurable only when the active software update point is configured for intranet-only client connections, where the Allow intranetonly client connections setting is selected on the General tab, and when you have installed a non-active software update point on a remote site system computer. Internet-based software update point: Specifies whether the Internet-based software update point is configured, and if so, whether it is installed on a remote site system server or configured to use NLB. Note When the active software update point only accepts communication from clients on the intranet and the Internet-based software update point is not configured, clients on the Internet will not scan for software updates compliance. When the active software update point is installed on a remote site system server, the Active server name and Software Update Point Connection Account settings are displayed on this page. Important When you decide to use NLB for a software update point, there are additional steps that you must perform before you configure the software update point. For more information, see How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster. Port number: Specifies the HTTP port number that is configured on the WSUS server. The site server uses this port when it communicates with the WSUS server. This setting is configured when you install the software update point. Tip For information about how to find the port numbers that are used by WSUS, see How to Determine the Port Settings Used by WSUS. SSL port number: Specifies the SSL (HTTPS) port number that is configured on the WSUS server. When the Enable SSL for this WSUS server setting is enabled, software updates uses this port when it synchronizes the software updates with the WSUS server. This setting is configured when you install the software update point. Software Update Point Connection Account: Specifies the account that is used by the site server when it connects to a remote software update point or to an active software update point that is configured as an NLB cluster. When this account is not specified, the computer account for the site server is used to connect to the software update point. Important The account that is used to connect to the remote software update point must have local Administrator rights on the remote site system server computer.

1833

Do not synchronize from the software update point located on the intranet: Specifies that the Internet-based software update point does not synchronize with the active software update point. Select this option if the Internet-based software update point is disconnected from the active software update point. For more information about how to synchronize software updates on a disconnected software updates point, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. Important Even though the Internet-based software update point accepts client connections from the Internet only, the web server certificate must contain both the Internet FQDN and the intranet FQDN.

Synchronization Source
You can configure the upstream synchronization source for software updates synchronization on the Synchronization Source page of the wizard, or on the on the Sync Settings tab in Software Update Point Component Properties. Your options for the synchronization source vary depending on the site. For more information, see the Synchronization Source section in the Planning for Software Updates in Configuration Manager topic. Use the following table for the available options when you configure the software update point at a site.
Site Available synchronization source options

Central administration site Stand-alone primary site

Synchronize from the Microsoft Update website Synchronize from an upstream data source 1 location Do not synchronize from Microsoft Update or upstream data source Synchronize from an upstream data source 3 location

Additional software update points at a site Child primary site Secondary site

The following list provides more information about each option that you can use as the synchronization source: Synchronize from Microsoft Update: Use this setting to synchronize software updates metadata from Microsoft Update. The central administration site must have Internet access; otherwise, synchronization will fail. This setting is available only when you configure the software update point on the top-level site. Note When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that
1834

are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic. Synchronize from an upstream data source location : Use this setting to synchronize software updates metadata from the upstream synchronization source. The child primary sites and secondary sites are automatically configured to use the parent site URL for this setting. Starting with Configuration Manager SP1, you have the option to synchronize software updates from an existing WSUS server. Specify a URL, such as https://WSUSServer:8531, where 8531 is the port that is used to connect to the WSUS server. Do not synchronize from Microsoft Update or upstream data source : Use this setting to manually synchronize software updates when the software update point at the top-level site is disconnected from the Internet. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.
1 2

Starting with Configuration Manager SP1, you have the option to synchronize software updates from a WSUS server that is not in your Configuration Manager hierarchy.
2

Starting with Configuration Manager SP1, you have the option to add multiple software update points at a site.
3

In Configuration Manager with no service pack this setting is Synchronize from an upstream update server. Note When there is a firewall between the active software update point and the Internet, the firewall might need to be configured to accept the HTTP and HTTPS ports that are used for the WSUS Web site. You can also choose to restrict access on the firewall to limited domains. For more information about how to plan for a firewall that supports software updates, see the Configuring Firewalls section in the Planning for Software Updates in Configuration Manager topic. You can also configure whether to create WSUS reporting events on the Synchronization Source page of the wizard or on the on the Sync Settings tab in Software Update Point Component Properties. Configuration Manager does not use these events; therefore, you will normally choose the default setting Do not create WSUS reporting events.

Synchronization Schedule
Configure the synchronization schedule on the Synchronization Schedule page of the wizard or in the Software Update Point Component Properties. This setting is configured only on the software update point at the top-level site. If you enable the schedule, you can configure a recurring simple or custom synchronization schedule. When you configure a simple schedule, the start time is based on the local time for the computer that runs the Configuration Manager console at the time when you create the schedule.

1835

When you configure the start time for a custom schedule, it is based on the local time for the computer that runs the Configuration Manager console. Tip Schedule software updates synchronization to run by using a timeframe that is appropriate for your environment. One typical scenario is to set the software updates synchronization schedule to run shortly after the Microsoft regular security update release on the second Tuesday of each month, which is normally referred to as Patch Tuesday. Another typical scenario is to set the software updates synchronization schedule to run daily when you use software updates to deliver the Endpoint Protection definition and engine updates. Note When you choose not to enable software updates synchronization on a schedule, you can manually synchronize software updates from the All Software Updates or Software Update Groups node in the Software Library workspace. For more information, see the Step 2: Synchronize Software Updates section in this topic.

Supersedence Rules
Configure the supersedence settings on the Supersedence Rules page of the wizard or on the Supersedence Rules tab in Software Update Point Component Properties. You can configure the supersedence rules only on the top-level site. On this page, you can specify that the superseded software updates are immediately expired, which prevents them from being included in new deployments and flags the existing deployments to indicate that the superseded software updates contain one or more expired software updates. Or, you can specify a period of time before the superseded software updates are expired, which allows you to continue to deploy them. For more information, see the Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Supersedence Rules page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points.

Classifications
Configure the classifications settings on the Classifications page of the wizard, or the on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic. Note

1836

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Classifications page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, configure the classifications from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Products
Configure the product settings on the Products page of the wizard, or the on the Products tab in Software Update Point Component Properties. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Products page of the wizard is available only when you configure the first software update point at the site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, configure the products from an updated list, and then re-initiate synchronization. This setting is configured only on the software update point at the top-level site.

Languages
Configure the language settings on the Languages page of the wizard, or the on the Languages tab in Software Update Point Component Properties. Specify the languages for which you want to synchronize software update files and summary details. The Software Update File setting is configured at each software update point in the Configuration Manager hierarchy. The Summary Details settings are configured only on the top-level software update point. For more information, see the Languages section in the Planning for Software Updates in Configuration Manager topic. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Languages page of the wizard is available only when you install the software update point at the central administration site. You can configure the Software Update File languages at child sites from the Languages tab in Software Update Point Component Properties.

1837

Step 2: Synchronize Software Updates

Software updates synchronization in Configuration Manager is the process of retrieving the software updates metadata that meets the criteria that you configure on the top-level site. The software update point on the top-level site retrieves the metadata from the Microsoft Update website or from an existing WSUS server on a schedule, or you can manually initiate synchronization from the Configuration Manager console. To successfully complete the synchronization, the software update point must have access to its upstream synchronization source. When the software update point is disconnected from the upstream synchronization source, you must use the WSUSUtil tool to export software updates metadata from a software updates source and import the metadata to the disconnected software update point. The following table lists the software update point types and the upstream synchronization source for which the software update point requires access.
Software update point Upstream synchronization source

Central administration site

Microsoft Update (Internet) Existing WSUS server

2

Stand-alone primary site

Microsoft Update (Internet) Existing WSUS server

2

Child primary site Secondary site Remote Internet-based software update point
1

Central administration site Parent primary site Active software update point for the site
1

When the software update point is disconnected from the upstream update source, you can manually perform software updates synchronization. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic.
2

Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source.

Synchronize Software Updates from a Connected Software Update Point

Typically, the software update points in your Configuration Manager hierarchy will have access to the upstream update source. In this scenario, the software update point at the top-level site will connect to the Internet and synchronize software updates from the Microsoft Update site, and then the top-level site will send a synchronization request to other sites to initiate the synchronization process. When a site receives the synchronization request from the top-level site, the software update point for the site retrieves software updates metadata from its upstream synchronization source. Note
1838

The software update point on child primary sites and secondary sites must be connected to their upstream synchronization source to synchronize software updates. When a software update point is disconnected from its upstream synchronization source, you can use the export and import method to synchronize software updates. For more information, see the Synchronize Software Updates from a Disconnected Software Update Point section in this topic. When software updates synchronization is initiated on a configured schedule, the top-level software update point initiates synchronization with Microsoft Update at the scheduled date and time. The custom schedule allows you to synchronize software updates on a date and time when the demands of the WSUS server, site server, and network are low, for example when it synchronizes every week at 2:00 AM. During the scheduled synchronization, all changes to the software updates metadata since the last scheduled synchronization are inserted into the site database. This includes new software updates metadata or metadata that has been modified, removed, or is now expired. After the synchronization with the upstream synchronization source is complete, a synchronization request is sent to software update points on child primary or secondary sites. You can also manually initiate software updates synchronization on the top-level site in the Configuration Manager console from the All Software Updates node in the Software Library workspace. Use the following procedures on the top-level site to schedule or to manually initiate software updates synchronization. To schedule software updates synchronization 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the results pane, click the central administration site or stand-alone primary site. 4. On the Home tab, in the Settings group, expand Configure Site Components, and then click Software Update Point. 5. In the Software Update Point Component Properties dialog box, select Enable synchronization on a schedule, and then specify the synchronization schedule. To manually initiate software updates synchronization 1. In the Configuration Manager console that is connected to the central administration site or stand-alone primary site, click Software Library. 2. In the Software Library workspace, expand Software Updates and click All Software Updates or Software Update Groups. 3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes in the dialog box to confirm that you want to initiate the synchronization process.

After you initiate the synchronization process on the software update point, you can monitor the synchronization process from the Configuration Manager console for all software update points in

1839

your hierarchy. Use the following procedure to monitor the software updates synchronization process. To monitor the software updates synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. When you want more detailed information about the synchronization process, you can review the wsyncmgr.log file that is located in <ConfigMgrInstallationPath>\Logs on each site server. Top of page

Synchronize Software Updates from a Disconnected Software Update Point

When the software update point at the top-level site is disconnected from the Internet, you must use the export and import functions of the WSUSUtil tool to synchronize software updates metadata. Starting with Configuration Manager SP1, you can choose an existing WSUS that is not in your Configuration Manager hierarchy as the synchronization source. This section provides information about how to use the export and import functions of the WSUSUtil tool. To export and import software updates metadata, you must export software updates metadata from the WSUS database on a specified export server, then copy the locally stored license terms files to the disconnected software update point, and then import the software updates metadata to the WSUS database on the disconnected software update point. Warning In Configuration Manager with no service pack, you have the option to synchronize an Internet-based software update point that is disconnected from the active software update point for the site. Use the following table to identify the export server in which to export the software updates metadata.
Software update point Upstream update source for connected software update points Export server for a disconnected software update point

Central administration site

Microsoft Update (Internet) Existing WSUS server

2

Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in
1840

Software update point

Upstream update source for connected software update points

Export server for a disconnected software update point

your Configuration Manager environment. Stand-alone primary site Microsoft Update (Internet) Existing WSUS server
2

Choose a WSUS server that is synchronized with Microsoft Update by using the software update classifications, products, and languages that you need in your Configuration Manager environment. Choose the software update point for the central administration site or choose the active software update point for the same site, if possible. However, you can choose any other software update point in the Configuration Manager hierarchy as long as it contains the most recent software updates.

For Configuration Manager with Active software update point no service pack only: for the site Remote Internet-based software update point

Starting with Configuration Manager SP1, you can specify an existing WSUS server that is not part of your Configuration Manager hierarchy as the upstream synchronization source. Before you start the export process, verify that software updates synchronization is completed on the selected export server to ensure that the most recent software updates metadata is synchronized. To verify that software updates synchronization has completed successfully, use the following procedure. To verify that software updates synchronization has completed successfully on the export server 1. Open the WSUS Administration console and connect to the WSUS database on the export server. 2. In the WSUS Administration console, click Synchronizations. A list of the software updates synchronization attempts are displayed in the results pane. 3. In the results pane, find the latest software updates synchronization attempt and verify that it completed successfully. Important
1841

The WSUSUtil tool must be run locally on the export server to export the software updates metadata, and it also must be run on the disconnected software update point server to import the software updates metadata. In addition, the user that runs the WSUSUtil tool must be a member of the local Administrators group on each server.

Export Process for Software Updates

The export process for software updates consists of two main steps: to copy the locally stored license terms files to the disconnected software update point, and to export software updates metadata from the WSUS database on the export server. Use the following procedure to copy the local license terms metadata to the disconnected software update point. To copy local files from the export server to the disconnected software update point server 1. On the export server, navigate to the folder where software updates and the license terms for software updates are stored. By default, the WSUS server stores the files at <WSUSInstallationDrive>\WSUS\WSUSContent\, where WSUSInstallationDrive is the drive on which WSUS is installed. 2. Copy all files and folders from this location to the WSUSContent folder on the disconnected software update point server. Use the following procedure to export the software updates metadata from the WSUS database on the export server. To export software updates metadata from the WSUS database on the export server 1. At the command prompt on the export server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at % ProgramFiles%\Update Services\Tools. For example, if the tool is located in the default location, type cd %ProgramFiles%\Update Services\Tools. 2. Type the following to export the software updates metadata to a package file: wsusutil.exe export packagename logfile For example: wsusutil.exe export export.cab export.log The format can be summarized as follows: WSUSutil.exe is followed by the export option, the name of the export .cab file that is created during the export operation, and the name of a log file. WSUSutil.exe exports the metadata from the export server and creates a log file of the operation. Note The package (.cab file) and the log file name must be unique in the current folder. 3. Move the export package to the folder that contains WSUSutil.exe on the import WSUS
1842

server. Note If you move the package to this folder, the import experience can be easier. You can move the package to any location that is accessible to the import server, and then specify the location when you run WSUSutil.exe.

Import Software Updates Metadata

Use the following procedure to import software updates metadata from the export server to the disconnected software update point. Important Never import any exported data from a source that you do not trust. If you import content from a source that you do not trust, it might compromise the security of your WSUS server. To import metadata to the database of the import server 1. At the command prompt on the import WSUS server, navigate to the folder that contains WSUSutil.exe. By default, the tool is located at % ProgramFiles%\Update Services\Tools. 2. Type the following: wsusutil.exe import packagename logfile For example: wsusutil.exe import export.cab import.log The format can be summarized as follows: WSUSutil.exe is followed by the import command, the name of package file (.cab) that is created during the export operation, the path to the package file if it is in a different folder, and the name of a log file. WSUSutil.exe imports the metadata from the export server and creates a log file of the operation. Top of page

Classifications
Configure the classifications settings on the Classifications page of the wizard or the on the Classifications tab in Software Update Point Component Properties. For more information about software update classifications, see the Update Classifications section in the Planning for Software Updates in Configuration Manager topic. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Classifications page of the wizard is available only when you configure the first software update point that you configure on a stand-alone
1843

primary site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the software updates classifications. After the initial software updates synchronization, you must configure the classifications from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the toplevel site.

Products
Configure the product settings on the Products page of the wizard or the on the Products tab in Software Update Point Component Properties. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The Products page of the wizard is available only when you configure the first software update point that you configure on a stand-alone primary site. This page is not displayed when you install additional software update points. Tip When you first install the software update point on the top-level site, clear all of the products. After the initial software updates synchronization, you must configure the products from an updated list, and then reinitiate synchronization. This setting is configured only on the software update point at the top-level site.

Step 3: Configure Classifications and Products to Synchronize

Note Use the procedure from this section only on the top-level site. In Step 1, you cleared the list classifications and products. In Step 2, you initiated software update synchronization to update the list of classifications and products in Configuration Manager and WSUS. In step 3, you must select the classifications and products to synchronize. Use the following procedure to configure classifications and products to synchronize. To configure classifications and products to synchronize 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and then select the central administration site or stand-alone primary site. 3. On the Home tab, in the Settings group, click Configure Site Components, and then
1844

click Software Update Point. 4. On the Classifications tab, specify the software update classifications for which you want to synchronize software updates. Note Every software update is defined with an update classification that helps to organize the different types of updates. During the synchronization process, the software updates metadata for the specified classifications are synchronized. Configuration Manager provides the ability to synchronize software updates with the following update classifications: Critical Updates: Specifies a broadly released update for a specific problem that addresses a critical, non-security-related bug. Definition Updates: Specifies an update to virus or other definition files. Feature Packs: Specifies new product features that are distributed outside of a product release and that are typically included in the next full product release. Security Updates: Specifies a broadly released update for a product-specific, security-related issue. Service Packs: Specifies a cumulative set of hotfixes that are applied to an application. These hotfixes can include: security updates, critical updates, software updates, and so on. Tools: Specifies a utility or feature that helps to complete one or more tasks. Update Rollups: Specifies a cumulative set of hotfixes that are packaged together for easy deployment. These hotfixes can include security updates, critical updates, updates, and so on. An update rollup generally addresses a specific area, such as security or a product component. Updates: Specifies an update to an application or file that is currently installed.

5. On the Products tab, specify the products for which you want to synchronize software updates, and then click Close. Note The metadata for each software update defines the products for which the update is applicable. A product is a specific edition of an operating system or application, such as Windows Server 2008. A product family is the base operating system or application from which the individual products are derived. An example of a product family is Windows, of which Windows Server 2008 is a member. You can specify a product family or individual products within a product family. The more products that you select, the longer it will take to synchronize software updates. When software updates are applicable to multiple products, and at least one of the products was selected for synchronization, all of the products will appear in the Configuration Manager console even if some products were not selected. For example, if Windows Server 2008 is the only operating system that you selected, and if a software update applies to Windows 7 and Windows Server 2008, both
1845

products will be displayed in the Configuration Manager console. Important Configuration Manager stores a list of products and product families from which you can choose when you first install the software update point. Products and product families that are released after Configuration Manager is released might not be available to select until you complete software updates synchronization, which updates the list of available products and product families from which you can choose. 6. Repeat Step 2: Synchronize Software Updates to manually initiate software updates synchronization.

Step 4: Verify Software Updates Client Settings and Group Policy Configurations
There are client settings and group policy configurations that you must verify before you deploy software updates.

Client Settings for Software Updates

After you install the software update point, software updates is enabled on clients by default, and the settings on the Network Access Protection (NAP) and Software Updates pages in client settings have default values. Before you deploy software updates, verify that the client settings on these pages are appropriate for the software updates at your site. Important The Enable software updates on clients setting is enabled by default. If you clear this setting, Configuration Manager removes the existing deployment policies from the client. Also, NAP and compliance settings policies that rely on the software updates device setting will no longer function. For information about how to configure client settings, see How to Configure Client Settings in Configuration Manager. For more information about the client settings, see About Client Settings in Configuration Manager.

Group Policy Settings for Software Updates

There are specific Group Policy settings that are used by Windows Update Agent (WUA) on client computers to connect to WSUS that runs on the software updates point. These Group Policy settings are also used to successfully scan for software update compliance, and to automatically update the software updates and the WUA.

1846

Specify Intranet Microsoft Update Service Location Local Policy

When the software update point is created for a site, clients receive a machine policy that provides the software update point server name and configures the Specify intranet Microsoft update service location local policy on the computer. The WUA retrieves the server name that is specified in the Set the intranet update service for detecting updates setting, and then it connects to this server when it scans for software updates compliance. When a domain policy is created for the Specify intranet Microsoft update service location setting, it overrides the local policy, and the WUA might connect to a server other than the active software update point. If this happens, the client might scan for software update compliance based on different products, classifications, and languages. Therefore, you should not configure the Active Directory policy for client computers.

Allow Signed Content from Intranet Microsoft Update Service Location Group Policy
You must enable the Allow signed content from intranet Microsoft update service location Group Policy setting before the WUA on computers will scan for software updates that were created and published with System Center Updates Publisher. When the policy setting is enabled, WUA will accept software updates that are received through an intranet location if the software updates are signed in the Trusted Publishers certificate store on the local computer. For more information about the Group Policy settings that are required for Updates Publisher, see Updates Publisher 2011 Documentation Library.

Automatic Updates Configuration

Automatic Updates allows security updates and other important downloads to be received on client computers. Automatic Updates is configured through the Configure Automatic Updates Group Policy setting or through the Control Panel on the local computer. When Automatic Updates is enabled, client computers will receive update notifications and, depending on the configured settings, the client computers will download and install the required updates. When Automatic Updates coexists with software updates, each client computer might display notification icons and popup display notifications for the same update. Also, when a restart is required, each client computer might display a restart dialog box for the same update.

Self Update
When Automatic Updates is enabled on client computers, the WUA automatically performs a selfupdate when a newer version becomes available or when there are problems with a WUA component. When Automatic Updates is not configured or is disabled, and client computers have an earlier version of the WUA, the client computers must run the WUA installation file.

1847

Remove the Software Update Point Site System Role

You can remove the software update point site system role at a site from the Configuration Manager console. The client policy is updated to remove the software update point from the list. When you remove the last software update point at the site, the software update point list will contain no software update points, and software updates is essentially disabled at the site. Starting with Configuration Manager SP1, when you have more than one software update point at a primary site and you remove the software update point that is configured as the synchronization source, you must choose another software update point at the site to be the new synchronization source. Note When you remove the software update point site role from a site system, wait at least 15 minutes before you reinstall the software update point site role. Use the following procedure to remove a software update point. To remove the software update point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Select the site system server with the software update point to remove, and then in Site System Roles, select Software update point. 4. On the Site Role tab, in the Site Role group, click Remove Role. Confirm that you want to remove the software update point. Or, in Configuration Manager SP1, select a new synchronization source for the other software update points at the site.

See Also
Software Updates in Configuration Manager

How to Configure a Software Update Point to Use Network Load Balancing (NLB) Cluster
Note The information in this topic applies only to Microsoft System Center 2012 Configuration Manager with no service pack. For more information about whether to configure a software update point to use Network Load Balancing (NLB) in Configuration Manager, see the Software Update Point Configured to Use an NLB section in the Planning for Software Updates in Configuration Manager topic.
1848

This topic provides the steps for how to configure NLB in Configuration Manager with no service pack. NLB can increase the reliability and performance of a network. You can set up multiple WSUS servers that share a single SQL Server failover cluster, and then configure a software update point to use the NLB, but this configuration requires that you perform additional steps during WSUS setup. Note The maximum number of WSUS servers that can be configured as part of a network load balancing cluster is four. Use the following sections to configure an active software update point to use an NLB cluster: Prepare the network environment for network load balanced software update point site systems. Install WSUS 3.0 (on each server that will host the software update point site system role). Install the software update point site system role (on each server that will be part of the software update point network load balancing cluster). Configure the Windows Server network load balancing cluster for installed software update site systems. Configure the active software update point component for the Configuration Manager site as the software update point network load balancing cluster.

Configure WSUS for Network Load Balancing

Prepare the Network Environment for NLB Software Update Point Site Systems
Use the following procedure to prepare the network environment for the software update point to use an NLB cluster. To prepare the network environment for NLB software update point site systems 1. Create or identify a domain user account to be used as the Software Update Point Connection account. 2. Add the computer accounts of each site system that will be configured as part of the software update point NLB cluster to the local Administrators group on each server that will be part of the NLB cluster. Note The computer accounts for the cluster nodes must be able to write to the WSUS database. If the local Administrators group is removed from the SysAdmin role on the SQL server, the computer accounts will not be able to write to the WSUS database, and the software update point will fail to install until the computer accounts are added to the SysAdmin role. 3. Create a DFS share or a standard network shared folder that is available to all of the WSUS servers that will be part of the software update point NLB cluster to be used as the
1849

WSUS resource content share. Each of the remote WSUS servers should be given change permissions on the root of the shared folder (all standard NTFS permissions except for Full Control). If the share is created on one of the site systems that will be part of the NLB cluster, the Network Access Account for the site system must have change permissions on the root of the shared folder. The user account used to run WSUS Setup must also have the same permissions to the share. 4. Identify the computer running SQL Server to host the WSUS database. The WSUS database can be installed on the same SQL Server database server instance that hosts the site database or a different SQL Server database server. Note For a list of supported SQL Server versions that you can use for site systems in Configuration Manager, see SQL Server Site Database Configurations. 5. The WSUS 3.0 Administration console must be installed on the primary site server to allow the site server and remote Configuration Manager consoles to configure and synchronize with WSUS. 6. If the Configuration Manager site is configured to communicate by using SSL authentication, Web server signing certificates must be configured on each of the software update point site systems that will be configured as part of the NLB. For more information about configuring Web server signing certificates for network load balanced software update points, see PKI Certificate Requirements for Configuration Manager.

Install WSUS 3.0 (on each server that will host the software update point site system role)
Note The following procedure must be performed on each server that will be part of the software update point NLB cluster. To install WSUS 3.0 to support the Configuration Manager software update point site system role 1. On a server that will be part of the software update point NLB cluster, create the following folder: <Program Files directory>\Update Services. 2. Install WSUS 3.0 on each server that will be a member of the software update point NLB cluster. For more information about installing WSUS, see Install the WSUS 3.0 SP2 Server Software Though the User Interface in the Windows Server Update Services documentation library. During installation, consider the following settings: On the Select Update Source page, select the Store updates locally check box and enter the path <Program Files directory>\Update Services. On the Database Options page, do one of the following. If you are running WSUS Setup on the server hosting the WSUS SQL Server database, select Use an existing database server on this computer select the
1850

instance name to be used from the drop-down list. If you are running WSUS Setup on a computer that will not host the WSUS SQL Server database, select Use an existing database server on a remote computer and enter the FQDN of the SQL Server that will host the WSUS database followed by the instance name (if not using the default instance). Warning If another WSUS Server that will be part of the NLB cluster has been configured to use the same SQL Server database server, select Use existing database. 3. Add the Software Update Point Connection Account to the local WSUS Administrators group on the server. 4. On the SQL Server computer that hosts the WSUS database, provide dbo_owner rights on the SUSDB database for the Software Update Point Connection Account. 5. Configure Internet Information Services (IIS) to enable content share access. a. Open the Internet Information Services (IIS) Manager console. b. Expand <server name>, expand Sites, and then expand the Site node for the WSUS Web site (either Default Web Site or WSUS Administration). c. Configure the virtual directory Content to use the UNC share name of the share created in step 3 of the To prepare the network environment for NLB software update point site systems procedure in this topic.

d. Configure the credentials used to connect to the virtual directory with the user name and password of the Software Update Point Connection Account created in step 1 of the To prepare the network environment for NLB software update point site systems procedure in this topic. 6. Configure SSL authentication in Internet Information Services (IIS). Important This step is only required if the software update point will be configured to communicate by using SSL. If you are not configuring the software update point to use SSL, skip to step 6. a. Open Internet Information Services (IIS) Manager. b. Expand Web Sites, and then expand the WSUS administration Web site (either Default Web Site or WSUS Administration). c. Configure the following virtual directories of the WSUS administration Web site to use SSL:APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService.

d. Close Internet Information Services (IIS) Manager. e. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system node >. 7. Move the local content directory to the WSUS resource content share created in step 3 of the To prepare the network environment for NLB software update point site systems procedure in this topic.
1851

Important This step must be followed for each of the front-end WSUS servers that are not on the same server as the WSUS resource content share a. Open a command window and navigate to the WSUS tools directory on the WSUS server: cd Program Files\Update Services\Tools b. On the first WSUS server to be configured, at the command prompt, type the following command: wsusutil movecontent<WSUSContentsharename><logfilename> Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and logfilename is the name of the log file that will be used to record the content move procedure. c. On the successive WSUS servers to be configured, at the command prompt type the following command: wsusutil movecontent<WSUSContentsharename><logfilename>/skipcopy Where <WSUSContentsharename> is the name of the WSUS content resource location share to which the content should be moved, and logfilename is the name of the log file that will be used to record the content move procedure. Note To verify that the content move was successful, review the log file created during the procedure and use registry editor to review the HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup|ContentDir registry key to ensure that the value has been changed to the WSUS content resource location share name.

Install the Software Update Point Site System Role

Use the following procedure on each software update point that will be part of the software update point NLB cluster. To install the software update point site system role on servers that will be part of the network load balancing cluster 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles. 3. Add the software update point site system role to a new or existing site system server by using the associated step: Note For more information about installing site system roles, see Install and Configure
1852

Site System Roles for Configuration Manager. New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Existing site system server: Click the server in which you want to install the software update point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the software update point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Software update point from the list of available roles, and then click Next. 6. On the Software Update Point page, specify whether the site server will use a proxy server when software updates are synchronized and when downloading software update files, and whether to use credentials to connect to the proxy server. Click Next. 7. On the Active Settings page, click Next, and then click Close to exit the wizard and create the non-active software update point.

Configure the Windows Server Network Load Balancing Cluster for Installed Software Update Point Site Systems
To configure the Windows Server network load balancing cluster for installed software update point site systems 1. To configure the Windows Server NLB cluster for installed software update point site systems, follow the instructions for deploying NLB for the operating system running on the site system. For Windows Server 2008 and Windows Server 2008 R2, see the Network Load Balancing Deployment Guide. 2. After you verify that the NLB cluster is operating successfully, you can configure the active software update point to use the NLB cluster.

Configure the Active Software Update Point to Use an NLB Cluster

Use the following procedure to configure the active software update point for the site to use an NLB cluster. To configure the active software update point to use an NLB cluster
1853

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and click Servers and Site System Roles. 3. On the Home tab, click Configure Site Components, and then click Software Update Point. The Software Update Point Component Properties opens. 4. On the General tab, select Use Network Load Balancing cluster for active software update point. 5. 6. Click Settings and configure the following NLB settings: a. NLB address type: Select FQDN. b. Intranet FQDN or IP address: Enter the FQDN that you created in step 6 of Prepare the Network Environment for NLB Software Update Point Site Systems. Click OK. 7. Click Set, and then select to configure the Software Update Point Connection Account to use the Windows user account that you created in step 1 of the To prepare the network environment for NLB software update point site systems procedure in this topic. Select Existing account to specify a Windows user account that has previously been configured as a Configuration Manager account or select New account to specify a Windows user account that is not currently configured as a Configuration Manager account. The user is displayed in the Accounts subfolder of the Security node in the Administration workspace with the Software Update Point Connection Account name. Click OK 8. Determine the communication settings that you want to use for the active software update point, and then click OK.

See Also
Configuring Software Updates in Configuration Manager

How to Determine the Port Settings Used by WSUS

When you install and configure a software update point in System Center 2012 Configuration Manager, the port settings used by the Microsoft Windows Server Update Services (WSUS) server must be specified. Use one of the following procedures to determine the port settings used by WSUS. To determine the port settings in IIS 6.0 1. On the WSUS server, open Internet Information Services (IIS) Manager.
1854

2. Expand Web Sites, right-click the Web site for the WSUS server, and then click Properties. 3. Click the Web Site tab. The HTTP port setting is displayed in TCP port, and the HTTPS port setting is displayed in SSL port. To determine the port settings used in IIS 7.0 1. On the WSUS server, open Internet Information Services (IIS) Manager. 2. Expand Sites, right-click the Web site for the WSUS server, and then click Edit Bindings. In the Site Bindings dialog, the HTTP and HTTPS port values are displayed in the Port column.

See Also
Configuring Software Updates in Configuration Manager

How to Enable CRL Checking for Software Updates

By default, the certificate revocation list (CRL) is not checked when verifying the signature on System Center 2012 Configuration Manager software updates. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. If used, CRL checking must be enabled on the Configuration Manager consoles that process software updates. To enable CRL checking On the computer performing the CRL check, from the product DVD, run the following from a command prompt: \SMSSETUP\BIN\X64\<language>\UpdDwnldCfg.exe /checkrevocation. For example, for English (US) you would run \SMSSETUP\BIN\X64\00000409\UpdDwnldCfg.exe /checkrevocation

See Also
Configuring Software Updates in Configuration Manager

1855

Operations and Maintenance for Software Updates in Configuration Manager

The overall process for software updates in System Center 2012 Configuration Manager includes four main operational phases: synchronization, compliance assessment, deployment, and monitoring. The synchronization phase is the process of synchronizing the software update metadata from Microsoft Update and inserting it into the site server database. The compliance assessment phase is the process that client computers perform to scan for compliance of software updates and report the compliance state for the software updates. The deployment phase is the process of manually or automatically deploying the software updates to clients. Finally, the monitoring phase is the process of follow-on monitoring for software update deployment compliance. Important Before software update compliance assessment data is displayed in the Configuration Manager console and before you can deploy the software updates to clients, you must carefully plan for the software updates in your hierarchy and configure the software update dependences to meet the needs of your environment. For more information about planning for software updates, see Planning for Software Updates in Configuration Manager. For more information about configuring software updates, see Configuring Software Updates in Configuration Manager. The following sections in this topic will help you with the operational phases for software updates in Configuration Manager: Synchronize Software Updates Download Software Updates Manage Software Update Settings Review Software Updates Information Software Update Details Content Information Custom Bundle Information Supersedence Information Set Maximum Run Time Enable Network Access Protection (NAP) Evaluation Set Custom Severity

Configure Software Updates Settings

Add Software Updates to an Update Group Deploy Software Updates Manually Deploy Software Updates Automatically Deploy Software Updates

Monitor software updates

1856

Synchronize Software Updates

Software update synchronization in Configuration Manager is the process of retrieving the software update metadata that meets the criteria that you configure. The software update point on the central administration site, or on a stand-alone primary site, retrieves the metadata from Microsoft Update on a predetermined schedule. Alternatively, you can manually initiate metadata synchronization from the Configuration Manager console. After the software update synchronization is complete at a central administration site, the site sends the child primary sites a synchronization request that instructs them to initiate synchronization. For more information about software update synchronization, see the Software Updates Synchronization section in the Introduction to Software Updates in Configuration Manager topic. You configure software update synchronization to run on a schedule as part of the properties for the software update point on the top-level site. After you configure the synchronization schedule you will typically not change the schedule as part of normal operations. However, you can manually initiate software update synchronization when it is necessary. For information about configuring the software update synchronization schedule, see the Synchronize Software Updates section in the Configuring Software Updates in Configuration Manager topic. Use the following procedure to manually initiate software update synchronization. To manually initiate software updates synchronization on the central administration site 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates or Software Update Groups. 3. On the Home tab, in the Create group, click Synchronize Software Updates. Click Yes to confirm that you want to initiate the synchronization process. After you initiate the synchronization process, you can use the Configuration Manager console to monitor the process for all software update points in your hierarchy. Use the following procedure to monitor the software update synchronization process. To monitor the software update synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The results pane displays the software update points in your Configuration Manager hierarchy. From this view, you can monitor the synchronization status for all software update points. To obtain more detailed information about the synchronization process, review the wsyncmgr.log file, which is located in <ConfigMgrInstallationPath>\Logs on each site server.

1857

Download Software Updates

There are several methods available to you for downloading software updates in Configuration Manager. When you create an automatic deployment rule or manually deploy software updates, the software updates are downloaded to the content library on the site server, and then copied to the content library on the distribution points that are associated with the configured deployment package. If you want to download the software updates before you deploy them, you can use the Download Updates Wizard. Doing this will enable you to verify that the software updates are available on distribution points before you deploy the software updates to client computers. Note For information about monitoring content status, see the Content Status Monitoring section in this topic. Use the following procedure to download software updates by using the Download Software Updates Wizard. To download software updates 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Choose the software update to download by using one of the following methods: Select one or more software update groups from Software Update Groups, and then, on the Home tab, in the Update Group group, click Download. Select one or more software updates from All Software Updates, and then, on the Home tab, in the Update group, click Download. Note On the All Software Updates node, Configuration Manager displays only software updates with a Critical and Security classification that have been released in the last 30 days. Tip Click Add Criteria to filter the software updates that are displayed in the All Software Updates node, save search criteria that you often use, and then manage saved searches on the Search tab. The Download Software Updates Wizard opens. 4. On the Deployment Package page, configure the following settings: a. Select deployment package: Choose this setting to select an existing deployment package for the software updates that are in the deployment. Note Software updates that have already been downloaded to the selected deployment package will not be downloaded again. b. Create a new deployment package: Select this setting to create a new deployment
1858

package for the software updates that are in the deployment. Configure the following settings: Name: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. Description: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click Next. 5. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files, and then click Next. For more information about distribution points, see Planning for Content Management in Configuration Manager. Note The Distribution Points page is available only when you create a new software update deployment package. 6. On the Distribution Settings page, specify the following settings: Distribution priority: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium
1859

priority. Distribute the content for this package to preferred distribution points : Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see Planning for Preferred Distribution Points and Fallback in Planning for Content Management in Configuration Manager. Prestaged distribution point settings: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: Automatically download content when packages are assigned to distribution points: Use this setting to ignore the prestage settings and distribute content to the distribution point. Download only content changes to the distribution point : Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. Manually copy the content in this package to the distribution point : Use this setting to always prestage content on the distribution point. This is the default setting.

For more information about prestaging content to distribution points, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Click Next. 7. On the Download Location page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: Download software updates from the Internet: Select this setting to download the software updates from the location on the Internet. This is the default setting. Download software updates from a location on the local network : Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. Note When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click Next. 8. On the Language Selection page, specify the languages for which the selected software updates are to be downloaded, and then click Next. Configuration Manager downloads the software updates only if they are available in the selected languages. Software
1860

updates that are not language-specific are always downloaded. 9. On the Summary page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 10. On the Completion page, verify that the software updates were successfully downloaded, and then click Close.

Manage Software Update Settings

The software update properties provide information about software updates and associated content. You can also use these properties to configure settings for software updates. When you open the properties for multiple software updates, only the Maximum Run Time and Custom Severity tabs are displayed. The NAP Evaluation tab is also displayed if all selected software updates have been downloaded. Use the following procedure to open software update properties. To open software update properties 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates. 3. Select one or more software updates, and then, on the Home tab, click Properties in the Properties group. Note On the All Software Updates node, Configuration Manager displays only the software updates that have a Critical and Security classification and that have been released in the last 30 days.

Review Software Updates Information

In software update properties, you can review detailed information about a software update. The detailed information is not displayed when you select more than one software update. The following sections describe the information that is available for a selected software update.

Software Update Details

In the Update Details tab, you can view the following summary information about the selected software update: Bulletin ID: Specifies the bulletin ID that is associated with security software updates. You can find security bulletin details by searching on the bulletin ID at the Microsoft Security Bulletin Search Web page. Article ID: Specifies the article ID for the software update. The referenced article provides more detailed information about the software update and the issue that the software update fixes or improves.
1861

Date revised: Specifies the date that the software update was last modified. Maximum severity rating: Specifies the vendor-defined severity rating for the software update. Description: Provides an overview of what condition the software update fixes or improves. Applicable languages: Lists the languages for which the software update is applicable. Affected products: Lists the products for which the software update is applicable.

Content Information
In the Content Information tab, review the following information about the content that is associated with the selected software update: Content ID: Specifies the content ID for the software update. Downloaded: Indicates whether Configuration Manager has downloaded the software update files. Language: Specifies the languages for the software update. Source Path: Specifies the path to the software update source files. Size (MB): Specifies the size of the software update source files.

Custom Bundle Information

In the Custom Bundle Information tab, review the custom bundle information for the software update. When the selected software update contains bundled software updates that are contained in the software update file, they are displayed in the Bundle information section. This tab does not display bundled software updates that are displayed in the Content Information tab, such as update files for different languages.

Supersedence Information
On the Supersedence Information tab, you can view the following information about the supersedence of the software update: This update has been superseded by the following updates: Specifies the software updates that supersede this update, which means that the updates listed are newer. In most cases, you will deploy one of the software updates that supersedes the software update. The software updates that are displayed in the list contain hyperlinks to webpages that provide more information about the software updates. When this update is not superseded, None is displayed. This update supersedes the following updates: Specifies the software updates that are superseded by this software update, which means this software update is newer. In most cases, you will deploy this software update to replace the superseded software updates. The software updates that are displayed in the list contain hyperlinks to web pages that provide more information about the software updates. When this update does not supersede any other update, None is displayed.

1862

Configure Software Updates Settings

In the properties, you can configure software update settings for one or more software updates. You can configure most software update settings only at the central administration site or standalone primary site. The following sections will help you to configure settings for software updates.

Set Maximum Run Time

In the Maximum Run Time tab, set the maximum amount of time a software update is allotted to complete on client computers. If the update takes longer than the maximum run-time value, Configuration Manager creates a status message and stops monitoring the deployment for the software updates installation. You can configure this setting only on the central administration site or a stand-alone primary site. Configuration Manager also uses this setting to determine whether to initiate the software update installation within a configured maintenance window. If the maximum run-time value is greater than the available remaining time in the maintenance window, the software updates installation is postponed until the start of the next maintenance window. When there are multiple software updates to be installed on a client computer with a configured maintenance window (timeframe), the software update with the lowest maximum run time installs first, then the software update with the next lowest maximum run time installs next, and so on. Before it installs each software update, the client verifies that the available maintenance window will provide enough time to install the software update. After a software update starts installing, it will continue to install even if the installation goes beyond the end of the maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. On the Maximum Run Time tab, you can view and configure the following settings: Maximum run time: Specifies the maximum number of minutes allotted for a software update installation to complete before the installation is no longer monitored by Configuration Manager. This setting is also used to determine whether there is enough available time remaining to install the update before the end of a maintenance window. The default setting is 60 minutes for service packs and 5 minutes for all other software update types. Values can range from 5 to 9999 minutes. Important Be sure to set the maximum run time value smaller than the configured maintenance window time. Otherwise, the software update installation will never initiate.

Enable Network Access Protection (NAP) Evaluation

Use the settings on the NAP Evaluation tab to specify whether the software update is required for compliance when using NAP. You can enable NAP evaluation to include the software update in a NAP policy that will become effective on clients according to the configured schedule. When the policy becomes effective, these clients might have restricted access until they comply with the selected software update. Network restriction and remediation behavior depends upon how the

1863

policies are configured on the Windows Network Policy Server. You can configure this setting only on the central administration site or a stand-alone primary site. You can configure the following settings on the NAP Evaluation tab: Set the effective data for all selected objects: Specifies whether the selected software updates are included in the NAP policy and evaluated on clients. This setting is displayed only when you select more than one software update. Enable NAP evaluation: Specifies whether the selected software updates are included in the NAP policy and evaluated on clients. As soon as possible: Specifies that the software update is included in the NAP policy and becomes effective on clients as soon as possible. Date and time: Specifies that the software update is included in the NAP policy and becomes effective on clients on the specified date and time.

Client Behavior When Effective Date Becomes Current The effective date is when a Configuration Manager NAP policy becomes active on specified clients. When the effective date occurs, the client computer will assess its compliance status by verifying whether it requires the software update that is listed in the policy. If it is not compliant, the required software update can be enforced through remediation. The client might have restricted network access until remediation is successful. Remediation and restriction are controlled by policies configured on the Microsoft Windows Network Policy Server. Considerations for Configuring the Effective Date Most Configuration Manager clients will have the required software updates installed through the normal software update deployment. It is a precautionary measure to set an effective date after the deadline for a software update deployment in order to handle the few computers that do not install the software update through standard operating procedures. However, unlike the standard software update process, NAP has the ability to restrict network access until the software updates in the Configuration Manager NAP policy are installed. Setting an aggressive effective date has the following risks: More clients might have restricted network access until remediation is successful. This, in turn, increases the load on remediation servers, such as the distribution points that host the software updates, and the software update points. The deployment packages that contain the required software updates might not have sufficient time to replicate to the remediation distribution points before the effective date occurs.

You can configure the effective date in a Configuration Manager NAP policy to be a date in the future, or As soon as possible. Select As soon as possible only if one of the following applies: The Windows Network Policy Server will not restrict network access for non-compliant computers. The risk of a non-compliant computer having full network access is greater than the risk of it having restricted network access and being unable to remediate in the event that the software update is not yet replicated to the remediation distribution points.
1864

Set Custom Severity

In the properties for a software update, you can use the Custom Severity tab to configure custom severity values for the software updates. This may be necessary if the predefined severity values do not meet your needs. The custom values are listed in the Custom Severity column in the Configuration Manager console. You can sort the software updates by the defined custom severity values and can also create queries and reports that can filter on these values. You can configure this setting only on the central administration site or stand-alone primary site. You can configure the following settings on the Custom Severity tab. Custom severity: Sets a custom severity value for the software updates. Select Critical, Important, Moderate, or Low from the list. By default, the custom severity value is empty.

Add Software Updates to an Update Group

Software update groups provide you with an effective method to organize software updates in your environment. You can manually add software updates to a software update group or automatically add software updates to a software update group by using an automatic deployment rule. You can also deploy a software update group manually or deploy the group automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and Configuration Manager will automatically deploy them. Use the following procedures to add software updates to a new or existing software update group. To add software updates to a new software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and then click All Software Updates. 3. Select the software updates to be added to the new software update group. 4. On the Home tab, in the Update group, click Create Software Update Group. 5. Specify the name for the software update group and optionally provide a description. Use a name and description that provide enough information for you to determine what type of software updates are in the software update group. To proceed, click Create. 6. Click Software Update Groups to display the new software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the group. To add software updates to an existing software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and then click All Software Updates. 3. Select the software updates that you want to add to the new software update group.

1865

Note On the All Software Updates node, by default, Configuration Manager displays only software updates with a Critical and Security classification and that were released in the last 30 days. 4. On the Home tab, in the Update group, click Edit Membership. 5. Select the software update group into which you want to add the software updates. 6. Click the Software Update Groups node to display the software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the software update group.

Deploy Software Updates

The software update deployment phase is the process of deploying the software updates. Typically, you add software updates to a software update group and then deploy the software update group to clients. When you create the deployment, the software update policy is sent to client computers, the software update content files are downloaded from a distribution point to the local cache on the client computer, and then the software updates are available for installation on the client. Clients on the Internet download content from Microsoft Update. Note Starting in Configuration Manager SP1, you can configure a client on the intranet to download software updates from Microsoft Update if a distribution point is not available. Note Unlike other deployment types, software updates are all downloaded to the client cache regardless of the maximum cache size setting on the client. For more information about the client cache setting, see the Configure the Client Cache for Configuration Manager Clients section in the How to Manage Clients in Configuration Manager topic. If you configure a required software update deployment, the software updates are automatically installed at the scheduled deadline. Alternatively, the user on the client computer can schedule or initiate the software update installation prior to the deadline. After the attempted installation, client computers send state messages back to the site server to report whether the software update installation was successful. For more information about software update deployments, see the Software Update Deployment Workflows section in the Introduction to Software Updates in Configuration Manager topic. There are two main scenarios for deploying software updates: manual deployment and automatic deployment. Typically, you will initially manually deploy software updates to create a baseline for your client computers, and then you will manage software updates on clients by using automatic deployment. The following sections provide information and procedures for manual and automatic deployment workflows for software updates.
1866

Manually Deploy Software Updates

A manual software update deployment is the process of selecting software updates from the Configuration Manager console and manually initiating the deployment process. Or, you can add selected software updates to an update group, and then manually deploy the update group. You will typically use manual deployment to get your client devices up-to-date with required software updates before you create automatic deployment rules that will manage ongoing monthly software update deployments. You will also use a manual method to deploy out-of-band software updates. The following sections provide the general workflow for manual deployment of software updates.

Step 1: Specify Search Criteria for Software Updates

There are potentially thousands of software updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying software updates is to identify the software updates that you want to deploy. For example, you could provide criteria that retrieves all software updates that are required on more than 50 client devices and that have a Security or Critical software update classification. Important The maximum number of software updates that can be included in a single software update deployment is 1000. To specify search criteria for software updates 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click All Software Updates. The synchronized software updates are displayed. Note On the All Software Updates node, Configuration Manager displays only software updates with a Critical and Security classification and have been released in the last 30 days. 3. In the search pane, filter to identify the software updates that you need by using one or both of the following steps: In the search text box, type a search string that will filter the software updates. For example, type the article ID or bulletin ID for a specific software update, or enter a string that would appear in the title for several software updates. Click Add Criteria, select the criteria that you want to use to filter software updates, click Add, and then provide the values for the criteria.

4. Click Search to filter the software updates. Tip You have the option to save the filter criteria on the Search tab and in the Save group.
1867

Step 2: Create a Software Update Group that Contains the Software Updates
Software update groups provide an effective method for you to organize software updates in preparation for deployment. You can manually add software updates to a software update group or Configuration Manager can automatically add software updates to a new or existing software update group by using an automatic deployment rule. Use the following procedures to manually add software updates to a new software update group. To manually add software updates to a new software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Select the software updates that are to be added to the new software update group. 4. On the Home tab, in the Update group, click Create Software Update Group. 5. Specify the name for the software update group and optionally provide a description. Use a name and description that provide enough information for you to determine what type of software updates are in the software update group. To proceed, click Create. 6. Click the Software Update Groups node to display the new software update group. 7. Select the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates that are included in the group.

Step 3: Download the Content for the Software Update Group

Optionally, before you deploy the software updates, you can download the content for the software updates that are included in the software update group. You might choose to do this so you can verify that the content is available on the distribution points before you deploy the software updates. This will help you to avoid any unexpected issues with the content delivery. You can skip this step and the content will be downloaded and copied to the distribution points as part of the deployment process. Use the following procedure to download the content for software updates in the software update group. To download content for the software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Software Update Groups. 3. Select the software update group for which you want to download content. 4. On the Home tab, in the Update Group group, click Download. The Download Software Updates Wizard opens. 5. On the Deployment Package page, configure the following settings: a. Select deployment package: Select this setting to use an existing deployment package for the software updates in the deployment. Note
1868

Software updates that have already been downloaded to the selected deployment package are not downloaded again. b. Create a new deployment package: Select this setting to create a new deployment package for the software updates in the deployment. Configure the following settings: Name: Specifies the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. Description: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. Click Next. 6. On the Distribution Points page, select the distribution points or distribution point groups that are used to host the software update files defined in the new deployment package, and then click Next. 7. On the Distribution Settings page, specify the following settings: Distribution priority: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Distribution packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. Distribute the content for this package to preferred distribution points: Use this
1869

setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. Prestaged distribution point settings: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: Automatically download content when packages are assigned to distribution points: Use this setting to ignore the prestage settings and distribute content to the distribution point. Download only content changes to the distribution point : Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. Manually copy the content in this package to the distribution point : Use this setting to always prestage content on the distribution point. This is the default setting.

For more information about prestaging content to distribution points, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Click Next. 8. On the Download Location page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: Download software updates from the Internet: Select this setting to download the software updates from the location on the Internet. This is the default setting. Download software updates from a location on the local network : Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. Note When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. Click Next. 9. On the Language Selection page, specify the languages for which the selected software updates are to be downloaded, and then click Next. Configuration Manager downloads the software updates only if they are available in the selected languages. Software updates that are not language-specific are always downloaded.
1870

10. On the Summary page, verify the settings that you selected in the wizard, and then click Next to download the software updates. 11. On the Completion page, verify that the software updates were successfully downloaded, and then click Close. 12. To monitor the content status for the software updates, click Monitoring in the Configuration Manager console. 13. In the Monitoring workspace, expand Distribution Status, and then click Content Status. 14. Select the software update package that you previously identified to download the software updates in the software update group. 15. On the Home tab, in the Content group, click View Status.

Step 4: Deploy the Software Update Group

After you determine which software updates you intend to deploy and add these software updates to a software update group, you can manually deploy the software updates in the software update group. Use the following procedure to manually deploy the software updates in a software update group. To manually deploy the software updates in a software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Software Update Groups. 3. Select the software update group that you intend to deploy. 4. On the Home tab, in the Deployment group, click Deploy. The Deploy Software Updates Wizard opens. 5. On the General page, configure the following settings: Name: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment, and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: Microsoft Software Updates - <date><time> Description: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. Software Update/Software Update Group: Verify that the displayed software update group, or software update, is correct. Select Deployment Template: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar
1871

deployments and to save time. Collection: Specify the collection for the deployment, as applicable. Members of the collection receive the software updates that are defined in the deployment. Type of deployment: Specify the deployment type for the software update deployment. Select Required to create a mandatory software update deployment in which the software updates are automatically installed on clients before a configured installation deadline. Select Available to create an optional software update deployment that is available for users to install from Software Center. Important After you create the software update deployment, you cannot later change the type of deployment. Use Wake-on-LAN to wake up clients for required deployments: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. Warning Before you can use this option, computers and networks must be configured for Wake On LAN. Detail level: Specify the level of detail for the state messages that are reported by client computers. Schedule evaluation: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. Software available time: Select one of the following settings to specify when the software updates will be available to clients: As soon as possible: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. Specific time: Select this setting to make the software updates in the deployment available to clients at a specific date and time. When the deployment is created, the client policy is updated and clients are made aware of the deployment at their next client policy polling cycle. However, the software updates in the deployment are not available for installation until after the specified date and time.

6. On the Deployment Settings page, configure the following settings:

7. On the Scheduling page, configure the following settings:

Installation deadline: Select one of the following settings to specify the installation
1872

deadline for the software updates in the deployment. Note You can configure the installation deadline setting only when Type of deployment is set to Required on the Deployment Settings page. As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible. Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time. Note The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Starting in Configuration Manager SP1, you can configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic. 8. On the User Experience page, configure the following settings: User notifications: Specify whether to display notification of the software updates in Software Center on the client computer at the configured Software available time and whether to display user notifications on the client computers. When Type of deployment is set to Available on the Deployment Settings page, you cannot select Hide in Software Center and all notifications. Deadline behavior: Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. Device restart behavior: Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. Important Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. . Write filter handling for Windows Embedded devices: For Configuration
1873

Manager SP1 only: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. You can configure the Deadline behavior and Device restart behavior settings only when Type of deployment is set to Required on the Deployment Settings page. 9. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when Type of deployment is set to Required on the Deployment Settings page. Warning You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 10. On the Download Settings page, configure the following settings: Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. Allow clients to share content with other clients on the same subnet : Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see the Planning for BranchCache Support section in the Planning for Content Management in Configuration Manager topic. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify whether to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on
1874

this page. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. 11. If you have performed Step 3: Download the Content for the Software Update Group, then the Deployment Package, Distribution Points, and Language Selection pages are not displayed, and you can skip to step 15 of the wizard. Important Software updates that have been previously downloaded to the content library on the site server are not downloaded again. This is true even when you create a new deployment package for the software updates. If all software updates have already been previously downloaded, the wizard skips to the Language Selection page (step 15). 12. On the Deployment Package page, select an existing deployment package or configure the following settings to specify a new deployment package: a. Name: Specify the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. b. Description: Specify a description that provides information about the deployment package. The description is limited to 127 characters. c. Package source: Specify the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. d. Sending priority: Specify the sending priority for the deployment package. Configuration Manager uses the sending priority for the deployment package when it sends the package to distribution points. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order
1875

in which they were created. If there is no backlog, the package will process immediately regardless of its priority. 13. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files. For more information about distribution points, see Planning for Content Management in Configuration Manager. 14. On the Download Location page, specify whether to download the software update files from the Internet or from your local network. Configure the following settings: Download software updates from the Internet: Select this setting to download the software updates from a specified location on the Internet. This setting is enabled by default. Download software updates from a location on the local network: Select this setting to download the software updates from a local folder or shared network folder. This setting is useful when the computer that runs the wizard does not have Internet access. The software updates can be preliminarily downloaded from any computer that has Internet access and stored in a location on the local network for subsequent access for installation.

15. On the Language Selection page, select the languages for which the selected software updates are downloaded. The software updates are downloaded only if they are available in the selected languages. Software updates that are not language specific are always downloaded. By default, the wizard selects the languages that you have configured in the software update point properties. At least one language must be selected before proceeding to the next page. When you select only languages that are not supported by a software update, the download will fail for the software update. 16. On the Summary page, review the settings. To save the settings to a deployment template, click Save As Template, enter a name and select the settings that you want to include in the template, and then click Save. To change a configured setting, click the associated wizard page and change the setting. Warning The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or (single quotation mark). 17. Click Next to deploy the software update. After you have completed the wizard, Configuration Manager downloads the software updates to the content library on the site server, distributes the software updates to the configured distribution points, and then deploys the software update group to clients in the target collection. For more information about the deployment process, see the Software Update Deployment Process section in the Introduction to Software Updates in Configuration Manager topic.

Automatically Deploy Software Updates

You can automatically deploy software updates by adding new software updates to an update group that has an active deployment or by using automatic deployment rules.

1876

Add software updates to a deployed update group

After you create and deploy a software update group, you can add software updates to the update group and they will also be automatically deployed. Important When you add software updates to an existing software update group that has already been deployed, it might take several minutes before the additional software updates are added to the deployment. Use the following procedure to add software updates to an existing update group. To add software updates to an existing software update group 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, click Software Updates. 3. Select the software updates that are to be added to the new software update group. 4. On the Home tab, in the Update group, click Edit Membership. 5. Select the software update group to which you want to add the software updates as members. 6. Click the Software Update Groups node to display the software update group. 7. Click the software update group, and in the Home tab, in the Update group, click Show Members to display a list of the software updates in the group.

Create an Automatic Deployment Rule

You can automatically approve and deploy software updates by using an automatic deployment rule. This is a common method of deployment for monthly software updates ("Patch Tuesday") and for managing definition updates. When the automatic deployment rule runs, the software updates that meet a specified criteria are added to a software update group, the content files for the software updates are downloaded and copied to distribution points, and the software updates are deployed to client devices in the target collection. Warning Before you create an automatic deployment rule for the first time, verify that software updates synchronization has completed at the site. This is particularly important when you run Configuration Manager with a non-English language because software update classifications are displayed in English before the first synchronization, and then displayed in the localized language after software update synchronization completes. Rules that you create before you synchronize software updates might not work properly after synchronization because the text string might not match. Use the following procedure to create an automatic deployment rule. To create an automatic deployment rule
1877

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Software Updates, and click Automatic Deployment Rules. 3. On the Home tab, in the Create group, click Create Automatic Deployment Rule. The Create Automatic Deployment Rule Wizard opens. 4. On the General page, configure the following settings: Name: Specify the name for the automatic deployment rule. The name must be unique, help to describe the objective of the rule, and identify it from others in the Configuration Manager site. Description: Specify a description for the automatic deployment rule. The description should provide an overview of the deployment rule and any other relevant information that helps to identify and differentiate the rule among others in the Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. Select Deployment Template: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties that can then be used when creating automatic deployment rules. These templates help to ensure consistency across similar deployments and to save time. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can select from two built-in software update deployment templates from the Automatic Deployment Rule Wizard. The Definition Updates template provides common settings to use when you deploy definition software updates. The Patch Tuesday template provides common settings to use when you deploy software updates on a monthly cycle. Collection: Specifies the target collection to be used for the deployment. Members of the collection receive the software updates that are defined in the deployment. Decide whether to add software updates to a new or existing software update group. In most cases, you will probably choose to create a new software update group when the automatic deployment rule is run. However, you might choose to use an existing group if the rule runs on a more aggressive schedule. For example, if you will run the rule daily for definition updates, then you could add the software updates to an existing software update group. Enable the deployment after this rule is run: Specify whether to enable the software update deployment after the automatic deployment rule runs. Regarding this specification, consider the following: When you enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group, the software update content is downloaded as necessary, the content is copied to the specified distribution points, and the software updates are deployed to the clients in the target collection. When you do not enable the deployment, the software updates that meet the criteria defined in the rule are added to a software update group and the software
1878

updates deployment policy is configured but the software updates are not downloaded or deployed to clients. This situation provides you time as needed to prepare to deploy the software updates, verify that the software updates that meet the criteria are adequate, and then enable the deployment at a later time. 5. On the Deployment Settings page, configure the following settings: Use Wake-on-LAN to wake up clients for required deployments: Specifies whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled. Warning Before you can use this option, you must configure computers and networks for Wake On LAN. Detail level: Specify the level of detail for the state messages that are reported by client computers. Important When you deploy definition updates, set the detail level to Error only to have the client report a state message only when a definition update fails to be delivered to the client. Otherwise, the client will report a large number of state messages that might impact performance on the site server. License terms setting: Specify whether to automatically deploy software updates with associated license terms. Some software updates include license terms, such as a service pack. When you automatically deploy software updates, the license terms are not displayed and there is not an option to accept the license terms. You can choose to automatically deploy all software updates regardless of an associated license terms or only deploy software updates that do not have associated license terms. Warning To review the license terms for a software update, you can select the software update in the All Software Updates node of the Software Library workspace, and then on the Home tab, in the Update group, click Review License. To find software updates with associated license terms, you can add the License Terms column to the results pane in the All Software Updates node, and then click the heading for the column to sort by the software updates with license terms. 6. On the Software Updates page, configure the criteria for the software updates that the automatic deployment rule retrieves and adds to the software update group. Important
1879

The limit for software updates in the automatic deployment rule is 1000 software updates. To ensure that the criteria that you specify on this page retrieves less than 1000 software updates, consider setting the same criteria on the All Software Updates node in the Software Library workspace. 7. On the Evaluation Schedule page, specify whether to enable the automatic deployment rule to run on a schedule. When enabled, click Customize to set the recurring schedule. Important The software update point synchronization schedule is displayed to help you determine the frequency of the evaluation schedule. You should never set the evaluation schedule with a frequency that exceeds the software updates synchronization schedule. The start time configuration for the schedule is based on the local time of the computer that runs the Configuration Manager console. Note To manually run the automatic deployment rule, select the rule, and then click Run Now on the Home tab in the Automatic Deployment Rule group. Before you manually run the automatic deployment rule, verify that software updates synchronization has been run since the last time you ran the rule. Important The automatic deployment rule evaluation can run as often as three times per day. 8. On the Deployment Schedule page, configure the following settings: Schedule evaluation: Specify whether Configuration Manager evaluates the available time and installation deadline times by using UTC or the local time of the computer that runs the Configuration Manager console. Software available time: Select one of the following settings to specify when the software updates are available to clients: As soon as possible: Select this setting to make the software updates that are included in the deployment available to the client computers as soon as possible. When you create the deployment with this setting selected, Configuration Manager updates the client policy. Then, at the next client policy polling cycle, clients become aware of the deployment and can obtain the updates that are available for installation. Specific time: Select this setting to make the software updates that are included in the deployment available to the client computers at a specific date and time. When you create the deployment with this setting enabled, Configuration Manager updates the client policy. Then, at the next client policy polling cycle, clients become aware of the deployment. However, the software updates in the deployment are not available for installation until after the configured date and time.

Installation deadline: Select one of the following settings to specify the installation deadline for the software updates in the deployment:
1880

As soon as possible: Select this setting to automatically install the software updates in the deployment as soon as possible. Specific time: Select this setting to automatically install the software updates in the deployment at a specific date and time. Configuration Manager determines the deadline to install software updates by adding the configured Specific time interval to the Software available time. Note The actual installation deadline time is the displayed deadline time plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Starting in Configuration Manager SP1, you can configure the Computer Agent client setting Disable deadline randomization to disable the installation randomization delay for required software updates. For more information, see the Computer Agent section in the About Client Settings in Configuration Manager topic.

9. On the User Experience page, configure the following settings: User notifications: Specify whether to display notification of the software updates in Software Center on the client computer at the configured Software available time and whether to display user notifications on the client computers. Deadline behavior: Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see the Configure Maintenance Windows section in the Configuring Settings for Client Management in Configuration Manager topic. Device restart behavior: Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. Important Suppressing system restarts can be useful in server environments or in cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. Write filter handling for Windows Embedded devices: For Configuration Manager SP1 only. When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and
1881

the changes persist on the device. Note When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 10. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. Warning You can review recent software updates alerts from the Software Updates node in the Software Library workspace. 11. On the Download Settings page, configure the following settings: Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. Allow clients to share content with other clients on the same subnet : Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see the Planning for BranchCache Support section in the Planning for Content Management in Configuration Manager topic. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify whether to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, deployment package, and the settings on this page. For more information, see the Planning for Preferred Distribution Points and Fallback section in the Planning for Content Management in Configuration Manager topic. 12. On the Deployment Package page, select an existing deployment package or configure the following settings to create a new deployment package: a. Name: Specify the name of the deployment package. This must be a unique name that describes the package content. It is limited to 50 characters. b. Description: Specify a description that provides information about the deployment
1882

package. The description is limited to 127 characters. c. Package source: Specifies the location of the software update source files. Type a network path for the source location, for example, \\server\sharename\path, or click Browse to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page. Note The deployment package source location that you specify cannot be used by another software deployment package. Security The SMS Provider computer account and the user that is running the wizard to download the software updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location in order to reduce the risk of attackers tampering with the software update source files. Important You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. d. Sending priority: Specify the sending priority for the deployment package. Configuration Manager uses the sending priority for the deployment package when it sends the package to distribution points. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. 13. On the Distribution Points page, specify the distribution points or distribution point groups that will host the software update files. For more information about distribution points, see Planning for Content Management in Configuration Manager. Note This page is available only when you create a new software update deployment package. 14. On the Download Location page, specify whether to download the software update files from the Internet or from your local network. Configure the following settings: Download software updates from the Internet: Select this setting to download the software updates from a specified location on the Internet. This setting is enabled by default. Download software updates from a location on the local network : Select this setting to download the software updates from a local directory or shared folder. This setting is useful when the computer that runs the wizard does not have Internet access. Any computer with Internet access can preliminarily download the software updates and store them in a location on the local network that is accessible from the
1883

computer that runs the wizard. 15. On the Language Selection page, select the languages for which the selected software updates are downloaded. The software updates are downloaded only if they are available in the selected languages. Software updates that are not language specific are always downloaded. By default, the wizard selects the languages that you have configured in the software update point properties. At least one language must be selected before proceeding to the next page. When you select only languages that are not supported by a software update, the download will fail for the software update. 16. On the Summary page, review the settings. To save the settings to a deployment template, click Save As Template, enter a name and select the settings that you want to include in the template, and then click Save. To change a configured setting, click the associated wizard page and change the setting. Warning The template name can consist of alphanumeric ASCII characters as well as \ (backslash) or (single quotation mark). 17. Click Next to create the automatic deployment rule. After you have completed the wizard, the automatic deployment rule will run. It will add the software updates that meet the specified criteria to a software update group, download the software updates to the content library on the site server, distribute the software updates to the configured distribution points, and then deploy the software update group to clients in the target collection. For more information about the deployment process, see the Software Update Deployment Process section in the Introduction to Software Updates in Configuration Manager topic.

Monitor software updates

To help you to monitor software updates objects, processes, and compliance information, the Configuration Manager console provides the following: Alerts for Software updates Software update synchronization status Software update deployment status Software update reports Content distribution status for software update files

Alerts for Software Updates

You can configure alerts for software updates to notify administrative users when compliance levels for software update deployments are below the configured percentage. You can configure alerts for software update deployments in the following locations: Automatic deployment rule setting: You can configure the alerts settings in the Automatic Deployment Rule Wizard and in the properties for the automatic deployment rule.

1884

Deployment setting: You can configure the alerts settings in the Deploy Software Updates Wizard and in deployment properties.

After you configure the alert settings, if the specified conditions occur, Configuration Manager generates an alert. You can review software update alerts at the following locations: 1. Review recent alerts in the Software Updates node in the Software Library workspace. 2. Manage the configured alerts in the Alerts node in the Monitoring workspace.

Software Updates Synchronization Status

After you initiate the synchronization process, you can monitor the synchronization process from the Configuration Manager console for all software update points in your hierarchy. Use the following procedure to monitor the software update synchronization process. To monitor the software updates synchronization process 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Software Update Point Synchronization Status. The software update points in your Configuration Manager hierarchy are displayed in the results pane. From this view, you can monitor the synchronization status for all software update points. To see more detailed information about the synchronization process, you can review the wsyncmgr.log file, which is located in < ConfigMgrInstallationPath>\Logs on each site server.

Software Update Deployment Status

After you deploy the software updates in a software update group or deploy an individual software update, you can monitor the deployment status. Use the following procedure to monitor the deployment status for a software update group or software update. To monitor deployment status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. Click the software update group or software update for which you want to monitor the deployment status. 4. On the Home tab, in the Deployment group, click View Status.

Software Updates Reports

The state messages for software updates provide information about the compliance of software updates and about the evaluation and enforcement state of software update deployments. You can run software update reports to display these state messages. There are more than 30 predefined software update reports available. They are organized in several categories and can be used to report on specific information about software updates and deployments. In addition to
1885

using the preconfigured reports, you can also create custom software update reports according to the needs of your enterprise. For more information, see Operations and Maintenance for Reporting in Configuration Manager.

Monitoring Content
You can monitor content in the Configuration Manager console to review the status for all package types in relation to the associated distribution points. This can include the content validation status for the content in the package, the status of content assigned to a specific distribution point group, the state of content assigned to a distribution point, and the status of optional features for each distribution point (content validation, PXE, and multicast).

Content Status Monitoring

The Content Status node in the Monitoring workspace provides information about content packages. You can review general information about the package, distribution status for the package, and detailed status information about the package. Use the following procedure to view content status. To monitor content status 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Distribution Status, and then click Content Status. The packages are displayed. 3. Select the package for which to view detailed status information. 4. On the Home tab, click View Status. Detailed status information for the package is displayed.

Distribution Point Group Status

The Distribution Point Group Status node in the Monitoring workspace provides information about distribution point groups. You can review general information about the distribution point group, such as distribution point group status and compliance rate, as well as detailed status information for the distribution point group. Use the following procedure to view distribution point group status. To monitor distribution point group status 1. In the Configuration Manager console, click Monitoring. 2. In the monitoring workspace, expand Distribution Status, and then click Distribution Point Group Status. The distribution point groups are displayed. 3. Select the distribution point group for which to view detailed status information. 4. On the Home tab, click View Status. Detailed status information for the distribution point group is displayed.

1886

Distribution Point Configuration Status

The Distribution Point Configuration Status node in the Monitoring workspace provides information about the distribution point. You can review which attributes are enabled for the distribution point, such as the PXE, Multicast, and content validation. You can also view detailed status information for the distribution point. Use the following procedure to view distribution point configuration status. To monitor distribution point configuration status 1. In the Configuration Manager console, click Monitoring. 2. In the monitoring workspace, expand Distribution Status, and then click Distribution Point Configuration Status. The distribution points are displayed. 3. Select the distribution point for which to view distribution point status information. 4. In the results pane, click the Details tab. Status information for the distribution point is displayed.

See Also
Software Updates in Configuration Manager

Security and Privacy for Software Updates in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for software updates in System Center 2012 Configuration Manager.

Security Best Practices for Software Updates

Use the following security best practices when you deploy software updates to clients:
Security best practice More information

Do not change the default permissions on software update packages.

By default, software update packages are set to allow administrators Full Control and users to have Read access. If you change these permissions, it might allow an attacker to add, remove, or delete software updates.
1887

Security best practice

More information

Control access to the download location for software updates.

The computer accounts for the SMS Provider, the site server, and the administrative user who will actually download the software updates to the download location require Write access to the download location. Restrict access to the download location to reduce the risk of attackers tampering with the software updates source files in the download location. In addition, if you use a UNC share for the download location, secure the network channel by using IPsec or SMB signing to prevent tampering of the software updates source files when they are transferred over the network.

Use UTC for evaluating deployment times.

If you use local time instead of UTC, users could potentially delay installation of software updates by changing the time zone on their computers Identify and follow the security best practices for the version of WSUS that you use with Configuration Manager. Important If you configure the software update point to enable SSL communications for the WSUS server, you must configure virtual roots for SSL on the WSUS server.

Enable SSL on WSUS and follow the best practices for securing Windows Server Update Services (WSUS).

Enable CRL checking.

By default, Configuration Manager does not check the certificate revocation list (CRL) to verify the signature on software updates before they are deployed to computers. Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and incurs additional processing on the computer performing the CRL check. For more information about how to enable CRL checking for software updates, see How to Enable CRL Checking for Software Updates.

1888

Security best practice

More information

Configure WSUS to use a custom website.

When you install WSUS on the software update point, you have the option to use the existing IIS Default Web site or to create a custom WSUS website. Create a custom website for WSUS so that IIS hosts the WSUS services in a dedicated virtual website instead of sharing the same web site that is used by the other Configuration Manager site systems or other applications. For more information, see the Configuring WSUS to Use a Custom Web Site section in the Planning for Software Updates in Configuration Manager topic.

Network Access Protection (NAP): Do not rely on NAP to secure a network from malicious users.

Network Access Protection is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the networks overall integrity. For example, if a computer has all the software updates required by the Configuration Manager NAP policy, the computer is considered compliant, and it will be granted the appropriate access to the network. Network Access Protection does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent. Use DHCP NAP in a secured, testing environment or for monitoring purposes only. When you use DHCP NAP, attackers can modify the statement of health packets between the client and the NAP health policy server, and users can circumvent the NAP process. Misconfigured NAP policy could result in clients accessing the network when they should be restricted or valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of misconfiguration. Configure the Configuration Manager NAP client agent and Configuration Manager System Health Validator points to use
1889

Network Access Protection (NAP): Do not use DHCP NAP enforcement in a production environment.

Network Access Protection (NAP): Use consistent NAP policies throughout the hierarchy to minimize confusion.

Security best practice

More information

the same settings throughout the hierarchy, or through additional hierarchies in the organization if clients might roam between them. Important If a Configuration Manager client with the Network Access Protection client agent enabled roams into a different Configuration Manager hierarchy and has its client statement of health validated by a System Health Validator point from outside its hierarchy, the validation process will fail the site check. This will result in a client health state of unknown, which by default is configured on the NAP health policy server as non-compliant. If the NAP health policy server has network policies configured for limited network access, these clients cannot be remediated and risk being unable to access the full network. An exemption policy on the NAP health policy server could give Configuration Manager clients that roam outside their Configuration Manager hierarchy unrestricted network access. Network Access Protection (NAP): Do not enable Network Access Protection as a client setting immediately on new Configuration Manager sites. Although the site servers publish the Configuration Manager health state reference to a domain controller when Configuration Manager NAP policies are modified, this new data might not be immediately available for retrieval by the System Health Validator point until Active Directory replication has completed. If you enable Network Access Protection on Configuration Manager clients before replication has completed, and if your NAP health policy server will give noncompliant clients limited network access, you can potentially cause a denial of service attack
1890

Security best practice

More information

against yourself. Network Access Protection (NAP): If you store the health state reference in a designated forest, specify two different accounts for publishing and retrieving the health state reference. When you designate an Active Directory forest to store the health state reference, specify two different accounts because they require different sets of permissions: The Health State Reference Publishing Account requires Read, Write, and Create permissions to the Active Directory forest that stores the health state reference. The Health State Reference Querying Account requires only Read permission to the Active Directory forest that stores the health state reference. Do not grant this account interactive logon rights.

Network Access Protection (NAP): Do not rely on Network Access Protection as an instantaneous or real-time enforcement mechanism.

There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may be on the order of several hours or more due to a variety of factors, including the settings of various configuration parameters.

Privacy Information for Software Updates

Software updates scans your client computers to determine which software updates you require, and then sends that information back to the site database. During the software updates process, Configuration Manager might transmit information between clients and servers that identify the computer and logon accounts. Configuration Manager maintains state information about the software deployment process. State information is not encrypted during transmission or storage. State information is stored in the Configuration Manager database and it is deleted by the database maintenance tasks. No state information is sent to Microsoft. The use of Configuration Manager software updates to install software updates on client computers might be subject to software license terms for those updates, which is separate from the Software License Terms for Microsoft System Center 2012 Configuration Manager. Always review and agree to the Software Licensing Terms prior to installing the software updates by using Configuration Manager. Configuration Manager does not implement software updates by default and requires several configuration steps before information is collected.
1891

Before you configure software updates, consider your privacy requirements.

See Also
Software Updates in Configuration Manager

Technical Reference for Software Updates in Configuration Manager

Technical Reference Topics
Technical Reference for the Icons Used for Software Updates Example Scenario for Using Configuration Manager to Deploy and Monitor the Security Software Updates Released Monthly by Microsoft

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Software Updates in Configuration Manager

Technical Reference for the Icons Used for Software Updates

Synchronized software updates are displayed in the Configuration Manager console, and the first column for each software update contains an icon that indicates a specific state. Software update groups are also represented with an icon that provides information about the state of the software updates contained in the group. This section provides information about the software update icons and what each icon represents.

Icons for Software Updates

Synchronized software updates are represented by one of the following icons.

Normal Icon
The icon with the green arrow represents a normal software update. Description: Normal software updates have been synchronized and are available for software deployment.
1892

Operational Concerns: There are no operational concerns.

Expired Icon
The icon with the black X represents an expired software update. You can also identify expired software updates by viewing the Expired column for the software update when it displays in the Configuration Manager console. Description: Expired software updates were previously deployable to client computers, but once a software update is expired, new deployments can no longer be created for the software updates. Expired software updates contained in active deployments continue to be available to clients. Operational Concerns: Replace expired software updates when possible. When software updates become expired, Configuration Manager does not remove the software updates contained within active software update deployments. Configuration Manager continues to assess software update compliance on expired software updates in deployments, but they are considered not required for reporting purposes.

Superseded Icon
The icon with the yellow star represents a superseded software update. You can also identify superseded software updates by viewing the Superseded column for the software update when it displays in the Configuration Manager console. Description: Superseded software updates have been replaced with newer versions of the software update. Typically, a software update that supersedes another software update does one or more of the following: Enhances, improves, or adds to the fix provided by one or more previously released software updates. Improves the efficiency of its software update file package, which clients install if the software update is approved for installation. For example, the superseded software update might contain files that are no longer relevant to the fix or to the operating systems now supported by the new software update, so those files are not included in the superseding software update's file package. Updates newer versions of a product, or in other words, is no longer applicable to older versions or configurations of a product. Software updates can also supersede other software updates if modifications have been made to expand language support. For example, a later revision of a product update for Microsoft Office might remove support for an older operating system, but add additional support for new languages in the initial software update release.

On the Supersedence Rules tab in the Software Update Point Component properties, you can specify how to manage superseded software updates. For more information, see the
1893

Supersedence Rules section in the Planning for Software Updates in Configuration Manager topic. Operational Concerns: When possible, deploy the superseding software update to client computers instead of the superseded software update. You can display a list of the software updates that supersede the software update on the Supersedence Information tab in the software update properties.

Invalid Icon
The icon with the red X represents an invalid software update. Description: Invalid software updates are in an active deployment, but for some reason the content (software update files) is not available. The following are scenarios in which this state can occur: You successfully deploy the software update, but the software update file is removed from the deployment package and is no longer available. You create a software update deployment at a site and the deployment object is successfully replicated to a child site, but the deployment package has not successfully replicated to the child site.

Operational Concerns: When the content is missing for a software update, clients are unable to install the software update until the content becomes available on a distribution point. You can redistribute the content to distribution points by using the Redistribute action. When content is missing for a software update in a deployment created at a parent site, the software update must be replicated or redistributed to the child site. For more information about content redistribution, see the Redistribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Metadata-Only Icon
The icon with the blue arrow represents a metadata-only software update. Description: Metadata-only software updates are available in the Configuration Manager console for reporting. You cannot deploy or download metadata-only software updates because a software update file is not associated with the software updates metadata. Operational Concerns: Metadata-only software updates are available for reporting purposes and are not intended for software update deployment.

Icons for Software Update Groups

Software update groups are represented by one of the following icons.
1894

Normal Icon
The icon with the green arrow represents a software update group that contains only normal software updates. Operational Concerns: There are no operational concerns.

Expired Icon
The icon with the black X represents a software update group that contains one or more expired software updates. Operational Concerns: Remove or replace expired software updates in the software update group when possible.

Superseded Icon
The icon with the yellow star represents a software update group that contains one or more superseded software updates. Operational Concerns: Replace the superseded software update in the software update group with the superseding software update when possible.

Invalid Icon
The icon with the red X represents a software update group that contains one or more invalid software updates. Operational Concerns: When the content is missing for a software update, clients are unable to install the software update until the content becomes available on a distribution point. You can redistribute the content to distribution points by using the Redistribute action. When content is missing for a software update in a deployment created at a parent site, the software update needs to replicated or redistributed to the child site. For more information about content redistribution, see the Redistribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic.

See Also
Technical Reference for Software Updates in Configuration Manager

Example Scenario for Using Configuration Manager to Deploy and Monitor the Security
1895

Software Updates Released Monthly by Microsoft

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how you can use software updates in Microsoft System Center 2012 Configuration Manager to deploy and monitor the security software updates that Microsoft releases monthly. In this scenario, John is the Configuration Manager administrator at Woodgrove Bank. John needs to create a software update deployment strategy with the following conditions and requirements: Active software update deployment occurs one week after Microsoft releases the security software updates on the second Tuesday of each month. This event is typically referred to as Patch Tuesday. Software updates are downloaded and staged on distribution points. Then a deployment is tested to a subset of clients before John fully deploys the software updates in his production environment. John must be able to monitor the software updates' compliance by month or by year.

This scenario assumes that the software update point infrastructure has already been implemented. Use the information in the following table to plan for and configure software updates in System Center 2012 Configuration Manager.
Process Reference

Review the key concepts for software updates. Plan for software updates. This information helps you to plan for capacity considerations, determine the software update point infrastructure, software update point installation, synchronization settings, and client settings for software updates. Configure software updates. This information helps you to install and configure software update points in your hierarchy and helps to configure and synchronize software updates. Important

Introduction to Software Updates in Configuration Manager Planning for Software Updates in Configuration Manager

Configuring Software Updates in Configuration Manager

1896

Process

Reference

John configures the software updates synchronization schedule to occur on the second Wednesday of each month to ensure that he retrieves the latest security software updates from Microsoft.

The following sections in this topic provide example procedural steps to help you to deploy and monitor System Center 2012 Configuration Manager security software updates in your organization: Step 1: Create a Software Update Group for Yearly Compliance Step 2: Create an Automatic Deployment Rule for the Current Month Step 3: Verify That Software Updates Are Ready to Deploy Step 4: Deploy the Software Update Group Step 5: Monitor Compliance for Deployed Software Updates Step 6: Add Monthly Software Updates to the Yearly Update Group

Step 1: Create a Software Update Group for Yearly Compliance

John creates a software update group that he can use to monitor compliance for all of the security software updates that he releases in 2012. He performs the steps in the following table.
Process Reference

From the All Software Updates node in the Configuration Manager console, John adds criteria to display only security software updates that are released or revised in year 2012 that meet the following criteria: Criteria: Date Released or Revised Condition: is greater than or equal to specific date Value: 1/1/2012 Criteria: Update Classification Value: Security Updates Criteria: Expired Value: No

No additional information

1897

Process

Reference

John adds all of the filtered software updates to a new software update group with the following requirements: Name: Compliance Group - Microsoft Security Updates 2012 Description: Software updates

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 2: Create an Automatic Deployment Rule for the Current Month

John creates an automatic deployment rule for the security software updates that are released by Microsoft for the current month. He performs the steps in the following table.
Process Reference

John creates an automatic deployment rule with For more information about creating an the following requirements: automatic deployment rule, see the Automatically Deploy Software Updates section 1. On the General tab, John configures the in the Operations and Maintenance for following: Software Updates in Configuration Manager He specifies Monthly Security topic. Updates for the name. He selects a test collection with limited clients. He selects Create a new Software Update Group. He verifies that Enable the deployment after this rule is run is not selected.

2. On the Deployment Settings tab, John selects the default settings. 3. On the Software Updates page, John configures the following property filters and search criteria: Date Released or Revised Last 1 month. Update Classification Security Updates.

4. On the Evaluation page, John enables the rule to run on a schedule for the second Thursday of every month. John also verifies
1898

Process

Reference

that his synchronization schedule is set to run on the second Wednesday of every month. 5. John uses the default settings on the Deployment Schedule, User Experience, Alerts, and Download Settings pages. 6. On the Deployment Package page, John specifies a new deployment package. 7. John uses the default settings on the Download Location and Language Selection pages.

Step 3: Verify That Software Updates Are Ready to Deploy

On the second Thursday of every month, John verifies that the software updates are ready to deploy. He performs the step in the following table.
Process Reference

John verifies that software updates synchronization completed successfully.

For more information about creating an automatic deployment rule, see the Automatically Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

Step 4: Deploy the Software Update Group

After John verifies that the software updates are ready to deploy, he deploys the software updates. He performs the steps in the following table.
Process Reference

John creates two test deployments for the new software update group. He considers the following environments for each deployment:

For more information about how to deploy software updates, see the Deploy Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.
1899

Process

Reference

Workstation test deployment: John considers the following for the workstation test deployment: He specifies a deployment collection that contains a subset of workstation clients to verify the deployment. He configures the deployment settings that are appropriate for the workstation clients in his environment.

Server test deployment: John considers the following for the server test deployment: He specifies a deployment collection that contains a subset of server clients to verify the deployment. He configures the deployment settings that are appropriate for the server clients in his environment. For more information about how to monitor a software update deployment, see the Monitor Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic. No additional information

John verifies that the test deployments have successfully deployed.

John updates the two deployments with new collections that include his production workstations and servers.

Step 5: Monitor Compliance for Deployed Software Updates

John monitors compliance of his software update deployments. He performs the step in the following table.
Process Reference

John monitors the software updates deployment status in the Configuration Manager console and checks the software update deployment reports available from the console.

For the steps to monitor a software update deployment, see the Monitor Software Updates section in the Operations and Maintenance for Software Updates in Configuration Manager topic.
1900

Step 6: Add Monthly Software Updates to the Yearly Update Group

John adds the software updates from the monthly software update group to the yearly software update group. He performs the step in the following table.
Process Reference

John selects the software updates from the monthly software update group and adds the software updates to the software updates group that he created for yearly compliance. He tracks the software update compliance and creates various reports for his management.

For the steps to add software updates to an update group, see the Add Software Updates to an Update Group section in the Operations and Maintenance for Software Updates in Configuration Manager topic.

John has successfully completed his monthly deployment for security software updates. He continues to monitor and report on software update compliance to ensure that the clients in his environment are within acceptable compliance levels.

Recurring Monthly Process to Deploy Software Updates

After the first month that John deploys software updates, he performs steps three through six to deploy the monthly security software updates released by Microsoft.

See Also
Technical Reference for Software Updates in Configuration Manager

Operating System Deployment in Configuration Manager

Operating system deployment provides Microsoft System Center 2012 Configuration Manager administrative users with a tool for creating operating system images that they can deploy to computers that are managed by Configuration Manager and to unmanaged computers by using bootable media such as a CD set, DVD, or USB flash drives. The operating system image, in a Windows Imaging Format (WIM) format file, contains the required version of a Windows operating system and any line-of-business applications that have to be installed on the computer.

1901

Operating system deployment provides the following functionality: You can capture an image of the operating system that you want to deploy. You can capture and restore user state by using the User State Migration Tool (USMT). You can deploy the operating system image to a collection of computers. You can create task sequences that perform multiple actions on a computer at the commandline level that do not require user intervention.

Operating System Deployment Topics

The following topics provide information to help you deploy operating systems in System Center 2012 Configuration Manager: Introduction to Operating System Deployment in Configuration Manager Planning to Deploy Operating Systems in Configuration Manager Configuring Configuration Manager for Operating System Deployments Operations and Maintenance for Deploying Operating Systems in Configuration Manager Security and Privacy for Deploying Operating Systems in Configuration Manager Technical Reference for Deploying Operating Systems in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Deploying Software and Operating Systems in System Center 2012 Configuration Manager

Introduction to Operating System Deployment in Configuration Manager

The following sections explain some of the concepts that are used to deploy operating systems in your System Center 2012 Configuration Manager environment: The Operating System Deployment Process Methods Used to Deploy Operating Systems Capturing and Deploying an Operating System Image Installing Device Drivers on Destination Computers Media Used to Deploy Operating Systems Managing User State Unknown Computer Deployments Supporting User Device Affinity Deploying Operating Systems to NAP-enabled Environments
1902

Whats New in Configuration Manager Whats New in Configuration Manager SP1 Whats New in System Center 2012 R2 Configuration Manager

For an example scenario that shows how you might deploy an operating system, see Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager.

The Operating System Deployment Process

Configuration Manager provides several methods that you can use to deploy an operating system. Regardless of the deployment method that you use, there are several actions that you must take. These actions include the following: Identify any Windows device drivers that are required to run the boot image or the operating system image that you have to deploy. Identify the boot image that you want to use to start the destination computer. Configuration Manager provides two default boot images. Capture an image of the operating system that you want to deploy by using a task sequence. Distribute the boot image, operating system image, and any related content to a distribution point. Create a task sequence that deploys the boot image and the operating system image. Deploy the task sequence to the collection that contains the destination computer. If there are multiple computers in the collection, the task sequence is deployed to each computer in the collection.

Methods Used to Deploy Operating Systems

There are several methods that you can use to deploy operating systems to Configuration Manager client computers. PXE initiated deployments: PXE-initiated deployments let client computers request a deployment over the network. In this method of deployment, the operating system image and a Windows PE boot image are sent to a distribution point that is configured to accept PXE boot requests. For more information about PXE-initiated deployments, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. Multicast deployments: Multicast deployments conserve network bandwidth by concurrently sending data to multiple clients instead of sending a copy of the data to each client over a separate connection. In this method of deployment, the operating system image is sent to a distribution point. This in turn deploys the image when client computers request the deployment. For more information about deploying operating systems to multiple clients, see Planning a Multicast Strategy in Configuration Manager. Bootable Media Deployments: Bootable media deployments let you deploy the operating system when the destination computer starts. When the destination computer starts, it retrieves the task sequence, the operating system image, and any other required content from the network. Because that content is not included on the media, you can update the content without having to re-create the media.
1903

For more information about bootable media, see the Operating System Deployments by Using Bootable Media section of the Planning for Media Operating System Deployments in Configuration Manager topic. Stand-alone Media Deployments: Stand-alone media deployments let you deploy operating systems in the following conditions: In environments where it is not practical to copy an operating system image or other large packages over the network. In environments without network connectivity or low bandwidth network connectivity.

For more information about stand-alone media, see the Operating System Deployments by Using Stand-Alone Media section of the Planning for Media Operating System Deployments in Configuration Manager topic. Pre-staged Media deployments: Pre-staged media deployments let you deploy an operating system to a computer that is not fully provisioned. The pre-staged media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. Later, when the computer starts in the System Center 2012 Configuration Manager environment, the computer starts by using the boot image provided by the media, and then connects to the site management point for available task sequences that complete the download process. This method of deployment can reduce network traffic because the boot image and operating system image are already on the destination computer. Starting at Configuration Manager SP1, you can specify applications, packages, and driver packages to include in the pre-staged media. For more information about pre-staged media, see the Operating System Deployments by Using Prestaged Media section of the Planning for Media Operating System Deployments in Configuration Manager topic. Note For information about the advantages and disadvantages of each method, see Determine the Operating System Deployment Method to Use in Configuration Manager.

Capturing and Deploying an Operating System Image

There are three basic actions that you have to take when you want to use Configuration Manager to deploy an operating system image to a collection of one or more destination computers: 1. Build and capture an image and distribute it to distribution points. 2. Create and configure the task sequence that installs the operating system image. 3. Deploy the task sequence.

1904

Create the Image and Distribute it to Distribution Points

Operating system images are WIM files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. The operating system image is built and captured from a reference computer that you configure with all the required operating system files, support files, software updates, tools, and other software applications. You can build the reference computer manually or use a task sequence to automate some or all of the build steps. Similar to other Configuration Manager content, the operating system image is distributed to the distribution point as a package. When the package arrives at the distribution point, the content of the package is stored on the distribution point. For more information about operating system images, see Planning for Deploying Operating System Images in Configuration Manager.

Create and Configure the Appropriate Deployment Task Sequence

After you have created the reference computer and captured an operating system image from that computer, you can use a task sequence to configure how to deploy that image to a destination computer. For information about how you can use task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Deploy the Task Sequence

After you create your task sequences, you can deploy the task sequence to the collections that contain the destination computers. For information about how to deploy a task sequence, see the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic. Tip You can use System Center 2012 Configuration Manager Upgrade Assessment Tool to determine whether the operating system on computers that are managed by Configuration Manager can run Windows 7 or Windows 8. Download the Upgrade Assessment Tool from the Microsoft Download Center site. For more information, see Configuration Manager Upgrade Assessment Tool.

Installing Device Drivers on Destination Computers

You can install device drivers on destination computers without including them in the operating system image that is being deployed. Configuration Manager provides a driver catalog that contains references to all the device drivers that you import into Configuration Manager. The driver catalog is located in the Software Library workspace and consists of two nodes: Drivers and Driver Packages. The Drivers node lists all the drivers that you have imported into
1905

the driver catalog. You can use this node to discover the details about each imported driver, to change what driver package or boot image a driver belongs to, to enable or disable a driver, and more. The Driver Packages node lists all the driver packages that you create. You can create these packages when you import drivers into the driver catalog, or you can create them directly in the Driver Packages node. For more information about how to use the driver catalog when you deploy operating systems, see Planning a Device Driver Strategy in Configuration Manager. For information about how to manage the driver catalog, see How to Manage the Driver Catalog in Configuration Manager.

Installing Additional Packages with the Operating System

When you deploy an operating system, you can also install applications, deployment tools, packages, and software update on the destination computer. The following task sequence steps are used to install these packages: Install Application Install Deployment Tools Install Package Install Software Updates

For more information about how to add steps to task sequences, see the How to Edit a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

Media Used to Deploy Operating Systems

You can create several kinds of media that can be used to deploy operating systems. This includes capture media that is used to capture operating system images and stand-alone, prestaged, and bootable media that is used to deploy an operating system. By using media, you can deploy operating systems on computers that do not have a network connection or that have a low bandwidth connection to your Configuration Manager site. For more information about how to use media, see Planning for Media Operating System Deployments in Configuration Manager.

Managing User State

When you deploy operating systems, you can save the user state from the destination computer, deploy the operating system, and then restore the user state after the operating systems is deployed. This process is typically used when you upgrade the operating system on a Configuration Manager client computer. The user state information is captured and restored by using task sequences. When the user state information is captured, the information can be stored in one of the following ways:
1906

You can store the user state data remotely by configuring a state migration point. The Capture task sequence sends the data to the state migration point. Then, after the operating system is deployed, the Restore task sequence retrieves the data and restores the user state on the destination computer. You can store the user state data locally to a specific location. In this scenario, the Capture task sequence copies the user data to a specific location on the destination computer. Then, after the operating system is deployed, the Restore task sequence retrieves the user data from that location. You can specify hard links that can be used to restore the user data to its original location. In this scenario, the user state data remains on the drive when the old operating system is removed. Then, after the operating system is deployed, the Restore task sequence uses the hard links to restore the user state data to its original location.

For more information about capturing and restoring user state, see How to Manage the User State in Configuration Manager.

Unknown Computer Deployments

You can deploy an operating system to computers that are not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. These computers are referred to as unknown computers. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

For more information about how to configure Configuration Manager for unknown computer deployments, see How to Manage Unknown Computer Deployments in Configuration Manager.

Supporting User Device Affinity

When you deploy an operating system, you can associate users with the destination computer to support user device affinity actions. When you associate a user with the destination computer, the administrative user can later perform actions on whichever computer is associated with that user, such as deploying an application to the computer of a specific user. However, when you deploy an operating system, you cannot deploy the operating system to the computer of a specific user. For more information about how to associate the destination computer to users, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager.

1907

Deploying Operating Systems to NAP-enabled Environments

You can deploy operating systems in environments that use Network Access Protection (NAP). NAP provides a mechanism to manage the compliance of software updates on Configuration Manager clients. When you deploy operating systems to the destination computers, you must make sure that the NAP enforcement mechanism and the Windows Network Access Protection Service are enabled and interact correctly with the Configuration Manager client on the destination computer. For more information about how to deploy operating systems to NAP-enabled environments, see Planning for Operating System Deployments in a NAP-Enabled Environment.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed since Configuration Manager 2007: You can apply Windows Updates by using Component-Based Servicing to update the WIM files that are stored in the Image node of the Software Library workspace. The Task Sequence Media Wizard includes steps to add prestart command files (formerly pre-execution hooks) to pre-staged media, bootable media, and stand-alone media. For more information about how to deploy operating systems, including using prestart commands when you create media, see one of the following sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic: How to Create Prestaged Media How to Create Bootable Media How to Create Stand-alone Media

When you create media that deploys an operating system, you can configure the Task Sequence Media Wizard to suppress the Task Sequence wizard during operating system installation. This configuration enables you to deploy operating systems without end-user intervention. For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager.

You can define a deployment in a prestart command that overrides existing deployments to the destination computer. Use the SMSTSPreferredAdvertID task sequence variable to configure the task sequence to use the specific Offer ID that defines the conditions for the deployment. You can use the same task sequence media to deploy operating systems to computers anywhere in the hierarchy.

1908

For more information about how to create media by using the Task Sequence Media Wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager. The Capture User State task sequence action and the Restore User State task sequence steps support new features from the User State Migration Tool (USMT) version 4. For more information about capturing and restoring the user state, see How to Manage the User State in Configuration Manager. You can use the Install Application task sequence step to deploy applications when you deploy an operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager. You can associate a user with the computer where the operating system is deployed to support user device affinity actions. For more information about creating an association between users and the destination computer, see How to Associate Users with a Destination Computer. For more information about how to manage user device affinity, see How to Manage User Device Affinity in Configuration Manager. The functionality of the PXE service point and its configuration is moved to the distribution point to increase scalability. For more information about creating a distribution point that accepts PXE requests, see the Creating Distribution Points that Accept PXE Requests section of the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. CMTrace, the Configuration Manager log viewer tool, is added to all boot images that are added to the Software Library. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager.

Whats New in Configuration Manager SP1

The following items are new or have changed for operating system deployment in Configuration Manager SP1: Changes to Configuration Manager Setup: Configuration Manager SP1 uses the Windows Assessment and Deployment Kit (Windows ADK) instead of Windows Automated Installation Kit (Windows AIK) to deploy an operating system. Before you run Setup, you must download and install Windows ADK on the site server and the provider computer. The USMT for Windows 8 is installed as part of the Windows ADK. At the top-level site, Setup automatically creates the package for this new version of USMT at the site. Setup automatically updates default boot images at the site. You must manually update any custom boot images. The default task sequences were changed to optimize the deployment of operating systems starting with Windows 7.
1909

Changes to task sequences:

Support for computers that are in Unified Extensible Firmware Interface (UEFI) mode. The task sequence sets the SMSTSBootUEFI built-in task sequence variable when it detects a computer that is in UEFI mode. The default task sequence automatically partitions the computer based on whether it was booted in UEFI mode or BIOS mode (conditioned based on the value of the _SMSTSBootUEFI variable). The build and capture task sequence was updated to apply an operating system image instead of running Setup.exe for installation. You can still run Setup.exe for Windows 8 deployments by editing the task sequence in the task sequence editor. Support for operating system deployments to devices with limited available disk space, such as embedded devices. You can configure the Apply Operating System Image step to install the image directly from a distribution point even if the task sequence deployment is configured to download content to the task sequence cache first. You can control the behavior of write filters on Windows Embedded devices when you deploy task sequences. Note For information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Changes to how you create prestaged media: You can specify applications, packages, and driver packages to deploy with the operating system. When you deploy the task sequence by using prestaged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or has been revised, the content is downloaded from the distribution point. Note For information about how to create prestaged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Changes to BitLocker support: Use the Pre-provision BitLocker task sequence step to encrypt the disk drive from Windows PE and only encrypt the space that is used by data. The result is much faster encryption times. For more information, see the Pre-provision BitLocker section in the Task Sequence Steps in Configuration Manager topic. TPM and PIN is now available as one of the key management options for the current operating system drive in the Enable BitLocker task sequence step. For more information, see the Enable BitLocker section in the Task Sequence Steps in Configuration Manager topic.

You can configure the Windows PE scratch space in the boot image properties. For more information, see the How to Modify a Boot Image section in the How to Manage Boot Images in Configuration Manager topic. Added language neutral boot images:
1910

You can use the SMSTSLanguageFolder built-in variable to change the language for information displayed by Windows PE. Languages are auto-detected and used when boot images are started from Software Center. Note For information about boot image deployments, see Planning for Boot Image Deployments in Configuration Manager.

Added the following task sequence built-in variables: SMSTSPersistContent: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction: Use this variable to run a command after the task sequence is completed. SMSTSLanguageFolder: Use this variable to change the display language of a language neutral boot image. OSDPreserveDriveLetter: This variable determines whether or not the task sequence uses the drive letter on the operating system image WIM file. In Configuration Manager with no service pack, the drive letter on the WIM file was used when it applied the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the location that you specify for the Destination setting in the Apply Operating System task sequence step. For more information about the Apply Operating System task sequence step, see the Apply Operating System Image section in the Task Sequence Steps in Configuration Manager topic. SMSTSDownloadProgram: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download. SMSTSAssignmentsDownloadInterval: Use this variable to specify the number of seconds to wait before the client tries to download the task sequence policy since the last attempt that returned no policies. You can set this variable by using a prestart command from media or PXE. SMSTSAssignmentsDownloadRetry: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE. _SMSTSBootUEFI: The task sequence sets the _SMSTSBootUEFI variable when it detects a computer that boots in UEFI mode. _SMSTSWTG: Specifies if the computer is running as a Windows To Go device. Note For more information about built-in task sequence variables, see the Task Sequence Built-in Variables in Configuration Manager topic.

Changes to software update installation to offline operating system images:

1911

Ability to continue updating an image even when one or more software updates cannot be installed. Software updates are copied from the content library on the site server instead of the package source.

Ability to provision Windows To Go in Configuration Manager. Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive the same as you pre-stage media in Configuration Manager. For more information about how to provision Windows To Go, see How to Provision Windows To Go in Configuration Manager. New site maintenance task (Delete Aged Unknown Computers) to delete information about unknown computers from the site database when it has not been updated for a specified time. For more information about site maintenance tasks, see the Planning for Maintenance Tasks for Configuration Manager section in the Planning for Site Operations in Configuration Manager topic. Better monitoring and status for task sequence content and task sequence deployments. New deployment setting lets you deploy task sequences that are available only in Windows PE. You can manage Windows PE optional components from the Optional Components tab in the properties for boot images. You can export and import driver packages from the Driver Packages node in the Software Library workspace.

Whats New in System Center 2012 R2 Configuration Manager

The following items are new or have changed for operating system deployment in System Center 2012 R2 Configuration Manager: Support for Windows Server 2012 R2 and Windows 8.1. For more information about supported operating system versions, see Prerequisites For Deploying Operating Systems in Configuration Manager. Support for boot images created by using the Windows Automated Installation Kit (Windows AIK) for Windows 7 SP1 and based on Windows PE 3.1. For more information about customizing and adding boot images to Configuration Manager, see How to Customize WinPE Boot Images to Use in Configuration Manager. Added support for PXE boot of IA32 UEFI computers. For more information about operating system requirement for a PXE-enabled distribution point, see the Operating System Requirements for Typical Site System Roles section of the Supported Configurations for Configuration Manager topic. Ability to create prestaged content files for task sequence content. The Create Prestaged Content action creates a compressed, prestaged content file that contains the files and associated metadata for the content in the task sequence. By default, Configuration Manager detects and adds the dependencies associated with the task sequence to the prestaged content file. You can then manually import the content at a site server, secondary site, or
1912

distribution point. For more information about prestaged content, see the Determine Whether To Prestage Content section in the Planning for Content Management in Configuration Manager topic. Added virtual hard disk management from the Configuration Manager console. You can create and modify virtual hard disks, and upload them to Virtual Machine Manager. New task sequence steps: Run PowerShell Script: This task sequence step runs the specified Windows PowerShell script on the target computer. Check Readiness: This task sequence step verifies that the target computer meets the specified deployment prerequisite conditions. Set Dynamic Variables: This task sequence step gathers information and sets specific task sequence variables with the information. Then, it evaluates defined rules and sets task sequence variables based on the variables and values configured for rules that evaluate to true. Note For more information about task sequence steps, see Task Sequence Steps in Configuration Manager. New task sequence built-in variables: SMSTSDownloadRetryCount: Use this variable to specify the number of times that Configuration Manager attempts to download content from a distribution point. SMSTSDownloadRetryDelay: Use this variable to specify the number of seconds that Configuration Manager waits before it retries to download content from a distribution point. TSErrorOnWarning: Use this variable to specify whether the task sequence engine treats the requirements not met warning from an application as a fatal error. You can set this variable to True or False. False is the default behavior. SMSTSMPListRequestTimeout: Use this variable to specify how much time a task sequence waits before it retries to install an application after it fails to retrieve the management point list from location services. By default, the task sequence waits one minute before it retries the step. This variable is applicable only to the Install Application task sequence step. _TSAppInstallStatus: The task sequence sets the _TSAppInstallStatus variable with the installation status for the application during the Install Application task sequence step. The task sequence sets the variable with one of the following values: Undefined: Set when the Install Application task sequence step has not been run. Error: Set when at least one application failed because of an error during the Install Application task sequence step. Warning: Set when no errors occur during the Install Application task sequence step, but one or more applications, or a required dependency, did not install because a requirement was not met. Success: Set when there are no errors or warning detected during the Install Application task sequence step.
1913

Note For more information about built-in task sequence variables, see Task Sequence Built-in Variables in Configuration Manager.

See Also
Operating System Deployment in Configuration Manager

Planning to Deploy Operating Systems in Configuration Manager

This section provides the planning tasks that System Center 2012 Configuration Manager requires to deploy an operating system, including information about the prerequisites that are required to deploy an operating system and information about how to determine which deployment method to use.

Operating System Deployment Planning Topics

Use the following topics to help you plan how to deploy operating systems in Configuration Manager: Prerequisites For Deploying Operating Systems in Configuration Manager Supported Operating Systems and Hard Disk Configurations for Operating System Deployment Determine the Operating System Deployment Method to Use in Configuration Manager Planning Site System Roles for Operating System Deployments in Configuration Manager Planning for Deploying Operating System Images in Configuration Manager Planning for Capturing Operating System Images in Configuration Manager Planning for Boot Image Deployments in Configuration Manager Planning a Device Driver Strategy in Configuration Manager Planning for PXE-Initiated Operating System Deployments in Configuration Manager Planning a Multicast Strategy in Configuration Manager Planning for Media Operating System Deployments in Configuration Manager Planning a Task Sequences Strategy in Configuration Manager Planning for Operating System Deployments in a NAP-Enabled Environment Planning for Operating System Deployment Interoperability

Other Resources for This Product

TechNet Library main page for System Center 2012 Configuration Manager
1914

Operating System Deployment in Configuration Manager

Prerequisites For Deploying Operating Systems in Configuration Manager

Operating system deployment in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table provides information about external tools, installation kits, and operating systems that are required to deploy operating systems in Configuration Manager.
Dependency More information

User State Migration Tool (USMT)

Configuration Manager uses a USMT package that points to USMT source files to capture and restore the user state as part of your operating system deployment. Starting in Configuration Manager SP1, Configuration Manager Setup at the toplevel site automatically creates the USMT package. In Configuration Manager without a service pack, you must create the USMT package in the Packages node under Application Management in the Software Library workspace. The required version of USMT is dependent on the operating system version that you deploy. The following table provides information about the required USMT versions.
Destination Operating System USMT version

Windows 8.1 Windows 8 Windows 7

2

USMT 5.0 USMT 5.0 USMT 5.0 USMT 4.0 USMT 3.0.1

Windows Vista SP2 Windows XP SP3

1

You can only deploy Windows 8.1 from a site server that is running System Center 2012 R2 Configuration Manager.
2

You can only deploy Windows 8 from a site server that is running Configuration Manager SP1. You can install the USMT versions at the following locations: USMT 5.0 is distributed in Windows Assessment and Deployment Kit
1915

Dependency

More information

(Windows ADK) for Windows 8 or Windows ADK for Windows 8.1. USMT 4.0 is distributed in Windows Automated Installation Kit (Windows AIK). USMT 3.0.1 is available from the Microsoft Download Center.

For more information about common user state migration scenarios, see the following: For USMT 5.0, see Common Migration Scenarios. For USMT 4.0, see Common Migration Scenarios.

For more information about capturing and restoring user state, see How to Manage the User State in Configuration Manager. Windows PE Windows PE is a Windows operating system with limited services that is used during the pre-installation and deployment of Windows operating systems. The following table provides a list of the Configuration Manager versions, the supported version of Windows AIK or Windows ADK, the Windows PE version on which the boot image is based that can be customized from the Configuration Manager console, and the Windows PE versions on which the boot image is based that you can customize by using DISM and then add the image to Configuration Manager.
Configuration Manager version Windows AIK or Windows AD K Version Windows PE versions for boot images customizable from the Configuration Manager console Supported Windows PE versions for boot images not customizable from the Configuration Manager console

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with S P1 System Center 2012 Configuration Manager with S P1 and cumulative update 2 System Center 2012 Configuration Manager with S

Windows AIK for Windows 7 Windows ADK for Windows 8 Windows ADK for Windows 8 Windows ADK for

Windows PE 3 Windows PE 4 Windows PE 4 Windows PE 4

None

None

Windows PE 3. 1 1 Windows PE 3. 1 1 and

1916

Dependency

More information

P1 and cumulative update 3 System Center 2012 R2 Configuration Manager

Windows 8 Windows Windows PE ADK for 5 Windows 8.1

Windows PE 5 Windows PE 3. 1 1

You can only add a boot image to Configuration Manager when it is based on Windows PE 3.1. Install the Windows AIK Supplement for Windows 7 SP1 to upgrade Windows AIK for Windows 7 (based on Windows PE 3) with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1). You can download Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center. For more information about how to customize a boot image and then add it to Configuration Manager, see How to Customize Windows PE Boot Images to Use in Configuration Manager. For more information about the boot images that provide Windows PE, see Planning for Boot Image Deployments in Configuration Manager. For System Center 2012 R2 Configuratio n Manager only: Windows ADK for Windows 8.1 Windows ADK is a set of tools and documentation that support the configuration and deployment of Windows operating systems. Starting in Configuration Manager SP1, Configuration Manager uses Windows ADK to automate Windows installations, capture Windows images, migrate user profiles and data, and so on. The following features of the Windows ADK must be installed on site server of the top-level site of the hierarchy, on the site server of each primary site in the hierarchy, and on the SMS Provider site system server:
1

User State Migration Tool (USMT) Windows Deployment Tools

Windows Preinstallation Environment (Windows PE)

USMT is not required on the SMS Provider site system server. Note You must manually install the Windows ADK on each computer that will host a central administration site or primary site server before you install the Configuration Manager site.

For more information about Windows ADK, see Windows Deployment with the Windows ADK.. For Configuratio n Windows ADK is a set of tools and documentation that support the configuration and deployment of Windows operating systems. Starting in Configuration Manager SP1, Configuration Manager uses Windows ADK to automate Windows
1917

Dependency

More information

Manager SP 1 only: Windows ADK for Windows 8

installations, capture Windows images, migrate user profiles and data, and so on. The following features of the Windows ADK must be installed on site server of the top-level site of the hierarchy, and on the site server of each primary site in the hierarchy: User State Migration Tool (USMT) Windows Deployment Tools Windows Preinstallation Environment (Windows PE) Note You must manually install the Windows ADK on each computer that will host a central administration site or primary site server before you install the Configuration Manager site. Before you can upgrade Configuration Manager with no service pack, you must first uninstall the Windows Automated Installation Kit (Windows AIK) before you can install the Windows ADK. For more information about Windows ADK, see Windows Deployment with the Windows ADK.. Note Cumulative update 3 for Configuration Manager SP1 adds support for Windows 8.1 and Windows Server 2012 R2 as clients. Configuration Manager SP1 with cumulative update 3 provides limited support for operating system deployment for these operating systems. This is because the Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1 is not supported with Configuration Manager SP1. However, all of the standard capture and deployment methods (such as PXE, boot media, standalone-media) are supported. Maintenance actions for images (such as applying software updates to an operating system image or boot image) that require the new Windows ADK are not supported. Those actions must be performed offline on a computer that has the Windows ADK for Windows 8.1 installed. For information about cumulative update 3, see Description of Cumulative Update 3 for System Center 2012 Configuration Manager Service Pack.

For Configuratio n Manager with no service pack only: Windows Automated

Windows AIK is a set of tools and documentation that support the configuration and deployment of Windows operating systems. Configuration Manager with no service pack, uses Windows AIK to automate Windows installations, capture Windows images, migrate user profiles and data, and so on. For more information about Windows AIK, see Windows Automated Installation Kit for Windows 7. Note When you use Configuration Manager without service pack to install a
1918

Dependency

More information

Installation Kit (Windows AIK) for Windows 7

central administration site or primary site, Configuration Manager automatically installs the Windows AIK on the site server if Windows AIK is not already installed.

Internet For more information about this requirement, see the Prerequisites for Site Information System Roles section in the Supported Configurations for Configuration Manager Services topic. (IIS) on the site system servers to run the distribution point, state migration point, and management point

Windows Deployment Services (WDS) Dynamic Host Configuratio n Protocol (DHCP) Supported operating systems and hard disk configuration s Windows device drivers

WDS is needed for PXE deployments and when you use multicast to optimize bandwidth in your deployments. For more information, see Windows Deployment Services in this topic. DHCP is required for PXE deployments. You must have a functioning DHCP server with an active host to deploy operating systems by using PXE. For more information about PXE deployments, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. For more information about the operating system versions and hard disk configurations that are supported by Configuration Manager when you deploy operating systems, see Supported Operating Systems and Hard Disk Configurations for Operating System Deployment.

Windows device drivers can be used when you install the operating system on the destination computer and when you run Windows PE by using a boot image. For more information about device drivers, see Planning a Device Driver Strategy in Configuration Manager.

1919

Configuration Manager Dependencies

The following table provides information about Configuration Manager operating system deployment prerequisites.
Dependency More information

Operating system image

Depending on the method that you plan to use to deploy operating system images, there are several dependencies that must be considered. For more information about these dependencies, see Determine the Operating System Deployment Method to Use in Configuration Manager. To deploy a device driver, you must import the device driver, enable it, and make it available on a distribution point that the Configuration Manager client can access. For more information about the driver catalog, see Planning a Device Driver Strategy in Configuration Manager. Management points transfer information between client computers and the Configuration Manager site. The client uses a management point to run any task sequences that are required to complete the operating system deployment. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager

Driver catalog

Management point

Distribution point

Distribution points are used in most deployments to store the data that is used to deploy an operating system, such as the operating system image or device driver packages. Task sequences typically retrieve data from a distribution point to deploy the operating system. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager For more information about how to install distribution points and manage content, see
1920

Dependency

More information

Configuring Content Management in Configuration Manager PXE-enabled distribution point To deploy PXE-initiated deployments, you must configure a distribution point to accept PXE requests from clients. For more information about how to configure the distribution point, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. To optimize your operating system deployments by using multicast, you must configure a distribution point to support multicast. For more information about how to configure the distribution point to support multicast, see Planning a Multicast Strategy in Configuration Manager. When you capture and restore user state data for side-by-side and refresh deployments, you must configure a state migration point to store the user state data on another computer. For more about how to configure the state migration point, see Install Site System Roles For information about how to capture and restore user state, see How to Manage the User State in Configuration Manager. Reporting services point To use Configuration Manager reports for operating system deployments, you must install and configure a reporting services point. For more information, see Configuring Reporting in Configuration Manager. Security permissions for operating system deployments The Operating System Deployment Manager security role is a built-in role that cannot be changed. However, you can copy the role, make changes, and then save these changes as a new custom security role. Here are some of the permissions that apply directly to operating system deployments: Boot Image Package: Create, Delete, Modify, Modify Folder, Move Object, Read,
1921

Multicast-enabled distribution point

State migration point

Dependency

More information

Set Security Scope Device Drivers: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report Driver Package: Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Operating System Image: Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Operating System Installation Package : Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope Task Sequence Package: Create, Create Task Sequence Media, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope

For more information about custom security roles, see the Create Custom Security Roles section in the Configuring Security for Configuration Manager topic. Security scopes for operating system deployments Use security scopes to provide administrative users with access to the securable objects used in operating system deployments, such as operating system and boot images, driver packages, and task sequence packages. For more information about security scopes, see Planning for Security Scopes in the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic.

Windows Deployment Services

Windows Deployment Services (WDS) must be installed on the same server as the distribution points that you configure to support PXE or multicast. Whether you must install WDS manually or if it is already installed on the server depends on the operating system of the server. Windows Server 2008: WDS is included in the operating system. Important
1922

PXE and multicast are not supported on computers running Windows Server 2008 or Windows Server 2008 R2 that is installed with the Server Core installation option. The Server Core installation option installs a minimal environment that avoids extra overhead and limits the roles that can be performed by the server, including WDS, which is required for PXE deployments and multicast. Windows Server 2003 (minimum version of SP2: The Windows Deployment Services role can be added by using Add or Remove Programs.

For PXE deployments, WDS is the service that performs the PXE boot. When the distribution point is installed and enabled for PXE, Configuration Manager installs a provider into WDS that uses the WDS PXE boot functions. Note The installation of WDS might fail if the server requires a restart. Other WDS configurations that must be considered include the following: The WDS installation on the server requires that the administrator is a member of the Local Administrators group. The WDS server must be either a member of an Active Directory domain or a domain controller for an Active Directory domain. All Windows domain and forest configurations support WDS.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Supported Operating Systems and Hard Disk Configurations for Operating System Deployment
Use the information in this topic to identify the operating systems and disk configurations that support the capture, creation, and deployment of operating system images by using System Center 2012 Configuration Manager.

Supported Operating Systems

All operating systems listed as supported client operating systems under Operating System Requirements for Configuration Manager Client Installation are supported for operating system deployments with the following exceptions: Clients that use the mobile device client. Windows XP Embedded Windows Storage Server 2003
1923

Windows Storage Server 2008 IA-64-based architecture computers

The following operating systems do not support the Apply operating system from an original installation source option in the Apply Operating System Image task sequence step. These operating systems must be captured by using a reference computer before being deployed to the destination computer: Windows Embedded for Point of Service 1.0 Windows Embedded for Point of Service 1.1 with SP3 Windows Embedded Standard 2009 Windows Embedded POSReady 2009 Windows Embedded Standard 7 with SP1 Windows Embedded POSReady 7 Windows Fundamentals for Legacy PCs Windows XP Tablet PC SP3 Windows Thin PC

Supported Disk Configurations

The hard disk configuration combinations on the reference and destination computers that are supported for Configuration Manager operating system deployment are shown in the following table.
Reference computer hard disk configuration Destination computer hard disk configuration

Basic disk Simple volume on a dynamic disk

Basic disk Simple volume on a dynamic disk

Configuration Manager supports capturing an operating system image only from computers that are configured with simple volumes. There is no support for the following hard disk configurations: Spanned volumes Striped volumes (RAID 0) Mirrored volumes (RAID 1) Parity volumes (RAID 5)

The following table shows an additional hard disk configuration on the reference and destination computers that is not supported with Configuration Manager operating system deployment.
Reference computer hard disk Configuration Destination computer hard disk configuration

Basic disk

Dynamic disk

1924

See Also
Planning to Deploy Operating Systems in Configuration Manager

Determine the Operating System Deployment Method to Use in Configuration Manager

There are different methods that you can use to deploy an operating system in your System Center 2012 Configuration Manager environment. Use the following tables to identify some of the installation considerations to help you determine which method to use to deploy operating systems.

PXE-Initiated Deployments
Dependencies Advantages Disadvantages Reference

Distribution point that supports PXE deployments. Windows Deployment Services installation. Firewall port configuration.

This method works well when no user is present at the destination computer and for data center environments. You can associate users with the destination computer to support usercentric management.

Optional PXE deployments require user intervention. DHCP considerations when the DHCP server is installed on the same server as the PXEenabled distribution point.

Planning for PXEInitiated Operating System Deployments in Configuration Manager

Bootable Media-Initiated Deployments

Dependencies Advantages Disadvantages Reference

Appropriate image architecture must be available on a distribution point that Configuration Manager clients

Works well for bare metal operating system deployment scenarios (no operating system

Requires a physical Plan How to Use presence at the Bootable Media destination How to Create computer. Bootable Media

1925

Dependencies

Advantages

Disadvantages

Reference

can access.

is installed). You can associate users with the destination computer to support usercentric management. As a security best practice, you can protect the media with a strong password.

Stand-alone Media-Initiated Deployments

Dependencies Advantages Disadvantages Reference

Media set of USB flash drive, CD, or DVD that contains the necessary installation files.

Use this method for computers that connect to Configuration Manager by using a low bandwidth connection. Computers do not require a connection to the System Center 2012 Configuration Manager site. As a security best practice, you can protect the media with a strong password.

All files required for the installation must be contained on the media. All device drivers required for the installation must be on the media. You cannot set an expiration date on the media.

Plan How to Use Stand-alone Media How to Create Stand-alone Media

Prestaged Media Deployments

Dependencies Advantages Disadvantages Reference

Computers must be able to access an appropriate

Supports the preloading of the operating system

You must connect to a Configuration Manager site to

Plan How to Use Prestaged Media How to Create

1926

Dependencies

Advantages

Disadvantages

Reference

image architecture on a distribution point. Boot image must have the network and mass storage drivers that computers require to complete the deployment process.

image and boot image, which is suitable for a factory or a staging center. Speeds up the onsite deployment time. Works with current task sequences to provide up-to-date deployments. As a best practice, you can passwordprotect the media for security purposes. You can associate users with the destination computer to support usercentric management.

create the media. The destination computer can be used only at the same Configuration Manager site where the media was created.

Prestaged Media

Side-by-Side Deployments
Dependencies Advantages Disadvantages Reference

State migration point site role. You must create a computer association between the source and destination computer.

When you use the state migration point role, the user state can be saved to another computer and then restored to the new computer.

State migration point must have sufficient hard disk space to store the user state data.

How to Manage the User State in Configuration Manager

1927

Configuration Manager Initiated Deployments

Dependencies Advantages Disadvantages Reference

Destination computer must be a System Center 2012 Configuration Manager client.

You can deploy an operating system image without creating additional media.

The client computer must have a connection to a Configuration Manager site. Destination computers must be Configuration Manager clients.

Planning for Deploying Operating System Images in Configuration Manager

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning Site System Roles for Operating System Deployments in Configuration Manager
The same planning steps that you consider when you set up other System Center 2012 Configuration Manager site system roles also apply when you configure roles for operating system deployments. For example, if you plan to have more than one site system role on a server, consider the combined effect of all the site system roles on network performance, memory, disk storage, processor usage, and other server resources. Operating system deployments primarily affect these resources for distribution points and state migration points. Use the following sections to help plan for distribution points and state migration points.

Distribution Points
Make sure that you have enough distribution points to support the deployment of operating systems to computers and verify the placement of these distribution points in the hierarchy. This kind of planning is basically the same as you would use for the deployment of other Configuration Manager packages. However, there are some considerations that are specific to operating system deployment.
1928

One consideration is the number of computers that can be deployed at one time from a single distribution point. You must consider the processing speed and disk I/O of the distribution point, the available bandwidth on the network, and the effect that the size of the image package has on these resources. For example, on a 100 megabyte (MB) Ethernet network, the maximum number of computers that can process a 4 gigabyte (GB) image package in one hour is 11 computers if you do not consider any other server resource factors.
8 Megabits transfers 1 Megabyte of data 100 Megabits/sec = 12.5 Megabytes/sec = 750 Megabytes/min = 45 Gigabytes/hour = 11 images @ 4GB per image

In reality, the number might be far less. So if you must deploy to a specific number of computers within a specific time frame, distribute the image package to an appropriate number of distribution points. For planning information about distribution points, see Planning for Content Management in Configuration Manager. Important Another consideration is that when you deploy operating system deployment task sequences to a collection of computers, Configuration Manager does not distinguish Configuration Manager site servers from other destination computers in the collection. If you deploy the task sequence to a collection that contains a site server, the site server runs the task sequence in the same way that any other computer in the collection runs the task sequence. Ensure that you remove the site system role from the site server before you deploy an operating system image to it, and then assign the site system role back to the site server after the operating system is deployed. In addition, if you distribute an image to a distribution point, the server has to receive its image package from a remote distribution point. You cannot distribute an image to a distribution point on the server and then deploy the task sequence that installs the operating system to the server.

PXE-Enabled Distribution Points

To deploy an operating system by using PXE, you must designate a distribution point that can respond to the PXE boot requests. The distribution point can then respond to the PXE boot request and determine the appropriate deployment actions to take. For more information about how to deploy operating systems by using PXE, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager.

Multicast-Enabled Distribution Points

To deploy an operating system to multiple computers simultaneously, you must configure a distribution point that supports multicast. For more information about how to use multicast to deploy operating systems, see Planning a Multicast Strategy in Configuration Manager.

1929

State Migration Point

The state migration point stores user state data that is captured on one computer and then restored on another computer. You must store the user state data on the state migration point when you use a side-by-side deployment. However, when you use the same computer, such as a deployment where you refresh the operating system on the destination computer, you can store the data on the same computer or on the state migration point. For some computer deployments, when you create the state store, Configuration Manager automatically creates an association between the state store and the destination computer. As you plan for the state migration point, consider the following factors.

User State Size

The size of the user state directly affects disk storage on the state migration point and network performance during the migration. Consider the size of the user state and the number of computers to migrate. Consider also what settings to migrate from the computer. For example, if My Documents is already backed up to a server, then perhaps you do not have to migrate it as part of the image deployment. Avoiding unnecessary migrations can keep the overall size of the user state smaller and decrease the effect it would otherwise have on network performance and disk storage on the state migration point.

User State Migration Tool

To capture and restore the user state during the deployment of the operating systems, you must use a User State Migration Tool (USMT) package that points to the USMT source files. You must create this package in the Software Library/Application Management/Packages folder. Configuration Manager uses USMT 4.0, which is distributed in Windows Automated Installation Kit (Windows AIK), to capture the user state from one operating system and then restores it to another operating system. For a description of different migration scenarios for USMT 4.0, see Common Migration Scenarios.

Retention Policy
When you configure the state migration point, you can specify the length of time to keep the user state data that is stored on it. The length of time to keep the data on the state migration point depends on two considerations: The effect that the stored data has on disk storage. The potential requirement to keep the data for a time in case you must migrate the data again.

State migration occurs in two phases: Capturing the data and restoring the data. When you capture the data, the user state data is collected and saved to the state migration point. When you restore the data, the user state data is retrieved from the state migration point, written to the destination computer, and then the Release State Store task sequence step
1930

releases the stored data. When the data is released, the retention timer starts. If you select the option to delete migrated data immediately, the user state data is deleted as soon as it is released. If you select the option to keep the data for a certain period of time, the data is deleted when that period of time elapses after the state data is released. The longer you set the retention period, the more disk space you are likely to require.

Selecting Drives
When you configure the state migration point, you must specify the drive on the server to store the user state migration data. You select a drive from a fixed list of drives. However, some of these drives might represent non-writable drives, such as the CD drive, or a non-network share drive. In addition, some drive letters might not be mapped to any drives on the computer. You must specify a writable, shared drive when you configure the state migration point.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Deploying Operating System Images in Configuration Manager

There are three basic actions that you must take when you use System Center 2012 Configuration Manager to deploy an operating system image to destination computers: Build and capture an image and distribute it to distribution points. Create and configure the task sequence that will install the operating system image. Deploy the task sequence.

Create the Image and Distribute it to Distribution Points

Operating system images are .WIM format files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. The operating system image is built and captured from a reference computer that you configure with all the required operating system files, support files, software updates, tools, and other software applications. You can build the reference computer manually, or use a task sequence to automate some or all of the build steps. For more information about how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager.

1931

Create and Configure the Appropriate Deployment Task Sequence

After you have created the reference computer and captured an operating system image from that computer, you can use a task sequence to configure how to deploy that image to your destination computers. For information about how you can use deployment task sequences, see Planning a Task Sequences Strategy in Configuration Manager.

Deploy the Task Sequence

After you create your task sequences, you can deploy the task sequence to the collection that contains the destination computers. For information about how to deploy a task sequence, see the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

Creating Packages for Operating System Deployments

You must create several Configuration Manager packages to support the building of a reference computer and the deployment of an operating system image to a destination computer. The following packages are required to build a reference computer: Operating system installation package Configuration Manager client installation package Sysprep package (Windows XP SP3 and Server 2003 SP2 only) Driver packages Other packages

Use the following table to find more information about the packages used to support building the reference computer.
Package More information

Operating System Installation package

The Operating System Installation Package must contain all the files necessary to install the desired Windows operating system on a reference computer. You create this package as you would any other Configuration Manager package. The task sequence will reference the source files as needed. Sysprep is a Windows system preparation tool that facilitates image creation, and the preparation of an image for deployment to
1932

Sysprep package

Package

More information

multiple destination computers. If the operating system version you are running is Windows Vista, Sysprep is already available on the computer and you do not need to specify a package. If the operating system version you are running is Windows XP or earlier, you must specify a package that contains the version of Sysprep and all its support files (no subfolders) that are appropriate for that operating system version. This package does not require a program. Configuration Manager uses the Sysprep files contained in the package. For more information about using Sysprep, see the Sysprep documentation for the version of Sysprep that supports the version of the operating system running on the reference computer. Driver package If the reference computer requires device drivers that are not included with the operating system, you must create the packages that contain the necessary Windows drivers to support hardware on the reference computer. Typically, a manufacturer supplies an INF file and other supporting files for a device driver, and sometimes an installation script as well. Refer to the documentation supplied by the manufacturer of the device driver to ensure that you create a package that includes all supporting files. You can use the following sets of task sequence steps to install driver packages: Auto Apply Drivers. This step allows you to automatically match and install device drivers as part of an operating system deployment. For information about the task sequence variables associated with this step, see Auto Apply Drivers Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Apply Driver Package. This step allows you
1933

Package

More information

to make all device drivers in a specific driver package available for use by Windows setup. For information about the task sequence variables associated with this step, see Apply Driver Package Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. The following packages are needed to deploy an image to a destination computer: Operating system image package Configuration Manager client installation package USMT packages (for user state backup and restore only) Other packages

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Capturing Operating System Images in Configuration Manager

To capture the operating system image that you want to deploy in your System Center 2012 Configuration Manager environment, you must use a reference computer.

Configuring the Reference Computer

You can configure the reference computer manually, or you can completely automate the configuration of the reference computer and capture an operating system image. The extent to which you configure the reference computer manually is up to you. You can completely automate the configuration of the reference computer by using a build and capture task sequence, you can manually configure certain aspects of the reference computer and then automate the rest using task sequences, or you can manually configure the reference computer without using task sequences. After you have captured an image from a reference computer, do not capture another operating system image from the reference computer because registry entries are created during the initial configuration. Create a new reference computer each time that you capture the operating system image. If you plan to use the same reference computer to create future operating system images,

1934

first uninstall the Configuration Manager client, and then reinstall the Configuration Manager client. The following table outlines advantages and disadvantage for an automated and manual configuration of the reference computer.
Reference computer Advantages Disadvantages

Automated configuration

The configuration can be completely unattended, which eliminates the requirement for an administrator or user to be present. You can reuse the task sequence to repeat the configuration of additional reference computers with a high level of confidence. You can modify the task sequence to accommodate differences in reference computers without having to recreate the entire task sequence.

The initial action to build a task sequence can take a long time to create and test. If the reference computer requirements change significantly, it can take a long time to rebuild and retest the task sequence.

Manual configuration

You do not have to create a task sequence or take the time to test and troubleshoot the task sequence. You can install directly from CDs without putting all the software packages (including Windows itself) into a Configuration Manager package.

The accuracy of the reference computer configuration depends on the administrator or user who configurs the computer. You must still verify and test that the reference computer is configured correctly. You cannot reuse the configuration method. Requires a person to be actively involved throughout the process.

The following table lists the basic items to consider when you configure a reference computer.
Reference computer configuration items More information

Operating system to deploy

The reference computer must be installed with

1935

Reference computer configuration items

More information

the operating system that you intend to deploy to your destination computers. For more information about the operating systems that you can deploy, see Supported Operating Systems and Hard Disk Configurations for Operating System Deployment. Appropriate service pack Make sure that the operating system running on the reference computer has the most current service pack applied. Install all software applications that you want included in the operating system image that you capture from the reference computer. You can also install software applications when you deploy the captured operating system image to your destination computers. The reference computer must be configured as a member of a workgroup. The System Preparation (Sysprep) tool is a technology that you can use with other deployment tools to install Windows operating systems onto new hardware. Sysprep prepares a computer for disk imaging or delivery to a customer by configuring the computer to create a new computer security identifier (SID) when the computer is restarted. In addition, Sysprep cleans up user and computer-specific settings and data that must not be copied to a destination computer. Important On Windows XP computers, you must copy the appropriate Sysprep files (sysprep.exe and setupcl.exe) to the C:\Sysprep folder on the reference computer. This is especially important if you deploy the image to more than one destination computer. On newer operating systems, the files are already available and no action is required. You can manually Sysprep the reference
1936

Appropriate software updates

Workgroup membership Appropriate version of Sysprep or another migration tool.

Reference computer configuration items

More information

computer by running the following command:

Sysprep /quiet /generalize /reboot

You can automate Sysprep by using the Prepare Windows for Capture task sequence step or capture media. For more information about how to create capture media, see the How to Create Capture Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic. Important The Prepare Windows for Capture task sequence step attempts to reset the local administrator password on the reference computer to a blank value before Sysprep runs. If the Local Security policy Password must meet complexity requirements is enabled, this task sequence step fails to reset the administrator password. In this scenario, disable this policy before you run the task sequence. For more information about Sysprep for Windows 8 and Windows Server 2012, see the System Preparation (Sysprep) Technical Reference topic. Appropriate tools and scripts required to mitigate installation scenarios You can install the application compatibility tools and scripts on the reference computer that are required to troubleshoot known installation scenarios on destination computers when you deploy the captured operating system image to your destination computers. You can configure the reference computer with the desktop customization properties that you want to include when you capture the operating system image from the reference computer. Desktop properties include wall paper, organizational branding, and a standard default user profile.

Appropriate desktop customization, such as wall paper, branding, and default user profile

1937

Operating System Image Deployment Considerations

Before you deploy an operating system image in Configuration Manager, consider the following factors to plan the deployment: Operating system image size Cache size of the Configuration Manager client Capturing the user and computer state Windows User State Migration Tool (USMT) package Task sequence deployment

Operating System Image Size

The size of an operating system image can be quite large. For example, the image size for Windows 7 is 3 gigabytes (GB) or more. The size of the image and the number of computers that you simultaneously deploy the operating system to affects the network performance and available bandwidth. Ensure that you test the network performance to better gauge the affect that the image deployment might have and the time it takes to complete the deployment. Configuration Manager activities that affect network performance include distributing the image to a distribution point, distributing the image from one site to another, and downloading the image to the Configuration Manager client. Also ensure that you plan for sufficient disk storage space on the distribution points that host the operating system images.

Client Cache Size

When Configuration Manager clients download content, they automatically use Background Intelligent Transfer Service (BITS) if it is available. When you deploy a task sequence that installs an operating system, you can set an option on the deployment so that Configuration Manager clients download the full image to a local cache before the task sequence runs. In general, when a Configuration Manager client must download a package, or in this scenario, an operating system image, but there is not enough space in the cache, the client checks the other packages in the cache to determine whether deleting any or all of the oldest packages will free enough disk space to accommodate the new package. If deleting any or all of the oldest packages does not free enough disk space, the client does not download the new package and the deployment fails. This scenario might occur if the cache has a large package that an administrative user has configured to persist in the cache. If deleting any or all of the oldest packages does free enough space in the cache, the client deletes them, and then downloads the new package into the cache. The default cache size on Configuration Manager clients might not be large enough for most operating system image deployments. If you plan to download the full image to the client cache,

1938

you must adjust the Configuration Manager client cache size on the destination computers to accommodate the size of the image that you are deploying. For more information about how to manage the client cache, see the Configure the Client Cache for Configuration Manager Clients section in the How to Manage Clients in Configuration Manager topic.

Capturing the User and Computer State Settings

If you plan to capture the user and computer state settings as part of your operating system deployment, you must decide whether to store the data remotely on a state migration point or locally on the destination computer. For more information about how to manage the user state, see How to Manage the User State in Configuration Manager.

Task Sequence Deployments

The task sequence that you create can deploy the operating system image on a Configuration Manager client computer in one of the following ways: Download the image and its content first to the Configuration Manager client cache from a distribution point and then install it. Install the image and its content immediately from the distribution point. Install the image and its content as it is required from the distribution point

By default, when you create the deployment for the task sequence, the image is downloaded first to the Configuration Manager client cache and then installed. For more information about task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic. If you select to download the image to the Configuration Manager client cache before you run the image, and the task sequence contains a step to repartition the hard drive, the repartition step fails because repartitioning the hard drive erases the contents of the Configuration Manager client cache. If the task sequence must repartition the hard drive, you must run the image installation from the distribution point by using the Run program from distribution point option when you deploy the task sequence.

Deploy the Operating System Image Manually

You can create a stand-alone CD, DVD set, or a USB flash drive to deploy the operating system manually to a destination computer. However, the size of the image might affect your choice of the type of stand-alone media that you create. For more information about how to create standalone media, see the How to Create Stand-alone Media section in the How to Create Stand-alone Media. In addition, if Configuration Manager does not currently manage the destination computer, you must add the computer to the Configuration Manager database before you initiate the operating system deployment process. You cannot use stand-alone media to deploy an operating system to an unknown computer. This requirement applies whether the computer has an existing operating
1939

system or not. For more information about how to import a new computer into Configuration Manager, see the How to Add a Computer to the Configuration Manager Database section in the How to Deploy Operating Systems in Configuration Manager topic.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Boot Image Deployments in Configuration Manager

Boot images are used to install the operating system on the destination computers in your System Center 2012 Configuration Manager environment. They contain a version of Windows PE that installs the operating system, as well as any additional device drivers that are required. Windows PE is a minimal operating system with limited components and services that prepare the destination computer for Windows installation.

Default Boot Images

Configuration Manager provides two boot images: One to support x86 platforms and one to support x64 platforms. These images use the following source path: \\ServerName>\SMS_SiteCode\osd\boot\<x64 or i386. All images that use this source path, including boot images that you add, are considered default boot images. When you upgrade Configuration Manager to a new version, the source boot image files (boot.wim) are updated with files from the supported version of Windows ADK. For example, if you upgrade System Center 2012 Configuration Manager SP1 to System Center 2012 R2 Configuration Manager, the source boot image files are updated from the Windows ADK for Windows 8 version to the Windows ADK for Windows 8.1 version.

Distributing Boot Images

Boot images are distributed to distribution points in the same way as you distribute other content. Consider the following factors when you deploy boot images: When deployed as part of a task sequence to a Configuration Manager client, the image is copied to and booted from the hard drive of the destination computer. For information about how to create task sequences, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic. When deployed by using bootable media, the destination computer boots from the media and loads Windows PE on the destination computer. For information about how to create

1940

bootable media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. It is important that the boot image contain any network adapter (NIC) drivers and mass storage drivers that are required to successfully run on the destination computer. Boot images are stored as WIM files. Ensure that they are always stored in a physically secure location. CMTrace is added to all boot images that are added to the Software Library. When you are in Windows PE, you can find CMTrace in the following locations:
X:\SMS\BIN\x64 X:\SMS\BIN\i386

Updating Boot Images

You can update boot images by adding or removing device drivers to the image or by editing the properties that are associated with the boot image. The device drivers that you add or remove can include new network adapters or mass storage device drivers. Consider the following factors when you update boot images: Device drivers that you add to a boot image must be imported and enabled in the device driver catalog before they can be added to the boot image. When you update a boot image, the boot image does not change any of the associated packages that the boot image references. After you make changes to a boot image, you must update the distribution points that contain a version of the boot image so that the most current version of the boot image is available. For more information, see Update Content on Distribution Points. Important You cannot schedule an update of the distribution point. You must update the distribution point manually.

Creating Boot Images for Computers that Boot in UEFI Mode

When you create a boot image for computers that boot in UEFI mode, use a boot image that matches the architecture of the computer (x86 for x86-based computers or x64-based computers). You cannot use an x86 boot image for both architectures for computers that boot in UEFI mode.

Locating Boot Images

The boot images that you can use to deploy operating systems are located in the Boot Images node of the Software Library workspace in the Configuration Manager console. It is available in

1941

the Software Library workspace of the Configuration Manager console. For more information on boot images, see How to Manage Boot Images in Configuration Manager. In addition to the tasks that you can perform from the Boot Images node, such as adding a new boot image and distributing a boot image to a destination point, you can use the Properties page of each boot image object to perform the following tasks.
Task Tab reference

Change the name, version, or comments that are associated with the boot image. View the properties of the boot image that are defined by the boot image file. Add or remove the device drivers that are used by the boot image. Enable command prompt support, enable prestart commands and specify the files associated with the command, and change the Windows PE background. Change the image index and content setting.

General tab Images tab Drivers tab Customization tab

Data Source tab

Specify how the boot image is stored on the Data Access tab distribution points where the image is deployed. Specify how the boot image is distributed to sites from distribution points. View the locations where the boot image is assigned. View which administrative users have permissions on the boot image. Distribution Setting tab Content Locations tab Security tab

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning a Device Driver Strategy in Configuration Manager

Configuration Manager provides a driver catalog that you can use to manage the Windows device drivers in your System Center 2012 Configuration Manager environment. You can use the driver
1942

catalog to import device drivers into Configuration Manager, to group them in packages, and to distribute those packages to distribution points where you can access them when you deploy an operating system. Device drivers can be used when you install the full operating system on the destination computer and when you install Windows PE by using a boot image. Windows device drivers consist of a Setup Information File (INF) file and any additional files that are required to support the device. When an operating system is deployed, Configuration Manager obtains the hardware and platform information for the device from its INF file.

Importing Windows Device Drivers

You must import device drivers into the driver catalog before you can use them when you deploy an operating system. To better manage your device drivers, import only those device drivers that you plan to install as part of your operating system deployment. However, you can also store multiple versions of device drivers in the driver catalog to provide an easy way to upgrade existing device drivers when hardware device requirements change on your network. For more information about how to import device drivers, see the How to Import Windows Device Drivers section in the How to Manage the Driver Catalog in Configuration Manager topic.

Device Driver Categories

When you import device drivers, you can assign the device drivers to a category. Device driver categories help group similarly used device drivers together in the driver catalog. For example, you can assign all network adapter device drivers to a specific category. Then, when you create a task sequence that includes the Auto Apply Drivers step, you can specify a specific category of device drivers. Configuration Manager then scans the hardware and selects the applicable drivers from that category to stage on the system for Windows Setup to use.

Creating Driver Packages

You can group similar device drivers in packages to help streamline operating system deployments; for example, you might decide to create a driver package for each computer manufacturer on your network. You can create a driver package while you are importing drivers into the driver catalog, or you can create them directly in the Driver Packages node. After the driver package is created, it must be distributed to distribution points from which Configuration Manager client computers can install the drivers as they are required. Driver packages also provide you the flexibility to distribute device driver content to only those distribution points that require them. When you create a driver package, the source location of the package must point to an empty network share that is not used by another driver package, and the SMS Provider must have Read and Write permissions to that location.

1943

For information about how to create a driver package from the Driver Packages node, see the How to Create Driver Packages section in the How to Manage the Driver Catalog in Configuration Manager topic. When you add device drivers to a driver package, Configuration Manager copies the device driver to the driver package source location. You can add only device drivers that have been imported and that are enabled in the driver catalog to a driver package. For information about how to add a device driver to a driver package, see the How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images section in the How to Manage the Driver Catalog in Configuration Manager topic. If you want to copy a subset of the device drivers from an existing driver package, create a new driver package, add the subset of device drivers to the new package, and then distribute the new package to a distribution point.

Adding Device Drivers to Boot Images

You can add Windows device drivers that have been imported into the driver catalog to boot images. Use the following guidelines when you add device drivers to a boot image: Add only mass storage and network adapter device drivers to boot images because other types of drivers are not generally required. Drivers that are not required increase the size of the boot image unnecessarily. Add only device drivers for Windows 7 to a boot image because the required version of Windows PE is based on Windows 7. Ensure that you use the correct device driver for the architecture of the boot image. Do not add an x86 device driver to an x64 boot image.

For information about how to add a device driver to boot images, see the How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images section in the How to Manage the Driver Catalog in Configuration Manager topic.

Installing Device Drivers by Using Task Sequences

Use task sequences to automate how the operating system is deployed. Each step in the task sequence can perform a specific action, such as installing a device driver. You can use the following two task sequence steps to install device drivers while you are deploying operating systems: Auto Apply Drivers. This step lets you automatically match and install device drivers as part of an operating system deployment. You can configure the task sequence step to install only the best matched driver for each detected hardware device, or specify that the task sequence step installs all compatible drivers for each detected hardware device, and then let Windows Setup choose the best driver. In addition, you can specify a category of device drivers to limit the drivers that are available for this step.

1944

Apply Driver Package. This step lets you make all device drivers in a specific driver package available for Windows Setup. In the specified driver packages, Windows Setup searches for the device drivers that are required. Also use this step if you require device drivers as part of your stand-alone media deployment.

When you use these task sequence steps, you can also specify how the device drivers are installed on the computer where you deploy the operating system.

Driver Catalog Reports

You can use several reports in the Driver Management reports category to determine general information about the device drivers in the driver catalog. For more information about reports, see Reporting in Configuration Manager.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for PXE-Initiated Operating System Deployments in Configuration Manager

There are several configuration decisions to consider before you use the pre-execution environment (PXE) to initiate the deployment of the operating system in your System Center 2012 Configuration Manager environment.

PXE Deployments and Windows Deployment Services

Windows Deployment Services (WDS) must be installed on the same server as the distribution point that you use to deploy the operating system. For more information about WDS and other operating system deployment prerequisites, see Prerequisites For Deploying Operating Systems in Configuration Manager.

Configuring Distribution Points to Support PXEInitiated Deployments

To initiate an operating system deployment by using PXE, you must configure a distribution point to accept PXE requests from the destination computers where the operating system is deployed. There are two ways to configure a distribution point to support PXE requests. You can set the appropriate PXE settings when you install the distribution point by using the Create Site System

1945

Server Wizard, or you can configure the PXE setting on an existing distribution point by using the Property page for the distribution point. For distribution point considerations that are not specific to PXE, see the Plan for Distribution Points section in the Planning for Content Management in Configuration Manager topic. You can configure the following PXE options for the distribution point: You must specify that the distribution point supports PXE requests from clients. You can specify if Windows Deployment Services is enabled or disabled for the distribution point. You can specify that the distribution point accepts PXE requests from unknown computers. Unknown computers are computers that are not managed by Configuration Manager: the Configuration Manager client is not installed on the computer or the computer is not imported into the Configuration Manager database. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager. You can specify that a password is required to start the PXE boot. You can specify user device affinity for the destination computer. This setting allows you to associate a user with the destination computer after the operating system is deployed. For more information about how Configuration Manager uses user device affinity, see the Deploying Applications in Configuration Manager section of the Introduction to Application Management in Configuration Manager topic. You can specify that the distribution point responds to PXE requests on all network interfaces, which is the default, or if it responds to PXE requests on only specific network interfaces. You can specify how long the distribution point delays, in seconds, before it reacts to a PXE request.

For more information about operating system requirements for a PXE-enabled distribution point, see the Operating System Requirements for Typical Site System Roles section of the Supported Configurations for Configuration Manager topic.

Distributing Boot Images to the Distribution Point

You must have both an x86 and an x64 PXE-enabled boot image deployed to the distribution point for the PXE deployment to succeed. The packages for these boot images must specify that they will be deployed to distribution points that support PXE requests. When this is done, Configuration Manager distributes the boot image to the RemoteInstall folder on the distribution point. In addition, when this setting is disabled, the image is removed from the RemoteInstall folder. For information about how to create a PXE enable boot image, see the How to Create a PXE enabled Boot Image section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. Note

1946

The boot image is copied or removed locally by the distribution point when it updates the RemoteInstall folder. The boot image is not sent over the network when the folder is updated.

PXE Deployments
When you deploy operating systems by using PXE, you have the following options: Required deployment: Required deployments will use PXE without any user intervention. The user will not be able to bypass the PXE boot. However, if the user cancels the PXE boot before the distribution point responds, the operating system will not be deployed. Available deployment: Available deployments require that the user is present at the destination computer so that they can press the F12 key to continue the PXE boot process. If the user is not present to press F12, the computer will boot into the current operating system or from the next available boot device. Re-deploy a deployment: You can re-deploy a required PXE deployment by clearing the status of the last PXE deployment assigned to a Configuration Manager collection or a computer. This action resets the status of that deployment and re-deploys the most recent required deployments.

Security The PXE protocol is not secure. Ensure that the PXE server and the PXE client are located on a physically secure network, such as in a data center to prevent unauthorized access to your site.

Windows Deployment Service and Dynamic Host Configuration Protocol (DHCP)

Consider the following configuration issues if you plan to co-host the distribution point on a server running DHCP. You must have a functioning DHCP server with an active scope. Windows Deployment Services uses PXE, which requires a DHCP server. DHCP and Windows Deployment Services both require port number 67. If you co-host Windows Deployment Services and DHCP, you can move DHCP or the distribution point that is configured for PXE to a separate server. Or, you can use the following procedure to configure the Windows Deployment Services server to listen on a different port. To configure the Windows Deployment Services server to listen on a different port 1. Modify the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Pro viders\WDSPXE 2. Set the registry value to: UseDHCPPorts = 0 3. For the new configuration to take effect, run the following command on the server:
1947

WDSUTIL /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes

A DNS server is required to run Windows Deployment Services. The following UDP ports must be open on the Windows Deployment Services server. Port 67 (DHCP) Port 69 (TFTP) Port 4011 (PXE) Note In addition, if DHCP authorization is required on the server, you need DHCP client port 68 to be open on the server.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning a Multicast Strategy in Configuration Manager

Multicast is a network optimization method that you can use in your System Center 2012 Configuration Manager environment where multiple clients are likely to download the same operating system image at the same time. When multicast is used, multiple computers simultaneously download the operating system image as it is multicast by the distribution point, rather than having the distribution point send a copy of the data to each client over a separate connection.

Multicast Deployment Process

The following flowchart shows the process that you must follow to deploy operating systems by using multicast.

1948

Multicast and Windows Deployment Services

Windows Deployment Services (WDS) must be installed on the same server as the distribution point that you use to multicast the operating systems image. For more information about WDS and other operating system deployment prerequisites, see Prerequisites For Deploying Operating Systems in Configuration Manager.

Enable a Distribution Point to Support Multicast

To deploy operating system images by using multicast, you must provide a distribution point that supports multicast deployments. There are two ways to configure a distribution point to support multicast deployments. You can set the multicast settings when you install the distribution point by using the Create Site System Server Wizard, or you can configure the multicast settings on an existing distribution point by using the Property page for the distribution point. For more information about how to configure the distribution point and configure the operating system image to support multicast, see How to Manage Multicast in Configuration Manager. When you create a distribution point there are other configuration issues that need to be considered in addition to configuring the distribution point for multicast support. For more information about the attributes that you can configure for your distribution point, see Planning for Content Management in Configuration Manager.
1949

Specify When the Operating System Image is Available

You can further conserve bandwidth by configuring when the operating system image is deployed from the distribution point. This consolidates the client requests into a specific time frame, which optimizes the benefits of multicast but might require clients to wait before the operating system package is available. The multicast session starts when it replies to a service location request from a client computer. The distribution point can be configured to require a specified number of requests before it begins to multicast, or it can wait a specified number of minutes after the first request before it begins to multicast. The multicast session ends when the maximum number of client requests is reached. Clients can join a multicast session already in progress. When the multicast is complete, the client will then download missing portions of the package.

Deploying Content when Running a Task Sequence

When you deploy the task sequence that multicasts the operating system, the content referenced by the task sequence must be downloaded locally from the distribution point to the destination computers. When you deploy your task sequence you can specify that the content is downloaded locally when it is needed by the task sequence or that all the content is downloaded before the task sequence is run. These deployment options are specified on the Distribution Points page when you deploy the task sequence. For more information about how to specify that the content is downloaded locally from the distribution point, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Media Operating System Deployments in Configuration Manager

You can use media to capture an operating system image from a reference computer or to deploy an operating system to a destination computer in your System Center 2012 Configuration Manager environment. The media that you create can be a CD, DVD set, or a USB flash drive. Media is used mostly to deploy operating systems on destination computers that do not have a network connection or that have a low bandwidth connection to your Configuration Manager site. However, deployment media is also used to start an operating system deployment outside of an
1950

existing Windows operating system. This second use of deployment media is important for times when there is no operating system on the destination computer, the operating system is in a nonoperable state, or the administrative user wants to repartition the hard disk on the destination computer. Deployment media includes bootable media, stand-alone media, and prestaged media. The content of the deployment media varies, depending on what type of media that you use. For example, stand-alone media contains the task sequence that deploys the operating system while other types of media retrieve task sequences from the management point.

Capture Media for Operating System Images

Capture media allows you to capture an operating system image from a reference computer. Capture media contains the boot image that starts the reference computer and the task sequence that captures the operating system image. For information about how to create capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Bootable Media Operating System Deployments

Bootable media contains only the boot image, optional prestart commands and their required files, and Configuration Manager binaries. When the destination computer starts, it connects to the network and retrieves the task sequence, the operating system image, and any other required content from the network. Because the task sequence is not on the media, you can change the task sequence or content without having to recreate the media. Important The packages on bootable media are not encrypted. The administrative user must take the appropriate security measures, such as adding a password to the media, to ensure that the package contents are secured from unauthorized users. For information about how to create bootable media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Prestaged Media Operating System Deployments

Prestaged media allows you to prestage bootable media and an operating system image to a hard disk prior to the provisioning process. The prestaged media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. Prestaged media contains the boot image used to start the destination computer and the operating system image that is applied to the destination computer. The task sequence that deploys the operating system is not included in the media. Prestaged media is applied to the hard drive of a new computer before the computer is sent to the end user. When the computer starts for the first time after the prestaged media has been applied, the computer starts Windows PE
1951

and connects to a management point to locate the task sequence that completes the operating system deployment process. Important The packages on prestaged media are not encrypted. The administrative user must take the appropriate security measures, such as adding a password to the media, to ensure that the package contents are secured from unauthorized users. Starting in Configuration Manager SP1, you can also specify applications, packages, and driver packages to include as part of the prestaged media. When you deploy a task sequence that uses prestaged media, the wizard checks the local task sequence cache for valid content first, and if the content cannot be found or has been revised, the wizard downloads the content from the distribution point. For information about how to create prestaged media, see the How to Create Prestaged Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Stand-Alone Media Operating System Deployments

Stand-alone media contains everything that is required to deploy the operating system. This includes the task sequence and any other required content. Because everything that is required to deploy the operating system is stored on the stand-alone media, the disk space required for stand-alone media is significantly larger than the disk space required for other types of media. The following actions are not supported for stand-alone media: Automatic application of device drivers from the driver catalog. Installing software updates. Installing software before deploying an operating system. Installing dependencies for applications that are specified as part of the task sequence. Associating users with the destination computer to support user device affinity.

For information about how to create stand-alone media, see the How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Using the Install Package Step in Stand-Alone Media

The central administration site does not have the necessary client configuration policies that are required to enable the software distribution agent during the execution of the task sequence. When you create stand-alone media for a task sequence at the central administration site, and the task sequence includes an Install Package step, the following error might appear in the CreateTsMedia.log file:
WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

1952

For stand-alone media that includes an Install Package step, you must create the stand-alone media at a primary site that has the software distribution agent enabled or add a Run Command Line step after the Setup Windows and ConfigMgr step and before the first Install Package step. The Run Command Line step runs a WMIC command to enable the software distribution agent before the first Install package step runs. You can use the following in your Run Command Line task sequence step: Command Line: WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE For more information about creating stand-alone media, see How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

Media Considerations When Using Site Systems Configured for HTTPS

When your management point and distribution points are configured to use HTTPS communication, you must create boot media and prestaged media at a primary site, not the central administration site. Also, consider the following to help you determine whether to configure the media as dynamic or site-based: To configure the media as dynamic media, all primary sites must have the root CA of the site from which you created the media. You can import the root CA to all primary sites in your hierarchy. When primary sites in your Configuration Manager hierarchy use different root CAs, you must use site-based media at each site.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning a Task Sequences Strategy in Configuration Manager

You can create task sequences that perform a variety of tasks within your System Center 2012 Configuration Manager environment. These tasks range from capturing an operating system on a reference computer to deploying the operating system to one or more destination computers. The actions of the task sequence are defined in the individual steps of the sequence. When the task sequence is run, the actions of each step are performed at the command-line level without requiring user intervention.

1953

You can deploy a task sequence to a collection that contains computers; however, you cannot deploy a task sequence to a user collection.

Task Sequence Steps and Actions

Steps are the basic components of a task sequence. They can contain commands that configure and capture the operating system of a reference computer, or they can contain commands that install the operating system, drivers, the Configuration Manager client, and software on the destination computer. The commands of a task sequence step are defined by the actions of the step. There are two types of actions. An action that you define by using a command-line string is referred to as a custom action. An action that is predefined by Configuration Manager is referred to as a built-in action. A task sequence can perform any combination of custom and built-in actions. Task sequence steps can also include conditions that control how the step behaves, such as stopping the task sequence or continuing the task sequence if an error occurs. Conditions are added to the step by including a task sequence variable to the step. For example, you could use the SMSTSLastActionRetCode variable to test the condition of the previous step. Variables can be added to a single step or a group of steps. Task sequence steps are processed sequentially, which includes the action of the step and any conditions that are assigned to the step. When Configuration Manager starts to process a task sequence step, the next step is not started until the previous action has completed. A task sequence is considered complete when all its steps have been completed or when a failed step causes Configuration Manager to stop running the task sequence before all its steps are completed. For example, if the step of a task sequence cannot locate a referenced image or package on a distribution point, the task sequence contains a broken reference and Configuration Manager stops running the task sequence at that point unless the failed step has a condition to continue when an error occurs. Important By default, a task sequence fails after one step or action fails. If you want the task sequence to continue after a task sequence step fails, edit the task sequence, click the Options tab, and then select Continue on error. For more information about the steps that can be added to a task sequence, see Task Sequence Steps in Configuration Manager.

Task Sequence Groups

Groups are multiple steps within a task sequence. A task sequence group consists of a name, an optional description, and any optional conditions that are evaluated as a unit before that task sequence continues with the next step. Groups can be nested within each other, and a group can contain a mixture of steps and subgroups. Groups are useful for combining multiple steps that share a common condition.
1954

Important By default, a task sequence group fails when any step or embedded group within the group fails. If you want the task sequence to continue when a step or embedded group fails, edit the task sequence, click the Options tab, and then select Continue on error. The following table shows how the Continue on error option works when you group steps. In this example, there are two groups of task sequences that contain three task sequence steps each.
Task sequence group or step Continue on error setting

Task Sequence Group 1 Task Sequence Step 1 Task Sequence Step 2 Task Sequence Step 3 Task Sequence Group 2 Task Sequence Step 4 Task Sequence Step 5 Task Sequence Step 6

Continue on error selected. Continue on error selected. Not set. Not set. Not set. Not set. Not set. Not set.

If task sequence step 1 fails, the task sequence continues with task sequence step 2. If task sequence step 2 fails, the task sequence does not run task sequence step 3 but continues to run task sequence steps 4 and 5, which are in a different task sequence group. If task sequence step 4 fails, no more steps are run, and the task sequence fails because the Continue on error setting was not configured for task sequence group 2.

You must assign a name to task sequence groups, although the group name does not have to be unique. You can also provide an optional description for the task sequence group.

Task Sequence Variables

Task sequence variables are a set of name and value pairs that supply configuration and operating system deployment settings for computer, operating system, and user state configuration tasks on a Configuration Manager client computer. Task sequence variables provide a mechanism to configure and customize the steps in a task sequence. When you run a task sequence, many of the task sequence settings are stored as environment variables. You can access or change the values of built-in task sequence variables, and you can create new task sequence variables to customize the way a task sequence runs on a destination computer.

1955

You can use task sequence variables in the task sequence environment to perform the following actions: Configure settings for a task sequence action Supply command-line arguments for a task sequence step Evaluate a condition that determines whether a task sequence step or group is run Provide values for custom scripts used in a task sequence

For example, you might have a task sequence that includes a Join Domain or Workgroup task sequence step. The task sequence might be deployed to different collections, where the membership of the collection is determined by domain membership. In that case, you can specify a per-collection task sequence variable for each collections domain name and then use that task sequence variable to supply the appropriate domain name in the task sequence.

Creating Task Sequence Variables

You can add new task sequence variables to customize and control the steps in a task sequence. For example, you can create a task sequence variable to override a setting for a built-in task sequence step. You can also create a custom task sequence variable to use with conditions, command lines, or custom steps in the task sequence. When you create a task sequence variable, the task sequence variable and the associated value is preserved within the task sequence environment, even when the sequence restarts the destination computer. The variable and its value can be used within the task sequence across different operating system environments. For example, it can be used in a full Windows operating system and in the Windows PE environment. The following table describes the methods to create a task sequence variable and additional usage information.
Create method Usage

Setting fields in task sequence steps by using the Task Sequence Editor

Specifies default values for the task sequence step. The variable and value are accessible only when the step runs in the task sequence. They are not part of the overall sequence environment, and they are not accessible by other task sequence steps in the task sequence. For a list of the built-in variables and their associated actions, see Task Sequence Action Variables in Configuration Manager.

Adding a set task sequence variable step in a task sequence

Specifies the task sequence variable and value in the task sequence environment when the task sequence step is run as part of a task sequence. All subsequent task sequence steps
1956

Create method

Usage

can access the environment variable and its value. Defining a per-collection variable Specifies task sequence variables and values for a collection of computers. All task sequences targeted to the collection can access the task sequence variables and their values. Specifies task sequence variables and values for a particular computer. All task sequences targeted to the computer can access the task sequence variables and their values. Specifies task sequence variables and values for the task sequence that is run from the media that can access the task sequence variable and its value.

Defining a per-computer variable

Adding a task sequence variable on the Customization page of the Task Sequence Media Wizard

To override the default value for a built-in task sequence variable, you must define a task sequence variable with the same name as the built-in task sequence variable. For a list of built-in task sequence variables with the associated actions and usage, see Task Sequence Built-in Variables in Configuration Manager. You can delete a task sequence variable from the task sequence environment by using the same methods as creating a task sequence variable. In this case, to delete a variable from the task sequence environment, you set the task sequence variable value to an empty string. You can combine methods to set an environment task sequence variable to different values for the same sequence. In an advanced scenario, you might set the default values for steps in a sequence using the Task Sequence Editor and then set a custom variable value using the different creation methods. The following list describes the rules that determine which value is used when a task sequence variable is created by using more than one method. 1. The Set Task Sequence Variable step overrides all other creation methods. 2. Per-computer variables take precedence over per-collection variables. If you specify the same task sequence variable name for a per-computer variable and a per-collection variable, the per-computer variable value is used when the destination computer runs the deployed task sequence. 3. Task sequences can be run from media. Use the media variables in place of per-collection or per-computer variables. If the task sequence is running from media, per-computer and percollection variables do not apply and are not used. Instead, task sequence variables defined on the Customization page of the Task Sequence Media wizard are used to set values specific to a task sequence that runs from media 4. If a task sequence variable value is not set in the overall sequence environment, built-in actions use the default value for the step, as set in the Task Sequence Editor.
1957

In addition to overriding values for built-in task sequence step settings, you can also create a new environment variable for use in a task sequence step, script, command line, or condition. When you specify a name for a new task sequence variable, follow these guidelines: The task sequence variable name that you specify can contain letters, numbers, the underscore character (_), and a hyphen (-). Task sequence variable names have a minimum length of 1 character and a maximum length of 256 characters. User defined variables must begin with a letter (A-Z or a-z). User-defined variable names cannot begin with the underscore character. Only read-only task sequence variables are preceded by the underscore character Note Read-only task sequence variables can be read by task sequence steps in a task sequence but they cannot be set. For example, you can use a read-only task sequence variable as part of the command line for a Run Command Line task sequence action variable, but you cannot set a read-only variable by using the Set Task Sequence Variable action variable. Task sequence variable names are not case sensitive. For example, OSDVAR and osdvar represent the same task sequence variable. Task sequence variable names cannot begin or end with a space or contain embedded spaces. Spaces that are left at the beginning or the end of a task sequence variable name are ignored.

The following table displays examples of valid and non-valid user-specified task sequence variables.
Examples of valid user-specified variable nNames Examples of non valid user-specified variable names

MyVariable

1Variable User-specified task sequence variables cannot begin with a number.

My_Variable

MyV@riable User-specified task sequence variables cannot contain the @ symbol.

My_Variable_2

_MyVariable User-specified task sequence variables cannot begin with an underscore.

General limitations for task sequence variables: Task sequence variable values cannot exceed 4,000 characters.

1958

You cannot create or override a read-only task sequence variable. Read-only variables are designated by names that start with an underscore character (_). You can access the value of read-only task sequence variables in your task sequence; however, you cannot change their associated values. Task sequence variable values can be case sensitive depending on the usage of the value. In most cases, task sequence variable values are not case sensitive. However, some values can be case sensitive such as a variable that contains a password. There is no limit to how many task sequence variables can be created. However, the number of variables is limited by the size of the task sequence environment. For Configuration Manager with no service pack and Configuration Manager SP1, the total size of the task sequence environment cannot exceed 10 MB. Starting in System Center 2012 R2 Configuration Manager, the client uses available memory more efficiently and total size limit for the task sequence environment was increased to 32 MB.

Accessing Task Sequence Environment Variables

After you specify the task sequence variable and its value by using one of the methods from the previous section, you can use the environment variable value in your task sequences. You can access default values for built-in task sequence variables, specify a new value for a built-in variable, or use a custom task sequence variable in a command line or script. The following table outlines task sequence operations that can be performed by accessing the task sequence environment variables.
Task sequence operation Usage

Configure action settings

You can specify that a task sequence step setting is provided by a variable value when the sequence runs. To supply a task sequence step setting by using a task sequence environment variable, use the Task Sequence Editor to edit the step and specify the variable name as the field value. The variable name must be enclosed in percent signs (%) to indicate that it is an environment variable.

Supply command-line arguments

You can specify part or all of a custom command line by using an environment variable value. To supply a command-line setting by using an environment variable, use the variable name as part of the Command Line field of the Run Command Line task sequence step. The variable name must be enclosed in percent
1959

Task sequence operation

Usage

signs (%). For example, the following command line uses a built-in environment variable to write the computer name to C:\File.txt.
Cmd /C %_SMSTSMachineName% > C:\File.txt

Evaluate a step condition

You can use built-in or custom task sequence environment variables as part of a task sequence step or group condition. The environment variable value will be evaluated before the task sequence step or group runs. To add a condition that evaluates a variable value, do the following: 1. Select the step or group that you want to add the condition to. 2. On the Options tab for the step or group, select Task Sequence Variable from the Add Condition drop down. 3. In the Task Sequence Variable dialog box, specify the name of the variable, the condition that is tested, and the value of the variable.

Provide information for a custom script

Task Sequence variables can be read and written by using the Microsoft.SMS.TSEnvironment COM object while the task sequence is running. The following example illustrates a Visual Basic script file that queries the _SMSTSLogPath task sequence variable to get the current log location. The script also sets a custom variable.
dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment")

dim logPath

' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath")

1960

Task sequence operation

Usage

' You can also set a variable in the OSD environment. env("MyCustomVariable") = "varname"

For more information about how to use task sequence variables in scripts, refer to the SDK documentation

Computer and Collection Variables

You can configure task sequences to run on multiple computers or collections simultaneously. You can specify unique per-computer or per-collection information, such as specify a unique operating system product key or join all the members of a collection to a specified domain. You can assign task sequence variables to a single computer or a collection. When the task sequence starts to run on the target computer or collection, the values specified are applied to the target computer or collection. You can specify task sequence variables for a single computer or a collection. When the task sequence starts to run on the target computer or collection, the variables specified are added to the environment and the values are available to all task sequence steps in the task sequence. Warning If you use the same variable name for both a per-collection and per-computer variable, the computer variable value takes precedence over the collection variable. Task sequence variables that you assign to collections take precedence over built-in task sequence variables. For more information about how to create task sequence variables for computers and collections, see How to Create Task Sequence Variables for Computers and Collections

Task Sequence Media Variables

You can specify task sequence variables for task sequences that are run from media. When using media to deploy the operating system you add the task sequence variables and specify their values when you create the media; the variables and their values are stored on the media. Note Task sequences are stored on stand-alone media. However, all other types of media, such as prestaged media, retrieve the task sequence from a management point.

1961

You can specify task sequence variables on the Customization page of the Task Sequence Media Wizard. For information about how to create media, see How to Deploy Operating Systems by Using Media in Configuration Manager. Tip The task sequence writes the package ID and prestart command-line, including the value for any task sequence variables, to the CreateTSMedia.log log file on the computer that runs the Configuration Manager console. You can review this log file to verify the value for the task sequence variables.

Creating Task Sequences

You create task sequences by using the Create Task Sequence Wizard. The wizard can create built-in task sequences that perform specific tasks or custom task sequences that can perform many different tasks. For example, you can create task sequences that build and capture an operating system image of a reference computer, install an existing operating system image on a destination computer, or create a custom task sequence that performs a customized task. You can use custom task sequences to perform specialized operating system deployments or to perform other custom tasks. For more information about how to create task sequences, see the How to Create Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic.

Editing a Task Sequence

You edit the task sequence by using the Task Sequence Editor. The editor can make the following changes to the task sequence: You can add or remove steps from the task sequence. You can change the order of the steps of the task sequence. You can add or remove groups of steps. You can specify whether the task sequence continues when an error occurs. You can add conditions to the steps and groups of a task sequence. Important If the task sequence has any unassociated references to a package or a program as a result of the edit, you must correct the reference, delete the unreferenced program from the task sequence, or temporarily disable the failed task sequence step until the broken reference is corrected or removed. For more information about how to edit task sequences, see the How to Edit a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

1962

Deploying a Task Sequence

You can deploy a task sequence to destination computers that are in any Configuration Manager collection. This includes the All Unknown Computers collection that is used to deploy operating systems to unknown computers. However, you cannot deploy a task sequence to user collections. Important Do not deploy task sequences that install operating systems to inappropriate collections, such as the All Systems collection. Be sure that the collection that you deploy the task sequence to contains only those computers where you want the operating system to be installed. Each destination computer that receives the task sequence runs the task sequence according to the settings specified in the deployment. The task sequences itself does not contain associated files or programs. Any files that are referenced by a task sequence must already be present on the destination computer or reside on a distribution point that clients can access. In addition, the task sequence installs the packages that are referenced by programs, even if the program or package is already installed on the destination computer. Note In comparison to packages and programs, if the task sequence installs an application, the application installs only if the requirement rules for the application are met and the application is not already installed, based on the detection method that is specified for the application. The Configuration Manager client runs a task sequence deployment when it downloads client policy. To initiate this action rather than wait until the next polling cycle, see Initiate Policy Retrieval for a Configuration Manager Client. Starting in Configuration Manager SP1, when you deploy task sequences to Windows Embedded devices that are write filter enabled, you can specify whether to disable the write filter on the device during the deployment and then restart the device after the deployment. If the write filter is not disabled, the task sequence is deployed to a temporary overlay and it will not be available when the device restarts. Note When you deploy a task sequence to a Windows Embedded device, ensure that the device is a member of a collection that has a configured maintenance window. This allows you to manage when the write filter is disabled and enabled, and when the device restarts. If clients download task sequences outside of a maintenance window, the task sequence is downloaded twice. In this scenario clients will download the task sequence, disable the write filters, restart the computer, and then download the task sequence again because the task sequence was downloaded to the temporary overlay which is cleared when the device restarts.
1963

For more information about how to deploy task sequences, see the How to Deploy a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic.

Exporting and Importing Task Sequences

Configuration Manager lets you export and import task sequences. When you export a task sequence, you can include the objects that are referenced by the task sequence. These include an operating system image, a boot image, a client agent package, a driver package, and applications that have dependencies. Note The export and import process for task sequences is very similar to the export and import process for applications in Configuration Manager. For more information about how to export and import task sequences, see the How to Export and Import Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic.

Running Task Sequences

By default task sequences always run by using the Local System account. The task sequence command-line step provides the ability to run the task sequence as a different account. When the task sequence is run, the Configuration Manager client first checks for any referenced packages before it starts the steps of the task sequence. If a referenced package is not validated or is not available on a distribution point, the task sequence returns an error for the associated task sequence step. If a distributed task sequence is configured to download and run, all dependent packages and applications are downloaded to the Configuration Manager client cache. The required packages and applications are obtained from distribution points, and if the Configuration Manager client cache size is too small or the package or application cannot be found, the task sequence fails and a status message is generated. You can also specify that the client downloads the content only when it is required when you select Download content locally when needed by running task sequence, or you can use the Run program from distribution point option to specify that the client installs the files directly from the distribution point without downloading them into the cache first. The Run program from distribution point option is available only if the referenced packages have the setting Copy the content in this package to a package share on distribution points enabled on the Data Access tab of the Package properties. If a dependent package or application cannot be located by the client running the task sequence, the client immediately sends an error when the deployment is configured as Available. However, if the deployment is configured as Required, the Configuration Manager client waits and retries to download the content until the deadline, in case the content is not yet replicated to a distribution point that the client can access.

1964

When a task sequence completes successfully or fails, Configuration Manager records this in the Configuration Manager client history. You cannot cancel or stop a task sequence after it is initiated on a computer. Important If a task sequence step requires the client computer to restart, the client must be able to boot to a formatted disk partition. Otherwise, the task sequence fails regardless of any error handling that is specified by the task sequence. When a dependent object of a task sequence, such as a software distribution package, is updated to a newer version, any task sequence that references the package is automatically updated and it references the newest version, regardless of how many updates have been deployed. Note Before a Configuration Manager client runs a task sequence, the client checks all task sequences for possible dependencies and the availability of those dependencies on a distribution point. If the client finds a deleted object that the task sequence depends on, the client generates an error and does not run the task sequence.

Run a Program Before the Task Sequence is Run

You can select a program that runs before the task sequence is run. To specify a program to run first, open the Properties dialog box for the task sequence and select the Advanced tab to set the following options: Important To run a program before the task sequence is run, all content for the task sequence and program must be available on a package share for the package. You configure the package share on the Data Access tab in the properties for the package. Run another program first: Specify that you want another program to run before the task sequence is run. Important This setting applies only to task sequences that run in the full operating system. Configuration Manager ignores this setting if the task sequence is started by using PXE or boot media. Package: Specify the package that contains the program. Program: Specify the program to run. Always run this program first: Specify that you want Configuration Manager to run this program every time it runs the task sequence on the same client. By default, after a program is run successfully, the program is not run again if the task sequence is rerun on the same client.

If the selected program fails to run on a client, the task sequence is not run.

1965

Running Task Sequences in a Maintenance Window

You can specify when the task sequence can run by defining a maintenance window for the collection that contains your destination computers. Maintenance windows are configured with a start date, a start and finish time, and a recurrence pattern. In addition, when you set the schedule for the maintenance window you can specify that the maintenance window applies only to task sequences. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Important When you configure a maintenance window to run a task sequence, once the task sequences starts it continues to run even if the maintenance window closes. The task sequence will either complete successfully or fail.

Task Sequences and the Network Access Account

Although task sequences run only in the context of the Local System account, you might need to configure the Network Access Account in the following circumstances: You must configure the Network Access Account correctly or the task sequence will fail if it tries to access Configuration Manager packages on distribution points to complete its task. For more information about the Network Access account, see the Configure the Network Access Account section of the Configuring Content Management in Configuration Manager topic. Note The Network Access Account is never used as the security context for running programs, installing applications, installing updates, or running task sequences; however, the Network Access account is used to access the associated resources on the network. When you use a boot image to initiate an operating system deployment, Configuration Manager uses the Windows PE environment, which is not a full operating system. The Windows PE environment uses an automatically generated, random name that is not a member of any domain. If you do not configure the Network Access Account correctly, the computer might not have the necessary permissions to access the required Configuration Manager packages to complete the task sequence.

Creating Media for Task Sequences

You can write task sequences and their related files and dependencies to several types of media. This includes writing to removable media such as a DVD or CD set or a USB flash drive for capture, stand-alone, and bootable media, or writing to a Windows Imaging Format (WIM) file for prestaged media. You can create the following types of media:
1966

Capture media. Capture media captures an operating system image that is configured and created outside the Configuration Manager infrastructure. Capture media can contain custom programs that can run before a task sequence runs. The custom program can interact with the desktop, prompt the user for input values, or create variables to be used by the task sequence. For more information about capture media, see the Capturing an Operating System Image by Using Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Stand-alone media. Stand-alone media contains the task sequence and all associated objects that are necessary for the task sequence to run. Stand-alone media task sequences can run when Configuration Manager has limited or no connectivity to the network. Standalone media can be run in the following ways: If the destination computer is not booted, the Windows PE image that is associated with the task sequence is used from the stand-alone media and the task sequence begins. The stand-alone media can be manually started if a user is logged on to the network and initiates the installation. Important The steps of a stand-alone media task sequence must be able to run without any retrieving any data from the network; otherwise, the task sequence step that tries to retrieve the data fails. For example, a task sequence step that requires a distribution point to obtain a package fails; however if the necessary package is contained on the stand-alone media, the task sequence step succeeds. For more information about stand-alone media, see the Operating System Deployments by Using Stand-Alone Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Bootable media. Bootable media contains the required files to start a destination computer so that it can connect to the Configuration Manager infrastructure to determine which task sequences to run based on its membership to a collection. The task sequence and dependent objects are not contained on the media; instead, they are obtained over the network from the Configuration Manager client. This method is useful for new computers or bare-metal deployments, or when no Configuration Manager client or operating system is on the destination computer. For more information about bootable media, see the Operating System Deployments by Using Bootable Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.

Prestaged media. Prestaged media deploys an operating system image to a destination computer that is not provisioned. The prestaged media is stored as a Windows Imaging Format (WIM) file that can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not connected to the Configuration Manager environment. For more information about prestaged media, see the Operating System Deployments by Using Prestaged Media section of the Planning for Media Operating System Deployments in Configuration Manager topic.
1967

When you create media, specify a password for the media to control access to the files that are contained on the media. If you specify a password, a user must be present to enter the password at the target computer when the task sequence is run. When you run a task sequence by using media, the specified computer chip architecture contained on the media will not be recognized and the task sequence attempts to run even if the architecture specified does not match what is actually installed on the target computer. If the chip architecture contained on the media does not match the chip architecture installed on the target computer, the installation fails. For more information about how to deploy operating systems by using media, see Planning for Media Operating System Deployments in Configuration Manager

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Operating System Deployments in a NAP-Enabled Environment

When you deploy an operating system and the System Center 2012 Configuration Manager client into an environment that uses Network Access Protection (NAP), you must take additional configuration steps. Failing to configure an operating system deployment correctly for Network Access Protection can result in the newly deployed computers having restricted network access with failed remediation. Clients that run Windows Vista and Windows Server 2008 natively support Network Access Protection, whereas computers running Windows XP do not natively support Network Access Protection and require the installation of an additional Network Access Protection client. For more information about the Network Access Protection Client for Windows XP, see the Network Access Protection website. Network Access Protection supports a number of enforcement mechanisms, such as IPsec, 802.1X, VPN, and DHCP. Each enforcement mechanism requires its respective Network Access Protection enforcement client to be enabled and the Windows Network Access Protection Service started and configured for automatic startup. For more information about the prerequisites to use Network Access Protection with software updates in Configuration Manager, see Prerequisites for Software Updates in Configuration Manager. Use the steps in the following sections to ensure that the enforcement mechanism and the Windows Network Access Protection Service is enabled and will interact correctly with the Configuration Manager client when you deploy an operating system into a NAP-enabled environment.

1968

The Reference Computer Is Configured for Network Access Protection

The following scenario is appropriate if all your operating system deployments are in a NAPenabled environment, using the same NAP-enforcement mechanism: 1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization. 2. If the operating system is Windows XP, install the Network Access Protection Client for Windows XP. 3. Enable the appropriate Network Access Protection enforcement clients. 4. Configure the Windows Network Access Protection service to start automatically, and start the service. 5. Capture the operating system image by using capture media. 6. Create a task sequence that references the captured image. 7. Deploy the task sequence to the destination computers. With this configuration, the Network Access Protection enforcement client and Windows Network Access Protection Service start automatically in the newly deployed computer because they are part of the image. Also, they will already be running when the Configuration Manager client installs, ensuring that the Configuration Manager client can bind to the Windows Network Access Protection Service.

The Reference Computer Is Not Configured for Network Access Protection

The following scenario would be appropriate if only some of your computers are installed into a NAP-enabled environment or if you must add the configuration for Network Access Protection to an existing captured image: 1. Configure the reference computer with the operating system, service packs, security updates, applications, settings, tools and desktop customization. 2. Capture the operating system image by using capture media. 3. Create a deployment task sequence that references the captured image. 4. If the operating system is Windows XP, add a task sequence step that will run in the newly deployed operating system to install the Network Access Protection Client for Windows XP. 5. Add a custom task sequence step that runs in the newly deployed operating system to enable the appropriate Network Access Protection enforcement clients. Note Use the command-line utility, netsh nap client set enforcement <enforcement ID> enable. For more information, see the Windows Network Access Protection documentation. For ongoing configuration, ensure that Group Policy configures the enforcement clients.
1969

6. Add a task sequence step that runs in the newly deployed operating system to configure the Windows Network Access Protection Service to start automatically, and start the service. Note For ongoing configuration, ensure that Group Policy configures this service. 7. Add a task sequence step to restart the computer. Note This restart is required to ensure that the enforcement clients and the Windows Network Access Protection Service are already running when the Configuration Manager client starts, and ensures that the Configuration Manager client can correctly bind to the Windows Network Access Protection Service. 8. Deploy the task sequence to the destination computers.

See Also
Planning to Deploy Operating Systems in Configuration Manager

Planning for Operating System Deployment Interoperability

When different Microsoft System Center 2012 Configuration Manager sites in a single hierarchy use different service pack versions, some Configuration Manager functionality is not available. Typically, functionality from the newer service pack version of Configuration Manager is not accessible at sites or by clients that run a lower service pack version. For more information, see Interoperability between Different Versions of Configuration Manager. Consider the following when you upgrade the top-level site in your hierarchy and other sites in your hierarchy run Configuration Manager with no service pack: Client installation package The source for the default client installation package is automatically upgraded to the Configuration Manager SP1 version and all distribution points in the hierarchy are updated with the new client installation package, even on distribution points at sites in the hierarchy that have not yet been upgraded to SP1. Clients that run SP1 cannot be assigned to sites that have not yet been upgraded to SP1. Assignment is blocked at the management point. When you upgrade the top-level site to Configuration Manager SP1, the default boot images (x86 and x64) are automatically updated to Windows ADK-based boot images, which use Windows PE 4. The files that are associated with the default boot images are updated with the Configuration Manager SP1 version of the files.

Boot images

1970

To prevent task sequences from failing, make sure that the version of the boot image corresponds to the version of the Configuration Manager client installation package that you configure in the task sequence. For example, a Windows AIK-based boot image that uses Windows PE 3 must correspond to the Configuration Manager with no service pack client installation package version. A Windows ADK-based boot image must correspond to the Configuration Manager SP1 client installation package version. Avoid the use of dynamic media when your site hierarchy contains sites with different versions of Configuration Manager. Instead, use site-based media to contact a specific management point until all sites are upgraded to the same version of Configuration Manager. You can import and use Windows AIK-based boot images only in a Configuration Manager site that does not have Service Pack 1 installed. You can import and use Windows ADK-based boot images only in a Configuration Manager site that has Service Pack 1 installed.

While you are actively upgrading sites in your hierarchy from Configuration Manager with no service pack to Configuration Manager SP1, use the following sections to help you with operating system deployments.

Configuration Manager SP1 Sites in a Mixed Hierarchy

When you upgrade a site to Configuration Manager SP1, task sequences that reference the default client installation package will automatically start to deploy the Configuration Manager SP1 client version. Task sequences that reference a custom client installation package will continue to deploy the version of the client that is contained in that custom package (likely the Configuration Manager with no service pack client version), and must be updated to avoid task sequence deployment failures. When you have a task sequence that is configured to use a custom client installation package, you must update the task sequence step to use the Configuration Manager SP1 version of the client installation package or update the custom package to use the Configuration Manager SP1 client installation source. Important Do not deploy a task sequence that references the Configuration Manager SP1 client installation package to clients in a Configuration Manager with no service pack site. When clients assigned to a Configuration Manager with no service pack site are upgraded to the Configuration Manager SP1 client version, Configuration Manager blocks the assignment to the Configuration Manager with no service pack site. Therefore, the client is longer assigned to any site and will be unmanaged until you manually assign the client to a Configuration Manager SP1 site or reinstall the Configuration Manager with no service pack version of the client on the computer. At Configuration Manager SP1 sites, deploy a task sequence that references a Windows ADKbased boot image, which you can only create or modify at a Configuration Manager SP1 site. Verify that the Configuration Manager SP1 boot images contain the desired customizations, and
1971

then update all distribution points in your Configuration Manager SP1 sites with the new boot images.

Configuration Manager with No Service Pack in a Mixed Hierarchy

When you have upgraded your central administration site to Configuration Manager SP1, you must take the following steps to ensure that operating system deployment task sequences that you deploy to clients assigned to a Configuration Manager with no service pack site (not yet upgraded to Configuration Manager SP1) do not leave those clients in an unmanaged state. Create a task sequence that you will use to deploy to clients only in a Configuration Manager with no service pack site. Likely, you will make a copy of a task sequence that you use to deploy to clients in a Configuration Manager SP1 site and then modify the task sequence so you can deploy it to clients in a Configuration Manager with no service pack site. Then, configure the task sequence to reference a custom client installation package that uses the Configuration Manager with no service pack client installation source. If you do not already have a custom client installation package that references the Configuration Manager with no service pack client installation source then you must manually create one. Configuration Manager SP1 adds a deployment option to make task sequence deployments available to only media and PXE. This option is not recognized by Configuration Manager clients with no service pack. Therefore, those clients will still run any deployments that are configured to use this option as long as they are included in the collection that is targeted by the deployment. Avoid using this deployment option until you have upgraded all clients in your hierarchy to Configuration Manager SP1. Important Failure to understand the implications of this interoperability consideration could result in data loss. Deploy a task sequence that references a Windows AIK-based boot image at Configuration Manager with no service pack sites. You can only create or modify a Windows AIK-based boot image at a Configuration Manager with no service pack site. Verify that the Configuration Manager with no service pack boot images contain the desired customizations, and if required, update all distribution points in your Configuration Manager with no service pack sites with the manually updated boot images.

Configuring Configuration Manager for Operating System Deployments

To deploy operating systems in System Center 2012 Configuration Manager, you might be required to perform various Configuration Manager configuration tasks based on the deployment method that you choose.

1972

Operating System Deployment Configuration Topics

Use the following topics to help you configure your Configuration Manager site: How to Manage Operating System Images and Installers in Configuration Manager How to Manage Boot Images in Configuration Manager How to Manage the Driver Catalog in Configuration Manager How to Manage Task Sequences in Configuration Manager How to Manage the User State in Configuration Manager How to Manage Unknown Computer Deployments in Configuration Manager How to Associate Users with a Destination Computer How to Manage Multicast in Configuration Manager How to Manage Virtual Hard Disks in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

How to Manage Operating System Images and Installers in Configuration Manager

Use the procedure in this topic to add an operating system image or an operating system install package to a System Center 2012 Configuration Manager site. The operating system images and install packages can then be distributed to distribution points where they can be used to deploy operating systems to destination computers.

How to Add an Operating System Image or Operating System Installer

Use the following procedures to add an operating system image or an operating system installer to a site. To add an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard.
1973

4. On the Data Source page, specify the network path to the operating system image. For example, specify \\server\path\OS.WIM for the operating system image WIM file. 5. On the General page, specify the following information, and then click Next. This information is useful for identification purposes when you add multiple operating system images to the same site. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard. You can now distribute the operating system image to the distribution points that are accessed by your deployment task sequences. To add an operating system installer 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Installers. 3. On the Home tab, in the Create group, click Add Operating System Installer to start the Add Operating System Wizard. 4. On the Data Source page, specify the network path to the installation source files of the operating system installer. For example, specify the UNC \\server\path to where the installation source files are located. 5. On the General page, specify the following information, and then click Next. This information is useful for identification purposes when you have multiple operating system installers. Name: Specify the name of the operating system installer. Version: Specify the version of the operating system installer. Comment: Specify a brief description of the operating system installer.

6. Complete the wizard. You can now distribute the operating system installer to the distribution points that are accessed by your deployment task sequences.

Apply Software Updates to an Operating System Image

Periodically, new software updates are released that are applicable to the operating system in your operating system image. You can apply applicable software updates to an image on a specified schedule. On the schedule that you specify, Configuration Manager applies the software updates that you select to the operating system image, and then optionally distributes the updated image to distribution points.
1974

Information about the operating system image is stored in the site database, including the software updates that were applied at the time of the import. Software updates that have been applied to the image since it was initially added are also stored in the site database. When you start the wizard to apply software updates to the operating system image, the wizard retrieves a list of applicable software updates that have not yet been applied to the image for you to select. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: In Configuration Manager with no service pack, when Configuration Manager failed to apply a software update, it would stop the process and not apply any additional software updates. Starting in Configuration Manager SP1, you can select the Continue on error setting for Configuration Manager to continue to apply software updates even when there is an error applying one or more of the software updates that you selected. Note In Configuration Manager with no service pack, the software updates are copied from the source location for each software update. Starting in Configuration Manager SP1, the software updates are copied from the content library on the site server. Use the following procedure to apply software updates to an operating system image. To apply software updates to an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image to which to apply software updates. 4. On the Home tab, in the Operating System Image group, click Schedule Updates to start the wizard. 5. On the Choose Updates page, select the software updates to apply to the operating system image, and then click Next. 6. On the Set Schedule page, specify the following settings, and then click Next. a. Schedule: Specify the schedule for when the software updates are applied to the operating system image. b. Continue on error: For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Select this option to continue to apply software updates to the image even when there is an error. c. Distribute the image to distribution points: Select this option to update the operating system image on distribution points after the software updates are applied.

7. On the Summary page, verify the information, and then click Next. 8. On the Completion page, verify that the software updates were successfully applied to the operating system image.

1975

Additional Actions to Manage Operating System Images or Operating System Installers

After operating system images and operating system installers are added to a site, you can perform additional actions by selecting an object in the Operating System Images or Operating System Installers list. These actions include the following:
Action Description

Distribute Content

Starts the Distribute Content Wizard to distribute the selected object to specific distribution points. Starts the Update Distribution Points Wizard to update the content on the distribution points where the selected object is distributed. The package version is incremented and the distribution points are updated with only the files that have changed in the package. Starts the Create Prestaged Content File Wizard. For information about how to create a prestaged content file, see Prestage Content on a Distribution Point. Opens the Manage Access Accounts dialog box where you can add an access account to the selected object, edit the access rights for an account, or remove an access account from the selected object. For more information about Package Access Accounts, see Technical Reference for Accounts Used in Configuration Manager

Update Distribution Points

Create Prestaged Content File

Manage Access Accounts

Move

Moves the selected object to another folder.

See Also
Configuring Configuration Manager for Operating System Deployments

1976

How to Manage Boot Images in Configuration Manager

Use the procedures in this topic to manage the boot images in your System Center 2012 Configuration Manager environment. These images are used to boot the destination computer when you deploy an operating system. Use the following sections to manage boot images: How to Add Boot Images How to Specify where Boot Images are Distributed How to Modify a Boot Image Configure Multiple Languages for Boot Image Deployment Additional Actions to Manage Boot Images

How to Add Boot Images

Boot images in Configuration Manager with no service pack use Windows PE based on Windows 7 and are created by using Windows Automated Installation Kit (Windows AIK). Starting in Configuration Manager SP1, boot images use Windows PE based on Windows 8 and are created by using the Windows Assessment and Deployment Kit (Windows ADK). An error occurs when you try to add a boot image that was not created by using the appropriate tools. For example, in Configuration Manager SP1 you will encounter an error if you try to add an image that was created by using Windows AIK. Also, if you deploy a task sequence that uses boot images created by using Windows ADK to a site that continues to run Configuration Manager with no service pack, the task sequence will fail. For more information about boot images in a Configuration Manager hierarchy with sites that run both Configuration Manager SP1 and Configuration Manager with no service pack, see Planning for Operating System Deployment Interoperability Each version of Microsoft System Center 2012 Configuration Manager supports boot images from specific versions of the Windows Automated Installation Kit (Windows AIK) or the Windows Assessment and Deployment Kit (Windows ADK). During site installation, Configuration Manager automatically adds boot images that are based on a Windows PE version from the supported version of Windows AIK or Windows ADK. Depending on the version of Configuration Manager, you might be able to add boot images based on a different Windows PE version from the supported version of Windows AIK or Windows ADK. The following table provides a list of the Configuration Manager versions, the supported version of Windows AIK or Windows ADK, the Windows PE version of the boot image that Configuration Manager adds to the Configuration Manager console during site installation, and the Windows PE versions of boot images that you can add to the Configuration Manager console.

1977

Configuration Manager version

Windows AIK or Windows ADK Version

Windows PE version of the boot image that Configuration Manager adds to the Configuration Manager console during site installation

Windows PE versions of boot images that you can add to the Configuration Manager console

System Center 2012 Configuration Manager with no service pack System Center 2012 Configuration Manager with SP1 System Center 2012 Configuration Manager with SP1 and cumulative update 2 System Center 2012 Configuration Manager with SP1 and cumulative update 3 System Center 2012 R2 Configuration Manager
1

Windows AIK for Windows 7

Windows PE 3

none

Windows ADK for Windows PE 4 Windows 8 Windows ADK for Windows PE 4 Windows 8 Windows ADK for Windows PE 4 Windows 8 Windows ADK for Windows PE 5 Windows 8.1

none Windows PE 3.1

1

Windows PE 3.1 and Windows PE 5 Windows PE 3.1

1

You can only add a boot image to Configuration Manager when it is based on Windows PE 3.1. Install the Windows AIK Supplement for Windows 7 SP1 to upgrade Windows AIK for Windows 7 (based on Windows PE 3) with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1). You can download Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center. To add a boot image, you must know the path to where the boot image file (.WIM file) is located. If the WIM file contains multiple boot images, you can select the boot image that you want to add from the WIM file. Use the following procedure to add a boot image. To add a boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard.
1978

4. On the Data Source page, specify the following options, and then click Next. In the Path box, specify the path to the boot image WIM file. Click Browse to locate a specific boot image file. The specified path must be a valid network path in the UNC format. For example: \\servername\<sharename>\bootimage.wim. Select the required boot image from the Boot Image drop-down list. If the WIM file contains multiple boot images, each image is listed. In the Name box, specify a unique name for the boot image. In the Version box, specify a version number for the boot image. In the Comment box, specify a brief description of how the boot image is used.

5. On the General page, specify the following options, and then click Next.

6. Complete the wizard. The boot image is now listed in the Boot Image node of the Configuration Manager console. However, before you can use the boot image to deploy an operating system you must distribute the boot image to distribution points, distribution point groups, or to collections that are associated with distribution point groups. Note When you select the Boot Image node in the Configuration Manager console, the Size (KB) column displays the decompressed size for each boot image. However, when Configuration Manager sends a boot image over the network, it sends a compressed copy of the image, which is typically much smaller than the size listed in the Size (KB) column.

How to Specify where Boot Images are Distributed

To distribute the boot image you must specify where the Configuration Manager client will access the boot image. You can specify single distribution points, distribution point groups, or collections that are associated with distribution point groups. For more information about distributing content in Configuration Manager, see Distribute Content on Distribution Points. Use the following procedure to specify where the boot image is distributed. To specify where the boot image is distributed 1. In the Boot Images node, select the boot image objects that you want to deploy. 2. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 3. On the General page, in the Content box, select the boot image that you want to distribute, and then click Next. 4. On the Content Destination page, click Add, and then select Collections, Distribution Point, or Distribution Point Group to display a list of the available collections that are associated with distribution point groups, distribution points, and distribution point groups.
1979

5. Select the collections, distribution points, and distribution point groups where the boot image will be distributed, and then click OK. 6. Click Next. 7. Complete the wizard.

How to Modify a Boot Image

You can modify the settings of the boot images that are listed under the Boot Image node. This includes the boot images that you create and the default boot images that are provided by Configuration Manager. These settings are configured by using the Properties page of the boot image object. Many of the boot image settings are self-explanatory, such as the Name, Version, and Comment settings on the General tab of the Properties page. Use the following procedure to change the properties of a boot image. To modify the properties of a boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. Select the boot image that you want to modify. 4. On the Home tab, in the Properties group, click Properties to open the Properties dialog box for the boot image. 5. Set any of the following settings to change the behavior of the boot image: On the Images tab, if you have changed the properties of the boot image by using an external tool, click Reload. On the Drivers tab, add the Windows device drivers that are required to boot Windows PE. Consider the following when you add device drivers: As a best practice, add only NIC and Mass Storage Drivers to the boot image unless there are requirements for other drivers to be part of Windows PE. Because Windows PE already comes with many drivers built in, add only NIC and Mass Storage Drivers that are not supplied by Windows PE. Make sure that the drivers that you add to the boot image are Windows 7 or Windows Server 2008 R2 drivers, and that they match the architecture of the boot image. Note You must import device drivers into the drivers catalog before you add them to a boot image. For information about how to import device drivers, see the How to Import Windows Device Drivers section in the How to Manage the Driver Catalog in Configuration Manager topic. On the Customization tab, select any of the following settings: Select the Enable Prestart Commands check box to specify a command to run
1980

before the task sequence is run. When prestart commands are enabled, you can then specify the command line that is run, whether support files are required to run the command, and the source location of those support files. Tip Add cmd /c to the start of the command line to avoid the need to specify the exact location on the media for the prestart command files. Tip During task sequence media creation, the task sequence writes the package ID and prestart command-line, including the value for any task sequence variables, to the CreateTSMedia.log log file on the computer that runs the Configuration Manager console. You can review this log file to verify the value for the task sequence variables. Set the Windows PE Background settings to specify whether you want to use the default Windows PE background or a custom background. Select the Enable command support (testing only) check box to open a command prompt by using the F8 key while the boot image is deployed. This is useful for troubleshooting while you are testing your deployment. Using this setting in a production deployment is not advised. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:

Configure the Windows PE scratch space, which is temporary storage (RAM drive) used by Windows PE. For example, when an application is run within Windows PE and needs to write temporary files, Windows PE redirects the files to the scratch space in memory to simulate the presence of a hard disk. By default, Windows PE allocates 32 megabytes (MB) of writeable memory.
On the Data Source tab, update any of the following settings: Set the Image path and Image index boxes to change the source file of the boot image. Select the Update distribution points on a schedule check box to create a schedule for when the boot image package is updated. Select the Persist content in client cache check box if you do not want the content of this package to age out of the client cache to make room for other content. Select the Enable binary differential replication check box to specify that only changed files are distributed when the boot image package is updated on the distribution point. This setting minimizes the network traffic between sites, especially when the boot image package is large and the changes are relatively small. Select the Deploy this boot image from the PXE service point check box if the boot image is used in a PXE deployment.
1981

Note For more information about PXE deployments, see Planning for PXEInitiated Operating System Deployments in Configuration Manager. On the Data Access tab, select any of the following settings: Set the Package share settings if you want clients to install the content in this package from the network. Set the Package update settings to specify how you want Configuration Manager to disconnect users from the distribution point. Configuration Manager might be unable to update the boot image when users are connected to the distribution point. In the Distribution priority list, specify the priority level that you want Configuration Manager to use when multiple packages are distributed to the same distribution point. Select the Distribute the content for this package to preferred distribution points check box if you want to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point distributes the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. Note For more information about preferred distribution points and on-demand content, see the Planning for Preferred Distribution Points and Fallback section of the Planning for Content Management in Configuration Manager topic. Set the Prestaged distribution point settings to specify how you want the boot image to be distributed to distribution points that are enabled for prestaged content. Note For more information about prestaged content, see the Prestage Content section of the Operations and Maintenance for Content Management in Configuration Manager topic. On the Content Locations tab, select the distribution point or distribution point group and perform any of the following actions: Click Redistribute to distribute the boot image to the selected distribution point or distribution point group again. Click Validate to check the integrity of the boot image package on the selected distribution point or distribution point group.

On the Distribution Settings tab, select any of the following settings:

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: On the Optional Components tab, specify the components that are added to
1982

Windows PE for use with Configuration Manager. For more information about available optional components, see the Building a Windows PE Image with Optional Components topic in the Windows 8 documentation library. On the Security tab, select an administrative user and change the operations that they can perform.

6. After you have configured the properties, click OK.

Configure Multiple Languages for Boot Image Deployment

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: In Configuration Manager with no service pack, while in Windows PE, text displayed by the task sequence is always in the language of Windows PE. To support multiple languages, you must create and deploy multiple boot images. Starting in Configuration Manager SP1, boot images are language neutral. This allows you to use one boot image that will display the task sequence text in multiple languages, while in Windows PE, if you include the appropriate language support from the Windows PE Optional Components and set the appropriate task sequence variable to indicate which language can be displayed. The language of the operating system that you deploy is independent from the language that is displayed when in Windows PE, regardless of the Configuration Manager version. The language that is displayed to the user is determined as follows: When a user runs the task sequence from an existing operating system, Configuration Manager automatically uses the language configured for the user. When the task sequence automatically runs as the result of a mandatory deployment deadline, Configuration Manager uses the language of the operating system. For operating system deployments that use PXE or media, you can set the language ID value in the SMSTSLanguageFolder variable as part of a prestart command. When the computer boots to Windows PE, messages are displayed in the language that you specified in the variable. If there is an error accessing the language resource file in the specified folder or you do not set the variable, messages are displayed in the Windows PE language. Note When the media is protected with a password, the text that prompts the user for the password is always displayed in the Windows PE language. Use the following procedure to set the Windows PE language for PXE or media-initiated operating system deployments. To set the Windows PE language for a PXE or media-initiated operating system deployment 1. Verify that the appropriate task sequence resource file (tsres.dll) is in the corresponding language folder on site server before you update the boot image. For example, the
1983

English resource file is in the following location: <ConfigMgrInstallationFolder>\OSD\bin\x64\00000409\tsres.dll. 2. As part of your prestart command, set the SMSTSLanguageFolder environment variable to the appropriate language ID. The language ID must be specified by using decimal and not hexadecimal. For example, to set the language ID to English, you would specify a decimal value of 1033 instead of the hexadecimal value of 00000409 used for the folder name.

Additional Actions to Manage Boot Images

In addition to adding boot images and specifying where they can be distributed, you can perform the actions on the boot images listed in the Boot Image list. These actions include the following:
Action Description

Delete

Removes the image from the Boot Image node and also removes the image from the associated distribution points. Starts the Update Distribution Points Wizard. This action updates the boot image on the distribution points where it has been distributed. The package version is incremented and the distribution points are updated with only the files that have changed in the package. Starts the Create Prestaged Content File Wizard to prestage the boot image content. For information about how to create a prestaged content file, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Opens the Manage Access Accounts dialog box where you can add an access account to a boot image, edit the access rights for an account, or remove an access account from a boot image. For more information about the Package Access Account, see Technical Reference for Accounts Used in Configuration Manager.

Update Distribution Points

Create Prestaged Content File

Manage Access Accounts

Move

Moves the boot image to another folder.

1984

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage the Driver Catalog in Configuration Manager

Use the procedures and information in this topic to manage the device drivers that are required to deploy operating systems in your System Center 2012 Configuration Manager environment. The procedures include how to import device drivers into the driver catalog, how to add and remove device drivers for driver packages and boot images, how to create driver packages, and how to install drivers on computers during the installation of the operating system. Use the following sections for more information about how to manage the driver catalog in Configuration Manager: Managing Device Drivers Managing Driver Packages How to Install Device Drivers on Computers by Using Task Sequences

For information about planning how to use the driver catalog when you deploy operating systems, see Planning a Device Driver Strategy in Configuration Manager.

Managing Device Drivers

Use these procedures and additional information to manage device drivers to perform the following: Import device drivers into the driver catalog. Add or remove device drivers to and from driver packages and boot images. Additional actions that manage device drivers.

How to Import Windows Device Drivers into the Driver Catalog

As part of the import process for the device driver, Configuration Manager reads the provider, class, version, signature, supported hardware, and supported platform information that is associated with the device. By default, the driver is named after the first hardware device that it supports; however, you can rename the device driver later. The supported platforms list is based on the information in the INF file of the driver. Because the accuracy of this information can vary, manually verify that the device driver is supported after it is imported into the driver catalog. In addition, when you import device drivers into the catalog, you can add the device drivers to driver packages or to boot image packages. Important

1985

You cannot import device drivers directly into a subfolder of the Drivers node. To import a device driver into a subfolder, first import the device driver into the Drivers node, and then move the driver to the subfolder. Use the following procedure to import Windows device drivers. To import Windows device drivers into the driver catalog 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. On the Home tab, in the Create group, click Import Driver to start the Import New Driver Wizard. 4. On the Locate Driver page, specify the following options, and then click Next: Import all drivers in the following network path (UNC) : To import all the device drivers that are contained in a specific folder, specify the network path to the device driver folder. For example: \\servername\folder. Import a specific driver: To import a specific driver from a folder, specify the network path (UNC) to the Windows device driver .INF or mass storage Txtsetup.oem file of the driver. Specify the option for duplicate drivers: Select how you want Configuration Manager to manage driver categories when a duplicate device drive is imported. Important When you import drivers, the site server must have Read permission to the folder, or the import fails. 5. On the Driver Details page, specify the following options, and then click Next: In the list of drivers, select the drivers that you want to import into the driver catalog. Enable these drivers and allow computers to install them: Select this setting to let computers install the device drivers. By default, this check box is selected. Important If a device driver is causing a problem or you want to suspend the installation of a device driver, you can disable the device driver by clearing the Enable these drivers and allow computers to install them check box. You can also disable drivers after they have been imported. To assign the device drivers to an administrative category for filtering purposes, such as "Desktops" or "Notebooks" categories, click Categories and select an existing category or create a new category. You can also use the category assignment to configure which device drivers that are applied to the deployment by the Auto Apply Drivers task sequence step.

6. On the Add Driver to Packages page, specify the following settings, and then click Next: Important
1986

This setting can help you when you use a task sequence to automate the deployment of the operating system. To install driver packages as part of a task sequence, use the Auto Apply Drivers and Apply Driver Package task sequence steps. Select the driver packages that are used to distribute the device drivers. Optionally, click New Package to create a new driver package. When you create a new driver package, you must provide a network share that is not in use by other driver packages. Clear the Update distribution points when finished check box if you do not want to update distribution points when the device drivers are added to the driver package. By default, this check box is selected because your device drivers cannot be used until they are distributed to distribution points.

7. On the Add Driver to Boot Images page, specify the following options, and then click Next: Note Add only mass storage and network device drivers to the boot images for operating system deployment scenarios. Specify the boot images that can install the imported device drivers. To update distribution points when the device drivers are added to the boot image, select the Update distribution points when finished check box. You cannot use device drivers until they are distributed to distribution points.

8. Complete the wizard.

How to Add and Remove Device Drivers That Are Associated with Driver Packages and Boot Images
Use the following procedures to modify driver packages and boot images. To add or remove device drivers, locate the drivers in the Drivers node, and then edit the packages or boot images that the selected drivers are associated with. Use the following procedure to add or remove device drivers associated with a driver package. To add or remove device drivers associated with driver packages 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. In the Drivers node, select the device drivers that you want to add to the driver package. 4. On the Home tab, in the Driver group, click Edit, and then click Driver Packages. 5. To add a device driver, select the check box of the driver packages to which you want to add the device drivers. To remove a device driver, clear the check box of the driver packages from which you want to remove the device driver. If you are adding device drivers that are associated with driver packages, you can
1987

optionally create a new package, by clicking New Package, which opens the New Driver Package dialog box. 6. If you do not want to update the distribution points where the driver package is stored, clear the Update distribution points when finished check box. By default, the distribution points are updated when the driver package is updated. 7. Click OK. Use the following procedure to add or remove device drivers associated with a boot image. To add or remove device drivers associated with a boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Drivers. 3. In the Drivers node, select the device drivers that you want to add to the driver package. 4. On the Home tab, in the Driver group, click Edit, and then click Boot images. 5. To add a device driver, select the check box of the boot image to which you want to add the device drivers. To remove a device driver, clear the check box of the boot image from which you want to remove the device driver. 6. If you do not want to update the distribution points where the boot image is stored, clear the Update distribution points when finished check box. By default, the distribution points are updated when the boot image is updated. 7. Click OK.

Additional Actions to Manage Device Drivers

You can perform additional actions to manage device drivers when you select one or more device drivers from the Drivers node. These actions include the following:
Action Description

Categorize Delete

Clears, manages, or sets an administrative category for the selected device drivers. Removes the device driver from the Drivers node and also removes the driver from the associated distribution points. Prohibits the device driver from being installed. You can temporarily disable device drivers so that Configuration Manager client computers and task sequences cannot install them when you are deploying operating systems. Lets Configuration Manager client computers and task sequences install the device driver
1988

Disable

Enable

Action

Description

when the operating system is deployed. Move Properties Moves the device driver to another folder in the Drivers node. Opens the Properties dialog box where you can review and change the properties of the device driver. For example, you can change the name and description of the device driver, enable the device driver, and specify which platforms the device driver can be run on.

Managing Driver Packages

Use the following procedure and additional information to create and manage driver packages.

How to Create Driver Packages

Use the following procedure to create a new driver package. You must add device drivers to a driver package and distribute them to distribution points before Configuration Manager clients can install the drivers. Important To create a driver package, you must have an empty network folder that is not used by another driver package. In most cases, you must create a new folder before you perform this procedure. Note When you use task sequences to install drivers, limit the number of drivers that are included in your driver packages. For installing drivers on computers running Windows XP, create driver packages that contain fewer than 150 device drivers. For computers running Windows Vista and later, create driver packages that contain less than 500 device drivers.

Use the following procedure to create a driver package. To create a driver package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Driver Packages. 3. On the Home tab, in the Create group, click Create Driver Package.
1989

4. In the Name box, specify a descriptive name for the driver package. 5. In the Comment box, enter an optional description for the driver package. Ensure that the description provides information about the contents or the purpose of the driver package. 6. In the Path box, specify an empty source folder for the driver package. Enter the path to the source folder in Universal Naming Convention (UNC) format. Each driver package must use a unique folder. Important The site server account must have Read and Write permissions to the specified source folder. The new driver package does not contain any drivers. The next step is to add drivers to the package. If the Driver Packages node contains several packages, you can add folders to the node to separate the packages into logical groups. To view the associated general, data source, distribution point, data access, and security information for the driver package, click Properties.

Additional Actions to Manage Driver Packages

You can perform additional actions to manage driver packages when you select one or more driver packages from the Driver Packages node. These actions include the following:
Action Description

Create Prestage Content file

Creates files that can be used to manually import content and its associated metadata. Use prestaged content when you have low network bandwidth between the site server and the distribution points where the driver package is stored. Removes the driver package from the Driver Packages node. Distributes the driver package to distribution points, distribution point groups, and distribution point groups that are associated with collections. Adds, modifies, or removes access accounts for the driver package. For more information about Package Access Accounts, see Technical Reference for
1990

Delete Distribute Content

Manage Access Accounts

Action

Description

Accounts Used in Configuration Manager. Move Update Distribution Points Moves the driver package to another folder in the Driver Packages node. Updates the device driver package on all the distribution points where the package is stored. This action copies only the content that has changed after the last time it was distributed. Opens the Properties dialog box where you can review and change the content and properties of the device driver. For example, you can change the name and description of the device driver, enable the device driver, and specify on which platforms the device driver can be run.

Properties

How to Install Device Drivers on Computers by Using Task Sequences

You can add steps to task sequences that install device drivers on the destination computer during the operating system deployment. You can specify the device drivers to install, or you can let Configuration Manager search the driver categories to determine the drivers to install. For more information about task sequences, see Planning a Task Sequences Strategy in Configuration Manager. Use the following procedure to install device drivers as part of the operating system deployment. You can use the one of the following Driver task sequence steps: Auto Apply Drivers Apply Driver Package To install device driver by using task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you want to modify to install the device driver, and then click Edit. 4. Move to the location where you want to add the Driver steps, click Add, and then select Drivers. 5. Add the Auto Apply Drivers step if you want the task sequence to install all the device drivers or the specific categories that are specified. Specify the options for the step on the
1991

Properties tab and any conditions for the step on the Options tab. Add the Apply Driver Package step if you want the task sequence to install only those device drivers from the specified package. Specify the options for the step on the Properties tab and any conditions for the step on the Options tab. Important You can also select Disable this step on the Options tab to disable the step if you must troubleshoot the task sequence. 6. Click OK to save the task sequence.

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage Task Sequences in Configuration Manager

Use task sequences to automatically perform tasks in your System Center 2012 Configuration Manager environment. These tasks can deploy an operating system image to a destination computer, build and capture an operating system image from a set of operating system installation files, and capture and restore user state information. Use the following sections to manage task sequences: Where Task Sequences are Located in the Configuration Manager Console How to Create Task Sequences How to Edit a Task Sequence How to Distribute the Content that is Referenced by a Task Sequence How to Deploy a Task Sequence How to Export and Import Task Sequences How to Create Task Sequence Variables for Computers and Collections Additional Actions to Manage Task Sequences

For information about how to plan your task sequence strategy, see Planning a Task Sequences Strategy in Configuration Manager. Important When you create or edit a deployment task sequence that ends in WinPE, make sure that the last step in the task sequence restarts the destination computer to the full operating system of the destination computer so that the task sequence exits correctly. If the destination computer is not restarted in this scenario, the client cannot be managed by Configuration Manager.

1992

Where Task Sequences are Located in the Configuration Manager Console

Task sequences are located in the Software Library workspace, from the Operating Systems node. Under the Operating Systems node are several nodes that contain the objects that you use to deploy operating systems. One of these is the Task Sequence node that contains all the task sequences that you can use to deploy operating systems. You can create a flat list of task sequence or you can create subfolders to manage or group task sequences. The Task Sequence node, including any subfolders that you create, is replicated throughout the Configuration Manager hierarchy.

How to Create Task Sequences

Create task sequences by using the Create Task Sequence Wizard. This wizard can create the following types of task sequences:
Task sequence type More information

Task sequences that install an existing image package

When you create this type of task sequence, the Create Task Sequence Wizard adds steps to the task sequence and then groups those steps into groups. This type of task sequence is referred to as a build and capture task sequence. The build and capture task sequence is run on a reference computer where the task sequence creates an operating system image that is based on a set of operating system source files. The operating system image can then be deployed by a deployment task sequence that includes the Apply Operating System Image step.

Task sequences that build and capture an operating system image

Custom task sequences that perform actions that are specific to your environment

When you create this type of task sequence, the Create Task Sequence Wizard does not add any steps to the task sequence. You must add steps to the task sequence after it is created.

Use the following procedures to create the different types of task sequences. To create a task sequence that installs an existing image package
1993

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, click Install an existing Image package, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence. Boot image: Specify the boot image that installs the operating system on the destination computer. The boot image contains a contain a version of Windows PE that is used to install the operating system, as well as any additional device drivers that are required. Important The architecture of the boot image must be compatible with the hardware architecture of the destination computer. 6. On the Install Windows page, specify the following settings, and then click Next. Image package: Specify the package that contains the operating system image to install. Image: If the operating system image package has multiple images, specify the index of the operating system image to install. Partition and format the target computer installing the operating system: Specify whether you want the task sequence to partition and format the destination computer before the operating system is installed. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys and standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system image is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system image is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the operating system image is deployed.
1994

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup. Join a domain: Specify whether to add the destination computer to a domain. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest, but you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, specify the Configuration Manager client package to install on the destination computer, and then click Next. 9. On the State Migration page, specify the following information, and then click Next. Capture user settings: Specify whether the task sequence captures the user state. For more information about how to capture and restore the user state, see How to Manage the User State in Configuration Manager. Tip Two deployment scenarios where you might want to capture user state: Side-by-side deployments where you want to migrate the user state from one computer to another computer. Update deployments where you want to capture and restore the user state on the same computer. Capture network settings: Specify whether the task sequence captures network settings from the destination computer. You can capture the membership of the domain or workgroup in addition to the network adapter settings. Capture Microsoft Windows settings: Specify whether the task sequence captures Windows settings from the destination computer before the operating system image is installed. You can capture the computer name, registered user and organization name, and the time zone settings.

10. On the Include Updates page, specify whether to install required software updates, all software updates, or no software updates, and then click Next. If you specify to install software updates, Configuration Manager installs only those software updates that are targeted to the collections that the destination computer is a member of. 11. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify
1995

that the task sequence continues if the installation of a specific application fails. 12. Complete the wizard. To create a task sequence that builds and captures an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Build and capture a reference operating system image. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence, such as a description of the operating system that is created by the task sequence. Boot image: Specify the boot image that installs the operating system image. Important The architecture of the boot image must be compatible with the hardware architecture of the destination computer. 6. On the Install Windows page, specify the following settings, and then click Next. Package: Specify the Operating System Installers package that is referenced by the operating system image. This package contains the files that are required to install the operating system. Edition: Specify the Windows edition for this package. If the Operating System Installers package contains multiple editions, you must select the appropriate edition for the Windows product code that is specified by the associated Product Key. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys and standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the
1996

operating system is deployed. 7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest, but you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, specify the Configuration Manager client package that contains the source files to install the Configuration Manager client, add any additional properties needed to install the client, and then click Next. For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the Include Updates page, specify whether to install required software updates, all software updates, or no software updates, and then click Next. If you specify to install software updates, Configuration Manager installs only those software updates that are targeted to the collections that the destination computer is a member of. 10. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 11. On the System Preparation page, specify the following settings, and then click Next. Package: Specify the Configuration Manager package that contains the appropriate version of Sysprep to use to capture the reference computer settings. If the operating system version that you are running is Windows Vista or later, Sysprep is automatically installed on the computer and you do not have to specify a package. If the operating system version that you are running is Windows XP SP3 or Windows Server 2003 SP2, you must specify a package that contains the version of Sysprep and its support files that is appropriate for that operating system version. This package does not require a program. Configuration Manager uses the Sysprep files contained in the package. 12. On the Images Properties page, specify the following settings for the operating system image, and then click Next.
1997

Created by: Specify the name of the user who created the operating system image. Version: Specify a user-defined version number that is associated with the operating system image. Description: Specify a user-defined description of the operating system computer image. Path: Specify a shared network folder where the output .WIM file is stored. This file contains the operating system image that is based on the settings that you specify by using this wizard. If you specify a folder that contains an existing .WIM file, the existing file is overwritten. Use the following account to access the output folder: Specify the Windows account that has permissions to the network share where the image is stored. You must copy the image to the location that is specified.

13. On the Capture Image page, specify the following settings, and then click Next.

14. Complete the wizard. To create a custom task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Create a new custom task sequence. 5. On the Task Sequence Information page, specify a name for the task sequence, a description of the task sequence, and an optional boot image for the task sequence to use, and then complete the wizard. After you complete the Create Task Sequence Wizard, Configuration Manager adds the custom task sequence to the Task Sequences node. You can now edit this task sequence to add task sequence steps to it.

How to Edit a Task Sequence

You can modify a task sequence by adding or removing task sequence steps, adding or removing task sequence groups, or by changing the order of the steps. Use the following procedure to modify an existing task sequence. Important When you edit a task sequence that was created by using the Create Task Sequence Wizard, the name of the step can be the action of the step or the type of the step. For example, you might see a step that has the name Partition disk 0, which is the action for a step of type Format and Partition Disk. All task sequence steps are documented by their type, not necessarily by the name of the step that is displayed in the Editor.
1998

To edit a task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to edit. 4. On the Home tab, in the Task Sequence group, click Edit, and then perform any of the following operations: To add a task sequence step, click Add, select the type of the step, and then click the task sequence step that you want to add. For example, to add the Run Command Line step click Add, select General, and then click Run Command Line. For a list of all task sequence steps and their type, see the table that follows this procedure. To add a group to the task sequence, click Add, and then click New Group. After you add a group you can then add steps to the group. To change the order of the steps and groups in the task sequence, select the step or group that you want to re-order, and then use the Move Item Up or Move Item Down icons. You can move only one step or group at a time. To remove a step or group, select the step or group and click Remove.

5. Click OK to save the changes. The following table lists the task sequence steps that you can add to a task sequence. For more information about a specific task sequence step, click the task sequence step in this table.
Task sequence step Type of step Supported operating system Description

Apply Data Image

Images

Windows PE only

Copies the data image to the specified destination partition.

Apply Driver Package

Drivers

Windows PE only

Downloads all the drivers in the driver package and installs them on the Windows operating system. Specifies the network or workgroup configuration information for the destination computer.
1999

Apply Network Settings

Settings

Windows PE or standard operating system

Apply Operating System Image Apply Windows Settings

Images

Windows PE only

Installs an operating system on the destination computer. Configures the Windows settings for the destination computer. Matches and installs drivers as part of the operating system deployment. Captures Microsoft network settings from the computer that runs the task sequence. Captures one or more images from a reference computer and store them in a WIM file on the specified network share. Uses the User State Migration Tool (USMT) to capture user state and settings from the computer that runs the task sequence. Captures the Windows settings from the computer that runs the task sequence. Creates a connection to a shared network folder. Converts a physical
2000

Settings

Windows PE only

Auto Apply Drivers

Drivers

Windows PE only

Capture Network Settings

Settings

Standard operating system only

Capture Operating System Image

Images

Windows PE only

Capture User State

User State

Windows PE or standard operating system (Windows PE only for offline deployments)

Capture Windows Settings

Settings

Windows PE or standard operating system

Connect To Network Folder Convert Disk to

General

Windows PE or standard operating system Windows PE or

Disk

Dynamic

standard operating system Disk Standard operating system only

disk from a basic disk type to a dynamic disk type. Disables the BitLocker encryption on the current operating system drive, or on a specific drive. Enables BitLocker encryption on at least two partitions on the hard drive Formats and partitions a specified disk on a destination computer. Installs one or more applications on the destination computer. Installs the Configuration Manager package that contains the Sysprep deployment tools. install the one or more Configuration Manager software packages on the destination computer. Installs software updates on the destination computer. Adds the destination computer to a workgroup or domain. Uses the Configuration Manager client that is installed on the reference computer
2001

Disable BitLocker

Enable BitLocker

Disk

Standard operating system only

Format and Partition Disk Install Application

Disk

Windows PE only

General

Standard operating system only Standard operating system only

Install Deployment Tools

Images

Install Package

General

Standard operating system only

Install Software Updates Join Domain or Workgroup Prepare ConfigMgr Client for Capture

General

Standard operating system only Standard operating system only Standard operating system only

General

Images

and prepares this client for capture as part of the imaging process. Prepare Windows for Capture Images Standard operating system only Specifies the Sysprep options to use to capture an operating system image on the reference computer. Notifies the state migration point that the capture or restore action is complete. Request access to a state migration point during the capture or restoration of user state. Restarts the computer that runs the task sequence. Initiates the User State Migration Tool (USMT) to restore user state and settings to the destination computer. Runs the specified command line. Sets the value of a variable to use with the task sequence. Performs the transition from Windows PE to the new operating system.

Release State Store

User State

Standard operating system only

Request State Store

User State

Standard operating system or Windows PE (for offline deployments) Windows PE or standard operating system Standard operating system only

Restart Computer

General

Restore User State

User State

Run Command Line

General

Windows PE or standard operating system Windows PE or standard operating system Windows PE only

Set Task Sequence Variable Setup Windows and ConfigMgr

General

Images

2002

How to Distribute the Content that is Referenced by a Task Sequence

Before clients run a task sequence that references content, you must distribute that content to distribution points. At any time, you can select the task sequence and distribute its content to build a new list of reference packages for distribution. The content that is distributed is the content that is currently referenced by the task sequence and does not automatically include any changes made to the task sequence. Use the following procedure to distribute the content that is referenced by a task sequence. To distribute referenced content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to distribute. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the correct task sequence is selected for distribution, and then click Next. 6. On the Content page, verify the content to distribute, such as the boot image referenced by the task sequence, and then click Next. 7. On the Content Destination page, specify the collections, distribution point, or destination point group where you want to distribute the task sequence contents, and then click Next. Important If the task sequence that you selected references content that is already distributed to a specific distribution point, that distribution point is not listed by the wizard. 8. Complete the wizard. Starting in System Center 2012 R2 Configuration Manager, you can prestage the content in a task sequence. Configuration Manager creates a compressed, prestaged content file that contains the files, associated dependencies, and associated metadata for the content that you select. Then, you can then manually import the content at a site server, secondary site, or distribution point. For more information about how to prestage content files, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

How to Deploy a Task Sequence

Use the following procedure to deploy a task sequence to the computers in a collection.
2003

Note The status messages for the task sequence deployment are displayed in the Message window on a primary site, but they are not displayed on a central administration site. To deploy a task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to deploy. 4. On the Home tab, in the Deployment group, click Deploy. Note If Deploy is not available, the task sequence has a reference that is not valid. Correct the reference and then try to deploy the task sequence again. 5. On the General page, specify the following information, and then click Next. Task sequence: Specify the task sequence that you want to deploy. By default, this box displays the task sequence that you selected. Collection: Specify the collection that contains the computers that will run the task sequence. Important Do not deploy task sequences that install operating systems to inappropriate collections, such as the All Systems collection. Be sure that the collection that you select contains only those computers that you want to run the task sequence. Comments (optional): Specify additional information that describes this deployment of the task sequence.

6. On the Deployment Settings page, specify the following information, and then click Next. Purpose: From the drop-down list, choose one of the following options: Available: If the task sequence is deployed to a user, the user sees the published task sequence in the Application Catalog and can request it on demand. If the task sequence is deployed to a device, the user will see it in the Software Center and can install it on demand. Required: The task sequence is deployed automatically, according to the configured schedule. However, a user can track the task sequence deployment status (if it is not hidden) and install the task sequence before the deadline by using the Software Center.

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Deploy automatically according to schedule whether or not a user is logged on : This option is not available when you deploy a task sequence.
2004

Note In System Center 2012 Configuration Manager SP1, this option is named Pre-deploy software to the users primary device. Send wake-up packets: If the deployment purpose is set to Required and this option is selected, a wake-up packet will be sent to computers before the deployment is installed to wake the computer from sleep at the installation deadline time. Before you can use this option, computers and networks must be configured for Wake On LAN. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs: When you have a task sequence that installs an application but does not deploy an operating system, you can specify whether to allow clients to download content after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. Note While using a metered Internet connection might work for task sequences that do not deploy an operating system, it is not supported. Require administrator approval if users request this application : This option is not available when you deploy a task sequence. Specify when to make this task sequence available. The available options are different depending on which version of Configuration Manager you are running. Make available to boot media and PXE: For Microsoft System Center 2012 Configuration Manager with no service pack only:

Specify whether the task sequence can be run when you deploy an operating system by using boot media or PXE boot. When you select this option, the Download all content locally before starting task sequence on the Distribution points page is not available.
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:

Make available to the following: Specify whether the task sequence is available to Configuration Manager clients, media, or PXE.
Important Use the Only media and PXE (hidden) setting for automated task sequence deployments. Select Allow unattended operating system deployment and set the SMSTSPreferredAdvertID variable as part of the media to have the computer automatically boot to the deployment
2005

with no user interaction. For more information about task sequence variables, see Task Sequence Built-in Variables in Configuration Manager 7. On the Scheduling page, specify the following information, and then click Next. Schedule when this deployment will become available: Specify the date and time when the task sequence is available to run on the destination computer. When you select the UTC check box, this setting ensures that the task sequence is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. If the start time is earlier than the required time, the client downloads the task sequence at the start time that you specify. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer. When you select the UTC check box, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. Assignment schedule: Specify when the required task sequence is run on the destination computer. You can add multiple schedules. You can specify the date and time when the schedule starts, whether the task sequence runs weekly, monthly, or on a custom interval, and if the task sequence runs after an event such as logging on or logging off the computer. Note If you schedule a start time for a required task sequence that is earlier than the date and time when the task sequence is available, the Configuration Manager client downloads the task sequence at the scheduled start time, even though the task sequence is available at an earlier time. Rerun behavior: Specify when the task sequence is rerun. You can specify one of the following options. Never rerun deployed program: The task sequence does not rerun on the client if the task sequence has been previously run on the client. The task sequence does not rerun even if it originally failed or if the task sequence files have been changed. Always rerun program: The task sequence is always rerun on the client when the deployment is scheduled, even if the task sequence has successfully run previously. This setting is particularly useful when you use recurring deployments in which the task sequence is routinely updated. Important Although this option is set by default, it has no affect until you assign a required deployment. Available deployments can always be rerun by a user. Rerun if failed previous attempt: The task sequence is rerun when the deployment is scheduled only if the task sequence failed to run previously. This
2006

setting is particularly useful for required deployments so that they will automatically retry to run according to the assignment schedule if the last attempt to run was unsuccessful. Rerun if succeeded on previous attempt: The task sequence is rerun only if it has previously run successfully on the client. This setting is useful when you use recurring deployments in which the task sequence is routinely updated, and each update requires that the previous update is installed successfully. Note Because a user can rerun an available task sequence deployment, make sure that before you deploy an available task sequence in a product environment, you carefully evaluate and test what happens if a user reruns the task sequence multiple times. 8. On the User Experience page, specify the following information, and then click Next. Allow user to run the program independently of assignments: Specify whether the user is allowed to run a required task sequence independently from the deployment assignments. Show Task Sequence progress: Specify whether the Configuration Manager client displays the progress of the task sequence. Software installation: Specify whether the user is allowed to install software outside a configured maintenance windows after the scheduled time. System restart (if required to complete the installation) : Specify whether the user is allowed to restart the computer after a software installation outside a configured maintenance window after the assignment time. Allow task sequence to run for client on the Internet: Specify whether the task sequence is allowed to run on an Internet-based client that Configuration Manager detects to be on the Internet. Operations that install software, such as an operating system, are not supported with this setting. Use this option only for generic scriptbased task sequences that perform operations in the standard operating system. Embedded Devices: For Configuration Manager SP1 only. When you deploy task sequences to Windows Embedded devices that are write filter enabled, you can specify to install the task sequence on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Note When you deploy an application to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. 9. On the Alerts page, specify the alert settings that you want for this task sequence deployment, and then click Next. 10. On the Distribution Points page, specify the following information, and then click Next. Deployment options: Specify one of the following options:
2007

Note When you use multicast to deploy an operating system the content must be downloaded to the destination computers either as it is needed or before the task sequence is run. Specify that clients download content from the distribution point to the destination computer as it is needed by the task sequence. Specify that clients download all the content from the distribution point to the destination computer before the task sequence is run. This option is not shown if you specified that the task sequence is available to PXE and boot media deployments (see the Deployment Settings page). Specify that clients run the content from the distribution point. This option is available only when all packages associated with the task sequence is enabled to use a package share on the distribution point. To enable content to use a package share, see the Data Access tab in the Properties for each package.

When no local distribution point is available, use a remote distribution point : Specify whether clients can use distribution points that are on slow and unreliable networks to download the content that is required by the task sequence.

11. Complete the wizard.

How to Export and Import Task Sequences

You can export and import task sequences with or without their related objects, such as such an operating system image, a boot image, a client agent package, a driver package, and applications that have dependencies. Consider the following when you export and import task sequences. Passwords that are stored in the task sequence are not exported. If you export and import a task sequence that contains passwords, you must edit the imported task sequence and specify any passwords again. Ensure that you specify passwords for Join Domain or Workgroup, map network drive, and Run Command Line actions. As a best practice, when you have multiple primary sites, import task sequences at the central administration site.

Use the following procedures to export and import a task sequence. To export task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequences that you want to export. If you select more than one task sequence, they are stored in one export file. 4. On the Home tab, in the Task Sequence group, click Export to start the Export Task Sequence Wizard.
2008

5. On the General page, specify the following settings, and then click Next. In the File box, specify the location and name of the export file. If you enter the file name directly, be sure to include the .zip extension to the file name. If you browse for the export file, the wizard automatically adds this file name extension. Clear the Export all task sequence dependencies check box if you do not want to export task sequence dependencies. By default, the wizard scans for all the related objects and exports them with the task sequence. This includes any dependencies for applications. Clear the Export all content for the selected task sequences and dependencies check box if you do not want to copy the content from the package source to the export location. If this check box is selected, the Import Task Sequence Wizard uses the import path as the new package source location. In the Administrator comments box, add a description of the task sequences to export.

6. Complete the wizard. The wizard creates the following output files: If you do not export content: a .zip file. If you export content: a .zip file and a folder named export_files, where export is the name of the .zip file that contains the exported content.

If you include content when you export a task sequence, make sure that you copy the .zip file and the export_files folder, or your import will fail. To import task sequences 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Import Task Sequence to start the Import Task Sequence Wizard. 4. On the General page, specify the exported .zip file, and then click Next. 5. On the File Content page, select the action that you require for each object that you import. This page shows all the objects that Configuration Manager will import. If the object has never been imported, select Create New. If the object has been previously imported, select one of the following actions: Ignore Duplicate (default): This action does not import the object. Instead, the wizard links the existing object to the task sequence. Overwrite: This action overwrites the existing object with the imported object. For applications, you can add a revision to update the existing application or create a new application.

6. Complete the wizard. After you import the task sequence, edit the task sequence to specify any passwords that were in the original task sequence. For security reasons, passwords are not exported.
2009

How to Create Task Sequence Variables for Computers and Collections

You can define custom task sequence variables for computers and collections. Variables that are defined for a computer are referred to as per-computer task sequence variables. Variables defined for a collection are referred to as per-collection task sequence variables. If there is a conflict, per-computer variables take precedence over per-collection variables. This means that task sequence variables that are assigned to a specific computer automatically have a higher priority than variables that are assigned to the collection that contains the computer. For example, if collection ABC has a variable assigned to it and computer XYZ, which is a member of collection ABC, has a variable with the same name assigned to it, the variable that is assigned to computer XYZ has higher priority than that of the variable that is assigned to collection ABC. You can hide per-computer and per-collection variables so that they are not visible in logs or in the Configuration Manager console. If you no longer want these variables to be hidden, you must delete them and redefine them without selecting the option to hide them. You can manage per-computer variables at a primary site or at a central administration site. Configuration Manager does not support more than 1,000 assigned variables for a computer. Warning When you use per-collection variables for task sequences, consider the following: Because changes to collections are always replicated throughout the hierarchy, any changes that you make to collection variables will apply to not just members of the current site but to all members of the collection throughout the hierarchy. When you delete a collection, this action also deletes the task sequence variables that are configured for the collection.

Use the following procedures to create task sequence variables for a computer or collection. To create task sequence variables for a computer 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand the collection that contains the computer that you want to add the variable to. 3. Select the computer and click Properties. 4. In the Properties dialog box, click the Variables tab. 5. For each variable that you want to create, click the New icon in the <New> Variable dialog box and specify the name and the value of the task sequence variable. Clear the Do not display this value in the Configuration Manager console check box if you want to hide the variables so that they are not visible in logs or in the Configuration Manager console. 6. After you have added all the variables to the computer, click OK.

2010

To create task sequence variables for a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, select the collection that you want to add the variable to and click Properties. 3. In the Properties dialog box, click the Collection Variables tab. 4. For each variable that you want to create, click the New icon In the <New> Variable dialog box and specify the name and the value of the task sequence variable. Clear the Do not display this value in the Configuration Manager console check box if you want to hide the variables so that they are not visible in logs or in the Configuration Manager console. 5. Optionally, specify the priority for Configuration Manager to use when the task sequence variables are evaluated. 6. After you have added all the variables to the collection, click OK.

Additional Actions to Manage Task Sequences

You can manage task sequences by using additional actions when you select the task sequence by using the following procedure. To select a task sequence to manage 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you want to manage, and then select one of the available options. Use the following table for more information about some of the additional actions to manage task sequences.
Action Description

Copy

Makes a copy of the selected task sequence. You might find this action useful when you want to create a new task sequence that is based on an existing task sequence. When you make a copy of a task sequence in a folder, the copy is listed in that folder until you refresh the task sequence node. After the refresh, the copy appears in the root folder.

Disable

Disables the task sequence so that it cannot run on computers. Disabled task sequences
2011

Action

Description

can be deployed to computers, but computers do not run the task sequence until it is enabled. Enable Enables the task sequence so that it can be run. You do not need to redeploy a deployed task sequence after it is enabled. For System Center 2012 R2 Configuration Manager only: Starts the Create Prestaged Content File Wizard to prestage the task sequence content. For information about how to create a prestaged content file, see the Prestage Content section in the Operations and Maintenance for Content Management in Configuration Manager topic. Move Properties Moves the selected task sequence to another folder. Opens the Properties dialog box for the selected task sequence. Use this dialog box to change the behavior of the task sequence object. However, you cannot change the steps of the task sequence by using this dialog box.

Create Prestaged Content File

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage the User State in Configuration Manager

You can use System Center 2012 Configuration Manager task sequences to capture and restore the user state data in operating system deployment scenarios where you want to retain the user state of the current operating system. For example: Side-by-side deployments where you want to capture the user state from one computer to restore it on another computer. Update deployments where you want to capture and restore the user state on the same computer.
2012

Use the following sections to manage the user state in Configuration Manager: User State Capture and Restore Workflows Storing User State Data How to Configure the State Migration Point Role How to Create a Computer Association for Side-by-Side Deployment How to Create a USMT Package How to Capture and Restore User State Data How to Restore the User State Data when the Operating System Deployment Fails For USMT 5.0, see Common Migration Scenarios. For USMT 4.0, see Common Migration Scenarios.

For more information about common user state migration scenarios, see the following:

User State Capture and Restore Workflows

The following illustrations show the actions that are associated with the capture and restoration of user state for a computer.

Storing User State Data

When you capture user state, you can store the user state data on the destination computer (suitable for update deployments) or on a user state migration point (required for side-by-side deployment). To store the user state on a user state migration point, you must use a Configuration Manager site system server that hosts the state migration point site system role. To store the user state on the destination computer, you must configure your task sequence to store the data locally using links. Note The links that are used to store the user state locally are referred to as hard-links. Hardlinks is a USMT 4.0 feature that scans the computer for user files and settings and then creates a directory of hard-links to those files. The hard-links are then used to restore the user data after the new operating system is deployed. Important You cannot use a state migration point and use hard-links to store the user state data at the same time. To store the user state data on a state migration point, you must perform the following steps: 1. Configure a state migration point to store the user state data. 2. Create a computer association between the source computer and the destination computer. You must create this association before you capture the user state on the source computer.
2013

3. Add steps to your task sequence that captures the user state data and then stores it on the state migration point. 4. Add steps to your task sequence that retrieves the user state data from the state migration point and then restores the data on the destination computer. To store the user state data on the destination computer for update deployments, you must perform the following steps: Add steps to your task sequence that capture and store the user state data to a local folder using links. Add steps to your task sequence that restores the user state using those links. Note The user state data that the hard-links reference remains on the computer after the task sequence removes the old operating system. This is the data that is used to restore the user state when the new operating system is deployed.

How to Configure the State Migration Point Role

You can use the following methods to configure a state migration point to store the user state data: Use the Create Site System Server Wizard to create a new site system server for the state migration point. Use the Add Site System Roles Wizard to add a state migration point to an existing server. When you use these wizards, you are prompted to provide the following information for the state migration point: The folders to store the user state data. The maximum number of clients that can store data on the state migration point. The minimum free space for the state migration point to store user state data. The deletion policy for the role. You can specify that the user state data is deleted immediately after it is restored on a computer, or after a specific number of days after the user data is restored on a computer. Whether you want the state migration point to respond only to requests to restore user state data. When you enable this option, you cannot use the state migration point to store user state data.

For more information about how to install site system roles, see the Install Site System Roles section of the Install and Configure Site System Roles for Configuration Manager topic.

How to Create a Computer Association for Sideby-Side Deployment

Create a computer association to define a relationship between a source computer and a destination computer for side-by-side deployments. The source computer is an existing computer
2014

that Configuration Manager manages. When you deploy the new operating system to the destination computer, the source computer contains the user state that is migrated to the destination computer. To create a computer association 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User State Migration. 3. On the Home tab, in the Create group, click Create Computer Association. 4. On the Computer Association tab of the Computer Association Properties dialog box, specify the source computer that has the user state to capture, and the destination computer on which to restore the user state data. 5. On the User Accounts tab, specify the user accounts to migrate to the destination computer. Specify one of the following settings: Capture and restore all user accounts: This setting captures and restores all user accounts. Use this setting to create multiple associations to the same source computer. Capture all user accounts and restore specified accounts: This setting captures all user accounts on the source computer and only restores the accounts that you specify on the destination computer. In addition, you can use this setting when you want to create multiple associations to the same source computer. Capture and restore specified user accounts: This setting captures and restores only the accounts that you specify. You cannot create multiple associations to the same source computer when you select this setting.

How to Create a USMT Package

To store the user state data locally or on a state migration point, you must create a package that contains the USMT source files that you want to use. This package is specified when you add the Capture User State step to your task sequence. Use the following procedure to create a USMT package by using the Create Package and Program Wizard. For more information on the Create Package and Program Wizard, see the How to Create a Package and Program by using the Create Package and Program Wizard section of the How to Create Packages and Programs in Configuration Manager topic. To create a USMT package 1. On the Package page of the Create Package and Program Wizard, select This package contains source files and browse to the USMT folder in the WAIK folder. Only one USMT package is required for x64 and x86 computers, so browse to the root USMT folder. Typically the path to the USMT folder is C:\Program Files\WAIK\tools\USMT. 2. On the Program Type page of the wizard, select Do not create a program.
2015

3. Complete the wizard.

How to Capture and Restore User State Data

To capture and restore the user state, you must first create a task sequence, and then edit the task sequence to add the following task sequence steps: Request State Store: This step is needed only if you store the user state on the state migration point. Capture User State: This step captures the user state data and stores it on the state migration point or locally using links. Restore User State: This step restores the user state data on the destination computer. It can retrieve the data from a user state migration point or from the destination computer. Release State Store: This step is needed only if you store the user state on the state migration point. This step removes this data from the state migration point. You must use the User State Migration Tool (USMT) to complete the capture and restore steps. When you migrate user state from Windows XP to Windows XP, you must use USMT 3.0.1. For all other supported user state migration scenarios, you must use USMT 4.0. Use the following procedures to add the task sequence steps needed to capture the user state and restore the user state. For more information about how to create a task sequence and how to edit a task sequence, see the following sections in the How to Manage Task Sequences in Configuration Manager topic: How to Create Task Sequences How to Edit a Task Sequence To add task sequence steps to capture the user state 1. In the Task Sequence list, select a task sequence, and then click Edit. 2. If you are using a state migration point to store the user state, add the Request State Store step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Request State Store. Specify the following properties and options for the Request State Store step, and then click Apply. On the Properties tab, specify the following options: Enter a name and description for the step. Click Capture state from the computer. In the Number of retries box, specify the number of times the task sequence attempts to capture the user state data if an error occurs. In the Retry delay (in seconds) box, specify how many seconds that the task sequence waits before it retries to capture the data. Select the If computer account fails to connect to state store, use the Network Access account check box to specify whether to use the Configuration Manager Network Access Account capture the user state data.
2016

For more information about the Network Access Account, see the Configure the Network Access Account section of the Configuring Content Management in Configuration Manager topic. On the Options tab, specify the following options: Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

3. Add the Capture User State step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Capture User State. Specify the following properties and options for the Capture User State step, and then click OK. Important When you add this step to your task sequence, also set the OSDStateStorePath task sequence variable to specify where the user state data is stored. If you store the user state locally, do not specify a root folder as that can cause the task sequence to fail. When you store the user data locally always use a folder or subfolder. For information about this variable, see Capture User State Task Sequence Action Variables. On the Properties tab, specify the following options: Enter a name and description for the step. Specify the package that contains the USMT source file used to capture the user state data. Specify the user profiles to capture: Click Capture all user profiles with standard options to capture all user profiles. Click Customize user profile capture to specify individual user profiles to capture.

Select Enable verbose logging to specify how much information to write to log files if an error occurs. Select Skip files that use the Encrypting File System (EFS) . Select Copy by using file system access to specify the following settings: Continue if some files cannot be captured: This setting allows the task sequence step to continue the migration process even if some files cannot be captured. If you disable this option and a file cannot be captured, the task sequence step fails. This option is enabled by default. Capture locally by using links instead of by copying files: This setting allows you to use the hard link migration feature that is available in USMT 4.0. This setting is ignored if you use versions of USMT that are earlier than USMT 4.0. Capture in off-line mode (Windows PE only): This setting allows you to capture use state from Windows PE without booting to the existing operating system. This setting is ignored if you use versions of USMT that are earlier than
2017

USMT 4.0. Select Capture by using Volume Copy Shadow Services (VSS). This setting is ignored if you use versions of USMT that are earlier than USMT 4.0. Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

On the Options tab, specify the following options:

Deploy this task sequence to capture the user state on a destination computer. For information about how to deploy task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager. To add task sequence steps to restore the user state 1. In the Task Sequence list, select a task sequence, and then click Edit. 2. Add the Restore User State step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Restore User State. This step establishes a connection to the state migration point. Specify the following properties and options for the Restore User State step, and then click OK. On the Properties tab, specify the following properties: Enter a name and description for the step. Specify the package that contains the USMT to restore the user state data. Specify the user profiles to restore: Click Restore all captured user profiles with standard options to restore all user profiles. Click Customize user profile capture to restore individual user profiles.

Select Restore local computer user profiles to provide a new password for the restored profiles. You cannot migrate passwords for local profiles. Note When you have local user accounts, and you use the Capture User State step and select Capture all user profiles with standard options, you must select the Restore local computer user profiles setting in the Restore User State step or the task sequence will fail.

Select Continue if some files cannot be restored if you want the Restore User State step to continue if a file cannot be restored. If you store the user state by using local links and the restore is not successful, the administrative user can manually delete the hard-links that were created to store the data or the task sequence can run the USMTUtils tool. If you use USMTUtils to delete the hard-link, add a Restart Computer step after you run USMTUtils.

Select Enable verbose logging to specify how much information to write to log files if an error occurs.
2018

On the Options tab, specify the following options: Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue if an error occurs.

3. If you are using a state migration point to store the user state, add the Release State Store step to the task sequence. In the Task Sequence Editor dialog box, click Add, point to User State, and then click Release State Store. Specify the following properties and options for the Release State Store step, and then click OK. Important The task sequence action that runs before the Release State Store step must be successful before the Release State Store step is started. On the Properties tab, enter a name and description for the step. On the Options tab, specify the following options. Select the Continue on error check box if you want the task sequence to continue to the next step if this step fails. Specify any conditions that must be met before the task sequence can continue when an error occurs.

Deploy this task sequence to restore the user state on a destination computer. For information about deploying task sequences, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

How to Restore the User State Data when the Operating System Deployment Fails
If the operating system deployment fails, use the USMT 4.0 LoadState feature to retrieve the user states data was captured during the deployment process. This includes data that is stored on a state migration point or data that is saved locally on the destination computer. For more information on this USMT feature, see LoadState Syntax.

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage Unknown Computer Deployments in Configuration Manager

Use the information in this topic to deploy operating systems to unknown computers in your System Center 2012 Configuration Manager environment. An unknown computer is a computer
2019

that is not managed by Configuration Manager. This means that there is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not been discovered by Configuration Manager

You can deploy operating systems to unknown computers by using PXE deployments, bootable media, or prestaged media.

Unknown Computer Deployment Workflow

Here is the basic workflow that you need to follow to deploy an operating system to an unknown computer: Select an unknown computer object to use in the deployment. You can deploy the operating system to one of the unknown computer objects in the All Unknown Computers collection or you can add the objects in the All Unknown Computer collection to another collection. Configuration Manager provides two unknown computer objects in the All Unknown Computers collection. One object is for x86 computers and the other object is for x64 computers. Note The x86 Unknown Computer object is for computers that are only x86 capable. The x64 Unknown Computer object is for computers that are x86 and x64 capable, In other words, these objects describe the architecture of the destination computer. They do not describe the operating system that you want to deploy on the destination computer. Configure a PXE enabled distribution point or media to support unknown computer deployments. Before you enable unknown computer support for an operating system deployment, ensure that the site system meets all the prerequisites for unknown computer support. Important If you use a PXE deployment to provision an unknown computer, the unknown computer attempts to run required task sequences. Any required task sequences that include operations such as Apply Operating System Image or Format and Partition Disk automatically PXE boot the computer and attempt to run. In this scenario all data is destroyed on the unknown computer. Deploy the task sequence that deploys the operating system to the collection that contains the unknown computer object that you want to use.

Unknown Computer Installation Process

When a computer is first booted from PXE or from media, Configuration Manager checks to see if a record for that computer exists in the Configuration Manager database. If there is a record,
2020

Configuration Manager then checks to see if there are any task sequences deployed to the record. If there is not a record, Configuration Manager checks to see if there are any task sequences deployed to an unknown computer object. In either case, Configuration Manager then performs one of the following actions: If there is an available task sequence, Configuration Manager prompts the user to run the task sequence. If there is a required task sequence, Configuration Manager automatically runs the task sequence. If a task sequence is not deployed for the record, Configuration Manager generates an error that there is no deployed task sequence for the destination computer.

In addition, when an unknown computer is booted, Configuration Manager recognizes the computer as an unprovisioned computer rather than an unknown computer. This means that the computer can now receive the task sequences that were deployed to the unknown computer object. The deployed task sequence then installs an operating system image that must include the Configuration Manager client. After the Configuration Manager client is installed, a record for the computer is created and the computer is listed in the appropriate Configuration Manager collection. If the computer fails to install the operating system image or the Configuration Manager client, an Unknown record for the computer is created and the computer appears in the All Systems collection. Note During the installation of the operating system image, the task sequence can retrieve collection variables but not computer variables from this computer.

Enabling Unknown Computer Support

Use the following table to enable unknown computer support for PXE deployments, bootable media, and prestaged media.
Deployment type Configuration More information

PXE deployment

Select the Enable unknown computer support check box on the PXE tab for a distribution point that is enabled for PXE. Select the Enable unknown computer support check box on the Security page of the Create Task Sequence Media Wizard.

See the Creating Distribution Points that Accept PXE Request section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. For information about how to create bootable media, see the How to Create Bootable Media section of the How to Deploy Operating Systems by Using Media in Configuration
2021

Bootable media

Deployment type

Configuration

More information

Manager topic. Prestaged media Select the Enable unknown computer support check box on the Security page of the Create Task Sequence Media Wizard. For information about how to create prestaged media, see the How to Create Prestaged Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Associate Users with a Destination Computer

When you use System Center 2012 Configuration Manager to deploy operating system you can associate users with the destination computer where the operating system is deployed. This configuration includes specifying the following: That a single user is the primary user of the destination computer. That multiple users are the primary users of the destination computer.

User device affinity supports user-centric management for when you deploy applications. When you associate a user with the destination computer on which to install an operating system, an administrative user can later deploy applications to that user and the applications automatically install on the destination computer. However, although you can configure support for user device affinity when you deploy operating systems, you cannot use user device affinity to deploy operating systems. For more information about user device affinity, see the following documentation: User Device Affinity in the Deploying Applications in Configuration Manager section in the Introduction to Application Management in Configuration Manager topic How to Manage User Device Affinity in Configuration Manager

2022

How to Specify a User When You Deploy Operating Systems

The following table lists the actions that you can take to integrate user device affinity into your operating system deployments. You can integrate user device affinity into PXE deployments, bootable media deployments, and prestaged media deployments.
Action More information

Create a task sequence that includes the SMSTSAssignUsersMode variable

Add the SMSTSAssignUsersMode variable to the beginning of your task sequence by using the Set Task Sequence Variable task sequence step. This variable specifies how the task sequence handles the user information. Set the variable to one of the following values: Auto: The task sequence automatically creates a relationship between the user and destination computer and deploys the operating system. Pending: The task sequence creates a relationship between the user and the destination computer, but waits for approval from the administrative user before the operating system is deployed. Disabled: The task sequence does not associate a user with the destination computer and continues to deploy the operating system.

This variable can also be set on a computer or collection. Create a prestart command that gathers the user information The prestart command can be a Visual Basic (VB) script that has an input box, or it can be an HTML application (HTA) that validates the user data that is entered. The prestart command must set the SMSTSUdaUsers variable that is used when the task sequence is run. This variable can be set on a computer, a collection, or a task sequence variable. Use the following format when you add multiple users: domain\user1, domain\user2, domain\user3. Configure how distribution points and media When you configure a distribution point to
2023

Action

More information

associate the user with the destination computer

accept PXE boot requests and when you create bootable or prestaged media by using the Create Task Sequence Media Wizard, you can specify how the distribution point or media supports associating users with the destination computer where the operating system is deployed. Configuring user device affinity support does not have a built-in method to validate the user identity. This can be important when a technician is entering the information on behalf of the user when the technician provisions the computer. In addition to setting how the user information is handled by the task sequence, configuring these options on the distribution point and media provides the ability to restrict the deployments that are started from a PXE boot or from a specific piece of media. For information about how to configure the distribution point, see How to Deploy Operating Systems by Using PXE in Configuration Manager. For information about how to create media, see the How to Create Bootable Media and How to Create Prestaged Media sections in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.

See Also
Configuring Configuration Manager for Operating System Deployments

How to Manage Multicast in Configuration Manager

Use the procedures in this topic to support multicast in your System Center 2012 Configuration Manager environment. These procedures configure the distribution point to support multicast and configure the operating system image for multicast.
2024

Configuring a Distribution Point to support Multicast

Before you deploy the operating system, you must configure a distribution point to support multicast. Use the following procedure to modify an existing distribution point to support multicast. For more information about how to create a new distribution point, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. To enable multicast for a distribution point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Overview, and then select the Distribution Points node. 3. Select the distribution point that you want to use to multicast the operating system image. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Multicast tab, and configure the following options: Enable Multicast: You must select this option for the distribution point to support multicast. Multicast service point connection account: Specify an account to connect to the database if you cannot use the computer account of the distribution point. Multicast address settings: Specify the IP addresses to send data to the destination computers. By default, the IP address is obtained from a DHCP server that is enabled to distribute multicast addresses. Depending on the network environment, you can specify a range of IP addresses between 239.0.0.0 and 239.255.255.255. Important These IP addresses must be accessible by the destination computers that request the operating system image. This means that routers and firewalls in between the destination computer and the site server must be configured to allow multicast traffic. UDP Port Range: Specify the range of UDP ports to send data to the destination computers. Important These ports must be accessible by the destination computers that request the operating system image. This means that routers and firewalls in between the destination computer and the site server must be configured to allow multicast traffic. Enabled scheduled multicast: Specify how Configuration Manager controls when to start deploying operating systems to destination computers. Click Enabled scheduled multicast, and then select the following options.
2025

In the Session start delay box, specify how many minutes that Configuration Manager waits before it responds to the first deployment request. In the Minimum session size box, specify how many requests must be received before Configuration Manager starts to deploy the operating system. Transfer rate: Select the transfer rate to download data to the destination computers. Maximum clients: Specify the maximum number of destination computers that can download the operating system from this distribution point.

6. Click OK.

Configuring the Operating System Image for Multicast Deployments

Before you distribute the operating system image to a multicast-enabled distribution point, you must configure the operating system image package to support multicast. Use the following procedure to set the multicast options for an existing operating system image package. For information about how to capture an operating system image package from a reference computer, see the How to Build a Reference Computer section in the How to Deploy Operating Systems in Configuration Manager topic. To modify an operating system image package to use multicast 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image that you want to distribute to the multicast-enabled distribution point. 4. On the Home tab, in the Properties group, click Properties. 5. Select the Distribution Settings tab, and configure the following options: Allow this package to be transferred via multicast (WinPE only) : You must select this option for Configuration Manager to simultaneously deploy operating system images. Encrypt multicast packages: Specify whether the image is encrypted before it is sent to the distribution point. Use this option if the package contains sensitive information. If the image is not encrypted, the contents of the package will be visible in clear text on the network and might be read by an unauthorized user. Transfer this package only via multicast: Specify whether you want the distribution point to deploy the image only during a multicast session. If you select Transfer this package only via multicast, you must also specify Download content locally when needed by running task sequence as the deployment option for the operating system image. You can specify the deployment options for the image when you deploy the operating system image, or you can specify them later by editing the properties of the deployment. The deployment
2026

options are on the Distribution Points tab of the Properties page of the deployment object. 6. Click OK.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

Operations and Maintenance for Deploying Operating Systems in Configuration Manager

This section contains step-by-step procedures that are used to deploy operating systems in your System Center 2012 Configuration Manager environment.

Operating System Deployment Topics

How to Deploy Operating Systems in Configuration Manager How to Deploy Operating Systems by Using Media in Configuration Manager How to Deploy Operating Systems by Using PXE in Configuration Manager How to Deploy Operating Systems to Offline Computers in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

How to Deploy Operating Systems in Configuration Manager

Use the procedures and information in this topic to help you deploy operating systems in your System Center 2012 Configuration Manager environment. To deploy an operating system, you must build a reference computer and add computers to the Configuration Manager database. You can then deploy the operating system, and optionally, perform a side-by-side deployment. Use the following sections for more information: How to Build a Reference Computer How to Add a Computer to the Configuration Manager Database How to Deploy Operating System Images to a Computer
2027

How to Perform a Side-by-Side Operating System Deployment

How to Build a Reference Computer

You can configure the reference computer manually, or you can build the reference computer and capture the operating system image by using a build and capture task sequence. Note If you build the reference computer manually, you can capture the operating system image by using capture media. For more information about capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. To build the reference computer manually 1. Identify the computer to use as the reference computer. 2. Configure the reference computer with the appropriate operating system and any other software that is required to create the operating system image that you want to deploy. Warning At a minimum, install the appropriate operating system and service pack, support drivers, any required software updates, and the appropriate version of Sysprep. 3. Configure the reference computer to be a member of a workgroup. 4. Reset the local Administrator password on the reference computer so that the password value is blank. 5. For computers that run Windows XP, copy the appropriate Sysprep files (sysprep.exe and setupcl.exe) to the C:\Sysprep folder on the reference computer. This step is not required for computers that run an operating system version that is at least Windows Vista SP2. 6. Run Sysprep by using the command: sysprep /quiet /generalize /reboot To build a reference computer by using a build and capture task sequence 1. Identify the computer to use as the reference computer. 2. In the Configuration Manager console, click Software Library. 3. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 4. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 5. On the Create a New Task Sequence page, select Build and capture a reference operating system image and complete the wizard. For more information about the settings on each page of this wizard, see the How to Create Task Sequences section of the How to Manage Task Sequences in Configuration Manager topic. 6. To add additional steps to the task sequence, select the task sequence that you created
2028

and click Edit. For information about how to edit a task sequence, see the How to Edit a Task Sequence section of the How to Manage Task Sequences in Configuration Manager topic. 7. If the reference computer is a Configuration Manager client, deploy the build and capture task sequence to the collection that contains the reference computer. For information about how to deploy the operating system image, see How to Deploy Operating System Images to a Computer. Note If the task sequence has a disk partitioning task sequence step, do not select the Download Program option when you deploy the task sequence. 8. If the reference computer is not a Configuration Manager client, run the Create Task Sequence Media Wizard to create bootable media that can install the image on the reference computer. For information about how to create bootable media, see the How to Create Bootable Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager. 9. Alternatively, you can create bootable media such as CD , DVD, or USB Flash drive to manually run the task sequence on the reference computer.

How to Add a Computer to the Configuration Manager Database

To deploy an operating system to a new computer that is not currently managed by Configuration Manager without using stand-alone media, the new computer must be added to the Configuration Manager database before you deploy the operating system. Although Configuration Manager can automatically discover computers on your network that have a Windows operating system installed, if the computer has no operating system installed, you must import the new computer information by using the Import Computer Information Wizard. This wizard supports importing information about a single computer, or importing information about one or more computers from an external .csv file. Consider the following factors when you add computers to the Configuration Manager database: If the computer that you import is already in the Configuration Manager database, the computer information that you import overwrites the existing computer information. When you add computers by using a file or when you add a single computer, do not specify data in raw byte format. If the computer information is entered by using raw byte format, the computer import will fail. If you add computers by using a computer information file, you must create the file before you run the Import Computer Information Wizard. Create the file by using the comma separated values (CSV) format. Use the following format when you enter the computer information, with each property value in a separate column.
NEWCOMP1,55555555-5555-5555-5555-555555555555,05:06:07:08:09:0A

2029

If you import a computer and then provision the operating system of the computer manually, Configuration Manager considers the computer to be a new client and not the imported computer. If you import a computer to override an existing client and then re-image the operating system for the client by using Configuration Manager, Configuration Manager considers the computer to be a new client. If you import a computer and then provision it by using a PXE-initiated deployment, Configuration Manager matches the computer to the imported computer.

Use the following procedures to import multiple computers by using a computer information file or to import a single computer. To import computer information from a file 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Overview, and then click Devices. 3. On the Home tab, in the Create group, click Import Computer information to start the Import Computer Information Wizard. 4. On the Select Source page, select Import computers using a file, and then click Next. 5. On the Choose Mapping page, specify the following options, and then click Next. In the Import file box, specify the .csv file that contains the computer information. If the file contains column headings, select the This file has column headings check box. When this check box is selected, the first line of the file is ignored. To change a property that is associated with a column of the file, select the column number and then use Assign as to reassign the property that is associated with the column. Note You can use each Configuration Manager property only once. The Name field must be assigned to one column, and you must also specify a Computer Name, SMBIOS GUID, or MAC Address column. Although both values might be used, each property must be assigned to only one column. You can optionally specify the source computer that is assigned to one column. You can import only one MAC address per computer. The Ignore and Variable options can be assigned to multiple columns. Ignore is the default option. If you assign a column as a Variable, you must also enter the variable to be used. 6. On the Data Preview page, review the computer information provided by the file. If the file does not contain valid data for the properties that you specified, you must exit the wizard and correct the information in the file or select a file that has valid data. Important If the computer information file contains duplicate MAC addresses, the wizard will succeed, but Configuration Manager adds only the last computer with the
2030

duplicate MAC address to the Configuration Manager database. 7. On the Choose Target Collection page, specify the collections to add the computers to. By default, the computers are assigned to the All Systems collection. To add the computers to a specific collection, click Browse. The imported computers are statically added to the specified collection. If you do not want to add the computers to any additional collections, select Do not add computers to a collection. 8. Complete the wizard. To import computer information for a single computer 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Overview, and then click Devices. 3. On the Home tab, in the Create group, click Import Computer information to start the Import Computer information Wizard. 4. On the Select Source page, select Import single computer, and then click Next. 5. On the Single Computer page, specify the following settings, and then click Next. Computer Name: Specify the name of the computer. Specify either the MAC address (12 hex characters) or the SMBIOS GUID (32 hex characters) of the computer, or both the MAC address and SMBIOS GUID of the computer. Specify the SMBIOS GUID of the computer in UUID format. Warning If the SMBIOS GUID is specified, do not enter the GUID in raw byte format. Source computer: Optionally, specify a reference computer to obtain the user state and the settings to migrate to the new computer. If you specify a reference computer, you must specify the user accounts to migrate to the new computer when you create an association between the computer to add and the reference computer. Note For more information about how to create the association, see the To Create a Computer Association procedure in the How to Perform a Side-by-Side Operating System Deployment section of this topic. 6. On the Data Preview page, review the data that is mapped to a Configuration Manager property, and then click Next. 7. On the Choose Target Collection page, specify whether you want to add the computer to the All Systems collection or to a specific collection, and then click Next. 8. Complete the wizard.

2031

How to Deploy Operating System Images to a Computer

You use task sequences to deploy operating system images to destination computers. This means that you must create a task sequence that references the boot image used to boot the destination computer, the operating system image that you want to install on the destination computer, and any other additional content, such as other applications, that you want installed. Then you must deploy the task sequence to the collection that contains the destination computer. For information about creating and deploying task sequences, see the How to Manage Task Sequences in Configuration Manager topic.

How to Perform a Side-by-Side Operating System Deployment

You can use Configuration Manager to perform a side-by-side computer deployment. Side-byside computer deployments are useful for computer upgrade scenarios when you want to move the user state and files from an existing computer to a destination computer that has an updated operating system. To perform a side-by-side deployment 1. Import the new destination computer into the Configuration Manager database. See, How to Add a Computer to the Configuration Manager Database 2. Create a computer association between the existing computer and the destination computer. See the How to Create a Computer Association for Side-by-Side Deployment section in the How to Manage the User State in Configuration Manager topic. 3. Capture the user state from the existing computer. See the How to Capture and Restore User State Data When You Use a State Migration Point section in the How to Manage the User State in Configuration Manager topic. 4. Create a task sequence to deploy the operating system to the destination computer. How to Manage Task Sequences in Configuration Manager 5. Restore the user state on the destination computer. See the How to Capture and Restore User State Data When You Use a State Migration Point section in the How to Manage the User State in Configuration Manager topic.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

2032

How to Deploy Operating Systems by Using Media in Configuration Manager

Use the procedures in this topic to create capture, bootable, prestaged, and stand-alone media in your System Center 2012 Configuration Manager environment. Important If you use a Configuration Manager console that is not on the site server and your operating system is earlier than Windows 7, your computer must have the Configuration Manager client and Windows AIK installed. If these are not installed, the Create Task Sequence Media Wizard fails. Use the following sections to help you capture an operating system image or deploy an operating system by using the different types of media: How to Create Capture Media How to Create Bootable Media How to Create Prestaged Media How to Create Stand-alone Media

For planning information, see Planning for Media Operating System Deployments in Configuration Manager.

How to Create Capture Media

Use capture media to capture an operating system image from a reference computer. Capture media contains the boot image that starts the reference computer and the task sequence that captures the operating system image. For more information about capture media, see the Capture Media for Operating System Images section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create capture media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the reference computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the reference computer. For example, an x64 reference computer can boot and run an x86 or x64 boot image. However, an x86 reference computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image is located. The wizard retrieves the boot image from the distribution point when it creates the media. When you create capture media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media.
2033

Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created.

Use the following procedure to create capture media. To create capture media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, select Capture media, and then click Next. 5. On the Media Type page, specify the following options, and then click Next. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want the content stored. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager automatically adds a sequence number to the name of each output file that it creates. Note If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted even if you then cancel the wizard. 6. On the Boot image page, specify the following information, and then click Next. Important The architecture of the boot image that you specify must be appropriate for the architecture of the reference computer. For example, an x64 reference computer
2034

can boot and run an x86 or x64 boot image. However, an x86 reference computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the reference computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. 7. Complete the wizard.

How to Create Bootable Media

Bootable media contains only the boot image, optional prestart commands and their required files, and Configuration Manager binaries. For more information about bootable media, see the Bootable Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create bootable media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the destination computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image is located. The wizard retrieves the boot image from the distribution point when it creates the media. When you create bootable media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media. Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created.
2035

Use the following procedure to create bootable media. To create bootable media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following options, and then click Next. Select Bootable media. Optionally, if you want to only allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. Important When you select this option, the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the media is configured for password protection. 5. On the Media Management page, specify one of the following options, and then click Next. Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want the content stored. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager adds a sequence number to the name of each output file that it creates. Note If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted even if you then cancel the wizard. 7. On the Security page, specify the following options, and then click Next.
2036

6. On the Media Type page, specify the following options, and then click Next.

Select the Enable unknown computer support check box to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

Select the Protect the media with a password check box and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the bootable media. Important As a security best practice, always assign a password to help protect the bootable media.

For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager.

User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task sequence does not associate users with the destination computer when it deploys the operating system.

8. On the Boot image page, specify the following options, and then click Next. Important
2037

The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the destination computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. If you create site-based bootable media (you selected Site-based media on the Media Management page of the wizard), in the Management point box, specify a management point from a primary site. If you create dynamic bootable media (you selected Dynamic media on the Media Management page of the wizard), in the Associated management points box, specify the primary site management points to use, and a priority order for the initial communications. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence runs. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic. Tip During task sequence media creation, the task sequence writes the package ID and prestart command-line, including the value for any task sequence variables, to the CreateTSMedia.log log file on the computer that runs the Configuration Manager console. You can review this log file to verify the value for the task sequence variables. Optionally, select the Files for the prestart command check box to include any required files for the prestart command. 10. Complete the wizard.

9. On the Customization page, specify the following options, and then click Next.

How to Create Prestaged Media

Prestaged media contains the boot image and operating system image that you can use to provision a computer. However prestaged media does not contain the task sequence that is used in the deployment process. For more information about prestaged media, see the Prestaged

2038

Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create prestaged media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: The boot image used to start the destination computer must be distributed to a distribution point. In addition, the architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. To run the Create Task Sequence Media Wizard, you must have read access rights to the content library on the distribution point where the boot image and operating system image are located. The wizard retrieves the boot images from the distribution points when it creates the media. Ensure that the boot image contains the network and mass storage drivers that are required to provision the destination computer. The package that contains the operating system image that is deployed to the destination computer must be distributed to a distribution point. In the task sequence used by the media, do not set a condition for the Apply Operating System action. The hard drive of the destination computer must be formatted before the prestaged media is staged onto the hard drive of the computer. If the hard drive is not formatted when the media is applied, the task sequence that deploys the operating system will fail when it attempts to start the destination computer. Note The Create Task Sequence Media Wizard sets the following task sequence variable condition on the media: _SMSTSMedia = OEMMedia. You can use this condition throughout your task sequence. Use the following procedure to create prestaged media. To create prestaged media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following information, and then click Next. Select Prestaged media. Optionally, if you want to allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. When you select this option the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the
2039

media is configured for password protection. 5. On the Media Management page, specify the following information, and then click Next. Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Created by: Specify who created the media. Version: Specify the version number of the media. Comment: Specify a unique description of what the media is used for. Media file: Specify the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.wim Select the Enable unknown computer support check box to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

6. On the Media Properties page, specify the following information, and then click Next.

7. On the Security page, specify the following information, and then click Next.

Select the Protect the media with a password check box and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the prestaged media. Important As a security best practice, always assign a password to help protect the prestaged media.

For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager.

User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In
2040

this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task sequence does not associate users with the destination computer when it deploys the operating system.

8. On the Boot image page, specify the following information, and then click Next. Important The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. In the Boot image box, specify the boot image to start the destination computer. In the Distribution point box, specify the distribution point where the boot image resides. The wizard retrieves the boot image from the distribution point and writes it to the media. Note You must have Read access rights to the content library on the distribution point. If you create site-based bootable media (you selected Site-based media on the Media Management page of the wizard), in the Management point box, specify a management point from a primary site. If you create dynamic bootable media (you selected Dynamic media on the Media Management page of the wizard), in the Associated management points box, specify the primary site management points to use and a priority order for the initial communications. In the Image package box, specify the package that contains the operating system image. If the package contains multiple operating system images, in the Image index box, specify the image to deploy. In the Distribution point box, specify the distribution point where the operating system image package resides. The wizard retrieves the operating system image from the distribution point and writes it to the media.

9. On the Images page, specify the following information, and then click Next.

2041

Note You must have Read access rights to the content library on the distribution point. 10. On the Customization page, specify the following information, and then click Next. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence runs. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic. Tip During task sequence media creation, the task sequence writes the package ID and prestart command-line, including the value for any task sequence variables, to the CreateTSMedia.log log file on the computer that runs the Configuration Manager console. You can review this log file to verify the value for the task sequence variables. 11. Complete the wizard.

How to Create Stand-alone Media

Stand-alone media contains all the necessary information to deploy the operating system without requiring a connection to a Configuration Manager site. For more information about stand-alone media, see the Stand-alone Media Operating System Deployments section in the Planning for Media Operating System Deployments in Configuration Manager topic. You create stand-alone media by using the Create Task Sequence Media Wizard. Before you run the wizard, be sure that all the following conditions are met: You must have a task sequence that is associated with a boot image. Content that is required by the task sequence must be distributed to a distribution point and you must have Read access rights to the content library of that distribution point. The wizard gathers the information from the distribution point when it creates the stand-alone media. When you create stand-alone media for a USB flash drive, the flash drive must be connected to the computer where the wizard is run, and the USB flash drive must be detectable by Windows as a removal device. The wizard writes directly to the flash drive when it creates the media. Important If the administrative user needs to start the USB flash drive media from within an existing Windows Vista and later operating system, they need to manually run the TSMBAutorun.exe program. The TSMBAutorun.exe program is located in the following folder: \sms\bin\<architecture folder>\TSMBAutorun.exe
2042

Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, you must create a folder for the output files created by the wizard. Media that is created for a CD or DVD set is written as .iso files directly to the folder. If multiple media is needed the wizard adds a sequence number to the name of each output file that is created. Automatic application of device drivers from the driver catalog. Installing software updates. Installing software before an operating system deployment. Associating users with the destination computer to support user device affinity. Installing dependencies for applications that are specified as part of the task sequence.

Configuration Manager does not support the following actions for stand-alone media:

Use the following procedure to create stand-alone media for a USB flash drive or a CD/DVD set. To create stand-alone media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following options, and then click Next. Select Stand-alone media. Optionally, if you want to allow the operating system to be deployed without requiring user input, select Allow unattended operating system deployment. When you select this option the user is not prompted for network configuration information or for optional task sequences. However, the user is still prompted for a password if the media is configured for password protection.

5. On the Media Type page, specify the following options, and then click Next. Important Stand-alone media uses a FAT32 file system. You cannot create stand-alone media on a USB flash drive whose content contains a file over 4 GB in size. Select whether the media is a flash drive or a CD/DVD set. If you select USB flash drive, you must also specify the drive where you want to store the content. If you select CD/DVD set, specify the capacity of the media and the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.iso If the capacity of the media is too small to store the entire content, you must store the content on multiple CDs or DVDs. When multiple media is required, Configuration Manager adds a sequence number to the name of each output file that it creates. In addition, if you deploy an application along with the operating system and the application cannot fit on a single media, Configuration Manager stores the application
2043

across multiple media. When the stand-alone media is run, Configuration Manager prompts the user for the next media where the application is stored. Note If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or share as soon as you proceed to the next page of the wizard. The existing image is deleted, even if you then cancel the wizard. 6. On the Security page, enter a strong password to help protect the media, and then click Next. If you specify a password, the password is required to use the media. Important On stand-alone media, only the task sequence steps and their variables are encrypted. The remaining content of the media is not encrypted, so do not include any sensitive information in task sequence scripts. Store and implement all sensitive information by using task sequence variables. 7. On the Stand-Alone CD/DVD page, specify the task sequence that deploys the operating system, and then click Next. The wizard lets you select only those task sequences that are associated with a boot image. 8. On the Distribution Points page, specify the distribution points that contain packages that are required by the task sequence, and then click Next. Note You must have Read access rights to the content library on the distribution points. 9. On the Customization page, specify the following information, and then click Next. Specify the variables that the task sequence uses to deploy the operating system. Specify any prestart commands that you want to run before the task sequence. Prestart commands are a script or an executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. For more information about prestart commands for media, see the Prestart Commands for Task Sequence Media in Configuration Manager topic. Optionally, select the Files for the prestart command check box to include any required files for the prestart command. Tip During task sequence media creation, the task sequence writes the package ID and prestart command-line, including the value for any task sequence variables, to the CreateTSMedia.log log file on the computer that runs the Configuration Manager console. You can review this log file to verify the value for the task sequence variables. 10. Complete the wizard.

2044

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Deploy Operating Systems by Using PXE in Configuration Manager

Use the procedures in this topic to support PXE-initiated deployments in your System Center 2012 Configuration Manager environment. These procedures include how to configure a distribution point to accept PXE boot requests from clients, how to create the boot images that must be distributed to a PXE-enabled distribution point, and how to create an exclusion list to ensure that specified computers do not run a Configuration Manager PXE deployment. Use the following sections for more information: Configuring Distribution Points to Accept PXE Requests How to Create a PXE-enabled Boot Image How to Create an Exclusion List for PXE Deployments

Configuring Distribution Points to Accept PXE Requests

To deploy operating systems to Configuration Manager clients that make PXE boot requests, you must use one or more distribution points that are configured to respond to the PXE boot requests. The distribution point then responds to the PXE boot request and determines the appropriate deployment actions to take. You can add the distribution point site role to a new site system server or add the site role to an existing site system server. This site can be a primary or secondary site server. Important Before you install the distribution point, ensure that Windows Deployment Service is installed on the site system server. For information about how to install Windows Deployment Services for when you deploy operating system by using PXE, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. To create a distribution point that accepts PXE boot requests, see the Install and Configure the Distribution Point section in the Configuring Content Management in Configuration Manager topic. Use the following procedure to modify an existing distribution point so that it can accept PXE requests. To modify an existing distribution point to accept PXE requests 1. If there is a risk that critical computers might accidentally PXE boot, create an exclusion
2045

list and specify the MAC addresses of these computers. For more information, see How to Create an Exclusion List for PXE Deployments in this topic. 2. In the Configuration Manager console, click Administration. 3. In the Administration workspace, expand Overview and click Distribution points. 4. Select the distribution point to configure, and then, on the Home tab in the Properties group, click Properties. 5. On the property page for the distribution point, click the PXE tab. 6. To enable this distribution point to respond to the PXE boot requests, select the Enable PXE support for clients check box. 7. To confirm that you want Configuration Manager to use the ports that are required for PXE deployments, in the Review Required Ports for PXE dialog box, click Yes. 8. To enable Windows Deployment Services so that it responds to PXE service requests, select the Allow this distribution point to respond to incoming PXE requests check box. Use this check box to enable and disable the service without removing the PXE functionality from the distribution point. 9. To deploy operating systems to computer that are not managed by Configuration Manager, select the Enable unknown computer support check box. 10. To provide additional security for your PXE deployments, select the Require a password when computers use PXE check box, and then specify a strong password. 11. In the User Device Affinity list, specify how you want the distribution point to associate users with the destination computer for PXE deployments. Select Do not use user device affinity to not associated users with the destination computer. Select Allow user device affinity with manual approval to wait for approval from an administrative user before users are associated with the destination computer. Select Allow user device affinity with automatic approval to automatically associate users with the destination computer without waiting for approval.

For more information about user device affinity, see How to Associate Users with a Destination Computer 12. Specify that the distribution point responds to PXE requests from all network interfaces or from specific network interfaces. If the distribution point responds to specific network interface, you must provide the MAC address for each network interface. 13. Specify, in seconds, how long the delay is for the distribution point before it responds to computer requests when multiple PXE-enabled distribution points are used. By default, the Configuration Manager PXE service point responds first to network PXE requests. 14. Click OK to update the properties of the distribution point.

How to Create a PXE-enabled Boot Image

Before you use PXE to deploy an operating system, you must create the boot images to support a PXE deployment. You must have both an x86 PXE-enabled boot image and an x64 PXEenabled boot image that are distributed to one or more PXE-enabled distribution points.
2046

Use the following procedure to create boot images for PXE deployments. To create a PXE-enabled boot image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard. 4. On the Data Source page, specify the following options, and then click Next. In the Path box, specify the boot image WIM file. Click Browse to locate a specific boot image file. The specified path must be a valid network path in the UNC format. For example: \\servername\<sharename>\bootimage.wim. Select the boot image that you want from the Boot Image drop-down list. If the WIM file contains multiple boot images, each image is listed. In the Name box, specify a unique name for the boot image. In the Version box, specify a version number for the boot image. In the Comment box, specify a brief description of how the boot image is used.

5. On the General page, specify the following options, and then click Next.

6. Complete the wizard. 7. Select the boot image that you just created. 8. On the Home tab, in the Properties group, click Properties, and then select the Data Source tab. 9. Select the Deploy this boot image from the PXE service point check box. 10. Click OK. You can now distribute these boot images to any distribution point that accepts PXE requests.

How to Create an Exclusion List for PXE Deployments

When you use PXE to deploy operating systems, you can create an exclusion list to limit which computers are included in the deployment. The exclusion list contains MAC addresses of the computers that you want the distribution point to ignore if these computers send a PXE boot request. These computers do not receive the deployment task sequences that Configuration Manager uses for PXE deployment. Use the following steps to create the PXE exclusion list. To create the exclusion list
2047

1. Create a text file on the distribution point that is enabled for PXE. As an example, name this text file pxeExceptions.txt. 2. Use a standard text editor, such as Notepad, and add the MAC addresses of the computers to be ignored by the PXE-enabled distribution point. Separate the MAC address values by colons, and enter each address on a separate line. For example:
01:23:45:67:89:ab

3. Save the text file on the PXE-enabled distribution point site system server. The text file can be saved to any location on the server. 4. Edit the registry of the PXE-enabled distribution point to create a MACIgnoreListFile registry key that contains the string value of the full path to the location of the text file on the PXE-enabled distribution point site system server. Use the following registry path: HKLM\Software\Microsoft\SMS\DP Warning If you use the Registry Editor incorrectly, you might cause serious problems that might require you to reinstall the operating system. Microsoft cannot guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use the Registry Editor at your own risk. There is no need to restart the server after you make this registry change.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

How to Deploy Operating Systems to Offline Computers in Configuration Manager

Use the procedure in this topic to deploy operating systems to computers that are offline in your System Center 2012 Configuration Manager environment. For example, you can deploy an operating system to a computer that is not connected to the network or to a computer that is connected by a low bandwidth connection. In this scenario, the destination computer does not have an existing Configuration Manager client installed on the destination computer. Use stand-alone media to deploy operating systems to offline computers because everything that is required to deploy the operating system is on the media. You create stand-alone media by using the Create Task Sequence Media Wizard. For information about how to create stand-alone media, see the How to Create Stand-alone Media section of the How to Deploy Operating Systems by Using Media in Configuration Manager topic. Use the following procedure to deploy an operating system to an offline computer. To deploy an operating system to an offline computer
2048

1. Insert the stand-alone media into the offline computer. 2. Initiate the installation of the operating system from the stand-alone media. If there is no existing operating system on the destination computer, insert or attach the stand-alone media to the computer and restart the computer by using the installation media. Important The media that you use to deploy the operating system must be bootable.

See Also
Operations and Maintenance for Deploying Operating Systems in Configuration Manager

Security and Privacy for Deploying Operating Systems in Configuration Manager

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for operating system deployment in System Center 2012 Configuration Manager.

Security Best Practices for Operating System Deployment

Use the following security best practices for when you deploy operating systems with Configuration Manager:
Security best practice More information

Implement access controls to protect bootable media

When you create bootable media, always assign a password to help secure the media. However, even with a password, only files that contain sensitive information are encrypted and all files can be overwritten. Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate.

2049

Security best practice

More information

Note In Configuration Manager SP1, to help prevent a client from installing content or client policy that has been tampered with, the content is hashed and must be used with the original policy. If the content hash fails or the check that the content matches the policy, the client will not use the bootable media. Only the content is hashed; the policy is not but it is encrypted and secured when you specify a password, which makes it more difficult for an attacker to successfully modify the policy. Use a secured location when you create media for operating system images If unauthorized users have access to the location, they can tamper with the files that you create and also use all the available disk space so that the media creation fails. When you require a password to import the client authentication certificate that you use for bootable media, this helps to protect the certificate from an attacker. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the certificate file. If the client certificate is compromised, block the certificate from Configuration Manager and revoke it if it is a PKI certificate To deploy an operating system by using bootable media and PXE boot, you must have a client authentication certificate with a private key. If that certificate is compromised, block the certificate in the Certificates node in the Administration workspace, Security node. For more information about the difference between blocking a certificate and revoking it, see Comparing Blocking Clients and Revoking Client Certificates. When the SMS Provider is on a computer or computers other than the site server, secure the communication channel to protect boot images When boot images are modified and the SMS Provider is running on a server that is not the site server, the boot images are vulnerable to attack. Protect the network channel between
2050

Protect certificate files (.pfx) with a strong password and if you store them on the network, secure the network channel when you import them into Configuration Manager

Security best practice

More information

these computers by using SMB signing or IPsec. Enable distribution points for PXE client communication only on secure network segments When a client sends a PXE boot request, you have no way to ensure that the request is serviced by a valid PXE-enabled distribution point. This scenario has the following security risks: A rogue distribution point that responds to PXE requests could provide a tampered image to clients. An attacker could launch a man-in-themiddle attack against the TFTP protocol that is used by PXE and send malicious code with the operating system files, or she could create a rogue client to make TFTP requests directly to the distribution point. An attacker could use a malicious client to launch a denial of service attack against the distribution point.

Use defense in depth to protect the network segments where clients will access distribution points for PXE requests. Warning Because of these security risks, do not enable a distribution point for PXE communication when it is in an untrusted network, such as a perimeter network. Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces Require a password to PXE boot If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might expose the PXE service to untrusted networks When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot process, to help safeguard against rogue clients joining the Configuration Manager hierarchy. Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if
2051

Do not include line of business applications or software that contains sensitive data into an

Security best practice

More information

image that will be used for PXE boot or multicast

rogue computer downloads the operating system image.

Do not include line of business applications or software that contains sensitive data in software packages that are installed by using task sequences variables

When you deploy software packages by using task sequences variables, software might be installed on computers and to users who are not authorized to receive that software.

When you migrate user state, secure the network channel between the client and the state migration point by using SMB signing or IPsec Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports Manually delete folders on state migration point when they are decommissioned

After the initial connection over HTTP, user state migration data is transferred by using SMB. If you do not secure the network channel, an attacker can read and modify this data. The latest version of USMT provides security enhancements and greater control for when you migrate user state data. When you remove a state migration point folder in the Configuration Manager console on the state migration point properties, the physical folder is not deleted. To protect the user state migration data from information disclosure, you must manually remove the network share and delete the folder. If you configure the deletion policy on the state migration point to remove data that is marked for deletion immediately, and if an attacker manages to retrieve the user state data before the valid computer does, the user state data would be deleted immediately. Set the Delete after interval to be long enough to verify the successful restore of user state data. Configuration Manager does not automatically remove computer associations. Help to protect the identify of user state data by manually deleting computer associations that are no longer required. Configuration Manager Backup does not include the user state migration data.
2052

Do not configure the deletion policy to delete user state immediately

Manually delete computer associations when the user state migration data restore is complete and verified

Manually back up the user state migration data on the state migration point

Security best practice

More information

Remember to enable BitLocker after the operating system is installed

If a computer supports BitLocker, you must disable it by using a task sequence step if you want to install the operating system unattended. Configuration Manager does not enable BitLocker after the operating system is installed, so you must manually re-enable BitLocker. Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client authentication certificate and sensitive data. Ensure that the reference computer that you use to capture operating system images is in a secure environment with appropriate access controls so that unexpected or malicious software cannot be installed and inadvertently included in the captured image. When you capture the image, ensure that the destination network file share location is secure so that the image cannot be tampered with after it is captured. When the reference computer has current security updates, it helps to reduce the window of vulnerability for new computers when they first start up. Although provisioning unknown computers provides a convenient method to deploy new computers on demand, it can also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the network, and monitor clients to detect unauthorized computers. Also, computers responding to PXE-initiated operating system deployment might have all data destroyed during the operating system deployment, which could result in a loss of availability of systems that are inadvertently reformatted. For every operating system deployment package, you have the option to enable
2053

Implement access controls to protect the prestaged media

Implement access controls to protect the reference computer imaging process

Always install the most recent security updates on the reference computer

If you must deploy operating systems to an unknown computer, implement access controls to prevent unauthorized computers from connecting to the network

Enable encryption for multicast packages

Security best practice

More information

encryption when Configuration Manager transfers the package by using multicast. This configuration helps prevent rogue computers from joining the multicast session and helps prevent attackers from tampering with the transmission. Monitor for unauthorized multicast-enabled distribution points When you export task sequences to a network location, secure the location and secure the network channel If attackers can gain access to your network, they can configure rogue multicast servers to spoof operating system deployment. Restrict who can access the network folder. Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering with the exported task sequence. To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the computer running Virtual Machine Manager. Take the following precautionary steps if you use the Task Sequence Run As Account: Use an account with the least possible permissions. Do not use the Network Access account for this account. Never make the account a domain administrator. Never configure roaming profiles for this account. When the task sequence runs, it will download the roaming profile for the account, which leaves the profile vulnerable to access on the local computer. Limit the scope of the account. For example, create different Task Sequence Run As Accounts for each task sequence, so that if one account is compromised, only the client computers to which that account
2054

For System Center 2012 R2 Configuration Manager only: Secure the communication channel when you upload a virtual hard disk to Virtual Machine Manager. If you must use the Task Sequence Run As Account, take additional security precautions

In addition:

Security best practice

More information

has access are compromised. If the command line requires administrative access on the computer, consider creating a local administrator account solely for the Task Sequence Run As Account on all computers that will run the task sequence, and delete the account as soon as it is no longer required.

Restrict and monitor the administrative users who are granted the Operating System Deployment Manager security role

Administrative users who are granted the Operating System Deployment Manager security role can create self-signed certificates that can then be used to impersonate a client and obtain client policy from Configuration Manager.

Security Issues for Operating System Deployment

Although operating system deployment can be a convenient way to deploy the most secure operating systems and configurations for computers on your network, it does have the following security risks: Information disclosure and denial of service If an attacker can obtain control of your Configuration Manager infrastructure, she could run any task sequences, which might include formatting the hard drives of all client computers. Task sequences can be configured to contain sensitive information, such as accounts that have permissions to join the domain and volume licensing keys. Impersonation and elevation of privileges Task sequences can join a computer to domain, which can provide a rogue computer with authenticated network access. Another important security consideration for operating system deployment is to protect the client authentication certificate that is used for bootable task sequence media and for PXE boot deployment. When you capture a client authentication certificate, this gives an attacker an opportunity to obtain the private key in the certificate and then impersonate a valid client on the network. If an attacker obtains the client certificate that is used for bootable task sequence media and for PXE boot deployment, this certificate can be used to impersonate a valid client to Configuration Manager. In this scenario, the rogue computer can download policy, which can contain sensitive data. If clients use the Network Access Account to access data stored on the state migration point, these clients effectively share the same identity and could access state migration data from

2055

another client that uses the Network Access Account. The data is encrypted so only the original client can read it, but the data could be tampered with or deleted. The state migration point does not use authentication in Configuration Manager with no service pack In Configuration Manager with no service pack, the state migration point does not authenticate connections, so anybody can send data to the state migration point and anybody can retrieve data that is stored on there. Although only the original computer can read the retrieved user state data, do not consider this data secured. In Configuration Manager SP1, client authentication to the state migration point is achieved by using a Configuration Manager token that is issued by the management point. In addition, Configuration Manager does not limit or manage the amount of data that is stored on the state migration point and an attacker could fill up the available disk space and cause a denial of service. If you use collection variables, local administrators can read potentially sensitive information Although collection variables offer a flexible method to deploy operating systems, this might result in information disclosure.

Privacy Information for Operating System Deployment

In addition to deploying operating systems to computers with no operating system, Configuration Manager can be used to migrate users files and settings from one computer to another. The administrator configures which information to transfer, including personal data files, configuration settings, and browser cookies. The information is stored on a state migration point and is encrypted during transmission and storage. The information is allowed to be retrieved by the new computer associated with the state information. If the new computer loses the key to retrieve the information, a Configuration Manager administrator with the View Recovery Information right on computer association instance objects can access the information and associate it with a new computer. After the new computer restores the state information, it deletes the data after one day by default. You can configure when the state migration point removes data marked for deletion. The state migration information is not stored in the site database and is not sent to Microsoft. If you use boot media to deploy operating system images, always use the default option to password-protect the boot media. The password encrypts any variables stored in the task sequence, but any information not stored in a variable might be vulnerable to disclosure. Operating system deployment can use task sequences to perform many different tasks during the deployment process, which includes installing applications and software updates. When you configure task sequences, you should also be aware of the privacy implications of installing software. If you upload a virtual hard disk to Virtual Machine Manager without first using Sysprep to clean the image, the uploaded virtual hard disk could contain personal data from the original image.
2056

Configuration Manager does not implement operating system deployment by default and requires several configuration steps before you collect user state information or create task sequences or boot images. Before you configure operating system deployment, consider your privacy requirements.

See Also
Operating System Deployment in Configuration Manager

Technical Reference for Deploying Operating Systems in Configuration Manager

This section contains reference material for example scenarios and material for when you plan and write task sequences in System Center 2012 Configuration Manager.

Technical Reference Topics

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager Task Sequence Variables in Configuration Manager Task Sequence Steps in Configuration Manager Task Sequence Scenarios in Configuration Manager How to Provision Windows To Go in Configuration Manager Prestart Commands for Task Sequence Media in Configuration Manager How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager How to Customize Windows PE Boot Images to Use in Configuration Manager How to Pre-Provision BitLocker on Windows 7

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Operating System Deployment in Configuration Manager

2057

Example Scenario for PXE-Initiated Operating System Deployment by Using Configuration Manager
Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The example scenario in this topic describes how to deploy an operating system in System Center 2012 Configuration Manager. In this scenario, Adam, the Configuration Manager administrative user for Trey Research, must upgrade the operating system to Windows 7 on several Windows XP computers. In this scenario, Adam does not have to save the user data from the computers that will receive the new operating system because. Trey Research has a policy to store all user data on network shares.

Deployment Process
To capture and deploy the operating system, Adam follows the process described in the following table.
Process More information

As he plans for the deployment, Adam makes the following decisions: He plans to use PXE to deploy the new operating system. He will install and configure Windows 7 on a computer that has no operating system installed. Then, he will use capture media to capture the operating system image. The capture media will use a USB flash drive to store his capture media. He will use the boot images that are supplied by Configuration Manager. He must distribute the boot images that start the reference computer in order to capture the operating system image and to start the destination computers to install the operating system.

For more information about PXE deployments, see Planning for PXE-Initiated Operating System Deployments in Configuration Manager. For more information about planning how to capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager For more information about planning boot images deployments, see Planning for Boot Image Deployments in Configuration Manager

Adam obtains a computer that has no operating For more information about planning how to
2058

Process

More information

system installed. He refers to this as a bare metal computer. This is his reference computer, which he configures as follows: He installs and configures Windows 7 to match his company requirements. He does not install the Configuration Manager client. He will install the client when he deploys the operating system image.

capture the operating system image, see Planning for Capturing Operating System Images in Configuration Manager

In preparation to deploy the operating system image, Adam uses the Configuration Manager console to perform the following steps: Adam creates a collection and then adds the computers that will receive the new operating system. He will deploy his deployment task sequence to that collection. Then the computers in the collection will run the task sequence to install the operating system. Adam configures distribution points that can respond to PXE boot requests. Adam creates a boot image that will be used by the capture media. Adam creates an x86 PXE-enabled boot image and an x64 PXE-enabled boot image. Configuration Manager requires both PXE-enabled boot images.

For more information about how to create a collection that contains computers, see the To create a device collection section in the How to Create Collections in Configuration Manager topic. For more information about configuring distribution points to accept PXE boot requests, see the Configuring Distribution Points to Support PXE-Initiated Deployments section in the Planning for PXE-Initiated Operating System Deployments in Configuration Manager topic. For more information about PXE-enabled boot images, see the How to Create a PXE-enabled Boot Image section in the How to Deploy Operating Systems by Using PXE in Configuration Manager topic. For more information about how to distribute boot images, see the How to Specify where Boot Images are Distributed section in the How to Manage Boot Images in Configuration Manager topic.

Adam distributes boot images to the PXEenabled distribution point with the following steps: Before Adam creates his capture media, he distributes the boot image that the media uses to start the reference computer. Before Adam runs his deployment task sequence, he distributes the PXE-enabled boot images that will start the destination computer during the deployment task sequence.

Adam creates capture media to capture the operating system image from the reference computer and also creates a deployment task

For more information about capture media, see the How to Create Capture Media section in the How to Deploy Operating Systems by Using
2059

Process

More information

sequence to deploy the captured operating system image: Adam inserts a USB flash drive into the computer and runs the Create Task Sequence Media wizard. When prompted by the wizard, he specifies where the operating system image is stored. Adam runs the Create Task Sequence Wizard. On the Create New Task Sequence page, he selects the option to create a task sequence that installs an existing operating system image package.

Media in Configuration Manager topic. For more information about how to create a task sequence to install an existing operating system image package, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic.

Adam inserts the USB flash drive into the No additional information. reference computer and starts the computer. The capture media starts the reference computer by using the boot image referenced by the media, and then captures the Windows 7 operating system image. After the operating system image is captured, Adam tests his deployment task sequence by deploying it to a collection that contains a single test computer. This strategy allows him to verify that Windows 7 is installed correctly and that the Configuration Manager client is installed on the computer. When Adam has confirmed that the test deployment is ready for computers on the production network, he deploys his deployment task sequence to the collection that contains the destination computers and he monitors the results. To monitor the progress and verify that the operating system deployment was successful, Adam uses alerts and reports. As a result of Adams actions, the computers that were running the Windows XP operating system have been upgraded to Windows 7. For more information about how to deploy the task sequence, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic.

For more information about how to deploy the task sequence, see the How to Deploy a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic. For more information about reports, see Reporting in Configuration Manager.

2060

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Variables in Configuration Manager

This section contains reference information about action variables and built-in variables that can be used in System Center 2012 Configuration Manager task sequences. Task sequence action variables provide a mechanism to configure and customize individual task sequence steps within a task sequence. Task sequence built-in variables supply configuration settings for computer, operating system, and user state configuration tasks that are performed on the destination computer. For more information about task sequence variables, see Planning a Task Sequences Strategy in Configuration Manager.

Task Sequence Variable Topics

Use the following topics to find information about action variables and built-in variables. Task Sequence Action Variables in Configuration Manager Task Sequence Built-in Variables in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Action Variables in Configuration Manager

Task sequence action variables specify configuration settings that are used by a single step in a System Center 2012 Configuration Manager task sequence. By default, the settings used by a task sequence step are initialized before the step is run and available only while the associated task sequence step is run. In other words, the task sequence variable setting is added to the task sequence environment before the task sequence step is run, and the value is removed from the task sequence environment after the task sequence step has run.

Action Variable Example

For example, you can specify a start-in directory for a command-line action by using the Run Command Line task sequence step. This step includes a Start In property whose default value
2061

is stored in the task sequence environment as the WorkingDirectory variable. The WorkingDirectory environment variable is initialized before the Run Command Line task sequence action is run. During the Run Command Line step, the WorkingDirectory value can be accessed through the Start In property. Then after the task sequence step is completed, the value of the WorkingDirectory variable is removed from the task sequence environment. If the sequence contains another Run Command Line task sequence step, the new WorkingDirectory variable is initialized and set to the starting value for that task sequence step. Whereas the default value for a task sequence action setting is present while the task sequence step is run, any new value that you set can be used by multiple steps in the sequence. If you use one of the task sequence variable creation methods to override a built-in variable value, the new value remains in the environment and overrides the default value for other steps in the task sequence. In the previous example, if a Set Task Sequence Variable step is added as the first step of the task sequence and sets the WorkingDirectory environment variable to the value C:\, both Run Command Line steps in the task sequence will use the new starting directory value.

Action Variables for Task Sequence Actions

Configuration Manager task sequence variables are grouped by their associated task sequence action. Use the following links to gather information about the action variables associated with a specific action. The task sequence variables govern how the task sequence action operates. The task sequence action reads and uses the variables that you mark as input variables. Alternatively, you can use the Set Task Sequence Variable action or the TSEnvironment COM object to set the variables at runtime. Only the task sequence action marks variables as output variables, which are read by actions that occur later in the task sequence. Note Not all task sequence actions are associated with a set of task sequence variables. For example, although there are variables associated with the Enable BitLocker action, there are no variables associated with the Disable BitLocker action.

Apply Data Image Task Sequence Action Variables

The variables for this action specify which image of a WIM file is applied to the destination computer and whether to delete the files on the destination partition. For more information about the task sequence step associated with these variables, see Apply Data Image Task Sequence Step.

Details
Action Variable Name Description

OSDDataImageIndex (input)

Specifies the index value of the image that is applied to the destination computer.
2062

Action Variable Name

Description

OSDWipeDestinationPartition (input)

Specifies whether to delete the files located on the destination partition. Valid values: "true" (default) "false"

Apply Driver Package Task Sequence Action Variables

The variables for this action specify information the installation of mass storage drivers and whether to install unsigned drivers. For more information about the task sequence step associated with these variables, see Apply Driver Package Task Sequence Step.

Details
Action Variable Name Description

OSDApplyDriverBootCriticalContentUniqueID (input)

Specifies the content ID of the mass storage device driver to install from the driver package. If this is not specified, no mass storage driver is installed. Specifies the INF file of the mass storage driver to install. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set.

OSDApplyDriverBootCriticalINFFile (input)

OSDApplyDriverBootCriticalHardwareCompo nent (input)

Specifies whether a mass storage device driver is installed, this must be scsi. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set. Specifies the boot critical ID of the mass storage device driver to install. This ID is listed in the "scsi" section of the device drivers txtsetup.oem
2063

OSDApplyDriverBootCriticalID (input)

Action Variable Name

Description

file. Note This task sequence variable is required if the OSDApplyDriverBootCriticalContentUniq ueID is set. OSDAllowUnsignedDriver (input) Specifies whether to configure Windows to allow the installation of unsigned device drivers. This task sequence variable is not used when deploying the Windows Vista and later operating system. Valid values: "true" "false" (default)

Apply Network Settings Task Sequence Action Variables

The variables for this action specify network settings for the destination computer, such as settings for the network adapters of the computer, domain settings and workgroup settings. For more information about the task sequence step associated with these variables, see Apply Network Settings Step.

Details
Action Variable Name Description

OSDAdapter (input)

This task sequence variable is an array variable. Each element in the array represents the settings for a single network adapter on the computer. The settings defined for each adapter are accessed by combining the array variable name with the zero-based network adapter index and the property name. Note If multiple network adapters will be configured with this task sequence action, the properties for the second network adapter are defined by using their index in the variable name; for example, OSDAdapter1EnableDHCP,
2064

Action Variable Name

Description

OSDAdapter1IPAddressList, OSDAdapter1DNSDomain, OSDAdapter1WINSServerList, OSDAdapter1EnableWINS, and so on. For example, the following variable names can be used to define the properties for the first network adapter that will be configured by this task sequence action: OSDAdapter0EnableDHCP true to enable Dynamic Host Configuration Protocol (DHCP) for the adapter. OSDAdapter0IPAddressList Comma-delimited list of IP addresses for the adapter. This property is ignored unless EnableDHCP is set to false. OSDAdapter0SubnetMask Comma-delimited list of subnet masks. This property is ignored unless EnableDHCP is set to false. OSDAdapter0Gateways Comma-delimited list of IP gateway addresses. This property is ignored unless EnableDHCP is set to false. OSDAdapter0DNSDomain - Domain Name System (DNS) domain for the adapter. OSDAdapter0DNSServerList Comma-delimited list of DNS servers for the adapter. OSDAdapter0EnableDNSRegistration true to register the IP address for the adapter in DNS. OSDAdapter0EnableFullDNSRegistration true to register the IP address for the adapter in DNS under the full DNS name for the computer. OSDAdapter0EnableIPProtocolFiltering true to enable IP protocol filtering on the adapter. OSDAdapter0IPProtocolFilterList Comma-delimited list of protocols allowed to run over IP. This property is ignored if EnableIPProtocolFiltering is set to false. OSDAdapter0EnableTCPFiltering true to enable TCP port filtering for the adapter. OSDAdapter0TCPFilterPortList Comma-delimited list of ports to be granted access permissions for TCP. This property is ignored if EnableTCPFiltering is set to false. OSDAdapter0TcpipNetbiosOptions Options for NetBIOS over TCP/IP. Possible values are as follows: 0 Use NetBIOS settings from DHCP server.
2065

Action Variable Name

Description

1 Enable NetBIOS over TCP/IP. 2 Disable NetBIOS over TCP/IP. OSDAdapter0EnableWINS true to use WINS for name resolution. OSDAdapter0WINSServerList Comma-delimited list of WINS server IP addresses. This property is ignored unless EnableWINS is set to true. OSDAdapter0MacAddress Media access controller (MAC) address used to match settings to physical network adapter. OSDAdapter0Name Name of the network connection as it appears in the network connections control panel program. The name is between 0 and 255 characters in length. OSDAdapter0Index Index of the network adapter settings in the array of settings.

OSDAdapterCount (input)

Specifies the number of network adapters installed on the destination computer. When the OSDAdapterCount value is set, all the configuration options for each adapter must be set. For example, if you set the OSDAdapterTCPIPNetbiosOptions value for a specific adapter then all the values for that adapter must also be configured. Caution If this value is not specified, all OSDAdapter values are ignored.

OSDDNSDomain (input) OSDDomainName (input) OSDDomainOUName (input)

Specifies the primary DNS server that is used by the destination computer. Specifies the name of the Windows domain that the destination computer joins. The specified value must be a valid Active Directory Domain Services domain name. Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path. Example: LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com

OSDEnableTCPIPFiltering

Specifies whether TCP/IP filtering is enabled.

2066

Action Variable Name

Description

(input)

Valid values: "true" "false" (default)

OSDJoinAccount (input) OSDJoinPassword (input) OSDNetworkJoinType (input)

Specifies the network account that is used to add the destination computer to a Windows domain. Specifies the network password that is used to add the destination computer to a Windows domain. Specifies whether the destination computer joins a Windows domain or a workgroup. "0" indicates that the destination computer joins a Windows domain. "1" specifies that the computer joins a workgroup. Valid values: "0" "1"

OSDDNSSuffixSearchOrder (input) OSDWorkgroupName (input)

Specifies the DNS search order for the destination computer.

Specifies the name of the workgroup that the destination computer joins. You must specify either this value or the OSDDomainName value. The workgroup name can be a maximum of 32 characters. Example: "Accounting"

Apply Operating System Image Task Sequence Action Variables

The variables for this action specify settings for the operating system that you want to install on the destination computer. For more information about the task sequence step associated with these variables, see Apply Operating System Image Step.

Details
Action Variable Name Description

OSDConfigFileName

Specifies the file name of the operating system

2067

Action Variable Name

Description

(input) OSDImageIndex (input) OSDInstallEditionIndex (input)

deployment answer file associated with the operating system deployment package. Specifies the image index value of the WIM file that is applied to the destination computer. Specifies the version of Windows Vista or later operating system that is installed. If no version is specified, Windows setup will determine which version to install using the referenced product key. Note Use only a value of zero (0) if the following conditions are true: You are installing a pre-Windows Vista operating system You are installing a volume license edition of Windows Vista or later, and no product key is specified.

Valid values: "0" (default) OSDTargetSystemDrive (output) Specifies the drive letter of the partition that contains the operating system files.

Apply Windows Settings Task Sequence Action Variables

The variables for this action specify Windows settings for the destination computer, such as the computer name, Windows product key, registered user and organization, and the local administrator password. For more information about the task sequence step associated with these variables, see Apply Windows Settings Step.

Details
Action Variable Name Description

OSDComputerName (input)

Specifies the name of the destination computer. Example: "%_SMSTSMachineName%" (default)

2068

Action Variable Name

Description

OSDProductKey (input)

Specifies the Windows product key. Note The specified value must be between 1 and 255 characters. Specifies the default registered user name in the new operating system. Note The specified value must be between 1 and 255 characters.

OSDRegisteredUserName (input)

OSDRegisteredOrgName (input)

Specifies the default registered organization name in the new operating system. Note The specified value must be between 1 and 255 characters.

OSDTimeZone (input) OSDServerLicenseMode (input)

Specifies the default time zone setting that is used in the new operating system. Specifies the Windows Server license mode that is used. Valid values: "PerSeat" "PerServer"

OSDServerLicenseConnectionLimit (input)

Specifies the maximum number of connections allowed. Note The specified number must be in the range between 5 and 9999 connections.

OSDRandomAdminPassword (input)

Specifies a randomly generated password for the administrator account in the new operating system. If set to true, the local administrator account will be disabled on the target computer. If set to false, the local administrator account will be enabled on the target computer, and the local administrator account password will be assigned the value of
2069

Action Variable Name

Description

the variable OSDLocalAdminPassword. Valid values: "true" (default) "false" OSDLocalAdminPassword (input) Specifies the local administrator password. This value is ignored if the Randomly generate the local administrator password and disable the account on all supported platforms option is enabled. Note The specified value must be between 1 and 255 characters.

Auto Apply Drivers Task Sequence Action Variables

The variables for this action specify which Windows drivers are installed on the destination computer and whether unsigned drivers are installed. For more information about the task sequence step associated with these variables, see Auto Apply Drivers Step.

Details
Action Variable Name Description

OSDAutoApplyDriverCategoryList (input)

A comma-delimited list of the driver catalog category unique IDs. If specified, the Auto Apply Driver task sequence action considers only those drivers that are in at least one of these categories when installing drivers. This value is optional, and it is not set by default. The available category IDs can be obtained by enumerating the list of SMS_CategoryInstance objects on the site. Specifies whether Windows is configured to allow unsigned device drivers to be installed. This task sequence variable is not used when deploying Windows Vista and later operating systems. Valid values:
2070

OSDAllowUnsignedDriver (input)

Action Variable Name

Description

"true" "false" (default) OSDAutoApplyDriverBestMatch (input) Specifies what the task sequence action does if there are multiple device drivers in the driver catalog that are compatible with a hardware device. If set to "true, only the best device driver will be installed. If false, all compatible device drivers will be installed, and the operating system will choose the best driver to use. Valid values: "true" (default) "false"

Capture Network Settings Task Sequence Action Variables

The variables for this action specify whether the network adapter settings (TCP/IP, DNS, and WINS) configuration information is captured and whether the workgroup or domain membership information is migrated as part of the operating system deployment. For more information about the task sequence step associated with these variables, see Capture Network Settings.

Details
Action Variable Name Description

OSDMigrateAdapterSettings (input)

Specifies whether the network adapter settings (TCP/IP, DNS, and WINS) configuration information is captured. Examples: "true" (default) "false"

OSDMigrateNetworkMembership (input)

Specifies whether the workgroup or domain membership information is migrated as part of the operating system deployment. Examples: "true" (default)

2071

Action Variable Name

Description

"false"

Capture Operating System Image Task Sequence Action Variables

The variables for this action specify information about the operating system image that is being captured, such as where the image is stored, who created the image, and a description of the image. For more information about the task sequence step associated with these variables, see Capture Operating System Image.

Details
Action Variable Name Description

OSDCaptureAccount (input) OSDCaptureAccountPassword (input) OSDCaptureDestination (input)

Specifies a Windows account name that has permissions to store the captured image on a network share. Specifies the password for the Windows account used to store the captured image on a network share. Specifies the location where the captured operating system image is saved. The maximum directory name length is 255 characters. An optional name of the user who created the image. This name is stored in the WIM file. The maximum length of the user name is 255 characters. An optional user-defined description of the captured operating system image. This description is stored in the WIM file. The maximum length of the description is 255 characters. An optional user-defined version number to assign to the captured operating system image. This version number is stored in the WIM file. This value can be any combination of letters
2072

OSDImageCreator (input)

OSDImageDescription (input)

OSDImageVersion (input)

Action Variable Name

Description

with a maximum length of 32 characters. OSDTargetSystemRoot (input) Specifies the path to the Windows directory of the installed operating system on the reference computer. This operating system is verified as being a supported operating system for capture by Configuration Manager.

Capture User State Task Sequence Action Variables

The variables for this action specify information used by the User State Migration Tool (USMT), such as the folder where the user state is saved, command line options for USMT, and the configuration files used to control the capture of the user profiles. For more information about the task sequence step associated with these variables, see Capture User State.

Details
Action Variable Name Description

OSDStateStorePath (input) OSDMigrateAdditionalCaptureOptions (input)

The UNC or local path name of the folder where the user state is saved. No default. Specifies user state migration tool (USMT) command line options that are used when capturing the user state, but not exposed in the Configuration Manager user interface. The additional options are specified in the form of a string that is appended to the automatically generated USMT command line. Note The USMT options specified with this task sequence variable are not validated for accuracy prior to running the task sequence.

OSDMigrateMode (input)

Allows you to customize the files that are captured by USMT. If this variable is set to Simple, then only the standard USMT configuration files are used. If this variable is set to Advanced, then the task sequence variable OSDMigrateConfigFiles specifies the
2073

Action Variable Name

Description

configuration files that the USMT uses. Valid values: "Simple" "Advanced" OSDMigrateConfigFiles (input) Specifies the configuration files used to control the capture of user profiles. This variable is used only if OSDMigrateMode is set to Advanced. This comma-delimited list value is set to perform customized user profile migration. Example: miguser.xml,migsys.xml,migapps.xml OSDMigrateContinueOnLockedFiles (input) Allows the user state capture to proceed if some files cannot be captured. Valid values: "true" (default) "false" OSDMigrateEnableVerboseLogging (input) Enables verbose logging for the USMT. Valid values: "true" "false" (default) OSDMigrateSkipEncryptedFiles (input) Specifies whether encrypted files are captured. Valid values: "true" "false" (default) _OSDMigrateUsmtPackageID (input) Specifies the package ID of the Configuration Manager package that will contain the USMT files. This variable is required.

Capture Windows Settings Task Sequence Action Variables

The variables for this action specify whether specific Windows settings are migrated to the destination computer, such as the name of the computer, the register organization name, and time zone information. For more information about the task sequence step associated with these variables, see Capture Windows Settings.

2074

Details
Action Variable Name Description

OSDMigrateComputerName (input)

Specifies whether the computer name is migrated. Valid values: "true" (default) "false" If the value is true, then the OSDComputerName variable is set to the NetBIOS name of the computer.

OSDComputerName (output)

Set to the NetBIOS name of the computer. The value is set only if the OSDMigrateComputerName variable is set to true. Specifies whether the computer user and organizational information is migrated. Valid values: "true" (default) "false" If the value is true, then the OSDRegisteredOrgName variable is set to the registered organization name of the computer.

OSDMigrateRegistrationInfo (input)

OSDRegisteredOrgName (output)

Set to the registered organization name of the computer. The value is set only if the OSDMigrateRegistrationInfo variable is set to true. Specifies whether the computer time zone is migrated. Valid values: "true" (default) "false" If the value is true, then the variable OSDTimeZone is set to the time zone of the computer.

OSDMigrateTimeZone (input)

OSDTimeZone (output)

Set to the time zone of the computer. The value is set only if the OSDMigrateTimeZone variable
2075

Action Variable Name

Description

is set to true.

Connect to Network Folder Task Sequence Action Variables

The variables for this action specify information about a folder on a network, such as the account used and password to connect to the network folder, the drive letter of the folder, and the path to the folder. For more information about the task sequence step associated with these variables, see Connect To Network Folder.

Details
Action Variable Name Description

SMSConnectNetworkFolderAccount (input) SMSConnectNetworkFolderDriveLetter (input)

Specifies the administrator account that is used to connect to the network share. Specifies the network drive letter to connect to. This value is optional; if it is not specified, then the network connection is not mapped to a drive letter. Note If this value is specified, the value must be in the range from D: to Z:. In addition, do not use X: as it is the drive letter used by Windows PE during the Windows PE phase. Examples: "D:" "E:"

SMSConnectNetworkFolderPassword (input) SMSConnectNetworkFolderPath (input)

Specifies the network password that is used to connect to the network share. Specifies the network path for the connection. Example: "\\servername\sharename"

2076

Convert Disk to Dynamic Task Sequence Action Variables

The variable for this action specifies the number of the physical disk to convert from a basic to dynamic disk. For more information about the task sequence step associated with these variables, see Convert Disk to Dynamic.

Details
Action Variable Name Description

OSDConvertDiskIndex (input)

Specifies the physical disk number that is converted.

Enable BitLocker Task Sequence Action Variables

The variables for this action specify the recovery password and startup key options used to enable BitLocker on the destination computer. For more information about the task sequence step associated with these variables, see Enable BitLocker.

Details
Action Variable Name Description

OSDBitLockerRecoveryPassword (input)

Instead of generating a random recovery password, the Enable BitLocker task sequence action uses the specified value as the recovery password. The value must be a valid numerical BitLocker recovery password. Instead of generating a random startup key for the key management option Startup Key on USB only, the Enable BitLocker task sequence action uses the Trusted Platform Module (TPM) as the startup key. The value must be a valid, 256-bit Base64-encoded BitLocker startup key.

OSDBitLockerStartupKey (input)

Format and Partition Disk Task Sequence Action Variables

The variables for this action specify information for formatting and partitioning a physical disk, such as the disk number and an array of partition settings. For more information about the task sequence step associated with these variables, see Format and Partition Disk.

2077

Details
Action Variable Name Description

OSDDiskIndex (input) OSDDiskpartBiosCompatibilityMode (input)

Specifies the physical disk number to be partitioned. Specifies whether to disable cache alignment optimizations when partitioning the hard disk for compatibility with certain types of BIOS. This can be necessary when deploying Windows XP or Windows Server 2003 operating systems. For more information, see article 931760 and article 931761 in the Microsoft Knowledge Base. Valid values: "true" "false" (default)

OSDGPTBootDisk (input)

Specifies whether to create an EFI partition on a GPT hard disk so that it can be used as the startup disk on EFI-based computers. Valid values: "true" "false" (default)

OSDPartitions (input)

Specifies an array of partition settings; see the SDK topic for accessing array variables in the task sequence environment. This task sequence variable is an array variable. Each element in the array represents the settings for a single partition on the hard disk. The settings defined for each partition can be accessed by combining the array variable name with the zero-based disk partition number and the property name. For example, the following variable names can be used to define the properties for the first partition that will be created by this task sequence action on the hard disk: Note If multiple partitions will be defined with
2078

Action Variable Name

Description

this task sequence action, the properties for the second partition can be defined by using their index in the variable name; for example, OSDPartitions1Type, OSDPartitions1FileSystem, OSDPartitions1Bootable, OSDPartitions1QuickFormat, OSDPartitions1VolumeName, and so on. OSDPartitions0Type - Specifies the type of partition. This is a required property. Valid values are "Primary", "Extended", "Logical", and "Hidden". OSDPartitions0FileSystem - Specifies the type of file system to use when formatting the partition. This is an optional property; if no file system is specified, the partition will not be formatted. Valid values are "FAT32" and "NTFS". OSDPartitions0Bootable - Specifies whether the partition is bootable. This is a required property. If this value is set to "TRUE" for MBR disks, then this will be made the active partition. OSDPartitions0QuickFormat - Specifies the type of format that is used. This is a required property. If this value is set to "TRUE", a quick format will be performed; otherwise, a full format will be performed. OSDPartitions0VolumeName - Specifies the name that is assigned to the volume when it is formatted. This is an optional property. OSDPartitions0Size - Specifies the size of the partition. Units are specified by the OSDPartitions0SizeUnits variable. This is an optional property. If this property is not specified, the partition is created using all remaining free space. OSDPartitions0SizeUnits - Specifies the units that will be used when interpreting the
2079

Action Variable Name

Description

OSDPartitions0Size task sequence variable. This is an optional property. Valid values are "MB" (default), "GB", and "Percent". OSDPartitions0VolumeLetterVariable Partitions will always use the next available drive letter in Windows PE when they are created. Use this optional property to specify the name of another task sequence variable, which will be used to save the new drive letter for future reference.

OSDPartitionStyle (input)

Specifies the partition style to use when partitioning the disk. "MBR" indicates the master boot record partition style, and "GPT" indicates the GUID Partition Table style. Valid Values: "GPT" "MBR"

Install Software Updates Task Sequence Action Variables

The variable for this action specifies whether to install all updates or only mandatory updates. For more information about the task sequence step associated with these variables, see Install Software Updates.

Details
Action Variable Name (input) Description

SMSInstallUpdateTarget (input)

Specifies whether to install all updates or only mandatory updates. Valid values: "All" "Mandatory"

2080

Join Domain or Workgroup Task Sequence Action Variables

The variables for this action specify information needed to join the destination computer to a Windows domain or workgroup. For more information about the task sequence step associated with these variables, see Join Domain or Workgroup.

Details
Action Variable Name Description

OSDJoinAccount (input) OSDJoinDomainName (input)

Specifies the account that is used by the destination computer to join the Windows domain. This variable is required when joining a domain. Specifies the name of a Windows domain the destination computer joins. Note The length of the Windows domain name must be between 1 and 255 characters.

OSDJoinDomainOUName (input)

Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path. Example: LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com Note The length of the Windows domain OU name must be between 0 and 32,767 characters. This value is not set if the OSDJoinType variable is set to "1" (join workgroup).

OSDJoinPassword (input)

Specifies the network password that is used by the destination computer to join the Windows domain. If the variable is not specified then a blank password is tried. Note This value is required if the variable OSDJoinType variable is set to "0" (join domain).

OSDJoinSkipReboot (input)

Specifies whether to skip restarting after the destination computer joins the domain or workgroup. Valid values: "true"

2081

Action Variable Name

Description

"false" OSDJoinType (input) Specifies whether the destination computer joins a Windows domain or a workgroup. To join the destination computer to a Windows domain specify "0". To join the destination computer to a workgroup specify "1". Valid values: "0" "1" OSDJoinWorkgroupName (input) Specifies the name of a workgroup that the destination computer joins. Note The length of the workgroup name must be between 1 and 32 characters. Example: "Accounting"

Prepare Windows for Capture Task Sequence Action Variables

The variables for this action specify information used to capture the Windows operating system from the target computer. For more information about the task sequence step associated with these variables, see Prepare ConfigMgr Client for Capture.

Details
Action Variable Name Description

OSDBuildStorageDriverList (input)

Specifies whether sysprep builds a mass storage device driver list. This setting applies to only Windows XP and Windows Server 2003. It will populate the [SysprepMassStorage] section of sysprep.inf with information on all the mass storage drivers that are supported by the image to be captured. Valid values: "true" "false" (default)

OSDKeepActivation

Specifies whether sysprep resets the product

2082

Action Variable Name

Description

(input)

activation flag. Valid values: "true" "false" (default)

OSDTargetSystemRoot (output)

Specifies the path to the Windows directory of the installed operating system on the reference computer. This operating system is verified as being a supported operating system for capture by Configuration Manager.

Release State Store Sequence Action Variables

The variables for this action specify information used to release the stored user state. For more information about the task sequence step associated with these variables, see Release State Store.

Details
Action Variable Name Description

OSDStateStorePath (input)

The UNC or local pathname to the location from which the user state is restored. This value is used by both the Capture User State task sequence action and the Restore User State task sequence action.

Request State Store Task Sequence Action Variables

The variables for this action specify information used to request the stored user state, such as the folder on the state migration point where the user data is stored. For more information about the task sequence step associated with these variables, see Release State Store.

Details
Action Variable Name Description

OSDStateFallbackToNAA (input)

Specifies whether the Network Access Account is used as a fallback when the computer account fails to connect to the state migration
2083

Action Variable Name

Description

point. Valid values: "true" "false" (default) OSDStateSMPRetryCount (input) Specifies the number of times that the task sequence step tries to find a state migration point before the step fails. Note The specified count must be between 0 and 600. OSDStateSMPRetryTime (input) Specifies the number of seconds that the task sequence step waits between retry attempts. The number of seconds can be a maximum of 30 characters. The UNC path to the folder on the state migration point where the user state is stored.

OSDStateStorePath (output)

Restart Computer Task Sequence Action Variables

The variables for this action specify information used to restart the destination computer. For more information about the task sequence step associated with these variables, see Restart Computer.

Details
Action Variable Name Description

SMSRebootMessage (input)

Specifies the message to be displayed to users before restarting the destination computer. If this variable is not set, the default message text is displayed. Note The specified message must not exceed 512 characters. Example: "This computer will be restarted; please save your work."
2084

Action Variable Name

Description

SMSRebootTimeout (input)

Specifies the number of seconds that the warning is displayed to the user before the computer restarts. Specify zero seconds to indicate that no reboot message is displayed. Examples: "0" (default) "5" "10"

Restore User State Task Sequence Action Variables

The variables for this action specify information used to restore the user state of the destination computer, such as pathname of the folder from which the user state is restored and whether the local computer account is restored. For more information about the task sequence step associated with these variables, see Restore User State.

Details
Action Variable Name Description

OSDStateStorePath (input) OSDMigrateContinueOnRestore (input)

The UNC or local pathname of the folder from which the user state is restored. Specifies that the user state restoration continues even if some files cannot be restored. Valid values: "true" (default) "false"

OSDMigrateEnableVerboseLogging (input)

Enables verbose logging for the USMT tool. Note This value is required by the action; it must be set to "true" or "false". Valid values: "true" "false" (default)

OSDMigrateLocalAccounts

Specifies whether the local computer account is

2085

Action Variable Name

Description

(input)

restored. Valid values: "true" "false" (default)

OSDMigrateLocalAccountPassword (input)

If the OSDMigrateLocalAccounts variable is true, this variable must contain the password that is assigned to all local accounts that are migrated. Because the same password is assigned to all migrated local accounts, it is considered a temporary password that will be changed later by some method other than Configuration Manager operating system deployment. Specifies additional user state migration tool (USMT) command line options that are used when restoring the user state. The additional options are specified in the form of a string that is appended to the automatically generated USMT command line. Note The USMT options specified with this task sequence variable are not validated for accuracy prior to running the task sequence.

OSDMigrateAdditionalRestoreOptions (input)

_OSDMigrateUsmtRestorePackageID (input)

Specifies the package ID of the Configuration Manager package that contains the USMT files. This variable is required.

Run Command Line Task Sequence Action Variables

The variables for this action specify information used to run a command from the command line, such as the working directory where the command is run. For more information about the task sequence step associated with these variables, see Run Command Line.

Details

2086

Action Variable Name

Description

SMSTSDisableWow64Redirection (input)

By default, when running on a 64-bit operating system, the program in the command line is located and run using the WOW64 file system redirector so that 32-bit versions of operating system programs and DLLs are found. Setting this variable to true disables the use of the WOW64 file system redirector so that native 64-bit versions of operating system programs and DLLs can be found. This variable has no effect when running on a 32-bit operating system. Specifies the starting directory for a commandline action. Note The specified directory name must not exceed 255 characters. Examples: "C:\" "%SystemRoot%"

WorkingDirectory (input)

SMSTSRunCommandLineUserName (input) SMSTSRunCommandLinePassword (input)

Specifies the account by which the command line is run. The value is a string of the form username or domain\username. Specifies the password for the account specified by the SMSTSRunCommandLineUserName variable.

Setup Windows and ConfigMgr Task Sequence Action Variables

The variable for this action specifies the client installation properties that are used when installing the Configuration Manager client. For more information about the task sequence step associated with these variables, see Setup Windows and ConfigMgr.

Details
Action Variable Name (input) Description

SMSClientInstallProperties

Specifies the client installation properties that

2087

Action Variable Name (input)

Description

(input)

are used when installing the Configuration Manager client.

See Also
Task Sequence Variables in Configuration Manager

Task Sequence Built-in Variables in Configuration Manager

Task sequence built-in variables are provided by System Center 2012 Configuration Manager. Built-in variables provide information about the environment where the task sequence is running, and their values are available throughout the whole task sequence. Typically, built-in variables are initialized before steps are run in the task sequence. For example, the built-in variable _SMSTSLogPath is an environment variable that specifies the path that Configuration Manager components use to write log files while the task sequence runs; any task sequence step can access this environment variable. However, some variables, such as _SMSTSCurrentActionName, are evaluated before each step. The values of built-in variables are generally read-only. The values are read only for built-in variables with a name that begins with an underscore.

Task Sequence Built-in Variable List

The following list describes the built-in variables that are available in Configuration Manager:
Built-in Variable Name Description

_SMSTSAdvertID

Stores the current running task sequence deployment unique ID. It uses the same format as a Configuration Manager software distribution deployment ID. If the task sequence is running from stand-alone media, this variable is undefined. Example: ABC20001

_TSAppInstallStatus

For System Center 2012 R2 Configuration Manager only:

2088

Built-in Variable Name

Description

The task sequence sets the _TSAppInstallStatus variable with the installation status for the application during the Install Application task sequence step. The task sequence sets the variable with one of the following values: 1. Undefined: Set when the Install Application task sequence step has not been run. 2. Error: Set when at least one application failed because of an error during the Install Application task sequence step. 3. Warning: Set when no errors occur during the Install Application task sequence step, but one or more applications, or a required dependency, did not install because a requirement was not met. 4. Success: Set when there are no errors or warning detected during the Install Application task sequence step. _SMSTSBootImageID Stores the Configuration Manager boot image package ID if a boot image package is associated with the current running task sequence. The variable will not be set if no Configuration Manager boot image package is associated. Example: ABC00001 _SMSTSBootUEFI For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: The task sequence sets the SMSTSBootUEFI variable when it detects a computer that is in UEFI mode. _SMSTSClientGUID Stores the value of Configuration Manager client GUID. This variable is not set if the task sequence is running from stand-alone media. Example: 0a1a9a4b-fc56-44f6-b7cd-c3f8ee37c04c
2089

Built-in Variable Name

Description

_SMSTSCurrentActionName

Specifies the name of the currently running task sequence step. This variable is set before the task sequence manager runs each individual step. Example: run command line

_SMSTSDownloadOnDemand

Set to true if the current task sequence is running in download-on-demand mode, which means the task sequence manager downloads content locally only when it must access the content. This variable is set to true when the current task sequence step is running in the Windows PE environment, and it is set to false if not. You can test this task sequence variable to determine the current operating system environment. Stores the return code that was returned by the last action that was run. This variable can be used as a condition to determine if the next step is run. Example: 0

_SMSTSInWinPE

_SMSTSLastActionRetCode

_SMSTSLastActionSucceeded

The variable is set to true if the last action succeeded and to false if the last action failed. If the last action was skipped because the step was disabled or the associated condition evaluated to false, this variable is not reset, which means it still holds the value for the previous action. Specifies the task sequence launch method. The task sequence can have the following values: SMS - specifies that the task sequence is started by using the Configuration Manager client. UFD - specifies that the task sequence is started by using USB media and that the
2090

_SMSTSLaunchMode

Built-in Variable Name

Description

USB media was created in Windows XP/2003. UFD+FORMAT - specifies that the task sequence is started by using USB media and that the USB media was created in Windows Vista or later. CD - specifies that the task sequence is started by using a CD. DVD - specifies that the task sequence is started by using a DVD. PXE - specifies that the task sequence is started from PXE. HD specifies that the task sequence was started from a hard disk (prestaged media only).

_SMSTSLogPath

Stores the full path of the log directory. This can be used to determine where actions are logged. This value is not set when a hard drive is not available. Stores and specifies the computer name. Stores the name of the computer that the task sequence will use to log all status messages. To change the computer name in the new operating system, use the OSDComputerName variable. Example: ABC

_SMSTSMachineName

_SMSTSMDataPath

Specifies the path defined by the SMSTSLocalDataDrive variable. When you define SMSTSLocalDataDrive before the task sequence starts, such as by setting a collection variable, Configuration Manager then defines the _SMSTSMDataPath variable once the Task Sequence starts. Specifies the type of media that is used to initiate the installation. Examples of types of media are Boot Media, Full Media, PXE, and Prestaged Media. Stores the name or IP address of a
2091

_SMSTSMediaType

_SMSTSMP

Built-in Variable Name

Description

Configuration Manager management point. _SMSTSMPPort Stores the management point port number of a Configuration Manager management point. Example: 80 _SMSTSOrgName Stores the branding title name that is displayed in a task sequence progress user interface dialog box. Example: XYZ Organization _SMSTSPackageID Stores the current running task sequence ID. This ID uses the same format as a Configuration Manager software package ID. Example: HJT00001

_SMSTSPackageName

Stores the current running task sequence name specified by the Configuration Manager administrator when the task sequence is created. Example: Deploy Windows 7 task sequence

_SMSTSRunFromDP

Set to true if the current task sequence is running in run-from-distribution-point mode, which means the task sequence manager obtains required package shares from distribution point. Stores the site code of the Configuration Manager site. Example: ABC

_SMSTSSiteCode

_SMSTSType

Specifies the type of the current running task sequence. It can have the following values: 1 - indicates a generic task sequence. 2 - indicates an operating system deployment
2092

Built-in Variable Name

Description

task sequence. _SMSTSTimezone The _SMSTSTimezone variable stores the time zone information in the following format (without spaces): Bias, StandardBias, DaylightBias, StandardDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, DaylightDate.wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds, StandardName, DaylightName Example: For the Eastern Time U.S. and Canada, the value would be 300,0,60,0,11,0,1,2,0,0,0,0,3,0,2,2,0,0,0,Eastern Standard Time,Eastern Daylight Time _SMSTSUseCRL Specifies whether the task sequence uses the certificate revocation list when it uses a Secure Socket Layer (SSL) certificate to communicate with the management point. Specifies whether a task sequence is started by a user. This variable is set only if the task sequence is started from the Software Center. For example, if _SMSTSLaunchMode is set to SMS. The variable can have the following values: true - specifies that the task sequence is manually started by a user from the Software Center. false - specifies that the task sequence is initiated automatically by the Configuration Manager scheduler.

_SMSTSUserStarted

_SMSTSUseSSL

Specifies whether the task sequence uses SSL to communicate with the Configuration Manager management point. If your site is running in native mode, the value is set to true. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager
2093

_SMSTSWTG

Built-in Variable Name

Description

only: Specifies if the computer is running as a Windows To Go device. SMSTSAssignmentsDownloadInterval For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this variable to specify the number of seconds to wait before the client will attempt to download the task sequence policy since the last attempt (which returned no policies). You can set this variable by using a prestart command from media or PXE. SMSTSAssignmentsDownloadRetry For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this variable to specify the number of times a client will attempt to download the task sequence policy after no policies are found on the first attempt. You can set this variable by using a prestart command from media or PXE. SMSTSAssignUsersMode Specifies how a task sequence associates users with the destination computer. Set the variable to one of the following values. Auto: The task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Pending: The task sequence creates a relationship between the specified users and the destination computer, but waits for approval from the administrative user before the relationship is set. Disabled: The task sequence does not associate users with the destination computer when it deploys the operating
2094

Built-in Variable Name

Description

system. SMSTSDownloadProgram For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this variable to specify an Alternate Content Provider, a downloader program that is used to download content instead of the default Configuration Manager downloader, for the task sequence. As part of the content download process, the task sequence checks the variable for a specified downloader program. If specified, the task sequence runs the program to perform the download. SMSTSDownloadRetryCount For System Center 2012 R2 Configuration Manager only: Use this variable to specify the number of times that Configuration Manager attempts to download content from a distribution point. SMSTSDownloadRetryDelay For System Center 2012 R2 Configuration Manager only: Use this variable to specify the number of seconds that Configuration Manager waits before it retries to download content from a distribution point. SMSTSErrorDialogTimeout When an error occurs in a task sequence, a dialog box is displayed that is dismissed automatically after a default time-out value. Use this variable to specify a time-out value in seconds other than the default of 15 minutes. For System Center 2012 R2 Configuration Manager only: Use this variable to specify whether the task sequence engine considers a detected warning as an error during the Application Installation task sequence step. The task sequence sets the _TSAppInstallStatus variable to Warning when one or more applications, or a required
2095

TSErrorOnWarning

Built-in Variable Name

Description

dependency, did not install because a requirement was not met. When you set the TSErrorOnWarning variable to True and the _TSAppInstallStatus variable is set to Warning, it is treated as an error. A value of False is the default behavior. SMSTSLanguageFolder For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this variable to change the display language of a language neutral boot image. SMSTSLocalDataDrive Specifies where temporary files are stored on the destination computer while the task sequence is running. This variable must be set before the task sequence starts, such as by setting a collection variable. Once the task sequence starts, Configuration Manager defines the _SMSTSMDataPath variable once the Task Sequence starts. SMSTSMPListRequestTimeout For System Center 2012 R2 Configuration Manager only: Use this variable to specify how much time a task sequence waits before it retries to install an application after it fails to retrieve the management point list from location services. By default, the task sequence waits one minute before it retries the step. This variable is applicable only to the Install Application task sequence step. SMSTSPersistContent For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this variable to temporarily persist content in the task sequence cache. SMSTSPostAction For System Center 2012
2096

Built-in Variable Name

Description

Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Specifies a command that is run after the task sequence completes. For example, you can use this variable to specify a script that enables write filters on embedded devices after the task sequence deploys an operating system to the device. SMSTSPreferredAdvertID Forces a specific targeted deployment on the destination computer to be run. This can be set through a prestart command from media or PXE. If this variable is set, the task sequence overrides any required deployments. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: This variable determines whether or not the task sequence uses the drive letter captured in the operating system image WIM file when applying that image to a destination computer. In Configuration Manager with no service pack, the drive letter captured in the WIM file is used when applying the operating system image WIM file. In Configuration Manager SP1, you can set the value for this variable to False to use the location that you specify for the Destination setting in the Apply Operating System task sequence step. For more information about the Apply Operating System task sequence step, see the Apply Operating System Image section in the Task Sequence Steps in Configuration Manager topic. SMSTSRebootDelay Specifies how many seconds to wait before the computer restarts. The task sequence manager will display a notification dialog before reboot if this variable is not set to 0. Examples:
2097

OSDPreserveDriveLetter

Built-in Variable Name

Description

0 30 SMSTSRebootMessage Specifies the message to display in the shutdown dialog box when a restart is requested. If this variable is not set, a default message will appear. Example: This computer is being restarted by the task sequence manager. SMSTSRebootRequested Indicates that a restart is requested after the current task sequence step is completed. If a restart is required, just set this variable to true, and the task sequence manager will restart the computer after this task sequence step. The task sequence step must set this task sequence variable if it requires the restart to complete the task sequence step. After the computer is restarted, the task sequence will continue to run from the next task sequence step. Requests a retry after the current task sequence step is completed. If this task sequence variable is set, the SMSTSRebootRequested must also be set to true. After the computer is restarted, the task sequence manager will rerun the same task sequence step. Specifies the primary user of the destination computer. Specify the users by using the following format. Separate multiple users by using a comma (,). Example: domain\user1, domain\user2, domain\user3 For more information about associating users with the destination computer, see How to Associate Users with a Destination Computer.

SMSTSRetryRequested

SMSTSUDAUsers

2098

See Also
Task Sequence Variables in Configuration Manager

Task Sequence Steps in Configuration Manager

The following task sequence steps can be added to a System Center 2012 Configuration Manager task sequence. For information about editing a task sequence, see the How to Modify a Task Sequence section in the How to Manage Task Sequences in Configuration Manager topic. Apply Data Image Task Sequence Step Apply Driver Package Apply Network Settings Step Apply Operating System Image Apply Windows Settings Auto Apply Drivers Capture Network Settings Capture Operating System Image Capture User State Capture Windows Settings Check Readiness
2

Connect To Network Folder Convert Disk to Dynamic Disable BitLocker Enable BitLocker Format and Partition Disk Install Application Install Deployment Tools Install Package Install Software Updates Join Domain or Workgroup Prepare ConfigMgr Client for Capture Prepare Windows for Capture Pre-provision BitLocker Release State Store Request State Store Restart Computer
2099
1


1 2

Restore User State Run Command Line Run PowerShell Script

2 2

Set Dynamic Variables

Set Task Sequence Variable Setup Windows and ConfigMgr

The task sequence step was added in System Center 2012 Configuration Manager SP1. The task sequence step was added in System Center 2012 R2 Configuration Manager.

Apply Data Image Task Sequence Step

Use the Apply Data Image task sequence step to copy the data image to the specified destination partition. This step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Data Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Image Package Specify the Image Package that will be used by this task sequence step by clicking Browse. Select the package you want to install in the Select a Package dialog box. The associated property information for each existing image package is displayed at the bottom of the Select a Package dialog box. Use the drop-down list to select the Image you want to install from the selected Image Package. Note This task sequence action treats the image as a data file and does not do any of the setup
2100

necessary to boot the image as an operating system.

Destination Specifies an existing formatted partition and hard disk, specific logical drive letter, or the name of a task sequence variable that contains the logical drive letter. Next available partition Use the next sequential partition that has not been previously targeted by an Apply Operating System or Apply Data Image action in this task sequence. Specific disk and partition Select the Disk number (starting with 0) and the Partition number (starting with 1). Specific logical drive letter Specify the Drive Letter assigned to the partition by Windows PE. Note that this drive letter can be different from the drive letter that the newly deployed operating system will assign. Logical drive letter stored in a variable Specify the task sequence variable containing the drive letter assigned to the partition by Windows PE. This variable would typically be set in Advanced section of the Partition Properties dialog box for the Format and Partition Disk task sequence action.

Delete all content on the partition before applying the image Specifies that all files on the target partition will be deleted before the image is installed. By not deleting the content of the partition, this step can be used to apply additional content to a previously targeted partition.

Apply Driver Package

Use the Apply Driver Package task sequence step to download all of the drivers in the driver package and install them on the Windows operating system. This step is necessary to install boot-critical drivers on pre-Vista operating systems. The Apply Driver Package task sequence step makes all device drivers in a driver package available for use by Windows. This step can be added to a task sequence between the Apply Operating System and the Setup Windows and ConfigMgr steps to make the device drivers in the driver package available to Windows. Typically, the Apply Driver Package step is placed after the Auto Apply Drivers task sequence step. The Apply Driver Package task sequence step is also useful with stand-alone media deployment scenarios. Ensure that similar device drivers are put into a driver package and distribute them to the appropriate distribution points. After they are distributed Configuration Manager client computers can install them. For example, you can put all the device drivers from a manufacturer into a driver package, and then distribute the package to distribution points where the associated computers can access them. This action can also be used to install boot critical mass storage device drivers for Windows XP x64 SP2, Windows XP SP3, and Windows Server 2003 SP2.
2101

This step is useful for stand-alone media and for administrators who want to install a specific set of drivers, including drivers for devices that would not be detected in a Plug-n-Play scan (for example, network printers). Note When deploying pre-Vista operating systems, if the image already has a driver installed for a device on the computer, the Auto Apply Drivers step, the Apply Driver Package step, or any new drivers installed by a task sequence action will not be processed. To ensure the new drivers are installed, in the sysprep.inf file, set the UpdateInstalledDrivers option in the Unattended section to Yes. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Driver Package Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Driver package Specify the driver package that contains the needed device drivers by clicking Browse and launching the Select a Package dialog box. Specify an existing package to be made available. The associated package properties are displayed at the bottom of the dialog box.

Select the mass storage driver within the package that needs to be installed before setup on pre-Windows Vista operating systems Specify any mass storage device drivers that are needed for pre- Windows Vista operating system installations.

2102

Driver Select the mass storage device driver file to be installed before setup on pre-Windows Vista operating system deployments. The drop-down list is populated from the specified package.

Model Specify the boot-critical device that is needed for pre-Windows Vista operating system deployments.

Do unattended installation of unsigned drivers on version of Windows where this is allowed Select this option to allow Windows to install drivers that are unsigned on the reference computer.

Apply Network Settings Step

Use the Apply Network Settings task sequence step to specify the network or workgroup configuration information for the destination computer. The specified values are stored in the appropriate answer file format for use by Windows Setup when the Setup Windows and ConfigMgr task sequence step is run. This task sequence step runs in either a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Apply Network Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

2103

Join a workgroup Select this option to have the destination computer join the specified workgroup. Enter the name of the workgroup on the Workgroup line. This value can be overridden by the value that is captured by the Capture Network Settings task sequence step.

Join a domain Select this option to have the destination computer join the specified domain. Specify or browse to the domain, such as fabricam.com. Specify or browse to a Lightweight Directory Access Protocol (LDAP) path for an organizational unit (i.e. LDAP//OU=computers, DC=Fabricam.com, C=com).

Account Click Set to specify an account with the necessary permissions to join the computer to the domain. In the Windows User Account dialog box you can enter the user name using the following format: Domain\User .

Adapter settings Specify network configurations for each network adapter in the computer. Click New to open the Network Settings dialog box, and then specify the network settings. If network settings were captured in a previous Capture Network Settings task sequence step, the previous settings are applied to the network adapter and the settings specified in this in this step are not applied. If network settings were not previously captured, the settings specified in the Apply Network Settings step are applied to network adapters in Windows device enumeration order.

Apply Operating System Image

Use the Apply Operating System Image task sequence step to install an operating system on the destination computer. This task sequence step performs a set of actions depending on whether it is using an operating system image or an operating system installation package to install the operating system. The Apply Operating System Image step performs the following actions when an operating system image is used. 1. Deletes all content on the targeted volume except for those files under the folder specified by the _SMSTSUserStatePath task sequence variable. 2. Extracts the contents of the specified .wim file to the specified destination partition. 3. Prepares the answer file: a. Creates a new default Windows Setup answer file (sysprep.inf or unattend.xml) for the operating system that is being deployed.
2104

b. Merges any values from the user-supplied answer file. 4. Copies Windows boot loaders into the active partition. 5. Sets up the boot.ini or the Boot Configuration Database (BCD) to reference the newly installed operating system. The Apply Operating System Image step performs the following actions when an operating system installation package is used. 1. Deletes all content on the targeted volume except for those files under the folder specified by the _SMSTSUserStatePath task sequence variable. 2. Prepares the answer file: a. Creates a fresh answer file with standard values created by Configuration Manager. b. Merges any values from the user-supplied answer file. Note Actual installation of Windows is started by the Setup Windows and ConfigMgr task sequence step. After the Apply Operating System task sequence action has run, the OSDTargetSystemDrive task sequence variable is set to the drive letter of the partition containing the operating system files. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Operating System Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Access content directly from the distribution point: For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Use this option to specify whether you want the task sequence to access the operating system image directly from the distribution point. For example, you can use this option when you deploy operating systems to embedded devices that have limited storage capacity. When this option is selected, you must also configure the package share settings on the Data Access tab of the package properties. Note This setting overrides the deployment option that is configured on the Distribution Points page in the Deploy Software Wizard only for the operating system image specified in this task sequence step, and not all content for the entire task sequence. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

2105

Name A short user-defined name that describes the action taken in this step.

Description More detailed information about the action taken in this step.

Apply operating system from a captured image Installs an operating system image that has previously been captured. Click Browse to open the Select a package dialog box, and then select the existing image package you want to install. If multiple images are associated with the specified Image package, use the drop-down list to specify the associated image that will be used for this deployment. You can view basic information about each existing image by clicking on the image.

Apply operating system image from an original installation source Installs an operating system using an original installation source. Click Browse to open the Select and Operating System Install Package dialog box, and then select the existing operating system installation package you want to use. You can view basic information about each existing image source by clicking on the image source. The associated image source properties are displayed in the results pane at the bottom of the dialog box. If there are multiple editions associated with the specified package, use the drop-down list to specify the associated Edition that is used.

Use an unattended or sysprep answer file for a custom installation Use this option to provide a Windows setup answer file ( unattend.xml, unattend.txt, or sysprep.inf) depending on the operating system version and installation method. The file you specify can include any of the standard configuration options supported by Windows answer files. For example, you can use it to specify the default Internet Explorer home page. You must specify the package that contains the answer file and the associated path to the file in the package. Note The Windows setup answer file that you supply can contain embedded task sequence variables of the form %varname%, where varname is the name of the variable. The % varname% string will be substituted for the actual variable values in the Setup Windows and ConfigMgr task sequence action. Note however, that such embedded task sequence variables cannot be used in numeric-only fields in an unattend.xml answer file. If you do not supply a Windows setup answer file, this task sequence action will automatically generate an answer file.

2106

Destination Specifies an existing formatted partition and hard disk, specific logical drive letter, or the name of a task sequence variable that contains the logical drive letter. Next available partition Use the next sequential partition that has not been previously targeted by an Apply Operating System or Apply Data Image action in this task sequence. Specific disk and partition Select the Disk number (starting with 0) and the Partition number (starting with 1). Specific logical drive letter Specify the Drive Letter assigned to the partition by Windows PE. Note that this drive letter can be different from the drive letter that the newly deployed operating system will assign. Logical drive letter stored in a variable Specify the task sequence variable containing the drive letter assigned to the partition by Windows PE. This variable would typically be set in Advanced section of the Partition Properties dialog box for the Format and Partition Disk task sequence action.

Apply Windows Settings

Use the Apply Windows Settings task sequence step to configure the Windows settings for the destination computer. The specified values are stored in the appropriate answer file format for use by Windows Setup when the Setup Windows and ConfigMgr task sequence step is run. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Apply Windows Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step

Name

Description More detailed information about the action taken in this step.

2107

User name Specify the registered user name that is associated with the destination computer. This value can be overridden by the value that is captured by the Capture Windows Settings task sequence action.

Organization name Specify the registered organization name that is associated with the destination computer. This value can be overridden by the value that is captured by the Capture Windows Settings task sequence action.

Product key Specify the product key that is used for the Windows installation on the destination computer.

Server licensing Specify the server licensing mode. You can select Per server or Per user as the licensing mode. If you select per Server as the licensing mode you will also need to specify the maximum number of connections that will be permitted per your license agreement. Select Do not specify if the destination computer is not a server or you do not want to specify the licensing mode.

Maximum connections Specify the maximum number of connections that are available for this computer as stated in your license agreement.

Randomly generate the local administrator password and disable the account on all supported platforms (recommended) Select this option to randomly generate a local administrator password. This creates a local administrator password and causes the account to be disabled on supported platforms.

Enable the account and specify the local administrator password Select this option to enable the local administrator account and create the local administrator password. Enter the password on the Password line and confirm the password on the Confirm password line.

Time Zone Specify the time zone to configure on the destination computer. This value can be
2108

overridden by the value that is captured by the Capture Windows Settings task sequence step.

Auto Apply Drivers

Use the Auto Apply Drivers task sequence step to match and install drivers as part of the operating system deployment. The Auto Apply Drivers task sequence step performs the following actions: 1. Scans the hardware and finds the Plug-n-Play IDs for all devices present on the system. 2. Sends the list of devices and their Plug-n-Play IDs to the management point. The management point returns a list of compatible drivers from the driver catalog for each device. The management point considers all drivers regardless of what driver package they might be in. Only those drivers tagged with the specified driver category and those drivers that are not marked as disabled are considered. 3. For each device, the client picks the best driver that is appropriate for the operating system on which it is being deployed and that is on an accessible distribution point. 4. The selected driver or drivers are downloaded from a distribution point and staged on the target operating system. a. For image-based installations, the drivers are placed into the newly deployed operating system image and Windows is configured with where to find the drivers on any Plug-nPlay scan. On Vista and later, the drivers are placed into the operating system driver store. b. For setup-based installations, Windows Setup is configured with where to find the drivers. 5. When the Setup Windows and ConfigMgr task sequence action runs and Windows initially boots, it will find the drivers staged by this action. Important The Auto Apply Drivers task sequence step cannot be used with stand-alone media because Windows Setup will have no connection to the Configuration Manager site. Note When deploying pre-Vista operating systems, if the image already has a driver installed for a device on the computer, the Auto Apply Drivers action, the Apply Driver Package action, or any new drivers installed by a task sequence action will not be processed. To ensure the new drivers will be installed, in the sysprep.inf file, set the UpdateInstalledDrivers option in the Unattended section to Yes. For additional installation about deploying drivers, see Microsoft Support. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Auto Apply Drivers Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.
2109

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Install only the best matched compatible drivers Specifies that the task sequence step installs only the best matched driver for each hardware device detected.

Install all compatible drivers Specifies that the task sequence step installs all compatible drivers for each hardware device detected and allows Windows setup to choose the best driver. This option takes more network bandwidth and disk space because it downloads more drivers, but it can result in a better driver being selected.

Consider drivers from all categories Specifies that the task sequence action searches all available driver categories for the appropriate device drivers.

Limit driver matching to only consider drivers in selected categories Specifies that the task sequence action searches for device drivers in specified driver categories for the appropriate device drivers.

Do unattended installation of unsigned drivers on versions of Windows where this is allowed Allows this task sequence action to install unsigned Windows device drivers. Important This option does not apply to operating systems where driver signing policy cannot be configured.
2110

Capture Network Settings

Use the Capture Network Settings task sequence step to capture Microsoft network settings from the computer running the task sequence. The settings are saved in task sequence variables that will override the default settings you configure on the Apply Network Settings task sequence step. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For more information about the task sequence variables for this action, see Capture Network Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the action taken in this step.

Name

Description Provides more detailed information about the action taken in this step.

Migrate domain and workgroup membership Captures the domain and workgroup membership information of the destination computer.

Migrate network adapter configuration Captures the network adapter configuration of the destination computer. The captured information includes the global network settings, the number of adapters, and the network settings associated with each adapter. These settings include settings associated with DNS, WINS, IP, and port filters.

2111

Capture Operating System Image

Use the Capture Operating System Image task sequence step to capture one or more images from a reference computer and store them in a WIM file on the specified network share. The Add Operating System Image Package Wizard can then be used to import this .WIM file into Configuration Manager so that it can be used for image-based operating system deployments. Each volume (drive) on the reference computer is captured as a separate image within the .wim file. If the referenced computer has multiple volumes, the resulting WIM file will contain a separate image for each volume. Only volumes that are formatted as NTFS or FAT32 are captured. Volumes with other formats and USB volumes are skipped. The installed operating system on the reference computer must be a version of Windows that is supported by Configuration Manager and must have been prepared by using the SysPrep tool. The installed operating system volume and the boot volume must be the same volume. You must also enter a Windows account that has write permissions to the network share that you selected. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Capture Operating System Image Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Target File system pathname to the location that Configuration Manager uses when storing the captured operating system image.

Description An optional user-defined description of the captured operating system image that is
2112

stored in the .WIM file.

Version An optional user-defined version number to assign to the captured operating system image. This value can be any combination of letters and numbers and is stored in the .WIM file.

Created by The optional name of the user that created the operating system image and is stored in the WIM file.

Capture operating system image account You must enter the Windows account that has permissions to the network share you specified. Click Set to specify the name of that Windows account.

Capture User State

Use the Capture User State task sequence step to use the User State Migration Tool (USMT) to capture user state and settings from the computer running the task sequence. This task sequence step is used in conjunction with the Restore User State task sequence step. With USMT 3.0.1 and later, this option always encrypts the USMT state store by using an encryption key generated and managed by Configuration Manager. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can also use the Capture User State task sequence step with the Request State Store and Release State Store task sequence steps if you want to save the state settings to or restore settings from a state migration point in the Configuration Manager site. The Capture User State task sequence step provides control over a limited subset of the most commonly used USMT options. Additional command-line options can be specified using the OSDMigrateAdditionalCaptureOptions task sequence variable. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Capture User State Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions:
2113

Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

User state migration tool package Enter the Configuration Manager package that contains the version of USMT for this task sequence step to use when capturing the user state and settings. This package does not require a program. When the task sequence step is run, the task sequence will use the version of USMT in the package you specify. Specify a package containing the 32-bit or x64 version of USMT depending upon the architecture of the operating system from which you are capturing the state. Note USMT versions 3.0.1 and 4.0 are supported depending on the version of Windows that you are deploying.

Capture all user profiles with standard options Select this option to migrate all user profile information. This option is selected by default. If you select this option, but do not select the option to Restore local computer user profiles in the Restore User State task sequence step, the task sequence will fail because Configuration Manager cannot migrate the new accounts without assigning them passwords. Also, if you use the New Task Sequence wizard and create a task sequence to Install an existing image package, the resulting task sequence defaults to Capture all user profiles with standard options, but does not select the option to Restore local computer user profiles (i.e. non-domain accounts). Select Restore local computer user profiles and provide a password for the account to be migrated. In a manually created task sequence, this setting is found under the Restore User State step. In a task sequence created by the New Task Sequence wizard, this setting is found under the step Restore User Files and Settings wizard page. If you have no local user accounts, this does not apply.

2114

Customize how user profiles are captured Select this option to specify a custom profile file migration. Click Files to select the configuration files for USMT to use with this step. You must specify a custom .xml file that contains rules that define the user state files to migrate.

Click here to select configuration files: Select this option to select the configuration files in the USMT package you want to use for capturing user profiles. Click the Files button to launch the Configuration Files dialog box. To specify a configuration file, enter the name of the file on the Filename line and click the Add button.

Enable verbose logging Enable this option to generate more detailed log file information. When capturing state, the log Scanstate.log is generated and stored in the task sequence Log folder in the \windows\system32\ccm\logs folder by default.

Skip files using encrypted file system Enable this option if you want to skip capturing files that are encrypted with the Encrypted File System (EFS), including profile files. Depending on the operating system and the USMT version, encrypted files might not be readable after you restore. For more information, see the USMT documentation.

Copy by using file system access Enable this option to specify any of the following settings: Continue if some files cannot be captured: Enable this setting to continue the migration process even if some files cannot be captured. If you disable this option, if a file cannot be captured then the task sequence step will fail. This option is enabled by default. Capture locally by using links instead of by copying files: Enable this setting to use NTFS hard-links to capture files. This setting cannot be specified if you are using versions of USMT that are earlier than USMT 4.0. For more information about migrating data using hard-links, see Hard-Link

Migration Store
Capture in off-line mode (Windows PE only): Enable this setting to capture the user state while in Windows PE instead of the full operating system. This setting cannot be specified if you are using versions of USMT that are earlier than USMT 4.0. For more information about USMT 4.0 and off-line mode, see Offline Migration

2115

Capture by using Volume Copy Shadow Services (VSS) This option allows you to capture files even if they are locked for editing by another application, This option cannot be specified if you are using versions of USMT that are earlier than USMT 4.0.

Capture Windows Settings

Use the Capture Windows Settings task sequence step to capture the Windows settings from the computer running the task sequence. The settings are saved in task sequence variables that will override the default settings you configure on the Apply Windows Settings task sequence step. This task sequence step runs in either Windows PE or a standard operating system. For more information about the task sequence variables for this action, see Capture Windows Settings Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Migrate computer name Select this option to capture the NetBIOS computer name of the computer.

Migrate registered user and organization names Select this option to capture the registered user and organization names from the computer.

2116

Migrate time zone Select this option to capture the time zone setting on the computer.

Check Readiness
This task sequence step was added in System Center 2012 R2 Configuration Manager. Use the Check Readiness task sequence step to verify that the target computer meets the specified deployment prerequisite conditions.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. For this step, do not select this setting or the step will only log the readiness checks and not stop the task sequence when a check fails. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Ensure minimum memory (MB) Select this setting to verify the amount of memory, in megabytes, installed on the target computer meets or exceeds the amount specified. By default, this setting is selected.

Ensure minimum processor speed (MHz) Select this setting to verify that the speed of the processor, in megahertz (MHz), installed in the target computer meets or exceeds the amount specified. By default, this setting is selected.

Ensure minimum free disk space (MB) Select this setting to verify that the amount of free disk space, in megabytes, on the target computer meets or exceeds the amount specified.

2117

Ensure current OS to be refreshed is Select this setting to verify that the operating system installed on the target computer meets the requirement that you specify. By default, this setting is selected with a value of CLIENT.

Connect To Network Folder

Use the Connect to Network Folder task sequence action to create a connection to a shared network folder. This task sequence step runs in a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Connect to Network Folder Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.

Convert Disk to Dynamic

Use the Convert Disk to Dynamic task sequence step to convert a physical disk from a basic disk type to a dynamic disk type. This step runs in either a standard operating system or Windows PE. For more information about the task sequence variables for this action, see Convert Disk to Dynamic Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

2118

Description More detailed information about the action taken in this step.

Disk Number The physical disk number of the disk that will be converted.

Disable BitLocker
Use the Disable BitLocker task sequence step to disable the BitLocker encryption on the current operating system drive, or on a specific drive. This action leaves the key protectors visible in clear text on the hard drive, but it does not decrypt the contents of the drive. Consequently this action is completed almost instantly. Note BitLocker drive encryption provides low-level encryption of the contents of a disk volume. If you have multiple drives encrypted, you must disable BitLocker on any data drives before disabling BitLocker on the operating system drive. This step runs only in a standard operating system. It does not run in Windows PE. Note You can use BitLocker only for client computers running Windows Vista SP2 or later and Windows Server 2008 SP2 or later.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the action taken in this step.

Name

Description Provides more detailed information about the action taken in this step.

Current operating system drive Disables BitLocker on the current operating system drive.

2119

Specific drive Disables BitLocker on a specific drive. Use the drop-down list to specify the drive where BitLocker is disabled.

Enable BitLocker
Use the Enable BitLocker task sequence step to enable BitLocker encryption on at least two partitions on the hard drive. The first active partition contains the Windows bootstrap code. Another partition contains the operating system. The bootstrap partition must remain unencrypted. Starting in Configuration Manager SP1, you can use the Pre-provision BitLocker task sequence step to enable BitLocker on a drive while in Windows PE. For more information, see the Preprovision BitLocker section in this topic. Note BitLocker drive encryption provides low-level encryption of the contents of a disk volume. The Enable BitLocker step runs only in a standard operating system. It does not run in Windows PE. For more information about the task sequence variables for this action, see Enable BitLocker Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Note BitLocker is used with computers running Windows Vista SP2 or later and Windows Server 2008 SP2 or later. The Trusted Platform Module (TPM) must be in the following state when you specify TPM Only, TPM and Startup Key on USB or TPM and PIN, before you can run the Enable BitLocker step: Enabled Activated Ownership Allowed

The task sequence step can complete any remaining TPM initialization, because the remaining steps do not require physical presence or reboots. The remaining TPM initialization steps which can be completed transparently by Enable BitLocker (if necessary) include: Create endorsement key pair Create owner authorization value and escrow to Active Directory, which must have been extended to support this value Take ownership Create the storage root key, or reset if already present but incompatible

If you want the Enable BitLocker step to wait until the drive encryption process has been completed before continuing with the next step in the task sequence, select the Wait check box. If
2120

you do not select the Wait check box, the drive encryption process will be performed in the background and task sequence execution will proceed immediately to the next step. BitLocker can be used to encrypt multiple drives on a computer system (both operating system and data drives). To encrypt a data drive, the operating system must already be encrypted and the encryption process must be completed, because the key protectors for the data drives are stored on the operating system drive. As a result, if you encrypt the operating system drive and the data drive in the same process, the wait option must be selected for the step that enables BitLocker for the operating system drive. If the hard drive is already encrypted but BitLocker is disabled then Enable BitLocker re-enables the key protector or protectors and will be completed almost instantly. Re-encryption of the hard drive is not necessary in this case. For more information about the task sequence variables for this action, see Enable BitLocker Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a descriptive name for this task sequence step.

Name

Description Allows you to optionally enter a description for this task sequence step.

Choose the drive to encrypt Specifies the drive to encrypt. To encrypt the current operating system drive, select Current operating system drive and then configure one of the following options for key management: TPM only: Select this option to use only Trusted Platform Module (TPM). Startup Key on USB only: Select this option to use a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is attached to the computer. TPM and Startup Key on USB: Select this option to use TPM and a startup key stored on a USB flash drive. When you select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker startup key is
2121

attached to the computer. TPM and PIN: For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Select this option to use TPM and a personal identification number (PIN). When you select this option, BitLocker locks the normal boot process until the user provides the PIN.

To encrypt a specific, non-operating system data drive, select Specific drive, and then select the drive from the list.

Chose where to create the recovery key To specify where the recovery password is created, select In Active Directory to escrow the password in Active Directory. If you select this option you must extend Active Directory for the site so that the associated BitLocker recovery information is saved. You can decide to not create a password at all by selecting Do not create recovery key. However, creating a password is a best practice.

Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution Select this option to allow the BitLocker drive encryption to be completed prior to running the next step in the task sequence. If this option is selected the entire disk volume will be encrypted before the user is able to log in to the computer. The encryption process can take hours to be completed when a large hard drive is being encrypted. Not selecting this option will allow the task sequence to proceed immediately.

Format and Partition Disk

Use the Format and Partition Disk task sequence step to format and partition a specified disk on the destination computer. Important Every setting you specify for this task sequence step applies to a single specified disk. If you want to format and partition another disk on the destination computer, you must add an additional Format and Partition Disk task sequence step to the task sequence. This task sequence step runs only in Windows PE. It does not run in a standard operating system. For more information about the task sequence variables for this action, see Format and Partition Disk Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section.
2122

In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Disk Number The physical disk number of the disk that will be formatted. The number is based on Windows disk enumeration ordering.

Disk Type The type of the disk that is formatted. There are two options to select from the dropdown list: Standard(MBR) Master Boot Record. GPT GUID Partition Table Note If you change the disk type from Standard (MBR) to GPT, and the partition layout contains an extended partition, all extended and logical partitions will be removed from the layout. You will be prompted to confirm this action before changing the disk type.

Volume Specific information about the partition or volume that will be created, including the following: Name Remaining disk space

To create a new partition, click New to launch the Partition Properties dialog box. You can specify the partition type and size, and specify if this will be a boot partition. To modify an existing partition, click the partition to be modified and then click the properties button. For more information about how to configure hard drive partitions, see one of the following:

How to Configure UEFI/GPT-Based Hard Drive Partitions How to Configure BIOS/MBR-Based Hard Drive Partitions

To delete a partition, select the partition to be deleted and then click Delete.
2123

Install Application
Use the Install Application task sequence step to install applications as part of the task sequence. This step can install a set of applications that are specified by the task sequence step or a set of applications that are specified by a dynamic list of task sequence variables. When this step is run, the application installation begins immediately without waiting for a policy polling interval. The applications that are installed must meet the following criteria: It must run under the local system account and not the user account. It must not interact with the desktop. The program must run silently or in an unattended mode. It must not initiate a restart on its own. The application must request a restart by using the standard restart code, a 3010 exit code. This ensures that the task sequence step will handle the restart correctly. If the application does return a 3010 exit code, the underlying task sequence engine performs the restart. After the restart, the task sequence automatically continues.

When the Install Application step runs, the application checks the applicability of the requirement rules and detection method on the deployment types of the application. Based on the results of this check, the application installs the applicable deployment type. If a deployment type contains dependencies, the dependent deployment type is evaluated and installed as part of the install application step. Application dependencies are not supported for stand-alone media. Note To install an application that supersedes another application, the content files for the superseded application must be available or the task sequence step will fail. For example, Microsoft Visio 2010 is installed on a client or in a captured image. When the Install Application task sequence step is run to install Microsoft Visio 2013, the content files for Microsoft Visio 2010 (the superseded application) must be available on a distribution point or the task sequence will fail. A client or captured image without Microsoft Visio installed will complete the Microsoft Visio 2013 installation without checking for the Microsoft Visio 2010 content files. This task sequence step runs only in a standard operating system. It does not run in Windows PE.

Details
On the Properties tab for this step, you can configure the settings that are described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step.
2124

Specify conditions that must be met for the step to run.

A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Install the following applications This setting specifies the applications that are installed in the order that they are specified. Configuration Manager will filter out any disabled applications or any applications with the following settings. These applications will not appear in the Select the application to install dialog box. Only when a user is logged on Run with user rights

Install applications according to dynamic variable list This setting specifies the base name for a set of task sequence variables that are defined for a collection or for a computer. These variables specify the applications that will be installed for that collection or computer. Each variable name consists of its common base name plus a numerical suffix starting at 01. The value for each variable must contain the name of the application and nothing else. For applications to be installed by using a dynamic variable list, the following setting must be enabled on the General tab of the applications Properties dialog box: Allow this application to be installed from the Install Application task sequence action instead of deploying manually Note You cannot install applications by using a dynamic variable list for stand-alone media deployments. For example, to install a single application by using a task sequence variable called AA01, you specify the following variable: Variable Name Variable Value

AA01

Microsoft Office

To install two applications, you would specify the following variables:

2125

Variable Name

Variable Value

AA01 AA02
The following conditions will affect what is installed:

Microsoft Lync Microsoft Office

If the value of a variable contains any information other than the name of the application. That application is not installed and the task sequence continues. If no variable with the specified base name and "01" suffix are found, no applications are installed. When you select Continue on error on the Options tab of the task sequence step, the task sequence continues when an application fails to install. When the setting is not selected, the task sequence fails and will not install remaining applications.

If an application fails, continue installing other applications in the list This setting specifies that the step continues if an individual application installation fails. If this setting is specified, the task sequence will continue regardless of any installation errors that are returned. If this is not specified an installation fails, the task sequence step will end immediately.

Install Deployment Tools

Use the Install Deployment Tools task sequence step to install the Configuration Manager package that contains the Sysprep deployment tools.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

2126

Sysprep Package This setting specifies the Configuration Manager package that contains the Sysprep deployment tools for the following operating systems: Windows XP SP3 Windows XP X64 SP2 Windows Server 2003 SP2

Install Package
Use the Install Package task sequence step to install software as part of the task sequence. When this step is run, the installation begins immediately without waiting for a policy polling interval The software that is installed must meet the following criteria: It must run under the local system account and not the user account. It should not interact with the desktop. The program must run silently or in an unattended mode. It must not initiate a restart on its own. The software must request a restart using the standard restart code, a 3010 exit code. This ensures that the task sequence step will properly handle the restart. If the software does return a 3010 exit code, the underlying task sequence engine will perform the restart. After the restart, the task sequence will automatically continue.

Programs that use the Run another program first option to install a dependent program are not supported when deploying an operating system. If Run another program first is enabled for the software and the dependent program has already been run on the destination computer, the dependent program will be run and the task sequence will continue. However, if the dependent program has not already been run on the destination computer, the task sequence step will fail. Note The central administration site does not have the necessary client configuration policies that are required to enable the software distribution agent during the execution of the task sequence. When you create stand-alone media for a task sequence at the central administration site, and the task sequence includes an Install Package step, the following error might appear in the CreateTsMedia.log file:
WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, you must create the standalone media at a primary site that has the software distribution agent enabled or add a Run Command Line step after the Setup Windows and ConfigMgr step and before the first Install Package step. The Run Command Line step runs a WMIC command to enable the software distribution agent before the first Install package step runs. You can use the following in your Run Command Line task sequence step:

2127

Command Line: WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local", PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE For more information about creating stand-alone media, see How to Create Stand-alone Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic. This task sequence step runs only in a standard operating system. It does not run in Windows PE.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Install a single software package This setting specifies a Configuration Manager software package. The step will wait until the installation is complete.

Install software packages according to dynamic variable list This setting specifies the base name for a set of task sequence variables that are defined for a collection or for a computer. These variables specify the packages that will be installed for that collection or computer. Each variable name consists of its common base name plus a numerical suffix starting at 001. The value for each variable must contain a package ID and the name of the software separated by a colon. For software to be installed by using a dynamic variable list, the following setting must be enabled on the Advanced tab of the packages Properties dialog box: Allow this program to be installed from the Install Package task sequence without being deployed Note You cannot install software packages by using a dynamic variable list for stand-alone media
2128

deployments. For example, to install a single software package by using a task sequence variable called AA001, you specify the following variable: Variable Name Variable Value

AA001

CEN00054:Install

To install three software packages, you would specify the following variables: Variable Name Variable Value

AA001 AA002 AA003

The following conditions will affect what is installed:

CEN00054:Install CEN00107:Install Silent CEN00031:Install

If the value of a variable is not created in the correct format or it does not specify a valid application ID and name, the installation of the software will fail. If the package Id contains lowercase characters, the installation of that software will fail. If no variables with the specified base name and "001" suffix are found, no packages are installed and the task sequence continues.

If installation of a software package fails, continue installing other packages in the list This setting specifies that the step continues if an individual software package installation fails. If this setting is specified, the task sequence will continue regardless of any installation errors that are returned. If this is not specified an installation fails, the task sequence step will end immediately.

Install Software Updates

Use the Install Software Updates task sequence step to install software updates on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that time, the destination computer is evaluated for software updates like any other Configuration Manager-managed client. In particular, this step installs only the software updates that are targeted to collections of which the computer is currently a member. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Install
2129

Software Updates Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic. Important This task sequence step cannot suppress restarts if the software update indicates that a restart is required. If you install software updates on a computer that is in a production environment and you need to suppress a restart, do not use a task sequence to install the software update. Use the software update feature of Configuration Manager to install the software update. For more information about the install software update feature, see Software Updates in Configuration Manager.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Mandatory software updates Select this option to install all software updates flagged in Configuration Manager as mandatory for the destination computers that receive the task sequence. Mandatory software updates have administrator-defined deadlines for installation.

All software updates Select this option to install all available software updates targeting the Configuration Manager collection that will receive the task sequence. All available software updates will be installed on the destination computers.

Join Domain or Workgroup

Use the Join Domain or Workgroup task sequence step to add the destination computer to a workgroup or domain.

2130

This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Join Domain or Workgroup Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Join a workgroup Select this option to have the destination computer join the specified workgroup. If the computer is currently a member of a domain, selecting this option will cause the computer to reboot.

Join a domain Select this option to have the destination computer join the specified domain. Optionally, enter or browse for an organizational unit (OU) in the specified domain for the computer to join. If the computer is currently a member of some other domain or a workgroup, this will cause the computer to reboot. If the computer is already a member of some other OU, Active Directory Domain Services does not allow you to change the OU and this setting is ignored.

Enter the account which has permission to join the domain Click Set to enter an account and password that has permissions to join the domain. The account must be entered in the following format: Domain\account

2131

Prepare ConfigMgr Client for Capture

Use the Prepare ConfigMgr Client for Capture step to take the Configuration Manager client on the reference computer and prepares it for capture as part of the imaging process by performing the following tasks: Removes the client configuration properties section from the smscfg.ini file in the Windows directory. These properties include client-specific information including the Configuration Manager GUID and other client identifiers. Deletes all SMS or Configuration Manager machine certificates. Deletes the Configuration Manager client cache. Clears the assigned site variable for the Configuration Manager client. Deletes all local Configuration Manager policy. Removes the trusted root key for the Configuration Manager client.

This task sequence step runs only in a standard operating system. It does not run in Windows PE.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Prepare Windows for Capture

Use the Prepare Windows for Capture task sequence step to specify the Sysprep options to use when capturing an operating system image on the reference computer. This task sequence action runs Sysprep and then reboots the computer into Windows PE boot image specified for the task sequence. The reference computer must not be joined to a domain for this action to be completed successfully. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Prepare

2132

Windows for Capture Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Automatically build mass storage driver list Select this option to have Sysprep automatically build a list of mass storage drivers from the reference computer. This option enables the Build Mass Storage Drivers option in the sysprep.inf file on the reference computer. For more information about this setting, refer to the Sysprep documentation.

Do not reset activation flag Select this option to prevent Sysprep from resetting the product activation flag.

Pre-provision BitLocker
This task sequence step was added in System Center 2012 Configuration Manager SP1 Use the Pre-provision BitLocker task sequence step to enable BitLocker on a drive while in Windows PE. Only the used drive space is encrypted, and therefore, encryption times are much faster. You apply the key management options by using the Enable BitLocker task sequence step after the operating system installs. This step runs only in Windows PE. It does not run in a standard operating system. Important To pre-provision BitLocker, you must deploy a minimum operating system of Windows 7 and TPM must be supported and enabled on the computer.

2133

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specify a short user-defined name that describes the action taken in this step.

Name

Description Specify detailed information about the action taken in this step.

Apply BitLocker to the specified drive Specify the drive for which you want to enable BitLocker. Only the used space on the drive is encrypted.

Skip this step for computers that do not have a TPM or when TPM is not enabled Select this option to skip the drive encryption when the computer hardware does not support TPM or when TPM is not enabled. For example, you can use this option when you deploy an operating system to a virtual machine.

Release State Store

Use the Release State Store task sequence step to notify the state migration point that the capture or restore action is complete. This step is used in conjunction with the Request State Store, Capture User State, and Restore User State task sequence steps to migrate user state data using a state migration point and the User State Migration Tool (USMT). For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. If you requested access to a state migration point to capture user state in the Request State Store task sequence step, this step notifies the state migration point that the capture process is complete and that the user state data is available to be restored. The state migration point sets the access control permissions for the captured state so that it can only be accessed (as readonly) by the restoring computer. If you requested access to a state migration point to restore user state in the Request State Store task sequence step, this task sequence step notifies the state migration point that the

2134

restore process is complete. At this point, whatever retention settings you configured for the state migration point are activated. Important It is a best practice to set Continue on Error on any task sequence steps between the Request State Store step and Release State Store step so that every Request State Store task sequence action has a matching Release State Store task sequence action. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about task sequence variables for this task sequence action, see Release State Store Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Request State Store

Use the Request State Store task sequence step to request access to a state migration point when capturing state from a computer or restoring state to a computer. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can use the Request State Store task sequence step in conjunction with the Release State Store, Capture User State, and Restore User State task sequence steps to migrate computer state using a state migration point and the User State Migration Tool (USMT). Note If you have just established a new state migration point site role (SMP), it can take up to one hour to be available for user state storage. To expedite the availability of the SMP you can adjust any state migration point property setting to trigger a site control file update.
2135

This task sequence step runs in a standard operating system and in Windows PE for offline USMT. For information about the task sequence variables for this task sequence action, see Request State Store Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

Capture state from the computer Finds a state migration point that meets the minimum requirements as configured in the state migration point settings (maximum number of clients and minimum amount of free disk space) but it does not guarantee sufficient space is available at the time of state migration. Selecting this option will request access to the state migration point for the purpose of capturing the user state and settings from a computer. If the Configuration Manager site has multiple state migration points enabled, this task sequence step finds a state migration point that has disk space available by querying the site's management point for a list of state migration points, and then evaluating each until it finds one that meets the minimum requirements.

Restore state from another computer Select this option to request access to a state migration point for the purpose of restoring previously captured user state and settings to a destination computer. If the Configuration Manager site has multiple state migration points, this task sequence step finds the state migration point that has the computer state that was stored for the destination computer.

Number of retries The number of times that this task sequence step will try to find an appropriate state

2136

migration point before failing.

Retry delay (in seconds) The amount of time in seconds that the task sequence step waits between retry attempts.

If computer account fails to connect to a state store, use the network access account. Specifies that the Configuration Manager network access account credentials will be used to connect to the state migration point if the Configuration Manager client cannot access the SMP state store using the computer account. This option is less secure because other computers could use the network access account to access your stored state, but might be necessary if the destination computer is not domain joined.

Restart Computer
Use the Restart Computer task sequence step to restart the computer running the task sequence. After the restart, the computer will automatically continue with the next step in the task sequence. This step can be run in either a standard operating system or Windows PE. For more information about the task sequence variables for this task sequence action, see Restart Computer Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name that describes the action taken in this step.

Name

Description More detailed information about the action taken in this step.

2137

The boot image assigned to this task sequence Select this option for the destination computer to use the boot image that is assigned to the task sequence. The boot image will be used to run subsequent task sequence steps that run in Windows PE.

The currently installed default operating system Select this option for the destination computer to reboot into the installed operating system.

Notify the user before restarting Select this option to display a notification to the user that the destination computer will be restarted. This option is selected by default.

Notification message Enter a notification message that is displayed to the user before the destination computer is restarted.

Message display time-out Specify the amount of time in seconds that a user will be given before the destination computer is restarted. The default amount of time is sixty (60) seconds.

Restore User State

Use the Restore User State task sequence step to initiate the User State Migration Tool (USMT) to restore user state and settings to the destination computer. This task sequence step is used in conjunction with the Capture User State task sequence step. For more information about managing the user state when deploying operating systems, see How to Manage the User State in Configuration Manager. You can also use the Restore User State task sequence step with the Request State Store and Release State Store task sequence steps if you want to save the state settings to or restore settings from a state migration point in the Configuration Manager site. With USMT 3.0 and above, this option always decrypts the USMT state store by using an encryption key generated and managed by Configuration Manager. The Restore User State task sequence step provides control over a limited subset of the most commonly used USMT options. Additional command-line options can be specified by using the OSDMigrateAdditionalRestoreOptions task sequence variable. Important
2138

If you are using the Restore User State task sequence step for a purpose unrelated to an operating system deployment scenario, add the Restart Computer task sequence step immediately following the Restore User State task sequence step. This task sequence step runs only in a standard operating system. It does not run in Windows PE. For information about the task sequence variables for this task sequence action, see Restore User State Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the action taken in this step.

Name

Description Specifies more detailed information about the action taken in this step.

User state migration tool package Enter the Configuration Manager package that contains the version of USMT for this step to use when restoring the user state and settings. This package does not require a program. When the task sequence step is run, the task sequence will use the version of USMT in the package you specify. Specify a package containing the 32-bit or x64 version of USMT depending upon the architecture of the operating system to which you are restoring the state.

Restore all captured user profiles with standard options Restores the captured user profiles with the standard options. To customize the options that will be restored, select Customize user profile capture.

Customize how user profiles are restored Allows you to customize the files that you want to restore to the destination computer. Click Files to specify the configuration files in the USMT package you want to use for restoring the user profiles. To add a configuration file, enter the name of the file in the Filename box, and then click Add. The configuration files that will be used for the operation are listed in the Files pane. The .xml file you specify defines which user file
2139

will be restored.

Restore local computer user profiles Restores the local computer user (i.e. not domain user) profiles. You will need to assign new passwords to the restored local user accounts because the original local user account passwords cannot be migrated. Enter the new password in the Password box, and confirm the password in the Confirm Password box.

Continue if some files cannot be restored Continues restoring user state and settings even if some files are unable to be restored. This option is enabled by default. If you disable this option and errors are encountered while restoring files, the task sequence step will end immediately with a failure and not all files will be restored.

Enable verbose logging Enable this option to generate more detailed log file information. When restoring state, the log Loadstate.log is generated and stored in the task sequence log folder in the \windows\system32\ccm\logs folder by default.

Run Command Line

Use the Run Command Line task sequence step to run a specified command line. This step can be run in a standard operating system or Windows PE. For information about task sequence variables for this task sequence action, see Run Command Line Task Sequence Action Variables in the Task Sequence Action Variables in Configuration Manager topic.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the command line that is run.

Name

2140

Description Specifies more detailed information about the command line that is run.

Command line Specifies the command line that is run. This field is required. Including file name extensions are a best practicefor example, .vbs and .exe. Include all required settings files, command-line options, or switches. If the file name does not have a file name extension specified, Configuration Manager tries .com, .exe, and .bat. If the file name has an extension that is not an executable, Configuration Manager tries to apply a local association. For example, if the command line is readme.gif, Configuration Manager starts the application specified on the destination computer for opening .gif files. Examples: setup.exe /a cmd.exe /c copy Jan98.dat c:\sales\Jan98.dat Note Command-line actions, such as output redirection, piping, or copyas in the preceding examplemust be preceded by the cmd.exe /c command to run successfully.

Disable 64-bit file system redirection By default, when running on a 64-bit operating system, the executable in the command line is located and run using the WOW64 file system redirector so that 32-bit versions of operating system executables and DLLs are found. Selecting this option disables the use of the WOW64 file system redirector so that native 64-bit versions of operating system executables and DLLs can be found. Selecting this option has no effect when running on a 32-bit operating system.

Start in Specifies the executable folder for the program, up to 127 characters. This folder can be an absolute path on the destination computer or a path relative to the distribution point folder that contains the package. This field is optional. Examples: c:\officexp i386 Note The Browse button browses the local computer for files and folders, so anything you select this way must also exist on the destination computer in the same location and with the same file and folder names.
2141

Package When you specify files or programs on the command line that are not already present on the destination computer, select this option to specify the Configuration Manager package that contains the appropriate files. The package does not require a program. This option is not required if the specified files exist on the destination computer.

Time-out Specifies a value that represents how long Configuration Manager will allow the command line to run. This value can be from 10 minutes to 999 minutes. The default value is 15 minutes. This option is disabled by default. Important If you enter a value that does not allow enough time for the Run Command Line task sequence step to complete successfully, the task sequence step will fail and the entire task sequence could fail depending on other control settings. If the time-out expires, Configuration Manager will terminate the command-line process.

Run this step as the following account Specifies that the command line is run as a Windows user account other than the local system account.

Account Specifies the Run As Windows user account for the command-line task in the task sequence to be run by this action. The command line will be run with the permissions of the specified account. Click Set to specify the local user or domain account. Important If a Run Command Line task sequence action specifying a user account is executed while in Windows PE, the action will fail because Windows PE cannot be joined to a domain. The failure will be recorded in the smsts.log file.

Run PowerShell Script

This task sequence step was added in System Center 2012 R2 Configuration Manager. Use the Run PowerShell Script task sequence step to run a specified PowerShell script. This step can be run in a standard operating system or Windows PE. To run this step in Windows PE, PowerShell must be enabled in the boot image. You can enable Windows
2142

PowerShell (WinPE-PowerShell) from the Optional Components tab in the properties for the boot image. For more information about how to modify a boot image, see the How to Modify a Boot Image section in the How to Manage Boot Images in Configuration Manager topic. Note PowerShell is not enabled by default on Windows Embedded operating systems.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the command line that is run.

Name

Description Specifies more detailed information about the command line that is run.

Package Specify the Configuration Manager package that contains the PowerShell script. One package can contain multiple PowerShell scripts.

Script name Specifies the name of the PowerShell script to run. This field is required.

Parameters Specifies the parameters to be passed to the Windows PowerShell script. Configure the parameters as if you were adding them to the Windows PowerShell script from a command line. Important Provide parameters consumed by the script, not for the Windows PowerShell command line. The following example contains valid parameters: -MyParameter1 MyValue1 -MyParameter2 MyValue2 The following example contains invalid parameters. The bold items are Windows PowerShell command-line parameters (-nologo and executionpolicy unrestricted) and not consumed by the script.
2143

-nologo -executionpolicy unrestricted -File MyScript.ps1 -MyParameter1 MyValue1 MyParameter2 MyValue2

PowerShell execution policy Select the PowerShell execution policy enables you to determine which Windows PowerShell scripts (if any) will be allowed to run on the computer. Choose one of the following execution policies: AllSigned: Only scripts signed by a trusted publisher can be run. Undefined: No execution policy is defined. . Bypass: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are not prompted for permission before it runs. Important PowerShell 1.0 does not support Undefined and Bypass execution policies.

Set Dynamic Variables

This task sequence step was added in System Center 2012 R2 Configuration Manager. Use the Set Dynamic Variables task sequence step to perform the following: 1. Gather information from the computer and the environment that it is in, and then set specified task sequence variables with the information. 2. Evaluate defined rules and set task sequence variables based on the variables and values configured for rules that evaluate to true. This step can be run in either a standard operating system or Windows PE. For more information about task sequence variables, see

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name for this task sequence step.

Name

Description More detailed information about the action taken in this step.
2144

Dynamic rules and variables To set a dynamic variable to use in the task sequence, you can add a rule and then specify a value for each variable that you specify for the rule or add one or more variables to set without adding a rule. When you add a rule, you can choose from the following rule categories: Computer: Use this rule category to evaluate values for Asset tag, UUID, serial number, or mac address. You can set multiple values, and if any value is true, then the rule will evaluate to true. For example, the following rule evaluates to true if the Serial Number is 5892087 regardless of whether the MAC address equals 26-7813-5A-A4-22.
IF Serial Number = 5892087 OR MAC address = 26-78-13-5A-A4-22 THEN

Location: Use this rule category to evaluate values for the default gateway. Make and Model: Use this rule category to evaluate values for the make and model of a computer. Both the make and model must evaluate to true for the rule to evaluate to true. Task Sequence Variable: Use this rule category to add a task sequence variable, condition, and value to evaluate. The rule evaluates to true when the value set for the variable meets the specified condition.

You can specify one or more variables that will be set for a rule that evaluates to true or set variables without using a rule. You can select from existing variables or create a custom variable. Existing task sequence variables: Use this setting to select one or more variables from a list of existing task sequence variables. Array variables are not available to select. Custom task sequence variables: Use this setting to define a custom task sequence variable. You can also specify an existing task sequence variable. This is useful to specify an existing variable array, such as OSDAdapter, since variable arrays are not in the list of existing task sequence variables.

After you select the variables for a rule, you must provide a value for each variable. The variable is set to the specified value when the rule evaluates to true. For each variable, you can select Secret value to hide the value of the variable. By default, some existing variables hide values, such as the OSDCaptureAccountPassword task sequence variable. Important When you import a task sequence with the Set Dynamic Variables step, and Secret value is selected for the value of the variable, the value is removed when you import the task sequence. As a result, you must re-enter the value for the dynamic variable after you import the task sequence.

2145

Set Task Sequence Variable

Use the Set Task Sequence Variable task sequence step to set the value of a variable that is used with the task sequence. This step can be run in either a standard operating system or Windows PE. Task sequence variables are read by task sequence actions and specify the behavior of those actions. For more information about specific task sequence variables, see Task Sequence Action Variables in Configuration Manager.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
A short user-defined name for this task sequence step.

Name

Description More detailed information about the action taken in this step.

Task sequence variable A user-defined name for the task sequence variable.

Value The value that is associated with the task sequence variable. The value could be another task sequence variable in %<varname>% syntax.

Setup Windows and ConfigMgr

Use the Setup Windows and ConfigMgr task sequence step to perform the transition from Windows PE to the new operating system. This task sequence step is a required part of any operating system deployment. It installs the Configuration Manager client into the new operating system and prepares for the task sequence to continue execution in the new operating system. This step runs only in WindowsPE. It does not run in a standard operating system. For more information about task sequence variables for this task sequence action, see Setup Windows and ConfigMgr Task Sequence Action Variables.
2146

The Setup Windows and ConfigMgr task sequence action replaces sysprep.inf or unattend.xml directory variables, such as %WINDIR% and %ProgramFiles%, with the WindowsPE installation directory X:\Windows. Task sequence variables specified by using these environment variables will be ignored. Use this task sequence step to perform the following actions: 1. Preliminaries: WindowsPE a. Performs task sequence variable substitution in the sysprep.inf (operating systems earlier than Windows Vista) or the unattend.xml (Windows Vista SP2, Windows Server 2008 SP2, and later operating systems) file. b. Downloads the package that contains the Configuration Manager client and puts it in the deployed image. 2. Set up Windows a. Image-based installation. i. ii. Disables the Configuration Manager client in the image (that is, disables Autostart for the Configuration Manager client service). Updates the registry in the deployed image to ensure that the deployed operating system starts with the same drive letter that it had on the reference computer.

iii. Restarts in the deployed operating system. iv. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml file that has all end-user interaction suppressed. Note: If Apply Network Settings specified to join a domain, then that information is in the sysprep.inf or unattend.xml file, and Windows mini-setup performs the domain join. b. Setup.exe-based installation. Runs Setup.exe (Windows Vista SP2 and later operating systems) or WinNT32.exe (operating systems earlier than Windows Vista) which follows the typical Windows setup process: i. ii. Copies the operating system install package specified in an earlier Apply Operating System task sequence to the hard disk drive. Restarts in the newly deployed operating system.

iii. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml file that has all user interface settings suppressed. Note: If Apply Network Settings specified to join a domain, then that information is in the sysprep.inf or unattend.xml file, and Windows mini-setup performs the domain join. 3. Set up the Configuration Manager client a. After Windows mini-setup finishes, the task sequence resumes by using an alternative graphical identification and authentication (GINA) library (earlier than Windows Vista) or setupcomplete.cmd (Windows Vista and later). b. Enables or disables the local administrator account, based on the option selected in the Apply Windows Settings step. c. Installs the Configuration Manager client by using the previously downloaded package (1.b) and installation properties specified in the Task Sequence Editor. The client is installed in "provisioning mode" to prevent it from processing new policy requests until the task sequence is completed.
2147

d. Waits for the client to be fully operational. e. If the computer is operating in an environment with Network Access Protection enabled, the client checks for and installs any required updates so that all required updates are present before the task sequence continues running. 4. The task sequence continues running with its next step. Note The Setup Windows and ConfigMgr task sequence action is responsible for running Group Policy on the newly installed computer. The time at which Group Policy is applied during the task sequence action depends on the operating system being deployed. For example, with Windows XP and Windows Server 2003 Group Policy is applied after the Setup Windows and ConfigMgr task sequence action is completed. On Windows Vista and Windows Server 2008, Group Policy is applied after the task sequence is finished.

Details
On the Properties tab for this step, you can configure the settings described in this section. In addition, use the Options tab to do the following actions: Disable the step. Specify if the task sequence continues if an error occurs while running the step. Specify conditions that must be met for the step to run.
Specifies a short user-defined name that describes the action taken in this step.

Name

Description Specifies additional information about the action taken in this step.

Package Specifies the Configuration Manager client installation package that will be used by this task sequence step. Click Browse and select the client installation package that you want to use to install the Configuration Manager client.

Installation Properties Site assignment and the default configuration are automatically specified by the task sequence action. You can use this field to specify any additional installation properties to use when you install the client. To enter multiple installation properties, separate them with a space. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: You can specify command-line options to use during client installation. For example,
2148

you can enter /skipprereq: silverlight.exe to inform CCMSetup.exe not to install the Microsoft Silverlight prerequisite. For more information about available command-line options for CCMSetup.exe, see the CCMSetup.exe Command-Line Properties section in the About Client Installation Properties in Configuration Manager topic.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Task Sequence Scenarios in Configuration Manager

Use the examples in this topic as a guide while you create your own operating system deployment task sequences in System Center 2012 Configuration Manager. These basic task sequence scenarios provide a framework that can be used when writing task sequences for your specific operating system deployment scenarios. To use these examples create a custom task sequence and then use the Task Sequence editor to add task sequence groups and task sequence steps. For more information about creating and editing task sequences, see How to Manage Task Sequences in Configuration Manager.

Stand-alone Media Task Sequence Example

Use the following table as a guide as you create a task sequence to deploy an operating system using stand-alone media. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups. The task sequence that you create might vary from this sample and can contain more or fewer task sequence steps and groups. Note You must always use the Task Sequence Media Wizard to create stand-alone media.
Task Sequence Group or Step Description

Capture File and Settings - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to identify the Microsoft Windows settings that are captured from the existing operating system on the
2149

Capture Windows Settings

Task Sequence Group or Step

Description

destination computer prior to reimaging. You can capture the computer name, user and organizational information, and the time zone settings. Capture Network Settings Use this task sequence step to capture network settings from the computer that receives the task sequence. You can capture the domain or workgroup membership of the computer and the network adapter setting information. Create a task sequence group within a task sequence group. This sub-group contains the steps needed to capture user state data from the existing operating system on the destination computer prior to reimaging. Similar to the initial group that you added, this sub-group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to specify a local location using the protected path task sequence variable. The user state is stored on a protected directory on the hard drive. Use this task sequence step to capture the user files and settings you want to migrate to the new operating system. Create another task sequence sub-group. This sub-group contains the steps needed to install the operating system. Use this task sequence step to specify restart options for the computer that receives this task sequence. This step will display a message to the user indicating that the computer will be restarted so that the installation can continue. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step will continue. Apply Operating System Use this task sequence step to install the operating system image onto the destination
2150

Capture User Files and Settings - (New Task Sequence Sub-Group)

Set Local State Location

Capture User State

Install Operating System - (New Task Sequence Group) Reboot to Windows PE or hard disk

Task Sequence Group or Step

Description

computer. This step deletes all files on that volume (with the exception of Configuration Manager-specific control files) and then applies all volume images contained in the WIM file to the corresponding sequential disk volume. You can also specify a sysprep answer file to configure which disk partition to use for the installation. Apply Windows Settings Use this task sequence step to configure the Windows settings configuration information for the destination computer. The windows settings you can apply are user and organizational information, product or license key information, time zone, and the local administrator password. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You can also specify if the computer uses a DHCP server or you can statically assign the IP address information. Use this task sequence step to make all device drivers in a driver package available for use by Windows setup. All necessary device drivers must be contained on the stand-alone media. Create another task sequence sub-group. This sub-group contains the steps needed to install the Configuration Manager client. Use this task sequence step to install the Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Create another task sequence sub-group. This sub-group contains the steps needed to restore the user state.

Apply Network Settings

Apply Driver Package

Setup Operating System - (New Task Sequence Group) Setup Windows and ConfigMgr

Restore User Files and Settings - (New Task Sequence Group)

2151

Task Sequence Group or Step

Description

Restore User State

Use this task sequence step to initiate the User State Migration Tool (USMT) to restore the user state and settings that were captured from the Capture User State Action to the destination computer.

Install Existing Operating System Image Task Sequence Example

Use the following table as a guide as you create a task sequence that deploys an operating system using an existing operating system image. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups. The task sequence that you create may vary from this sample and can contain more or less task sequence steps and groups. Important You must always use the Create Task Sequence Wizard to create this task sequence. When you use the Create Task Sequence Wizard to create this new task sequence some of the task sequence step names are different than what than what they would be if you manually added these task sequence steps to an existing task sequence. The following table displays the naming differences:
Create Task Sequence Wizard Task Sequence Step name Equivalent Task Sequence Editor Step Name

Request User State Storage Capture User Files and Settings Release User State Storage Restart in Windows PE Partition Disk 0 Restore User Files and Settings

Request State Store Capture User State Release State Store Reboot to Windows PE or hard disk Format and Partition Disk Restore User State

Task Sequence Group or Step

Description

Capture File and Settings - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error
2152

Task Sequence Group or Step

Description

control. This group contains the steps needed to capture files and settings from the operating system of a reference computer. Capture Windows Settings Use this task sequence step to identify the Microsoft Windows settings to capture from the reference computer. You can capture the computer name, user and organizational information and the time zone settings. Use this task sequence step to capture network settings from the reference computer. You can capture the domain or workgroup membership of the reference computer and the network adapter setting information. Create a task sequence group within a task sequence group. This sub-group contains the steps needed to capture user state data. Similar to the initial group that you added, this sub-group keeps similar task sequence steps together for better organization and error control. Use this task sequence step to request access to a state migration point where the user state data is stored. You can configure this task sequence step to capture or restore the user state information. Use this task sequence step to use the User State Migration Tool (USMT) to capture the user state and settings from the reference computer that will receive the task sequence associated with this task step. You can capture the standard options or configure whish options to capture. Use this task sequence step to notify the state migration point that the capture or restore action is complete. Create another task sequence sub-group. This sub-group contains the steps needed to install
2153

Capture Network Settings

Capture User Files and Settings - (New Task Sequence Sub-Group)

Request User State Storage

Capture User Files and Settings

Release User State Storage

Install Operating System - (New Task Sequence Group)

Task Sequence Group or Step

Description

and configure the Windows PE environment. Restart in Windows PE Use this task sequence step to specify the restart options for the destination computer that receives this task sequence. This step will display a message to the user indicating that the computer will be restarted so that the installation can continue.. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step continues. Partition Disk 0 This task sequence step specifies the actions necessary to format the hard drive on the destination computer. The default disk number is 0. This step uses the read-only _SMSTSClientCache task sequence variable. This step will run if the Configuration Manager client cache does not exist. Apply Operating System Use this task sequence step to install the operating system image onto the destination computer. This step applies all volume images contained in the WIM file to the corresponding sequential disk volume on the target computer after first deleting all files on that volume (with the exception of Configuration Manager-specific control files). You can specify a sysprep answer file and also configure which disk partition is used for the installation. Use this task sequence step to configure the Windows settings configuration information for the destination computer. The windows settings you can apply are user and organizational information, product or license key information, time zone, and the local administrator password. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You can also specify if the computer uses a DHCP server or
2154

Apply Windows Settings

Apply Network Settings

Task Sequence Group or Step

Description

you can statically assign the IP address information. Apply Device Drivers Use this task sequence step to install drivers as part of the operating system deployment. You can allow Windows Setup to search all existing driver categories by selecting Consider drivers from all categories or limit which driver categories Windows Setup searches by selecting Limit driver matching to only consider drivers in selected categories. This step uses the read-only _SMSTSMediaType task sequence variable. This task sequence step runs only if the value of the variable does not equal FullMedia. Apply Driver Package Use this task sequence step to make all device drivers in a driver package available for use by Windows setup. Create another task sequence sub-group. This sub-group contains the steps needed to set up the installed operating system. Use this task sequence step to install the Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Use this task sequence step to specify how software updates are installed on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that point, the destination computer is evaluated for software updates similar to any other Configuration Manager-managed client. This step uses the read-only _SMSTSMediaType task sequence variable. This task sequence step runs only if the value
2155

Setup Operating System - (New Task Sequence Group) Setup Windows and ConfigMgr

Install Updates

Task Sequence Group or Step

Description

of the variable does not equal FullMedia.. Restore User Files and Settings - (New Task Sequence Sub-Group) Request User State Storage Create another task sequence sub-group. This sub-group contains the steps needed to restore the user files and settings. Use this task sequence step to request access to a state migration point where the user state data is stored. Use this task sequence step to initiate the User State Migration Tool (USMT) to restore user state and settings to a destination computer. Use this task sequence step to notify the state migration point that the user state dat is no longer needed.

Restore User Files and Settings

Release User State Storage

Build and Capture Operating System Image Task Sequence Example

Use the following table as a guide as you create a task sequence that builds and captures an operating system image. The table will help you decide the general sequence for your task sequence steps and how to organize and structure those task sequence steps into logical groups. The task sequence that you create may vary from this sample and can contain more or less task sequence steps and groups. Important You must always use the Create Task Sequence Wizard to create this type of task sequence. When you use the New Task Sequence Wizard to create this new task sequence some of the task sequence step names are different than what they would be if you manually added these task sequence steps to an existing task sequence. The following table displays the naming differences:
New Task Sequence Wizard Task Sequence Step name Equivalent Task Sequence Editor Step Name

Restart in Windows PE Partition Disk 0 Apply Device Drivers

Reboot to Windows PE or hard disk Format and Partition Disk Auto Apply Drivers
2156

New Task Sequence Wizard Task Sequence Step name

Equivalent Task Sequence Editor Step Name

Install Updates Join Workgroup Prepare ConfigMgr Client Prepare Operating System Capture the Reference Machine

Install Software Updates Join Domain or Workgroup Prepare ConfigMgr Client for Capture Prepare Windows for Capture Capture Operating System Image

Task Sequence Group/Step

Reference

Build the Reference Computer - (New Task Sequence Group)

Create a task sequence group. A task sequence group keeps similar task sequence steps together for better organization and error control. This group contains the actions necessary to build a reference computer.

Restart in Windows PE

Use this task sequence step to specify the restart options for the destination computer. This step will display a message to the user that the computer will be restarted so that the installation can continue. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false the task sequence step will continue.

Partition Disk 0

Use this task sequence step to specify the actions necessary to format the hard drive on the destination computer. The default disk number is 0. This step uses the read-only _SMSTSClientCache task sequence variable. This step will run if the Configuration Manager client cache does not exist.

Apply Operating System

Use this task sequence step to install a specified operating system image on the destination computer. This step applies all volume images contained in the WIM file to the corresponding sequential disk volume on the
2157

Task Sequence Group/Step

Reference

target computer after first deleting all files on that volume (with the exception of Configuration Manager-specific control files). Apply Windows Settings Use this task sequence step to configure the Windows settings configuration information for the destination computer. Use this task sequence step to specify the network or workgroup configuration information for the destination computer. You his task sequence step to match and install drivers as part of an operating system deployment. You can allow Windows Setup to search all existing driver categories by selecting Consider drivers from all categories or limit which driver categories Windows Setup searches by selecting Limit driver matching to only consider drivers in selected categories. This step uses the read-only _SMSTSMediaType task sequence variable. If the associated value does not equal FullMedia this task sequence step will run. Setup Windows and ConfigMgr Use this task sequence step to install the Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. You can assign the necessary installation parameters in the Installation properties window. Use this task sequence step to specify how software updates are installed on the destination computer. The destination computer is not evaluated for applicable software updates until this task sequence step runs. At that point, the destination computer is evaluated for software updates similar to any other Configuration Manager-managed client. This step uses the read-only _SMSTSMediaType task sequence variable. If
2158

Apply Network Settings

Apply Device Drivers

Install Updates

Task Sequence Group/Step

Reference

the associated value does not equal FullMedia this task sequence step will run. Capture the Reference Computer - (New Task Sequence Group) Create another a task sequence group. This group contains the necessary steps to prepare and capture a reference computer.

Join Workgroup

Use this task sequence step to specify information needed to have the destination computer join a workgroup. Use this step to take the Configuration Manager client on the reference computer and prepares it for capture as part of the imaging process Use this task sequence step to specify the Sysprep options to use when capturing Windows settings from the reference computer. This task sequence step runs Sysprep and then reboots the computer into the Windows PE boot image specified for the task sequence. Use this task sequence step to enter a specific existing network share and .WIM file to use when saving the image. This location is used as the package source location when adding an operating system image package using the Add Operating System Image Package Wizard.

Prepare ConfigMgr Client for Capture

Prepare Operating System

Capture Operating System Image

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

How to Provision Windows To Go in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager.
2159

Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides the steps to provision Windows To Go in Microsoft System Center 2012 Configuration Manager SP1. Windows To Go is an enterprise feature of Windows 8 that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on computers that meet the Windows 7 or Windows 8 certification requirements, regardless of the operating system running on the computer. Windows To Go workspaces can use the same image enterprises use for their desktops and laptops and can be managed the same way. For more information about Windows To Go, see the Windows To Go feature overview topic in the Windows 8 TechNet documentation library.

Provision Windows To Go
Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows To Go drive much like you provision other operating system deployments. However, because Windows To Go is designed to be a user-centric and highly mobile solution, you must take a slightly different approach to provisioning these drives. At a high level, Windows To Go is a two-phased deployment that allows you to configure the Windows To Go device and prestage content for the operating system deployment. You can achieve this with minimal impact to the user and limit downtime for the users computer. After you prestage the computer, you must complete the provisioning process to ensure the computer is ready for the user. The provisioning process is similar to the current operating system deployment process. The following lists the general workflow to prestage content and provision Windows To Go: 1. Create a Task Sequence to Deploy Windows 8 2. Create Prestaged Media 3. Create a Windows To Go Creator package 4. Update the Task Sequence to Enable BitLocker for Windows To Go 5. Deploy the Windows To Go Creator Package and Task Sequence 6. User Runs the Windows To Go Creator 7. Configuration Manager Configures and Stages the Windows To Go Drive 8. User Logs In to Windows 8

Prerequisites to Provision Windows To Go

Before you provision Windows To Go, you must complete the following in Configuration Manager: Distribute a boot image to a distribution point: Before you create prestaged media, you must distribute the boot image to a distribution point. Note
2160

Boot images are used to install the operating system on the destination computers in your Configuration Manager environment. They contain a version of Windows PE that installs the operating system, as well as any additional device drivers that are required. Configuration Manager provides two boot images: One to support x86 platforms and one to support x64 platforms. You can also create your own boot images. For more information about boot images, see Planning for Boot Image Deployments in Configuration Manager Distribute the Windows 8 operating system image to a distribution point : Before you create prestaged media, you must distribute the Windows 8 operating system image to a distribution point. Note Operating system images are .WIM format files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. For more information about operating system images, see Planning for Deploying Operating System Images in Configuration Manager. Create a Task Sequence to Deploy Windows 8: You must create a task sequence for a Windows 8 deployment that you will reference when you create prestaged media. For more information about how to create a task sequence, see How to Manage Task Sequences in Configuration Manager.

Create Prestaged Media

Prestaged media contains the boot image used to start the destination computer and the operating system image that is applied to the destination computer. The computer that you provision with prestaged media can be started by using the boot image. The computer can then run an existing operating system deployment task sequence to install a complete operating system deployment. The task sequence that deploys the operating system is not included in the media. Starting with Microsoft System Center 2012 Configuration Manager SP1, you can add content, such as applications and device drivers, in addition to the operating system image and boot image during the prestage phase. This reduces the time it takes to deploy an operating system and reduces network traffic because the content is already on the drive. Use the following procedure to create the prestaged media. To create prestaged media 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, specify the following information, and then click Next.
2161

Select Prestaged media. Select Allow unattended operating system deployment to boot to the Windows To Go deployment with no user interaction. Important When you use this option with the SMSTSPreferredAdvertID custom variable (set later in this procedure), no user interaction is required and the computer will automatically boot to the Windows To Go deployment when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured for password protection. If you use the Allow unattended operating system deployment setting without configuring the SMSTSPreferredAdvertID variable, an error will occur when you deploy the task sequence.

5. On the Media Management page, specify the following information, and then click Next. Select Dynamic media if you want to allow a management point to redirect the media to another management point, based on the client location in the site boundaries. Select Site-based media if you want the media to contact only the specified management point. Created by: Specify who created the media. Version: Specify the version number of the media. Comment: Specify a unique description of what the media is used for. Media file: Specify the name and path of the output files. The wizard writes the output files to this location. For example: \\servername\folder\outputfile.wim Select Enable unknown computer support to allow the media to deploy an operating system to a computer that is not managed by Configuration Manager. There is no record of these computers in the Configuration Manager database. Unknown computers include the following: A computer where the Configuration Manager client is not installed A computer that is not imported into Configuration Manager A computer that is not discovered by Configuration Manager

6. On the Media Properties page, specify the following information, and then click Next.

7. On the Security page, specify the following information, and then click Next.

Select Protect the media with a password and enter a strong password to help protect the media from unauthorized access. When you specify a password, the user must provide that password to use the prestaged media. Security As a security best practice, always assign a password to help protect the prestaged media. Note When you protect the prestaged media with a password, the user is
2162

prompted for the password even when the media is configured with the Allow unattended operating system deployment setting. For HTTP communications, select Create self-signed media certificate, and then specify the start and expiration date for the certificate. For HTTPS communications, select Import PKI certificate, and then specify the certificate to import and its password. For more information about this client certificate that is used for boot images, see PKI Certificate Requirements for Configuration Manager. User Device Affinity: To support user-centric management in Configuration Manager, specify how you want the media to associate users with the destination computer. For more information about how operating system deployment supports user device affinity, see How to Associate Users with a Destination Computer. Specify Allow user device affinity with auto-approval if you want the media to automatically associate users with the destination computer. This functionality is based on the actions of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and destination computer when it deploys the operating system to the destination computer. Specify Allow user device affinity pending administrator approval if you want the media to associate users with the destination computer after approval is granted. This functionality is based on the scope of the task sequence that deploys the operating system. In this scenario, the task sequence creates a relationship between the specified users and the destination computer, but waits for approval from an administrative user before the operating system is deployed. Specify Do not allow user device affinity if you do not want the media to associate users with the destination computer. In this scenario, the task sequence does not associate users with the destination computer when it deploys the operating system.

8. On the Task Sequence page, specify the Windows 8 task sequence that you created in the previous section. 9. On the Boot image page, specify the following information, and then click Next. Important The architecture of the boot image that is distributed must be appropriate for the architecture of the destination computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination computer can boot and run only an x86 boot image. For Windows 8 certified computers in EFI mode, you must use an x64 boot image. Boot image: Specify the boot image to start the destination computer. Distribution point: Specify the distribution point that hosts the boot image. The wizard retrieves the boot image from the distribution point and writes it to the media.

2163

Note The administrative user must have Read access rights to the boot image content on the distribution point. For more information about setting access rights, see the Manage Accounts to Access Package Content in the Operations and Maintenance for Content Management in Configuration Manager topic. If you selected Site-based media on the Media Management page of this wizard, in the Management point box, specify a management point from a primary site. If you selected Dynamic media on the Media Management page of the wizard, in the Associated management points box, specify the primary site management points to use and a priority order for the initial communications. Image package: Specify the package that contains the Windows 8 operating system image. Image index: Specify the image to deploy if the package contains multiple operating system images. Distribution point: Specify the distribution point that hosts the operating system image package. The wizard retrieves the operating system image from the distribution point and writes it to the media. Note The administrative user must have Read access rights to the operating system image content on the distribution point. For more information about setting access rights, see the Manage Accounts to Access Package Content in the Operations and Maintenance for Content Management in Configuration Manager topic. 11. On the Select Application page, select application content to include in the media file, and then click Next. 12. On the Select Package page, select additional package content to include in the media file, and then click Next. 13. On the Select Driver Package page, select driver package content to include in the media file, and then click Next. 14. On the Distribution Points page, select one or more distribution points that contain the content required by the task sequence, and then click Next. 15. On the Customization page, specify the following information, and then click Next. Variables: Specify the variables that the task sequence uses to deploy the operating system. For Windows To Go, use the SMSTSPreferredAdvertID variable to automatically select the Windows To Go deployment by using the following format: SMSTSPreferredAdvertID = {DeploymentID}, where DeploymentID is the deployment ID associated with the task sequence that you will use to complete the provisioning process for the Windows To Go drive.

10. On the Images page, specify the following information, and then click Next.

2164

Tip When you use this variable with a task sequence that is set to run unattended (set earlier in this procedure), no user interaction is required and the computer automatically boots to the Windows To Go deployment when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured for password protection. Prestart commands: Specify any prestart commands that you want to run before the task sequence runs. Prestart commands can be a script or executable that can interact with the user in Windows PE before the task sequence runs to install the operating system. Configure the following for the Windows To Go deployment: OSDBitLockerPIN: BitLocker for Windows To Go requires a passphrase. Set the OSDBitLockerPIN variable as part of a prestart command to set the BitLocker passphrase for the Windows To Go drive. Warning After BitLocker is enabled for the passphrase, the user must enter the passphrase each time the computer boots to the Windows To Go drive. SMSTSUDAUsers: Specifies the primary user of the destination computer. Use this variable to collect the user name, which can then be used to associate the user and device. For more information about associating users with the destination computer, see How to Associate Users with a Destination Computer. Tip To retrieve the username, you can create an input box as part of the prestart command, have the user enter their username, and then set the variable with the value. For example, you can add the following lines to the prestart command script file:
UserID = inputbox("Enter Username" ,"Enter your username:","",400,0) env("SMSTSUDAUsers") = UserID

For more information about how to create a script file to use as your prestart command, see Prestart Commands for Task Sequence Media in Configuration Manager. 16. Complete the wizard. Note It can take an extended period of time for the wizard to complete the prestaged media file.

Create a Windows To Go Creator package

As part of the Windows To Go deployment, you must create a package to deploy the prestage media file. The package must include the tool that configures the Windows To Go drive and
2165

extracts the prestaged media to the drive. Use the following procedure to create the Windows To Go Creator package. To create the Windows To Go Creator package 1. On the server to host the Windows To Go Creator package files, create a source folder for the package source files. Note The computer account of the site server must have Read access rights to the source folder. 2. Copy the prestaged media file that you created in the Create Prestaged Media section to the package source folder. 3. Copy the Windows To Go Creator tool (WTGCreator.exe) to the package source folder. The creator tool is available on any Configuration Manager SP1 primary site server at the following location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\Creator. 4. Create a package and program by using the Create Package and Program Wizard. 5. In the Configuration Manager console, click Software Library. 6. In the Software Library workspace, expand Application Management, and then click Packages. 7. On the Home tab, in the Create group, click Create Package. 8. On the Package page, specify the name and description of the package. For example, enter Windows To Go for the package name and specify Package to configure a Windows To Go drive using System Center Configuration Manager for the package description. 9. Select This package contains source files, specify the path to the package source folder that you created in step 1, and then click Next. 10. On the Program Type page, select Standard program, and then click Next. 11. On the Standard Program page, specify the following: Name: Specify the name of the program. For example, type Creator for the program name. Command Line: Type WTGCreator.exe /wim:PrestageName.wim, where PrestageName is the name of prestaged file that you created and copied to the package source folder for the Windows To Go Creator package. Optionally, you can add the following options: enableBootRedirect: command-line option to change the Windows To Go startup options to allow boot redirection. When you use this option, the computer will boot from USB without having to change the boot order in the computer firmware or have the user select from a list of boot options during startup. If a Windows To Go drive is detected, the computer boots to that drive.

Run: Specify Normal to run the program based on the system and program defaults. Program can run: Specify whether the program can run only when a user is logged on.
2166

Run mode: Specify whether the program will run with the logged on users permissions or with administrative permissions. The Windows To Go Creator requires elevated permissions to run. Select Allow users to view and interact with the program installation, and then click Next. Platform requirements: Select the applicable Windows 8 platforms to allow provisioning. Estimated disk space: Specify the size of the package source folder for the Windows To Go Creator. Maximum allowed run time (minutes): Specifies the maximum time that the program is expected to run on the client computer. By default, this value is set to 120 minutes. Important If you are using maintenance windows for the collection on which this program is run, a conflict might occur if the Maximum allowed run time is longer than the scheduled maintenance window. If the maximum run time is set to Unknown, it will start during the maintenance window, but will continue to run until it completes or fails after the maintenance window is closed. If you set the maximum run time to a specific period (not set to Unknown) that exceeds the length of any available maintenance window, then that program will not be run. Note If the value is set to Unknown, Configuration Manager sets the maximum allowed run time to 12 hours (720 minutes). Note If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration Manager stops the program if run with administrative rights is selected and Allow users to view and interact with the program installation is not selected on the Standard Program page.

12. On the Requirements page, specify the following:

Click Next and complete the wizard.

Update the Task Sequence to Enable BitLocker for Windows To Go

Windows To Go enables BitLocker on an external bootable drive without the use of TPM. Therefore, you must use a separate tool to configure BitLocker on the Windows To Go drive. To enable BitLocker, you must add an action to the task sequence after the Setup Windows and ConfigMgr step.
2167

Note BitLocker for Windows To Go requires a passphrase. In the Create Prestaged Media step, you set the passphrase as part of a prestart command by using the OSDBitLockerPIN variable. Use the following procedure to update the Windows 8 task sequence to enable BitLocker for Windows To Go. To update the Windows 8 task sequence to enable BitLocker 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. On the Home tab, in the Create group, click Create Package. 4. On the Package page, specify the name and description of the package. For example, type BitLocker for Windows To Go for the package name and specify Package to update BitLocker for Windows To Go for the package description. 5. Select This package contains source files, specify the location for the BitLocker tool for Windows To Go, and then click Next. The BitLocker tool is available on any Configuration Manager SP1 primary site server at the following location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\BitLocker\ 6. On the Program Type page, select Do not create a program. 7. Click Next and complete the wizard. 8. In the Configuration Manager console, click Software Library. 9. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 10. Select the Windows 8 task sequence that you reference in the prestaged media. 11. On the Home tab, in the Task Sequence group, click Edit. 12. Click the Setup Windows and ConfigMgr step, click Add, click General, and then click Run Command Line. The Run Command Line step is added after the Setup Windows and ConfigMgr step. 13. On the Properties tab for the Run Command Line step, add the following: a. Name: Specify a name for the command line, such as Enable BitLocker for Windows To Go. b. Command Line: i386\osdbitlocker_wtg.exe /Enable /pwd:< None|AD> Parameters: /pwd:<None|AD> Specify the BitLocker password recovery mode. This parameter is required you use the /Enable parameter is in the command-line.

Select AD to configure BitLocker Drive Encryption to back up recovery information for BitLocker-protected drives to Active Directory Domain Services (AD DS). Backing up recovery passwords for a BitLocker-protected drive allows administrative users to recover the drive if it is locked. This ensures that encrypted data belonging to the
2168

enterprise can always be accessed by authorized users. When you specify None, the user is responsible for keeping a copy of the recovery password or recovery key. If the user loses that information or neglects to decrypt the drive before leaving the organization, administrative users cannot easily access to the drive.
c. /wait:<TRUE|FALSE> Specify whether the task sequence waits for encryption to complete before it completes.

Select Package, and then specify the package that you created at the start of this procedure. Condition = Task Sequence Variable Variable = _SMSTSWTG Condition = Equals Value = True

d. On the Options tab, add the following conditions:

Note The Enable BitLocker step, which is likely after the new command-line step, is not used to enable BitLocker for Windows To Go. However, you can keep this step in the task sequence to use for Windows 8 deployments that do not use a Windows To Go drive.

Deploy the Windows To Go Creator Package and Task Sequence

Windows To Go is a hybrid deployment process. Therefore, you must deploy the Windows To Go Creator package and the Windows 8 task sequence. Use the following procedures to complete the deployment process. To deploy the Windows To Go Creator package 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Application Management, and then click Packages. 3. Select the Windows To Go package that you created in the Create a Windows To Go Creator package step. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following settings: a. Software: Verify that the Windows To Go package is selected. b. Collection: Click Browse to select the collection to which you want to deploy the Windows To Go package. c. Use default distribution point groups associated to this collection: Select this option if you want to store the package content on the collections default distribution point group. If you have not associated the selected collection with a distribution point group, this option will be unavailable.
2169

6. On the Content page, click Add and then select the distribution points or distribution point groups to which you want to deploy the content associated with this package and program. 7. On the Deployment Settings page, select Available for the deployment type, and then click Next. 8. On the Scheduling, configure when this package and program will be deployed or made available to client devices. The options on this page will differ depending on whether the deployment action is set to Available or Required. 9. On the Scheduling, configure the following settings, and then click Next. a. Schedule when this deployment will become available: Specify the date and time when the package and program is available to run on the destination computer. When you select UTC, this setting ensures that the package and program is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. b. Schedule when this deployment will expire: Specify the date and time when the package and program expires on the destination computer. When you select UTC, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. 10. On the User Experience page of the Wizard, specify the following information: Software installation: Allows the software to be installed outside of any configured maintenance windows. System restart (if required to complete the installation) : Allows a device to restart outside of configured maintenance windows when required by the software installation. Embedded Devices: For Configuration Manager SP1 only. When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Deployment options: Specify Download content from distribution point and run locally. Allow clients to share content with other clients on the same subnet : Select this option to reduce load on the network by allowing clients to download content from other clients on the network that have already downloaded and cached the content. This option utilizes Windows BranchCache and can be used on computers running Windows Vista SP2 and later. All clients to use a fallback source location for content : Specify whether to allow clients to fall back and use a non-preferred distribution point as the source location
2170

11. On the Distribution Points page, specify the following information:

for content when the content is not available on a preferred distribution point. 12. Complete the wizard. To deploy the Windows 8 task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. Select the Windows 8 task sequence that you created in the Create a Task Sequence to Deploy Windows 8 step. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following settings: a. Task sequence: Verify that the Windows 8 task sequence is selected. b. Collection: Click Browse to select the collection that includes all devices for which a user might provision Windows To Go. Important If the prestaged media that you created in the Create Prestaged Media section uses the SMSTSPreferredAdvertID variable, you can deploy the task sequence to the All Systems collection and specify the Windows PE only (hidden) setting on the Content page. Because the task sequence is hidden, it will only be available to media. c. Use default distribution point groups associated to this collection : Select this option if you want to store the package content on the collections default distribution point group. If you have not associated the selected collection with a distribution point group, this option will be unavailable.

6. On the Deployment Settings page, configured the following settings, and then click Next. Purpose: Select Available. When you deploy the task sequence to a user, the user sees the published task sequence in the Application Catalog and can request it on demand. If you deploy the task sequence to a device, the user will see the task sequence in Software Center and can install it on demand. Make available to the following: Specify whether the task sequence is available to Configuration Manager clients, media, or PXE. Important Use the Only media and PXE (hidden) setting for automated task sequence deployments. Select Allow unattended operating system deployment and set the SMSTSPreferredAdvertID variable as part of the prestaged media to have the computer automatically boot to the Windows To Go deployment with no user interaction when it detects a Windows To Go drive. For more information about these prestaged media settings, see the Create Prestaged Media section.
2171

7. On the Scheduling page, configure the following settings, and then click Next. a. Schedule when this deployment will become available: Specify the date and time when the task sequence is available to run on the destination computer. When you select UTC, this setting ensures that the task sequence is available for multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. b. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer. When you select UTC, this setting ensures that the task sequence expires on multiple destination computers at the same time rather than at different times, according to the local time on the destination computers. 8. On the User Experience page, specify the following information: Show Task Sequence progress: Specify whether the Configuration Manager client displays the progress of the task sequence. Software installation: Specify whether the user is allowed to install software outside a configured maintenance windows after the scheduled time. System restart (if required to complete the installation) : Allows a device to restart outside of configured maintenance windows when required by the software installation. Embedded Devices: When you deploy packages and programs to Windows Embedded devices that are write filter enabled, you can specify to install the packages and programs on the temporary overlay and commit changes later, or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. Internet-based clients: Specify whether the task sequence is allowed to run on an Internet-based client. Operations that install software, such as an operating system, are not supported with this setting. Use this option only for generic script-based task sequences that perform operations in the standard operating system.

9. On the Alerts page, specify the alert settings that you want for this task sequence deployment, and then click Next. 10. On the Distribution Points page, specify the following information, and then click Next. Deployment options: Select Download content locally when needed by running task sequence. When no local distribution point is available, use a remote distribution point : Specify whether clients can use distribution points that are on slow and unreliable networks to download the content that is required by the task sequence. Allow clients to use a fallback source location for content : Specify whether to allow clients to fall back and use a non-preferred distribution point as the source location for content when the content is not available on a preferred distribution point.

11. Complete the wizard.

2172

User Runs the Windows To Go Creator

After you deploy the Windows To Go package and Windows 8 task sequence, the Windows To Go Creator is available to the user. The user can go to the software catalog, or Software Center if the Windows To Go Creator was deployed to devices, and run the Windows To Go Creator program. Once the creator package is downloaded, a flashing icon is displayed on the task bar. When the user clicks the icon, a dialog box is displayed for the user to select the Windows To Go drive to provision (unless the /drive command-line option is used). If the drive does not meet the requirements for Windows To Go or if the drive does not have enough free disk space to install the image, the creator program displays an error message. The user can verify the drive and image that will be applied from the confirmation page. As the creator configures and prestages content to the Windows To Go drive, it displays a progress dialog box. After the prestaging is complete, the creator displays a prompt to restart the computer to boot to the Windows To Go drive. Note If you did not enable boot redirection as part of the command line for the creator program in the Create a Windows To Go Creator package section, the user might be required to manually boot to the Windows To Go drive on every system restart.

Configuration Manager Configures and Stages the Windows To Go Drive

After the computer restarts to the Windows To Go drive, the drive will boot into Windows PE and connect to the management point to get the policy to complete the operating system deployment. Configuration Manager configures and stages the drive. After Configuration Manager stages the drive, the user can restart the computer to finalize the provisioning process (such as to join a domain or install apps). This process is the same for any prestaged media.

User Logs In to Windows 8

After Configuration Manager completes the provisioning process and the Windows 8 lock screen is displayed, the user can login to the operating system.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

Prestart Commands for Task Sequence Media in Configuration Manager

You can create a prestart command in System Center 2012 Configuration Manager to use with boot media, stand-alone media, and prestaged media. The prestart command is a script or
2173

executable that runs before the task sequence is selected and can interact with the user in Windows PE. The prestart command can prompt a user for information and save it in the task sequence environment or query a task sequence variable for information. When the destination computer boots, the command-line is run before the policy is downloaded from the management point. Use the following procedures to create a script to use for the prestart command, distribute the content associated with the prestart command, and configure the prestart command in media.

Create a Script File to Use for the Prestart Command

Task Sequence variables can be read and written by using the Microsoft.SMS.TSEnvironment COM object while the task sequence is running. The following example illustrates a Visual Basic script file that queries the _SMSTSLogPath task sequence variable to get the current log location. The script also sets a custom variable.
dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment") dim logPath ' You can query the environment to get an existing variable. logPath = env("_SMSTSLogPath") ' You can also set a variable in the OSD environment. env("MyCustomVariable") = "varname"

Create a Package for the Script File and Distribute the Content
After you create the script or executable for the prestart command, you must create a package source to host the files for the script or executable, create a package for the files (no program required), and then distribute the content to a distribution point. For more information about creating a package, see How to Create Packages and Programs in Configuration Manager. For more information about distributing content, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager.

Configure the Prestart Command in Media

You can configure a prestart command in the Create Task Sequence Media Wizard for standalone media, bootable media, or prestaged media. For more information about the media types, see Planning for Media Operating System Deployments in Configuration Manager. Use the following procedure to create a prestart command in media. To create a prestart command in media
2174

1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task Sequence Media Wizard. 4. On the Select Media Type page, select Stand-alone media, Bootable media, or Prestaged media, and then click Next. 5. Navigate to the Customization page of the wizard. For more information about configuring the other pages in the wizard, see How to Deploy Operating Systems by Using Media in Configuration Manager 6. On the Customization page, specify the following information, and then click Next. Select Enable prestart command. In the Command line text box, enter the script or executable that you created for the prestart command. Important Use cmd /C <prestart command> to specify the prestart command. For example, if you used TSScript.vbs as the name for your prestart command script, you would enter cmd /C TSScript.vbs for the command line. Where cmd /C opens a new Windows command interpreter window and uses the Path environment variable to find the prestart command script or executable. You can also specify the full path to the prestart command, but the drive letter could be different on computers with different drive configurations. Select Include files for the prestart command. Click Set to select the package that is associated with the prestart command files. Click Browse to select the distribution point that hosts the content for the prestart command.

7. Complete the wizard.

See Also
Technical Reference for Deploying Operating Systems in Configuration Manager

How to Create a PXE-Initiated Windows 8 Deployment for UEFI-Based or BIOS-Based Computers in Configuration Manager
Note

2175

The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Note This topic appears in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. Operating system deployment provides System Center 2012 Configuration Manager administrative users with a tool for creating operating system images that they can deploy to computers that are managed by Configuration Manager. This topic shows how you can create a reference operating system image, partition computers differently based on whether the computer starts in UEFI mode or BIOS mode, and deploy Windows 8 to computers that are managed by Configuration Manager

Scenario Overview
This scenario represents one way to deploy Windows 8 to computers based on specific assumptions and business requirements. The following table provides an outline of the sections that make up this scenario. Technical Requirements This section lists the technical requirements of your Configuration Manager environment and client hardware to support this scenario. This section lists the business requirements for this scenario. This section provides information that you might consider before you perform the steps in this scenario. This section provides information about how to prepare and distribute a boot image.

Business Requirements Pre-Deployment Considerations

Step 1: Prepare and Deploy the Boot Image

Step 1a: Prepare the Boot Image Step 1b: Distribute the Boot Image

Step 2: Build and Capture a Reference Operating System Image

Step 2a: Add the Windows 8 Operating System Image Step 2b: Create a Build and Capture Task Sequence Step 2c: Distribute the Task Sequence Content Step 2d: Deploy the Build and Capture

This section provides information about how to build and capture a Windows 8 operating system image from a reference computer by using a task sequence.

2176

Task Sequence

Step 2e: Run the Task Sequence from the Reference Computer Step 2f: Add the Reference Operating System Image Step 2g: Schedule Operating System Image Updates This section provides information about how to create a task sequence to deploy Windows 8. The task sequence is available to computers when they startup in PXE.

Step 3: Create a Task Sequence to Deploy the Operating System

Step 3a: Create the Task Sequence to Deploy Windows 8 Step 3b: Review the Task Sequence Settings Step 3c: Distribute the Task Sequence Content Step 3d: Deploy the Task Sequence to Install Windows 8

Technical Requirements
This scenario requires the following technical requirements: All sites in the Configuration Manager hierarchy are running Configuration Manager SP1 and are fully functional. PXE-enabled distribution points are configured and available to select as the content location for task sequence content. For more information about how to configure the distribution point to support PXE, see the Planning for PXE-Initiated Operating System Deployments in Configuration Manager topic. Windows Assessment and Deployment Kit (Windows ADK) for Windows 8 is installed on all site servers and computers that have the SMS Provider site system role. For more information about Windows ADK, see Windows Deployment with the Windows ADK. All computers that are managed by Configuration Manager have x64 system architecture. The computers that are managed by Configuration Manager have either firmware that meets the Unified Extensible Firmware Interface (UEFI) 2.3.1 specifications or a BIOS firmware interface. For more information about UEFI, see the Unified EFI Forum website. All computers that are managed by Configuration Manager have Trusted Platform Module (TPM) enabled. The task sequence steps that support BitLocker require TPM.

Business Requirements
This scenario accommodates the following business requirements:

2177

Create a single task sequence to deploy Windows 8 to computers that have firmware that meets the UEFI specifications or a BIOS firmware interface. The deployment for Windows 8 will be PXE-initiated only. Install all mandatory software updates with the Windows 8 deployment. Enable BitLocker on all computers that install Windows 8.

Pre-Deployment Considerations
Before you deploy Windows 8 to Configuration Manager clients, consider the following predeployment steps Windows 8 upgrade assessment: The Microsoft System Center 2012 Configuration Manager Upgrade Assessment Tool gives you information that you can use to determine whether the hardware and software on computers that are managed by Configuration Manager are compatible with Windows 8. The Upgrade Assessment Tool provides the following functionality: Retrieves device driver compatibility for installed peripheral devices and creates reports that you can use to determine which device drivers have to be upgraded to support the Windows operating system. Lets you see which computers meet the recommended system requirements for Windows operating systems and to customize these requirements for your environments. Creates summary reports that you can use to see an enterprise wide view of operating system upgrade readiness. Lets you create dynamic collections for an operating system deployment. The collection query rules can be based on system requirements, application compatibility status, and device driver status.

Download the Upgrade Assessment Tool from the Microsoft Download Center site. For more information, see Configuration Manager Upgrade Assessment Tool. UEFI-based computers: Before you install Windows 8 on a UEFI-based computer, note the following. All computers that are certified for Windows 8 use firmware that meets the UEFI specifications. For some computers, you might have to perform additional steps to make sure that Windows is installed in UEFI mode, and not in legacy BIOS-compatibility mode. It is not supported to switch from legacy BIOS-compatibility mode to UEFI mode by using a task sequence. For more information, see How to Switch from BIOS-Compatibility Mode to UEFI Mode. Some computers might support UEFI. However, they do not support a PXE-initiated boot when in UEFI mode. To provision these computers in UEFI mode, you must start them from boot media instead of using PXE. If the computer performs a PXE-initiated boot, Configuration Manager detects that the computer is in BIOS mode and therefore provisions the computer as such. For more information about how to create boot media, see the How to Create Bootable Media section in the How to Deploy Operating Systems by Using Media in Configuration Manager topic.
2178

UEFI and BIOS have different disk partitioning requirements. UEFI hard disks require the GUID partition table (GPT) partition structure, instead of the master boot record (MBR) partition structure that is used in BIOS. When you use a task sequence to deploy Windows 8, the task sequence detects whether the computer was started in UEFI mode or BIOS-compatibility mode, and the task sequence configures the partitions on the hard disk to accommodate the associated requirements.

Step 1: Prepare and Deploy the Boot Image

A boot image contains a version of Windows PE that provides a boot environment for a computer. Windows PE is a minimal operating system with limited components and services that prepare the destination computer for Windows installation. In this scenario, after a computer starts in Windows PE, Configuration Manager begins the Windows 8 installation. You can use the steps in this section to prepare and deploy the boot image that you will use in your Windows 8 deployment task sequence. This section consists of the following steps: Step 1a: Prepare the Boot Image Step 1b: Distribute the Boot Image

For more information about how to manage boot images, see the How to Manage Boot Images in Configuration Manager topic.

Step 1a: Prepare the Boot Image

Configuration Manager provides two boot images: One to support the x86 architecture and one to support the x64 architecture. For computers that start in UEFI mode, you must use a boot image that matches the architecture of the computer; that is, x86 for x86-based computers or x64-based computers. You cannot use an x86 boot image for both architectures for computers that boot in UEFI mode in the same manner that you can for computers that boot in BIOS. For this scenario, only x64-based computers are in the environment. Therefore, this scenario uses the default x64 boot image (Boot image (x64)). Important Starting with System Center 2012 Configuration Manager with SP1 and cumulative update 1, Configuration Manager supports a PXE-initiated startup for computers that have the IA-32 architecture. The default boot image contains standard device drivers and might be sufficient for your deployment. However, you can customize the boot image with one or more of the following configurations: Image properties Drivers Prestart command settings Windows PE background image Command shell support Windows PE scratch space
2179

Optional components to use in Windows PE

For more information about how to change the boot image, see the How to Modify a Boot Image section in the topic, How to Manage Boot Images in Configuration Manager.

Step 1b: Distribute the Boot Image

After you prepare the boot image, you must distribute the image to all PXE-enabled distribution points. When the task sequence is run by a client, the client downloads the boot image from the distribution point. You distribute boot images to distribution points in the same way that you distribute other content. You can specify single distribution points, distribution point groups, or collections that are associated with distribution point groups. For more information about distributing content in Configuration Manager, see the Distribute Content on Distribution Points section in the Operations and Maintenance for Content Management in Configuration Manager topic. Follow these steps to distribute the boot image to distribution points. To distribute the boot image to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Boot Images. 3. In the Boot Images node, select the boot image objects that you want to deploy. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To
2180

distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 2: Build and Capture a Reference Operating System Image

Operating system images are WIM files and represent a compressed collection of reference files and folders that are required to successfully install and configure an operating system on a computer. You can use the steps in this section to import the base operating system image (install.wim) located on the Windows 8 installation media. Then, you create a task sequence that installs Windows 8, mandatory software updates, and applications to a reference computer. You deploy the task sequence to a reference computer and the task sequence captures a new reference operating system image and stores it on a network shared folder. Finally, you can configure Configuration Manager to apply mandatory software updates to the operating system image on a schedule that you specify. This section consists of the following steps: Step 2a: Add the Windows 8 Operating System Image Step 2b: Create a Build and Capture Task Sequence Step 2c: Distribute the Task Sequence Content Step 2d: Deploy the Build and Capture Task Sequence Step 2e: Run the Task Sequence from the Reference Computer Step 2f: Add the Reference Operating System Image Step 2g: Schedule Operating System Image Updates

For more information about how to build and capture a reference operating system image, see the How to Create Task Sequences section in the How to Manage Task Sequences in Configuration Manager topic.

Step 2a: Add the Windows 8 Operating System Image

You must add a Windows 8 operating system image to the Configuration Manager console before you can build the reference operating system image. Follow these steps to add the Windows 8 operating system image to the Configuration Manager console. To add the Windows 8 operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images.
2181

3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard. 4. On the Data Source page, specify the network path to the Windows 8 operating system image. For example, specify \\MyServer\MyShare\Window8InstallationFiles\sources\install.wim. 5. On the General page, specify the following information, and then click Next. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard.

Step 2b: Create a Build and Capture Task Sequence

The build and capture task sequence is run on a reference computer where the task sequence creates an operating system image that is based on a set of operating system source files. The task sequence uses the Windows 8 operating system image that you added in Step 2a: Add the Windows 8 Operating System Image to install Windows 8 on the reference computer. Then, the task sequence adds software updates, applications, and custom settings to the reference computer. Finally, the task sequence captures a new Windows 8 image from the reference computer and stores it on a network shared folder. Follow these steps to create the build and capture task sequence. To create a task sequence that builds and captures an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Build and capture a reference operating system image, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence, such as a description of the operating system that is created by the task sequence. Boot image: Specify the default x64 boot image (Boot image (x64)). Image package: Click Browse, select the Windows 8 operating system image that you added in Step 2a: Add the Windows 8 Operating System Image, and then click
2182

6. On the Install Windows page, specify the following settings, and then click Next.

OK. Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys or standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, you must also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Disable local administrator account: Specify whether the local administrator account is disabled when the operating system is deployed. Always use the same administrator password: Specify whether the same password is used for the local administrator account on all computers where the operating system is deployed.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest. However, you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, verify that the Configuration Manager client package is selected, add any additional properties to use for client installation, and then click Next. For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the Include Updates page, specify Mandatory software updates. Configuration Manager installs only the software updates that target the collections for which the destination computer is a member. 10. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify
2183

that the task sequence continues if the installation of a specific application fails. 11. On the System Preparation page, click Next. Sysprep is automatically available on Windows 8 and you do not have to specify a package. 12. On the Images Properties page, specify the following settings for the operating system image, and then click Next. Created by: Specify the name of the user who created the operating system image. Version: Specify a user-defined version number that is associated with the operating system image. Description: Specify a user-defined description of the operating system computer image. Path: Specify a shared network folder where the output .WIM file is stored. This file contains the operating system image that is based on the settings that you specify in the wizard. Configuration Manager overwrites a .WIM file with the same name, if it exists. Use the following account to access the output folder: Specify the Windows account that has Read and Write permissions to the output shared network folder.

13. On the Capture Image page, specify the following settings, and then click Next.

14. Complete the wizard.

Step 2c: Distribute the Task Sequence Content

Before the reference computer can run the task sequence to build and capture the reference operating system task sequence, you must distribute that content to distribution points. Follow these steps to distribute the content that is referenced by a task sequence. To distribute the task sequence content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you created in step 2b. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with
2184

distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic. Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the distribution points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 2d: Deploy the Build and Capture Task Sequence

Now that you created the task sequence to build and capture the reference operating system and the content is available on a distribution point, you must deploy it to the reference computer. When the task sequence runs on the reference computer, the computer starts in Windows PE. Then, the task sequence partitions and formats the hard disk on the reference computer, installs Windows 8, installs software updates and applications, and then creates a new reference Windows 8 operating system image that you will use to deploy Windows 8. Follow these steps to deploy the task sequence to the reference computer. To deploy the task sequence to build and capture the reference operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 2b: Create a Build and Capture Task Sequence. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following information, and then click Next. Task sequence: Verify that the correct task sequence is selected. Collection: Specify the collection that contains the reference computer. Important Verify that the collection you select contains only the reference computer that will run the task sequence. Comments (optional): Specify additional information that describes this deployment of the task sequence.
2185

6. On the Deployment Settings page, specify the following information, and then click Next. Purpose: Choose Available from the drop-down list. Specify when to make this task sequence available. For this scenario, choose Only media and PXE to have the task sequence available when you use the preexecution environment (PXE) to initiate the task sequence deployment.

7. On the Scheduling page, specify the following information, and then click Next. Specify the current date and time for Schedule when this deployment will become available, and then click Next. Schedule when this deployment will become available: Specify the current date and time to make the task sequence available on the reference computer. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer.

8. On the User Experience page, review the default settings, and then click Next. For this scenario, the default settings are likely sufficient. 9. On the Alerts page, specify whether to generate an alert for a failed deployment, and then click Next. 10. On the Distribution Points page, click Next. For this scenario, the default settings are likely sufficient. 11. Complete the wizard.

Step 2e: Run the Task Sequence from the Reference Computer
You have deployed the build and capture task sequence to a collection that contains the reference computer. Now, you must start the reference computer to PXE and run the task sequence to create the new Windows 8 reference operating system image. When you start in PXE, the task sequence that you created in Step 2b: Create a Build and Capture Task Sequence should be available to run. Start the task sequence to restart the computer to Windows PE, partition and format the hard disk drive, and install Windows 8. When the operating system installation is complete, the task sequence begins a capture and stores the new operating system image on a network shared folder.

Step 2f: Add the Reference Operating System Image

After the task sequence creates the Windows 8 reference operating system image, you must add the image to the Configuration Manager console before it will be available to use in the task sequence to deploy Windows 8 to clients. Follow these steps to add the Windows 8 reference operating system image to the Configuration Manager console. To add the Windows 8 operating system image 1. In the Configuration Manager console, click Software Library.
2186

2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. On the Home tab, in the Create group, click Add Operating System Image to start the Add Operating System Image Wizard. 4. On the Data Source page, specify the path to the Windows 8 reference operating system image. This is the same path that you specified on the Capture Image page in step 2b. 5. On the General page, specify the following information, and then click Next. Name: Specify the name of the image. By default, the name of the image is taken from the WIM file. Version: Specify the version of the image. Comment: Specify a brief description of the image.

6. Complete the wizard.

Step 2g: Schedule Operating System Image Updates

Periodically, new software updates are released that apply to the operating system in your operating system image. You can apply applicable software updates to an image on a specified schedule to reduce the number of required software updates to install after the operating system is installed. This process reduces your vulnerability footprint on the image. On the schedule that you specify, Configuration Manager applies the software updates that you select to the operating system image, and then optionally distributes the updated image to distribution points. For more information about scheduling operating system image updates, see the How to Manage Operating System Images and Installers in Configuration Manager topic. Follow these steps to apply software updates to an operating system image. To apply software updates to an operating system image 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Operating System Images. 3. Select the operating system image to which to apply software updates. 4. On the Home tab, in the Operating System Image group, click Schedule Updates to start the wizard. 5. On the Choose Updates page, select the software updates to apply to the operating system image, and then click Next. 6. On the Set Schedule page, specify the following settings, and then click Next. a. Schedule: Specify the schedule for when the software updates are applied to the operating system image. b. Continue on error: Select this option to continue to apply software updates to the image even when there is an error. c. Distribute the image to distribution points: Select this option to update the operating system image on distribution points after the software updates are applied.
2187

7. On the Summary page, verify the information, and then click Next. 8. On the Completion page, verify that the software updates were successfully applied to the operating system image.

Step 3: Create a Task Sequence to Deploy the Operating System

The task sequence performs multiple steps on a client computer at the command-line level without requiring user intervention. In this section, you will create a task sequence to install Windows 8 on computers. The task sequence uses the default x64 boot image, Boot image (x64), to start the computer in Windows PE, partition the hard disk, pre-provision BitLocker, install Windows 8, enable BitLocker, and restore user files and settings. This section consists of the following steps: Step 3a: Create the Task Sequence to Deploy Windows 8 Step 3b: Review the Task Sequence Settings Step 3c: Distribute the Task Sequence Content Step 3d: Deploy the Task Sequence to Install Windows 8

For more information about how to create and deploy a task sequence, see the How to Manage Task Sequences in Configuration Manager topic.

Step 3a: Create the Task Sequence to Deploy Windows 8

The task sequence to deploy Windows 8 provides the steps to format and partition the computer, install Windows 8, enable BitLocker, and install mandatory software updates. Follow these steps to create the task sequence to deploy Windows 8. To create a task sequence to deploy Windows 8 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. On the Home tab, in the Create group, click Create Task Sequence to start the Create Task Sequence Wizard. 4. On the Create a New Task Sequence page, select Install an existing image package, and then click Next. 5. On the Task Sequence Information page, specify the following settings, and then click Next. Task sequence name: Specify a name that identifies the task sequence. Description: Specify a description of the task that is performed by the task sequence.

2188

Boot image: Specify the default x64 boot image (Boot image (x64)). Image package: Click Browse, select the Windows 8 operating system image that you captured and then added in Step 2f: Add the Reference Operating System Image, and then click OK. Partition and format the target computer before installing the operating system : Configure task sequence for use with BitLocker: Select this setting to use Product key: Specify the product key for the Windows operating system to install. You can specify encoded volume license keys or standard product keys. If you use a non-encoded product key, each group of 5 characters must be separated by a dash (-). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX Server licensing mode: Specify that the server license is Per seat, Per server, or that no license is specified. If the server license is Per server, also specify the maximum number of server connections. Specify how to handle the administrator account that is used when the operating system is deployed. Randomly generate the local administrator password and disable the account on all supported platforms (recommended) : Specify whether the local administrator account is disabled when the operating system is deployed. Enable the account and specify the local administrator password : Specify whether to enable the local administrator account. When enabled, specify the password to use for this account.

6. On the Install Windows page, specify the following settings, and then click Next.

7. On the Configure Network page, specify the following settings, and then click Next. Join a workgroup: Specify whether to add the destination computer to a workgroup when the operating system is deployed. Join a domain: Specify whether to add the destination computer to a domain when the operating system is deployed. In Domain, specify the name of the domain. Important You can browse to locate domains in the local forest. However, you must specify the domain name for a remote forest. You can also specify an organizational unit (OU). This is an optional setting that specifies the LDAP X.500-distinguished name of the OU in which to create the computer account if it does not already exist. Account: Specify the user name and password for the account that has permissions to join the specified domain. For example: domain\user or %variable%. Important You must enter the appropriate domain credentials if you plan to migrate either the domain settings or the workgroup settings. 8. On the Install Configuration Manager page, verify that the Configuration Manager client package is selected, add any additional properties to use for client installation, and then click Next.
2189

For more information about properties that can be used to install a client, see About Client Installation Properties in Configuration Manager. 9. On the State Migration page, clear the following settings, and then click Next. The user settings are not captured in this scenario. Capture user settings: The task sequence captures the user state. For more information about how to capture and restore the user state, see How to Manage the User State in Configuration Manager. Capture network settings: The task sequence captures network settings from the computer. You can capture the membership of the domain or workgroup in addition to the network adapter settings. Capture Microsoft Windows settings: The task sequence captures Windows settings from the computer before the operating system image is installed. You can capture the computer name, registered user and organization name, and the time zone settings.

10. On the Include Updates page, specify Mandatory software updates. Configuration Manager installs only applicable software updates that are deployed to a collection for which the computer is a member. 11. On the Install Applications page, specify the applications to install on the destination computer, and then click Next. If you specify multiple applications, you can also specify that the task sequence continues if the installation of a specific application fails. 12. Complete the wizard.

Step 3b: Review the Task Sequence Settings

The Create Task Sequence creates the steps that you must follow to deploy Windows 8. However, before you deploy the task sequence review the settings to make sure that they meet your business requirements. Follow these steps to review the task sequence: To review the task sequence 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Task Sequence group, click Edit. 5. Verify each step in the task sequence, including the following steps: Partition Disk 0 BIOS: Verify that the volume disk space is sufficient for the boot partition. Notice on the Options tab that there several conditions specified to so this step is not run if the task sequence detects that the computer starts in UEFI mode. Partition Disk 0 UEFI: Verify that the volume disk space is sufficient for the various partitions. Notice on the Options tab that there several conditions specified to so this
2190

step is not run if the task sequence detects that the computer does not boot in UEFI mode. Pre-provision BitLocker: Verify that BitLocker will be applied to the appropriate destination drive and that the Skip this step for computers that do not have a TPM or when TPM is not enabled setting is enabled. This step enables BitLocker on a drive while in Windows PE. Only the used drive space is encrypted, and therefore, encryption times are much faster. The step can only be run on computers that have TPM enabled. Pre-provision BitLocker section of the Task Sequence Steps in Configuration Manager topic. Enable BitLocker: Verify that the Current operating system drive is selected and the encryption type is TPM only. For more information about the Enable BitLocker task sequence step, see the Enable BitLocker section of the Task Sequence Steps in Configuration Manager topic.

6. Add additional steps to the task sequence to support the business requirements in your environment. 7. Click OK to save the changes.

Step 3c: Distribute the Task Sequence Content

Before you deploy the task sequence to computers, distribute the content to distribution points to make sure that the content is available. Follow these steps to distribute the content that is referenced by a task sequence. To distribute the task sequence content to distribution points 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequences node, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Deployment group, click Distribute Content to start the Distribute Content Wizard. 5. On the General page, verify that the content listed is the content that you want to distribute, and then click Next. 6. On the Content Destination page, click Add, choose one of the following, and then follow the associated step: Collections: Select User Collections or Device Collections, click the collection associated with one or more distribution point groups, and then click OK. Note Only the collections that are associated with a distribution point group are displayed. For more information about how to associate collections with distribution point groups, see the Configure Distribution Point Groups section in the Configuring Content Management in Configuration Manager topic.
2191

Distribution Point: Select an existing distribution point, and then click OK. Distribution points that have previously received the content are not displayed. Distribution Point Group: Select an existing distribution point group, and then click OK. Distribution point groups that have previously received the content are not displayed.

When you finish adding content destinations, click Next. 7. On the Summary page, review the settings for the distribution before you continue. To distribute the content to the selected destinations, click Next. 8. The Progress page displays the progress of the distribution. 9. The Confirmation page displays whether the content was successfully assigned to the distribution points. For more information about how to monitor the content distribution, see the Monitor Content section in the Operations and Maintenance for Content Management in Configuration Manager topic.

Step 3d: Deploy the Task Sequence to Install Windows 8

As soon as you create the task sequence to install Windows 8 and the content is available on your distribution points, you can deploy the task sequence to Configuration Manager clients. Before you deploy the task sequence, make sure that you have a deployment strategy that includes the collections for which you will deploy the task sequence. If you used the Upgrade Assessment Tool in the Pre-Deployment Considerations section, you likely created collections with clients that are ready to upgrade to Windows 8. Follow these steps to deploy the task sequence to deploy Windows 8. To deploy the task sequence to install Windows 8 1. In the Configuration Manager console, click Software Library. 2. In the Software Library workspace, expand Operating Systems, and then click Task Sequences. 3. In the Task Sequence list, select the task sequence that you created in Step 3a: Create the Task Sequence to Deploy Windows 8. 4. On the Home tab, in the Deployment group, click Deploy. 5. On the General page, specify the following information, and then click Next. Task sequence: Verify that the correct task sequence is selected. Collection: Specify the collection for this deployment. Members of this collection will receive the task sequence to install Windows 8 when they boot to PXE. Important To install Windows 8 to computers that are not managed by Configuration Manager, you must use a collection that includes All Unknown Computers. Comments (optional): Specify additional information that describes this deployment. 6. On the Deployment Settings page, specify the following information, and then click Next.
2192

Purpose: Choose Available from the drop-down list. Specify when to make this task sequence available. For this scenario, choose Only media and PXE to have the task sequence available when the destination computer boots to PXE. Schedule when this deployment will become available: Specify the current date and time to make the task sequence available to destination computers. Schedule when this deployment will expire: Specify the date and time when the task sequence expires on the destination computer.

7. On the Scheduling page, specify the following information, and then click Next.

8. On the User Experience page, review the default settings, and then click Next. For this scenario, the default settings are likely sufficient. 9. On the Alerts page, specify whether to generate an alert for a failed deployment, and then click Next. 10. On the Distribution Points page, click Next. For this scenario, the default settings are likely sufficient. 11. Complete the wizard.

Assets and Compliance in System Center 2012 Configuration Manager

The Assets and Compliance in System Center 2012 Configuration Manager guide provides documentation to help you manage your network devices (computers and mobile devices) in Microsoft System Center 2012 Configuration Manager. If you are new to Configuration Manager, read Getting Started with System Center 2012 Configuration Manager before you read this guide.

Assets and Compliance Topics

Use the following topics to help you manage your network devices in System Center 2012 Configuration Manager: Collections in Configuration Manager Queries in Configuration Manager Inventory in Configuration Manager Power Management in Configuration Manager Remote Control in Configuration Manager Software Metering in Configuration Manager Out of Band Management in Configuration Manager Compliance Settings in Configuration Manager Remote Connection Profiles in Configuration Manager
2193

Company Resource Access in Configuration Manager Endpoint Protection in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Documentation Library for System Center 2012 Configuration Manager

Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager provide a method of managing groups of computers, mobile devices, users, and other resources in your organization.

Collection Topics
Use the following topics to help you create and manage Configuration Manager collections in your organization: Introduction to Collections in Configuration Manager Planning for Collections in Configuration Manager Operations and Maintenance for Collections in Configuration Manager Security and Privacy for Collections in Configuration Manager Technical Reference for Collections in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager provide you with the means to organize resources into manageable units, which then enable you to create an organized structure that logically represents the kinds of tasks that you want to perform. Collections are also used to perform Configuration Manager operations on multiple resources at one time. The following table shows some examples for how you might use collections in Configuration Manager: Operation Example
2194

Grouping resources

You can create collections that logically group resources that are based on your organizations hierarchy. For example, you could create a collection of all computers that reside in the London Headquarters Active Directory Organizational Unit (OU). For more information about how to create this type of collection, see How to Create Collections in Configuration Manager. You could then use this collection to perform operations such as configuring Endpoint Protection settings, configuring device power management settings, or installing the Configuration Manager client.

Application deployment

You can create a collection of all computers that do not have Microsoft Office 2013 installed and then deploy this software to all computers in that collection. Note You can also use application requirements to perform this task. For more information, see How to Create Applications in Configuration Manager.

Managing client settings

Although the default client settings in Configuration Manager apply to all devices and all users, you can create custom client settings that apply to a collection of devices or a collection of users. For example, if you want remote control to be available on all but a few devices, configure the default client settings to allow remote control and then configure custom client settings that do not allow remote control. Deploy these custom client settings to a collection that contains the computers that will not use remote control. For more information about how to use collections for client settings, see About Client Settings in Configuration Manager.

Power management

For each collection that you create, you can

2195

configure power settings such as how soon computers in the collection go into sleep mode when they are inactive. For more information about how to use collections with power management, see Power Management in Configuration Manager. Role-based administration Collections can be used with role-based administration to control which groups of users have access to various functionality in the Configuration Manager console. For more information about how configure collections for role-based administration, see the Planning for Role-Based Administration section in the Planning for Security in Configuration Manager topic. Maintenance Windows Maintenance windows provide a means by which administrative users can define a time period when various Configuration Manager operations can be carried out on members of a device collection. You can use maintenance windows to help ensure that client configuration changes occur during periods that do not affect the productivity of the organization. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Most management tasks rely on using one or more collections. For example, before you can deploy software updates to devices, you must identify a collection for the deployment of software updates. Although you can use the built-in collection of All Systems, using this collection for management tasks is not a best practice. In all but a testing environment, you will typically benefit from creating your own custom collections to more specifically identify the devices or users to manage. Built-in and custom collections appear in the User Collections and Device Collections nodes in the Assets and Compliance workspace in the Configuration Manager console. Collections that you have recently viewed appear in the Users node and in the Devices node in the Assets and Compliance workspace in the Configuration Manager console.

2196

Collection Types in Configuration Manager

Configuration Manager has some built-in collections that you can use for common operations. In addition, you can create your own collections that group resources specific to your business requirements.

Built-in collections
By default, Configuration Manager includes the following collections, which cannot be modified.
Collection name Description

All User Groups

Contains the user groups that are discovered by using Active Directory Security Group Discovery. Contains the users who are discovered by using Active Directory User Discovery. Contains the All Users and the All User Groups collections. This collection cannot be modified and contains the largest scope of user and user group resources. Contains the server and desktop devices that have the Configuration Manager client installed. Membership is maintained by Heartbeat Discovery. Contains the mobile devices that are managed by Configuration Manager. Membership is restricted to those mobile devices that are successfully assigned to a site or discovered by the Exchange Server connector. Note In Configuration Manager SP1, this collection excludes the mobile devices that are enrolled by Windows Intune.

All Users All Users and User Groups

All Desktop and Server Clients

All Mobile Devices

All Systems

Contains the All Desktop and Server Clients, the All Mobile Devices, and All Unknown Computers collections. In Configuration Manager SP1, this collection also includes the mobile devices that are enrolled by Windows Intune. This collection cannot be modified and contains
2197

Collection name

Description

the largest scope of device resources. All Unknown Computers Contains generic computer records for multiple computer platforms. You can use this collection to deploy an operating system by using a task sequence and PXE boot, bootable media, or prestaged media.

Custom Collections
When you create a custom collection in Configuration Manager, the membership of that collection is determined by one or more collection rules. For information about how to configure collection rules, see How to Create Collections in Configuration Manager. There are four rules that you can use:

Direct Rule
Direct rules let you to choose the users or computers that you want to add as members to a collection. This rule gives you direct control over which resources are members of the collection. The membership does not automatically change unless a resource is removed from Configuration Manager. Configuration Manager must discover the resources or you must import the resources before you can add them to a direct rule collection. Direct rule collections have a higher administrative overhead than query rule collections because you must modify this collection type manually.

Query Rule
Query rules dynamically update the membership of a collection based on a query that Configuration Manager runs on a schedule. For example, you can create a collection of users who are a member of the Human Resources organizational unit in Active Directory Domain Services. Unlike direct rule collections, this collection membership automatically updates when you add or remove new users to the Human Resources organizational unit. Query rules remove the administrative overhead of manually adding devices to the collection by using a direct rule. However, they do reduce the control you have over which computers are added to the collection. Examples of query based rules include: All users in a specified OU All computers that run Windows 8 All computers that have more than 20GB of free disk space

2198

Include Collections Rule

The include collections rule lets you include the members of another collection in a Configuration Manager collection. Configuration Manager updates the membership of the current collection on a schedule if the membership of the included collection changes.

Exclude Collections Rule

The exclude collections rule lets you exclude the members of another collection from a Configuration Manager collection. Configuration Manager updates the membership of the current collection on a schedule if the membership of the excluded collection changes. Note If a collection includes both include collection and exclude collection rules and there is a conflict, the exclude rule takes priority over the include rule.

Incremental Collection Updates

When you enable incremental updates for a collection, Configuration Manager periodically scans for new or changed resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection updates, it runs every 10 minutes and helps keep your collection data up-to-date without the overhead of a full collection evaluation. Note When you create a new collection, incremental updates are disabled by default.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following table lists features that are new or that have changed in collections since Configuration Manager 2007.
Feature Description

User Collections and Device Collections nodes

You can no longer combine user resources and device resources in the same collection. The Configuration Manager console has two new nodes for user collections and device collections. Sub collections are no longer used in System Center 2012 Configuration Manager.
2199

Sub collections

Feature

Description

In Configuration Manager 2007, sub collections had two main uses: Organize collections in folders. In System Center 2012 Configuration Manager, you can now create a hierarchy of folders in which to store collections. Sub collections were often used in Configuration Manager 2007 for phased software deployments to a larger collection of computers. In System Center 2012 Configuration Manager, you can use include rules to progressively increase the membership of a collection.

For more information, see How to Manage Collections in Configuration Manager. Include collection rules and exclude collection rules Incremental collection member evaluation In System Center 2012 Configuration Manager, you can include or exclude the contents of another collection from a specified collection. Incremental collection member evaluation periodically scans for new or changed resources from the previous collection evaluation and updates a collections membership with these resources, independently of a full collection evaluation. By default, when you enable incremental collection member updates, it runs every 10 minutes and helps to keep your collection data up-to-date without the overhead of a full collection evaluation. Collections can be migrated from Configuration Manager 2007 collections. For more information, see Planning a Migration Job Strategy in System Center 2012 Configuration Manager. You can use collections to limit access to Configuration Manager objects. For more information, see Planning for Security in Configuration Manager.

Migration support

Role-based administration security scopes

2200

Feature

Description

Collection resources

In Configuration Manager 2007, collections contained only resources from the site where they were created and from child sites of that site. In System Center 2012 Configuration Manager, collections contain resources from all sites in the hierarchy. In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection.

Collection limiting

Whats New in Configuration Manager SP1

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for collections in Configuration Manager SP1: The built-in collections are now read-only and cannot be modified.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for collections in System Center 2012 R2 Configuration Manager: A new management option allows you to configure maintenance windows to apply to task sequences only, software updates only, or to all deployments.

See Also
Collections in Configuration Manager

2201

Planning for Collections in Configuration Manager

Use the following topics in this section to help you plan for collections in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Collections in Configuration Manager Best Practices for Collections in Configuration Manager

See Also
Collections in Configuration Manager

Prerequisites for Collections in Configuration Manager

Collections in System Center 2012 Configuration Manager contain only dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Reporting services point

The reporting services point site system role must be installed before you can run reports for collections. For more information, see Reporting in Configuration Manager. You must have the following security permissions to manage compliance settings: To create and manage collections: Create, Delete, Modify, Modify Folder, Move Object, Read and Read Resource for the Collection Object. To manage collection settings: Modify Collection Setting for the Collection Object.

Specific security permissions must have been granted to manage collections

2202

Dependency

More information

Note The Modify Folder permission is required for all collection folders, including the root folder.

See Also
Planning for Collections in Configuration Manager

Best Practices for Collections in Configuration Manager

Use the following best practices for collections in System Center 2012 Configuration Manager.

Do not use incremental updates for a large number of collections

When you enable the Use incremental updates for this collection option, this configuration might cause evaluation delays when you enable it for many collections. The threshold is about 200 collections. The exact number depends on the following factors: The total number of collections The frequency of new resources being added and changed in the hierarchy The number of clients in your hierarchy The complexity of collection membership rules in your hierarchy

Do not modify the built-in collections and instead, copy and then modify the pasted collection (Configuration Manager with no service pack)
If a default collection (such as All Desktop and Server Clients) does not meet your business requirements, do not modify the collection. Instead, copy and paste the collection, and then modify the new collection. This practice helps to troubleshoot collection queries and safeguards against the possibility that future upgrades might overwrite and change the built-in collections. In Configuration Manager SP1, the built-in collections are read-only and cannot be modified.

2203

Make sure that maintenance windows are large enough to deploy critical software updates
You can configure maintenance windows for device collections to restrict the times that Configuration Manager can install software on these devices. If you configure the maintenance window to be too small, the client might not be able to install critical software updates, which leaves the client vulnerable to the attack that is mitigated by the software update.

See Also
Collections in Configuration Manager

Operations and Maintenance for Collections in Configuration Manager

Use the following topics in this section to help you create and manage collections in the System Center 2012 Configuration Manager hierarchy.

In this Section
How to Create Collections in Configuration Manager How to Manage Collections in Configuration Manager How to Use Maintenance Windows in Configuration Manager

See Also
Collections in Configuration Manager

How to Create Collections in Configuration Manager

Create collections in System Center 2012 Configuration Manager to represent logical groupings of users or devices. You can use collections to help you perform many tasks including application management, deploying compliance settings, or installing software updates. You can also use collections to manage groups of client settings or use them with role-based administration to specify the resources that an administrative user can access. Configuration Manager contains several built-in collections. For more information, see Introduction to Collections in Configuration Manager.

2204

Note A collection cannot contain users and devices. The following table lists the rules that you can use to configure the members of a collection in Configuration Manager.
Membership rule type More information

Direct rule

Direct rules let you choose the users or computers that you want to add as members to a collection. This rule gives you direct control over which resources are members of the collection. This membership does not change unless a resource is removed from Configuration Manager. Configuration Manager must have discovered the resources or you must have imported the resources before you can add them to a direct rule collection. Direct rule collections have a higher administrative overhead than query rule collections because you must make changes to this collection type manually. Query rules dynamically update the membership of a collection based on a query that Configuration Manager runs on a schedule. For example, you can create a collection of users that are a member of the Human Resources organizational unit in Active Directory Domain Services. Unlike direct rule collections, this collection membership is automatically updated when new users are added to or removed from the Human Resources organizational unit. Tip For example queries that you can use to build collections, see the section Example WQL Queries in the topic How to Create Queries in Configuration Manager.

Query rule

Include collection rule

The include collection rule let you include the members of another collection in a Configuration Manager collection The
2205

Membership rule type

More information

membership of the current collection is updated on a schedule if the membership of the included collection has changed. Note You can add multiple include collection rules to a collection. Example: You create a collection that has two include collection rules. The first include collection rule is for a collection of laptops and the second include collection rule is for a collection of desktops. The new collection will contain all the members in the laptop collection and the desktop collection. Exclude collection rule The exclude collection rule let you exclude the members of another collection from a Configuration Manager collection. The membership of the current collection is updated on a schedule if the membership of the excluded collection has changed. Note You can add multiple exclude collection rules to a collection. If a collection includes both include collection and exclude collection rules and there is a conflict, the exclude collection rule takes priority over the include collection rule. Example: You create a collection that has one include collection rule and one exclude collection rule. The include collection rule is for a collection of Dell desktops. The exclude collection is for a collection of computers that have less than 4 GB RAM. The new collection will contain Dell desktops that have at least 4 GB RAM. Use the following procedures to help you create collections in Configuration Manager. You can also import collections that were created at this or another Configuration Manager site. For

2206

information about how to export collections, see How to Manage Collections in Configuration Manager. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about creating collections for computers that run Linux and UNIX, see the Collections of Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic. To create a device collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. On the Home tab, in the Create group, click Create Device Collection. 4. On the General page of the Create Device Collection Wizard, specify the following information: Name: Specify a unique name for the collection. Comment: Specify a description for the collection. Limiting collection: Click Browse to select a limiting collection. The collection that you are creating will only contain members from the limiting collection.

5. On the Membership Rules page of the Create Device Collection Wizard, specify the following information: In the Add Rule list, select the type of membership rule that you want to use for this collection. You can configure multiple rules for each collection. Use the following procedures to configure each membership rule type. To configure a direct rule a. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers. Attribute name: In the list, select the attribute associated with the selected resource class that you want to search for. For example, if you want to select computers by their NetBIOS name, select System Resource in the Resource class list and NetBIOS name in the Attribute name list. Exclude resources marked as obsolete If a client computer is marked as obsolete, do not include this value in the search results. Exclude resources that do not have the Configuration Manager
2207

client installed If the search results include a resource that does not have a Configuration Manager client installed, this value will not be displayed in the search results. Value: Enter a value for which you want to search the selected attribute name. You can use the percent character % as a wildcard. For example, if you wanted to search for computers that have a NetBIOS name beginning with M, enter M% in this field.

b. On the Select Resources page of the Create Direct Membership Rule Wizard, select the resources that you want to add to the collection in the Resources list, and then click Next. c. Complete the Create Direct Membership Rule Wizard.

To configure a query rule a. In the Query Rule Properties dialog box, specify the following information: Name: Specify a unique name for the query rule. Import Query Statement Opens the Browse Query dialog box where you can select a System Center 2012 Configuration Manager query to use as the query rule for the collection. For more information about how to create these queries and some examples, see How to Create Queries in Configuration Manager. Resource class: In the list, select the type of resource you want to search for and add to the collection. Select a value from System Resource values to search for inventory data returned from client computers or Unknown Computer to select from values returned by unknown computers. Edit Query Statement Opens the Query Statement Properties dialog box where you can author a query to use as the rule for the collection. For more information about queries, see Queries in Configuration Manager.

b. Click OK to close the Query Rule Properties dialog box and to save the query membership rule.

To configure an include collection rule a. In the Select Collections dialog box, select the collections you want to include in the new collection. b. Click OK to close the Select Collections dialog box and to save the include membership rule.

2208

To configure an exclude collection rule a. In the Select Collections dialog box, select the collections you want to exclude from the new collection. b. Click OK to close the Select Collections dialog box and to save the exclude membership rule. Use incremental updates for this collection Select this option to periodically scan for only new or changed resources from the previous collection evaluation and update the collection membership with only these resources, independently of a full collection evaluation. Incremental updates occur at 10 minute intervals. Important Collections configured by using query rules that use the following classes do not support incremental updates: SMS_G_System_CollectedFile SMS_G_System_LastSoftwareScan SMS_G_System_AppClientState SMS_G_System_DCMDeploymentState SMS_G_System_DCMDeploymentErrorAssetDetails SMS_G_System_DCMDeploymentCompliantAssetDetails SMS_G_System_DCMDeploymentNonCompliantAssetDetails SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only) SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only) SMS_G_System_SoftwareUsageData SMS_G_System_CI_ComplianceState SMS_G_System_EndpointProtectionStatus SMS_GH_System_* SMS_GEH_System_* Schedule a full update on this collection Select this option to schedule a regular full evaluation of the collection membership.

6. Complete the wizard to create the new collection. The new collection is displayed in the Device Collections node of the Assets and Compliance workspace. Note You must refresh or reload the Configuration Manager console to see the collection members. However, the members will not appear in the collection until after the first scheduled update, or you manually select Update Membership for the collection. Depending on the complexity of the collection rule and the number of entries in the Configuration Manager database, it can take a few minutes for a collection update to
2209

complete. To create a user collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User Collections. 3. On the Home tab, in the Create group, click Create User Collection. 4. On the General page of the Create User Collection Wizard, specify the following information: Name: Specify a unique name for the collection. Comment: Specify a description for the collection. Limiting collection: Click Browse to select a limiting collection. The collection you are creating will only contain members from the limiting collection.

5. On the Membership Rules page of the Create User Collection Wizard, specify the following information: In the Add Rule list, select the type of membership rule you want to use for this collection. You can configure multiple rules for each collection. Use the following procedures to configure each membership rule type. To configure a direct rule a. On the Search for Resources page of the Create Direct Membership Rule Wizard, specify the following information: Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from User Resource values to search for user information collected by Configuration Manager or User Group Resource to search for user group information collected by Configuration Manager. Attribute name: In the list, select the attribute associated with the selected resource class that you want to search for. For example, if you want to select users by their Organizational Unit (OU) name, select User Resource in the Resource class list and User OU Name in the Attribute name list. Value: Enter a value that you want to search the selected attribute name for. You can use the percent character % as a wildcard. For example, if you wanted to search for users in the Contoso OU, enter Contoso in this field.

b. On the Select Resources page of the Create Direct Membership Rule Wizard, select the resources that you want to add to the collection in the Resources list, and then click Next. c. Complete the Create Direct Membership Rule Wizard.

2210

To configure a query rule a. In the Query Rule Properties dialog box, specify the following information: Name: Specify a unique name for the query rule. Import Query Statement Opens the Browse Query dialog box where you can select a System Center 2012 Configuration Manager query to use as the query rule for the collection. For more information about queries, see Queries in Configuration Manager. Resource class: In the list, select the type of resource you want to search for and add to the collection. Select from User Resource values to search for user information collected by Configuration Manager or User Group Resource to search for user group information collected by Configuration Manager. Edit Query Statement Opens the Query Statement Properties dialog box where you can author a query to use as the rule for the collection. For more information about queries, see Queries in Configuration Manager.

b. Click OK to close the Query Rule Properties dialog box and to save the query membership rule.

To configure an include collection rule a. In the Select Collections dialog box, select the collections you want to include in the new collection. b. Click OK to close the Select Collections dialog box and to save the include membership rule.

To configure an exclude collection rule a. In the Select Collections dialog box, select the collections you want to exclude from the new collection. b. Click OK to close the Select Collections dialog box and to save the exclude membership rule. Use incremental updates for this collection Select this option to periodically scan for only new or changed resources from the previous collection evaluation and update the collection membership with only these resources, independently of a full collection evaluation. Incremental updates occur at 10 minute intervals. Important
2211

Collections configured by using query rules that use the following classes do not support incremental updates: SMS_G_System_CollectedFile SMS_G_System_LastSoftwareScan SMS_G_System_AppClientState SMS_G_System_DCMDeploymentState SMS_G_System_DCMDeploymentErrorAssetDetails SMS_G_System_DCMDeploymentCompliantAssetDetails SMS_G_System_DCMDeploymentNonCompliantAssetDetails SMS_G_User_DCMDeploymentCompliantAssetDetails (for collections of users only) SMS_G_User_DCMDeploymentNonCompliantAssetDetails (for collections of users only) SMS_G_System_SoftwareUsageData SMS_G_System_CI_ComplianceState SMS_G_System_EndpointProtectionStatus SMS_GH_System_* SMS_GEH_System_* Schedule a full update on this collection Select this option to schedule a regular full evaluation of the collection membership.

6. Complete the wizard to create the new collection. The new collection is displayed in the User Collections node of the Assets and Compliance workspace. Note You must refresh or reload the Configuration Manager console to see the collection members. However, the members will not appear in the collection until after the first scheduled update, or you manually select Update Membership for the collection. Depending on the complexity of the collection rule and the number of entries in the Configuration Manager database, it can take a few minutes for a collection update to complete. To import a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click User Collections or Device Collections. 3. On the Home tab, in the Create group, click Import Collections. 4. On the General page of the Import Collections Wizard, click Next. 5. On the MOF File Name page, click Browse and then browse to the MOF file that contains the collection information you want to import. Note The file you want to import must have been exported from a site running the
2212

same version of Configuration Manager as this one. For more information about exporting collections, see How to Manage Collections in Configuration Manager. 6. Complete the wizard to import the collection. The new collection is displayed in the User Collections or Device Collections node of the Assets and Compliance workspace. Note You must refresh or reload the Configuration Manager console to see the collection members for the newly imported collection.

See Also
Operations and Maintenance for Collections in Configuration Manager

How to Manage Collections in Configuration Manager

Use the overview information in this topic to help you perform management tasks for collections in System Center 2012 Configuration Manager. Note For information about how to create Configuration Manager collections, see How to Create Collections in Configuration Manager.

How to Manage Device Collections

In the Assets and Compliance workspace, select Device Collections, select the collection to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Show Members

Displays all of the resources that are members of the selected collection in a temporary node under the Devices node. Provides the following options to perform one of the following actions: Add Selected Items to Existing Device Collection

No additional information.

Add Selected Items

How to Create Collections in Configuration Manager

2213

Management task

Details

More information

Opens the Select Collection dialog box where you can select the collection to which you want to add the members of the selected collection. The selected collection is included in this collection by using an Include Collections membership rule. Add Selected Items to New Device Collection Opens the Create Device Collection Wizard where you can create a new collection. The selected collection is included in this collection by using an Include Collections membership rule.

Install Client

Opens the Install Client Wizard How to Install Configuration which uses client push installation Manager Clients by Using to install a Configuration Manager Client Push client on all computers in the selected collection. Opens the Manage User Device Affinity Requests dialog box where you can approve or reject pending requests to establish user device affinities for devices in the selected collection. Provides the following options for using out of band management on computers in the selected collection: Discover AMT Status Power Control Clear Audit Log Operating System Deployment in Configuration
2214

Manage Affinity Requests

How to Manage User Device Affinity in Configuration Manager

Manage Out of Band

Out of Band Management in Configuration Manager

Clear Required PXE Deployments

Clears any required PXE boot deployments from all members of

Management task

Details

More information

the selected collection. Update Membership

Manager

Evaluates the membership for the No additional information. selected collection. For collections with many members, this update might take some time to finish. Use the Refresh action to update the display with the new collections members after the update is completed. Opens the Add Resources to Collection dialog box where you can search for new resources to add to the selected collection. Note The icon for the selected collection displays an hourglass symbol while the update is in progress. No additional information.

Add Resources

Client Notification

Instructs all clients in the selected No additional information. device collection to download computer policy (Configuration Manager SP1 and System Center 2012 R2 Configuration Manager) or user policy (System Center 2012 R2 Configuration Manager only) Performs a full or quick antimalware scan or downloads the latest antimalware definitions to computers in the selected collection. Opens the Export Collection Wizard that helps you export this collection to a Managed Object Format (MOF) file that can then be archived or used at another Configuration Manager site. Important
2215

Endpoint Protection

Endpoint Protection in Configuration Manager

Export

No additional information.

Management task

Details

More information

When you export a collection, collections that are referenced by the selected collection through the use of an Include or Exclude rule are not exported. Copy Creates a copy of the selected collection. The new collection uses the selected collection as a limiting collection. Deletes the selected collection. You can also delete all of the resources in the collection from the site database. Note You cannot delete the collections that are built into Configuration Manager. Simulate Deployment Opens the Simulate Application Deployment Wizard which lets you test the results of an application deployment without installing or uninstalling the application. Displays the following options: Application Opens the Deploy Software Wizard where you can select and configure an application deployment to the selected collection. How to Simulate an Application Deployment in Configuration Manager No additional information.

Delete

For a list of the built-in collections, see Introduction to Collections in Configuration Manager.

Deploy

How to Deploy Applications in Configuration Manager How to Deploy Packages and Programs in Configuration Manager

How to Deploy Configuration Baselines in Configuration Program - Opens the Deploy Manager Software Wizard where you Planning a Task Sequences can select and configure a Strategy in Configuration package and program Manager deployment to the selected collection. Operations and Maintenance
2216

Management task

Details

More information

Configuration Baseline Opens the Deploy Configuration Baselines dialog box where you can configure the deployment of one or more configuration baselines to the selected collection. Task Sequence - Opens the Deploy Software Wizard where you can select and configure a task sequence deployment to the selected collection. Software Updates Opens the Deploy Software Updates Wizard where you can configure the deployment of software updates to resources in the selected collection.

for Software Updates in Configuration Manager

How to Manage User Collections

In the Assets and Compliance workspace, select User Collections, select the collection to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Show Members

Displays all of the resources that are members of the selected collection in a temporary node under the Users node. This option lets you perform one of the following actions: Add Selected Items to Existing User Collection Opens the Select Collection dialog box where you can

No additional information.

Add Selected Items

How to Create Collections in Configuration Manager

2217

Management task

Details

More information

select the collection to which you want to add the members of the selected collection. The selected collection is included in this collection by using an Include Collections membership rule. Add Selected Items to New User Collection Opens the Create User Collection Wizard where you can create a new collection. The selected collection is included in this collection by using an Include Collections membership rule. How to Manage User Device Affinity in Configuration Manager

Manage Affinity Requests

Opens the Manage User Device Affinity Requests dialog box where you can approve or reject pending requests to establish user device affinities for users in the selected collection.

Update Membership

Evaluates the membership for the No additional information. selected collection. For collections with many members, this update might take some time to finish. Use the Refresh action to update the display with the new collections members after the update is completed. Note The icon for the selected collection displays an hourglass symbol while the update is in progress.

Add Resources

Opens the Add Resources to Collection dialog box where you can search for new resources to add to the selected collection. Opens the Export Collection

No additional information.

Export

No additional information.
2218

Management task

Details

More information

Wizard that helps you to export this collection to a Managed Object Format (MOF) file that can then be archived or used at another Configuration Manager site. Important When you export a collection, collections that are referenced by the selected collection through the use of an Include or Exclude rule are not exported. Copy Creates a copy of the selected collection. The new collection uses the selected collection as a limiting collection. Deletes the selected collection. You can also delete all of the resources in the collection from the site database. Note You cannot delete the collections that are built into Configuration Manager. Simulate Deployment Opens the Simulate Application Deployment Wizard which lets you test the results of an application deployment without installing or uninstalling the application. Displays the following options: Application Opens the Deploy Software Wizard where you can select and configure an application How to Simulate an Application Deployment in Configuration Manager No additional information.

Delete

For a list of the built-in collections, see Introduction to Collections in Configuration Manager.

Deploy

How to Deploy Applications in Configuration Manager How to Deploy Packages and Programs in Configuration Manager
2219

Management task

Details

More information

deployment to the selected collection.

How to Deploy Configuration Baselines in Configuration Program - Opens the Deploy Manager Software Wizard where you can select and configure a package and program deployment to the selected collection. Configuration Baseline Opens the Deploy Configuration Baselines dialog box where you can configure the deployment of one or more configuration baselines to the selected collection.

Collection Properties
When you open the Properties dialog box for a collection, you can view and configure the following properties for a collection.
Tab name More information

General

Lets you view and configure general information about the selected collection including the collection name and the limiting collection. Lets you configure the membership rules that define the membership of this collection. For more information, see How to Create Collections in Configuration Manager. Lets you configure power management plans that are assigned to computers in the selected collection. For more information, see Power Management in Configuration Manager. Displays any software that has been deployed to members of the selected collection. Lets you view and configure maintenance windows that are applied to members of the
2220

Membership Rules

Power Management

Deployments Maintenance Windows

Tab name

More information

selected collection. For more information, see How to Use Maintenance Windows in Configuration Manager. Collection Variables Lets you configure variables that apply to this collection and can be used by task sequences. For more information, see How to Manage Task Sequences in Configuration Manager. If an out of band service point is installed, this option enables members of the selected collection for provisioning for AMT-based computers. For more information, see Out of Band Management in Configuration Manager. Lets you associate one or more distribution point groups to members of the selected collection. For more information, see Content Management in Configuration Manager. Displays the administrative users who have permissions for the selected collection from associated roles and security scopes. Lets you configure when alerts are generated for client status and Endpoint Protection. For more information, see How to Configure Client Status in Configuration Manager and How to Configure Alerts for Endpoint Protection in Configuration Manager.

Out of Band Management

Distribution Point Groups

Security

Monitor

See Also
Operations and Maintenance for Collections in Configuration Manager

How to Use Maintenance Windows in Configuration Manager

Maintenance windows in System Center 2012 Configuration Manager provide a means by which administrative users can define a time period when various Configuration Manager operations can be carried out on members of a device collection. You can use maintenance windows to help
2221

ensure that client configuration changes occur during periods that do not affect the productivity of the organization. The following Configuration Manager operations support maintenance windows: Software deployments Software update deployments Compliance settings deployment and evaluation Operating system deployments Task sequence deployments

Maintenance windows are configured for a collection with a start date, a start and finish time, and a recurrence pattern. Each maintenance window must have a duration of less than 24 hours. By default, computer restarts caused by a deployment are not allowed outside of a maintenance window, but you can override the default in the settings for each deployment. Maintenance windows affect only the time when the deployment program runs; applications configured to download and run locally can download content outside of the maintenance window. When a client computer is a member of a device collection that has a maintenance window configured, a deployment program runs only if the maximum allowed run time does not exceed the duration configured for the maintenance window. If the program fails to run, an alert is generated and the deployment is rerun during the next scheduled maintenance window that has available time.

Using Multiple Maintenance Windows

When a client computer is a member of multiple device collections that have configured maintenance windows, the following rules apply: If the maintenance windows do not overlap, they are treated as two independent maintenance windows. If the maintenance windows overlap, they are treated as a single maintenance window encompassing the time period covered by both maintenance windows. For example, if two maintenance windows, each an hour in duration overlap by 30 minutes, the effective duration of the maintenance window would be 90 minutes.

When a user initiates an application installation from Software Center, the application is installed immediately, regardless of any configured maintenance windows. If an application deployment with a purpose of Required reaches its installation deadline during the nonbusiness hours configured by a user in Software Center, it is installed regardless of the configured nonbusiness hours. How to configure maintenance windows in Configuration Manager 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection for which you want to configure a maintenance window.
2222

4. On the Home tab, in the Properties group, click Properties. 5. In the Maintenance Windows tab of the <collection name> Properties dialog box, click the New icon. Note You cannot create maintenance windows for the All Systems collection. 6. In the <new> Schedule dialog box, specify a name, a schedule, and a recurrence pattern for the maintenance window. You can also enable the option to apply the schedule to only task sequences. 7. For System Center 2012 R2 Configuration Manager only: From the Apply this schedule to drop-down list, select whether this maintenance window applies to all deployments, only software updates, or only task sequences. 8. Click OK to close the <new> Schedule dialog box and create the new maintenance window. 9. Close the <collection name> Properties dialog box.

See Also
Operations and Maintenance for Collections in Configuration Manager

Security and Privacy for Collections in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security best practices and privacy information for collections in System Center 2012 Configuration Manager. There is no privacy information specifically for collections in Configuration Manager. Collections are containers for resources, such as users and devices. Collection membership often depends on the information that Configuration Manager collects during standard operation. For example, by using resource information that has been collected from discovery or inventory, a collection can be configured to contain the devices that meet specified criteria. Collections might also be based on the current status information for client management operations, such as deploying software and checking for compliance. In addition to these query-based collections, administrative users can also add resources to collections. For more information about collections, see Introduction to Collections in Configuration Manager. For more information about any security best practices and privacy information for Configuration

2223

Manager operations that can be used to configure collection membership, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Collections

Use the following security best practice for collections.
Security best practice More information

When you export or import a collection by using a Managed Object Format (MOF) file that is saved to a network location, secure the location, and secure the network channel.

Restricts who can access the network folder. Use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between the network location and the site server to prevent an attacker from tampering with the exported collection data. Use IPsec to encrypt the data on the network to prevent information disclosure.

Security Issues for Collections

Collections have the following security issues: If you use collection variables, local administrators can read potentially sensitive information. Collection variables can be used when you deploy an operating system.

See Also
Collections in Configuration Manager

Technical Reference for Collections in Configuration Manager

There is currently no technical reference information for collections in System Center 2012 Configuration Manager.

See Also
Collections in Configuration Manager

2224

Queries in Configuration Manager

Queries in System Center 2012 Configuration Manager return information from the site database based on criteria that you specify. You can use queries to retrieve information about resources in your site or about inventory data and status messages.

Queries Topics
Use the following topics to help you use queries in Configuration Manager. Introduction to Queries in Configuration Manager Operations and Maintenance for Queries in Configuration Manager Security and Privacy for Queries in Configuration Manager Technical Reference for Queries in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Queries in Configuration Manager

You can create and run queries to locate objects in a System Center 2012 Configuration Manager hierarchy that match your query criteria. These objects include items such as specific types of computers or user groups. Queries can return most types of Configuration Manager objects, which include sites, collections, applications, and inventory data. When you create a query, you must specify a minimum of two parameters: where you want to search and what you want to search for. For example, to find the amount of hard disk space that is available on all computers in a Configuration Manager site, you can create a query to search the Logical Disk attribute class and the Free Space (MB) attribute for available hard disk space. After you create an initial query, you can specify additional query criteria. For example, you can specify that the query results include only computers that are assigned to a specified site. You can also modify how results are displayed so that you can view the results in an order that is meaningful to you. For example, you can specify that the results are sorted by the amount of free hard disk space in either ascending or descending order. When you create a query, it is stored by Configuration Manager and displayed in the Queries node in the Monitoring workspace. From this location, you can create a new query and then run, update, or manage an existing query.

2225

You can also import a query into a query rule in a Configuration Manager collection. For more information, see How to Create Collections in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for queries since Configuration Manager 2007: The option to export the results of a query is not available in this release. As a workaround, you can copy the query results to the Windows clipboard.

See Also
Queries in Configuration Manager

Operations and Maintenance for Queries in Configuration Manager

Use the following topics in this section for operations and maintenance information for queries in System Center 2012 Configuration Manager.

In This Section
How to Create Queries in Configuration Manager How to Manage Queries in Configuration Manager

See Also
Queries in Configuration Manager

How to Create Queries in Configuration Manager

Use the following sections in this topic to help you create or import queries in System Center 2012 Configuration Manager. How to Create Queries How to Import Queries
2226

Example WQL Queries

How to Create Queries

Use this procedure to help you create queries in Configuration Manager. To create a query 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Queries and then, in the Home tab, in the Create group, click Create Query. 3. On the General tab of the Create Query Wizard, specify a unique name and an optional comment for the query. 4. If you want to import an existing query to use as a basis for the new query, click Import Query Statement and then, in the Browse Query dialog box, select an existing query that you want to import, and then click OK. 5. In the Object Type list, select the type of object you want the query to return. The following table describes some examples of the type of object you can search for:
Object type Description

System Resource

Use to search for typical system attributes, such as the NetBIOS name of a device, the client version, the client IP address, and Active Directory Domain Services information. Use to search for typical user information such as user names, user group names, and security group names. Use to search for typical attributes of a deployment, such as the deployment name, schedule, and the collection to which it was deployed.

User Resource

Deployment

6. Click Edit Query Statement to open the <Query Name> Statement Properties dialog box. 7. On the General tab in the <Query Name> Statement Properties dialog box, specify the attributes that this query returns and how they are to be displayed. Click the New icon to add a new attribute. You can also click Show Query Language to enter or edit the query directly in WMI Query Language (WQL). For examples of WMI queries, see the Example WQL Queries section in this topic. Tip
2227

You can use the following MSDN reference documentation to help you construct your own WQL queries: WQL (SQL for WMI) WHERE Clause WQL Operators

8. On the Criteria tab of the <Query Name> Statement Properties dialog box, specify criteria that are used to refine the results of the query. For example, you could return only resources that have a site code of XYZ in the query results. You can configure multiple criteria for a query. Important If you create a query that contains no criteria, the query will return all devices in the All Systems collection. 9. On the Joins tab in the <Query Name> Statement Properties dialog box, you can combine data from two different attributes into your query results. Although Configuration Manager automatically creates query joins when you choose different attributes for your query result, the Joins tab provides more advanced options. The attribute classes supported by System Center 2012 Configuration Manager are shown in the following table:
Join type Description

Inner

Displays only matching results always used by joins that are created automatically. Displays all results for the base attribute and only the matching results for the join attribute. Displays all the results for the join attribute and only the matching results for the base attribute. Displays all the results for both the base attribute and the join attribute.

Left

Right

Full

For more information about how to use Join operations, see your SQL Server documentation. 10. Click OK to close the <Query Name> Statement Properties dialog box. 11. On the General tab of the Create Query Wizard, specify whether the results of this query are not limited to the members of a collection, are limited to the members of a specified collection, or prompt for a collection each time the query is run. 12. Complete the wizard to create the query. The new query is displayed in the Queries node in the Monitoring workspace.
2228

How to Import Queries

Use this procedure to help you import a query into Configuration Manager. For information about how to export queries, see How to Manage Queries in Configuration Manager. To import a query 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Queries and then, in the Home tab, in the Create group, click Import Objects. 3. On the MOF File Name page of the Import Objects Wizard, click Browse to select the Managed Object Format (MOF) file containing the query that you want to import. 4. Review information about the query to be imported and then complete the wizard. The new query is displayed in the Queries node in the Monitoring workspace.

Example WQL Queries

This section contains example WMI queries that you can use in your hierarchy or modify for other purposes. To use these queries, click Show Query Language in the Query Statement Properties dialog box, and then copy and paste the query into the Query Statement field. Tip Use the wildcard character % to signify any string of characters. For example, %Visio% returns Microsoft Office Visio 2010.

Computers that run Windows 7

Use the following query to return the NetBIOS name and operating system version of all computers that run Windows 7. Tip To return computers that run Windows Server 2008 R2, change %Workstation 6.1% to %Server 6.1%.
select SMS_R_System.NetbiosName, SMS_R_System.OperatingSystemNameandVersion from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 6.1%"

Computers with a specific software package installed

Use the following query to return the NetBIOS name and software package name of all computers that have a specific software package installed. This example displays all computers with a version of Microsoft Visio installed. Replace %Visio% with the software package you want to query for.
2229

Tip This query searches for the software package by using the names that are displayed in the programs list in Windows Control Panel.
select SMS_R_System.NetbiosName, SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "%Visio%"

Computers that are in a specific Active Directory Domain Services Organizational Unit (OU)
Use the following query to return the NetBIOS name and OU name of all computers in a specified OU. Replace the text OU Name with the name of the OU that you want to query for.
select SMS_R_System.NetbiosName, SMS_R_System.SystemOUName from SMS_R_System where SMS_R_System.SystemOUName = "OU Name"

Computers with a specific NetBIOS name

Use the following query to return the NetBIOS name of all computers that begin with a specific string of characters. In this example, the query returns all computers with a NetBIOS name that begins with ABC.
select SMS_R_System.NetbiosName from SMS_R_System where SMS_R_System.NetbiosName like "ABC%"

Devices of a specific type

Device types are stored in the Configuration Manager database under the resource class sms_r_system and the attribute name AgentEdition. Use the following query to retrieve only the devices that match the agent edition of the device type you specify:
Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = <Device ID>

Use one of the following values for <Device ID>:

Device type Value of AgentEdition

Windows Desktop or laptop computer

0
2230

Device type

Value of AgentEdition

Windows ARM-based device (running Windows 1 RT) Windows Mobile 6.5 Nokia Symbian Windows Phone Mac computer Windows CE Windows Embedded iOS iPad iPod Touch Android Intel System On a Chip Unix and Linux servers 2 3 4 5 6 7 8 9 10 11 12 13

For example, if you want the query to return only Mac computers, use the following query:
Select SMS_R_System.ClientEdition from SMS_R_System where SMS_R_System.ClientEdition = 5

See Also
Operations and Maintenance for Queries in Configuration Manager

How to Manage Queries in Configuration Manager

Use the information in this topic to help you manage queries in System Center 2012 Configuration Manager. For information about how to create queries, see How to Create Queries in Configuration Manager.

2231

How to Manage Queries

In the Monitoring workspace, select Queries, select the query to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Run

Runs the selected query and displays the results in the Configuration Manager console. Opens the Install Client Wizard that lets you install the Configuration Manager client on computers returned by the selected query. Important This option is not available for queries that return mobile devices, users, or user groups.

No additional information.

Install Client

For more information about how to install Configuration Manager clients by using client push, see How to Install Configuration Manager Clients by Using Client Push.

Export

Opens the Export Objects Wizard that lets you export this query to a Managed Object Format (MOF) file that can then be imported at another site. Opens the Move Selected Items dialog box where you can move the selected query to a folder that you previously created under the Queries node.

No additional information.

Move

No additional information.

See Also
Operations and Maintenance for Queries in Configuration Manager

2232

Security and Privacy for Queries in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Queries in Configuration Manager let you retrieve information from the site database based on the criteria that you specify. Configuration Manager collects the site database information during standard operation. For example, by using information that has been collected from discovery or inventory, you can configure a query to identify devices that meet specified criteria. For more information about queries, see Introduction to Queries in Configuration Manager. For more information about any security best practices and privacy information for Configuration Manager operations that collect the information that you can retrieve by using queries, see Security Best Practices and Privacy Information for Configuration Manager.

Security Best Practices for Queries

Use the following security best practice for queries.
Security best practice More information

When you export or import a query that is Restrict who can access the network folder. saved to a network location, secure the location Use server message block (SMB) signing or and secure the network channel. Internet Protocol Security (IPsec) between the network location and the site server to prevent an attacker from tampering with the query data before it is imported.

See Also
Queries in Configuration Manager

Technical Reference for Queries in Configuration Manager

There is currently no technical reference information for queries in System Center 2012 Configuration Manager.
2233

See Also
Queries in Configuration Manager

Inventory in Configuration Manager

You can use a number of methods in System Center 2012 Configuration Manager to inventory hardware and software in your organization. Use hardware inventory for detailed information about the hardware of client computers and mobile devices that are enrolled by Configuration Manager. Use software inventory for information about software and files present on client computers. Asset Intelligence extends these inventory capabilities to help you manage licenses for software in the enterprise.

Inventory Topics
Use the following topics to help you find information about hardware inventory, software inventory, and Asset Intelligence in Configuration Manager. Hardware Inventory in Configuration Manager Software Inventory in Configuration Manager Asset Intelligence in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Hardware Inventory in Configuration Manager

Use System Center 2012 Configuration Manager hardware inventory to collect detailed information about the hardware of client devices in your enterprise.

In This Section
Use the following topics to help you plan, configure, operate and maintain, and troubleshoot hardware inventory in System Center 2012 Configuration Manager. Introduction to Hardware Inventory in Configuration Manager Planning for Hardware Inventory in Configuration Manager Configuring Hardware Inventory in Configuration Manager
2234

Operations and Maintenance for Hardware Inventory in Configuration Manager Hardware Inventory for Linux and UNIX in Configuration Manager Security and Privacy for Hardware Inventory in Configuration Manager Technical Reference for Hardware Inventory in Configuration Manager

See Also
Inventory in Configuration Manager

Introduction to Hardware Inventory in Configuration Manager

Use hardware inventory in System Center 2012 Configuration Manager to collect information about the hardware configuration of client devices in your organization. To collect hardware inventory, the Enable hardware inventory on clients setting must be enabled in client settings. After hardware inventory is enabled and a hardware inventory cycle is run by the client, the client sends the inventory information that it has collected to a management point in the clients site. The management point then forwards the inventory information to the Configuration Manager site server which stores the inventory information in the site database. Hardware inventory runs on clients according to the schedule that you specify in client settings. You can use several methods to view the hardware inventory data that System Center 2012 Configuration Manager collects. These include the following: Create queries that return devices that are based on a specific hardware configuration. For more information, see Queries in Configuration Manager. Create query-based collections that are based on a specific hardware configuration. Querybased collection memberships automatically update on a schedule. You can use collections for several tasks, which include software deployment. For more information, see Collections in Configuration Manager. Run reports that display specific details about hardware configurations in your organization. For more information, see Reporting in Configuration Manager. Use Resource Explorer to view detailed information about the hardware inventory that is collected from client devices. For more information, see How to Use Resource Explorer to View Hardware Inventory in Configuration Manager.

When hardware inventory runs on a client device, the first inventory data that the client returns is always a full inventory. Subsequent inventory information contains only delta inventory information. The site server processes delta inventory information in the order in which it is received. If delta inventory information for a client is missing, the site server rejects additional delta inventory information and instructs the client to run a full inventory cycle.

2235

Configuration Manager provides limited support for dual-boot computers. Configuration Manager can discover dual-boot computers but only returns inventory information from the operating system that was active at the time the inventory cycle ran. Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about how to use hardware inventory with clients that run Linux and UNIX, see Hardware Inventory for Linux and UNIX in Configuration Manager.

Extending Configuration Manager Hardware Inventory

In addition to the built-in hardware inventory in Configuration Manager, you can also use one of the following methods to extend hardware inventory to collect additional information:
Method Description

Add and remove inventory classes from the Configuration Manager console

In System Center 2012 Configuration Manager, you can enable, disable, add and remove inventory classes for hardware inventory from the Configuration Manager console. Use NOIDMIF files to collect information about client devices that cannot be inventoried by Configuration Manager. For example, you might want to collect device asset number information that exists only as a label on the device. NOIDMIF inventory is automatically associated with the client device that it was collected from. Use IDMIF files to collect information about assets in your organization that are not associated with a Configuration Manager client, for example, projectors, photocopiers and network printers.

NOIDMIF files

IDMIF files

For more information about using these methods to extend Configuration Manager hardware inventory, see How to Extend Hardware Inventory in Configuration Manager.

Whats New in Configuration Manager

Note
2236

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for hardware inventory since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable custom hardware inventory, and add and import new inventory classes from the Configuration Manager console. The sms_def.mof file is no longer used to customize hardware inventory. You can extend the inventory schema by adding or importing new classes. Different hardware inventory settings can be applied to collections of devices by using client settings.

See Also
Hardware Inventory in Configuration Manager

Planning for Hardware Inventory in Configuration Manager

Review the information in this section to help you plan for hardware inventory in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Hardware Inventory in Configuration Manager Best Practices for Hardware Inventory in Configuration Manager

See Also
Hardware Inventory in Configuration Manager

Prerequisites for Hardware Inventory in Configuration Manager

Hardware inventory in System Center 2012 Configuration Manager contains only dependencies within the product.

Configuration Manager Dependencies

2237

Dependency

More information

Hardware inventory must be enabled for clients to collect inventory

For information about how to enable and configure hardware inventory, see How to Configure Hardware Inventory in Configuration Manager. The reporting services point site system role must be installed before you can run reports for hardware inventory. For more information, see Reporting in Configuration Manager.

Reporting services point

See Also
Planning for Hardware Inventory in Configuration Manager

Best Practices for Hardware Inventory in Configuration Manager

Use the following best practices information to help you use hardware inventory in System Center 2012 Configuration Manager.

Enable MIF file collection only when required

MIF files could contain large amounts of data and collecting this data could negatively affect the performance of your site. Enable MIF file collection only when required and configure the option Maximum custom MIF file size (KB) in the hardware inventory client settings. For more information, see How to Configure Hardware Inventory in Configuration Manager.

See Also
Planning for Hardware Inventory in Configuration Manager

Configuring Hardware Inventory in Configuration Manager

Use the following topics to help you configure hardware inventory in System Center 2012 Configuration Manager.

2238

In This Section
How to Configure Hardware Inventory in Configuration Manager How to Extend Hardware Inventory in Configuration Manager How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager

See Also
Hardware Inventory in Configuration Manager

How to Configure Hardware Inventory in Configuration Manager

Use the following steps to configure System Center 2012 Configuration Manager hardware inventory for your site. This procedure configures the default client settings for hardware inventory and will apply to all the clients in your hierarchy. If you want these settings to apply to only some clients, create a custom device client setting and assign it to a collection that contains the devices that you want to use hardware inventory. For more information about how to create custom device settings, see How to Configure Client Settings in Configuration Manager. Note If a client device receives hardware inventory settings from multiple sets of client settings, then the hardware inventory classes from each set of settings will be merged when the client reports hardware inventory. To configure hardware inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, configure the following: Enable hardware inventory on clients - From the drop-down list, select True. Hardware inventory schedule Specify the interval at which clients collect hardware inventory. Use the default value of 7 days or click Schedule to configure a custom interval.

7. Configure any other client settings that you require. For a list of hardware inventory client settings that you can configure, see the Hardware Inventory section in the About Client
2239

Settings in Configuration Manager topic. 8. Click OK to close the Default Settings dialog box. Client devices will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Hardware Inventory in Configuration Manager

How to Extend Hardware Inventory in Configuration Manager

System Center 2012 Configuration Manager hardware inventory reads information about devices by using Windows Management Instrumentation (WMI). WMI is the Microsoft implementation of web-based Enterprise Management (WBEM), which is an industry standard for accessing management information in an enterprise environment. In previous versions of Configuration Manager, you could extend hardware inventory by modifying the file sms_def.mof on the site server. This file contained a list of WMI classes that could be read by Configuration Manager hardware inventory. If you edited this file, you could enable and disable existing classes, and also create new classes to inventory. The Configuration.mof file is used to define the data classes to be inventoried by hardware inventory on the client and is unchanged from Configuration Manager 2007. You can create data classes to inventory existing or custom WMI repository data classes or registry keys present on client systems. The Configuration.mof file also defines and registers the WMI providers that access device information during hardware inventory. Registering providers defines the type of provider to be used and the classes that the provider supports. When Configuration Manager clients request policy, for example, during their standard client policy polling interval, the Configuration.mof is attached to the policy body. This file is then downloaded and compiled by clients. When you add, modify, or delete data classes from the Configuration.mof file, clients automatically compile these changes that are made to inventoryrelated data classes. No further action is necessary to inventory new or modified data classes on Configuration Manager clients. In System Center 2012 Configuration Manager, you no longer edit the sms_def.mof file as you did in Configuration Manager 2007. Instead, you can enable and disable WMI classes, and add new classes to collect by hardware inventory by using client settings. Configuration Manager provides the following methods to extend hardware inventory.

2240

Method

More information

Enable or disable existing inventory classes

You can enable or disable the default inventory classes used by Configuration Manager or you can create custom client settings that allow you to collect different hardware inventory classes from specified collections of clients. For more information, see the To enable or disable existing inventory classes procedure in this topic. You can add a new inventory class from the WMI namespace of another device. For more information, see the To add a new inventory class procedure in this topic. You can import and export Managed Object Format (MOF) files that contain inventory classes from the Configuration Manager console. For more information, see the To import hardware inventory classes and To export hardware inventory classes procedures in this topic. Use NOIDMIF files to collect information about client devices that cannot be inventoried by Configuration Manager. For example, you might want to collect device asset number information that exists only as a label on the device. NOIDMIF inventory is automatically associated with the client device that it was collected from. For more information, see To create NOIDMIF files in this topic. Use IDMIF files to collect information about assets in your organization that are not associated with a Configuration Manager client, for example, projectors, photocopiers and network printers. For more information, see To create IDMIF files in this topic.

Add a new inventory class

Import and export hardware inventory classes

Create NOIDMIF Files

Create IDMIF Files

2241

Procedures to Extend Hardware Inventory

Use the following procedures to extend hardware inventory, as described in the preceding table. These procedures help you to configure the default client settings for hardware inventory and they apply to all the clients in your hierarchy. If you want these settings to apply to only some clients, create a custom client device setting and assign it to a collection that contains the devices that you want to inventory. For more information about how to create custom client settings, see How to Configure Client Settings in Configuration Manager. To enable or disable existing inventory classes 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, select or clear the classes and class properties to be collected by hardware inventory. You can expand classes to select or clear individual properties within that class. Use the Search for inventory classes field to search for individual classes. Important When you add new classes to Configuration Manager hardware inventory, the size of the inventory file that is collected and sent to the site server will increase. This might negatively affect the performance of your network and Configuration Manager site. Enable only the inventory classes that you want to collect. 8. Click OK to save your changes and close the Hardware Inventory Classes dialog box. To add a new inventory class 1. In the Configuration Manager console, click Administration. Important You can only add inventory classes from the top level server in the hierarchy and by modifying the default client settings. This option is not available when you create custom device settings. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Add.
2242

8. In the Add Hardware Inventory Class dialog box, click Connect. 9. In the Connect to Windows Management Instrumentation (WMI) dialog box, specify the name of the computer from which you will retrieve the WMI classes and the WMI namespace to use for retrieving the classes. If you want to retrieve all classes below the WMI namespace that you specified, click Recursive. If the computer you are connecting to is not the local computer, supply login credentials for an account that has permission to access WMI on the remote computer. 10. Click Connect. 11. In the Add Hardware Inventory Class dialog box, in the Inventory classes list, select the WMI classes that you want to add to System Center 2012 Configuration Manager hardware inventory. 12. If you want to edit information about the selected WMI class, click Edit, and in the Class qualifiers dialog box, provide the following information: Display name Specify a friendly name for the class that will be displayed in Resource Explorer. Properties Specify the units in which each property of the WMI class will be displayed.

You can also designate properties as a key property to help uniquely identify each instance of the class. If no key is defined for the class and multiple instances of the class are reported from the client, only the latest instance that is found is stored in the database. When you have finished configuring the properties, click OK to close the Class qualifiers dialog box. 13. Click OK to close the Add Hardware Inventory Class dialog box. 14. Click OK to close the Hardware Inventory Classes dialog box. 15. Click OK to close the Default Client Settings dialog box. To import hardware inventory classes 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. Important You can only import inventory classes when you modify the default client settings. However, you can use custom client settings to import information that does not contain a schema change, such as changing the property of an existing class from True to False. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Import.
2243

8. In the Import dialog box, select the Managed Object Format (MOF) file that you want to import, and then click OK. 9. In the Import Summary dialog box, review the items that will be imported, and then click Import. To export hardware inventory classes 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Hardware Inventory. 6. In the Device Settings list, click Set Classes. 7. In the Hardware Inventory Classes dialog box, click Export. Note When you export classes, all currently selected classes will be exported. 8. In the Export dialog box, specify the Managed Object Format (MOF) file that you want to export the classes to, and then click Save.

How to Use Management Information Files (MIF Files) to Extend Hardware Inventory
Use Management Information Format (MIF) files to extend hardware inventory information collected from clients by Configuration Manager. During hardware inventory, the information stored in MIF files is added to the client inventory report and stored in the site database, where you can use the data in the same ways that you use default client inventory data. There are two types of MIF files, NOIDMIF and IDMIF. Important Before you can add information from MIF files to the Configuration Manager database, you must create or import class information for them. For more information, see the sections To add a new inventory class and To import hardware inventory classes in this topic.

To create NOIDMIF files

NOIDMIF files can be used to add information to a client hardware inventory that cannot normally be collected by Configuration Manager and is associated with a particular client device. For example, many companies label each computer in the organization with an asset number and then catalogue these by hand. When you create a NOIDMIF file, this information can be added to the Configuration Manager database and be used for queries and reporting. For information

2244

about creating NOIDMIF files, see the System Center 2012 Configuration Manager SDK documentation. Important When you create a NOIDMIF file, this must be saved in an ANSI encoded format. NOIDMIF files saved in UTF-8 encoded format cannot be read by Configuration Manager. After you create a NOIDMIF file, store this in the folder %Windir%\System32\CCM\Inventory\Noidmifs folder on each client. Configuration Manager will collect information from NODMIF files in this folder during the next scheduled hardware inventory cycle.

To create IDMIF files

IDMIF files can be used to add information about assets to the System Center 2012 Configuration Manager database that could not normally be inventoried by System Center 2012 Configuration Manager and is not associated with a particular client device. For example, you could use IDMIFS to collect information about projectors, DVD players, photocopiers, or other equipment that does not contain a Configuration Manager client. For information about creating IDMIF files, see the System Center 2012 Configuration Manager SDK documentation. After you create an IDMIF file, store this in the folder %Windir%\System32\CCM\Inventory\Idmifs folder on client computers. Configuration Manager will collect information from this file during the next scheduled hardware inventory cycle. You must declare new classes for information contained in the file by adding or importing them. For more information, see How to Extend Hardware Inventory in Configuration Manager.

See Also
Configuring Hardware Inventory in Configuration Manager

How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager
In Configuration Manager, you can collect the hardware inventory on Windows Phone 8, iOS, Android, and Windows devices by using the Windows Intune connector. For information about how to configure hardware inventory, see How to Configure Hardware Inventory in Configuration Manager.

2245

Hardware Inventory for Mobile Devices

The following table lists the inventory classes available for hardware inventory.
Hard ware Inven tory Class Windows Phone 8 Windows RT iOS Android (available when using the Android company portal app)

Nam e

Device_Computer System.DeviceNa me

Device_ComputerSy stem.DeviceName Device_ComputerSy stem.DeviceName

Device_ComputerSy stem.DeviceName Device_ComputerSy stem.UDID

Not applicable

Uniq Device_Computer ue System.DeviceClie Devi ntID ce ID Seria Not applicable l Num ber Emai l Addr ess Oper ating Syst em Type Oper ating Syst em Versi on Build Versi on Servi

Not applicable

Not applicable

Device_ComputerSy stem.SerialNumber

Device_ComputerSy stem.SerialNumber

Device_Email.Own Device_Email.Owner erEmailAddress EmailAddress

Device_Email.Owner EmailAddress

Not applicable

Device_OSInforma CCM_OperatingSyst tion.Platform em .SystemType

Not applicable

Device_OSInformatio n.Platform

Device_Computer System.SoftwareV ersion

Win32_OperatingSys Device_OSInformatio Device_OSInformatio tem.Version n.OSVersion n.Version

Not applicable

Win32_OperatingSys Not applicable tem.BuildNumber Win32_OperatingSys Not applicable

Not applicable

Not applicable

Not applicable
2246

Hard ware Inven tory Class

Windows Phone 8

Windows RT

iOS

Android (available when using the Android company portal app)

ce Pack Majo r Versi on Servi ce Pack Mino r Versi on Oper ating Syst em Lang uage Not applicable

tem.ServicePackMaj orVersion

Win32_OperatingSys Not applicable tem.ServicePackMin orVersion

Not applicable

Device_OSInforma Not applicable tion.Language

Not applicable

Not applicable

Total Not applicable Stora ge Spac e Free Not applicable Stora ge Spac e Inter Not applicable natio nal Mobil e Equi

Win32_PhysicalMem ory.Capacity

Device_Memory.Devi Device_Memory.Stor ceCapacity ageTotal

Win32_OperatingSys Device_Memory.Avai tem.FreePhysicalMe lableDeviceCapacity mory

Device_Memory.Stor ageFree

Not applicable

Device_ComputerSy stem.IMEI

Device_ComputerSy stem.IMEI

2247

Hard ware Inven tory Class

Windows Phone 8

Windows RT

iOS

Android (available when using the Android company portal app)

pme nt Identi ty or IMEI (IMEI ) Mobil Not applicable e Equi pme nt Identi fier (MEI D) Man ufact urer Mod el Device_Computer System.DeviceMa nufacturer Device_Computer System.DeviceMo del Not applicable Device_ComputerSy stem.MEID Not applicable

Win32_ComputerSys Not applicable tem.Manufacturer Win32_ComputerSys ModelName tem.Model Not applicable Device_ComputerSy stem.PhoneNumber

Device_Info.Manufac turer Device_Info.Model

Phon Not applicable e Num ber Subs cribe r Carri er Not applicable

Device_ComputerSy stem.PhoneNumber

Not applicable

Device_ComputerSy stem.SubscriberCarri erNetwork

Device_ComputerSy stem.SubscriberCarri erNetwork

Cellu Not applicable lar Tech nolog

Not applicable

Device_ComputerSy stem.CellularTechnol ogy

Device_ComputerSy stem.CellularTechnol ogy

2248

Hard ware Inven tory Class

Windows Phone 8

Windows RT

iOS

Android (available when using the Android company portal app)

y Wi-Fi Not applicable MAC Win32_NetworkAdap Device_WLAN.WiFiM Device_WLAN.WiFiM ter.MACAddress AC AC

See Also
Configuring Hardware Inventory in Configuration Manager

Operations and Maintenance for Hardware Inventory in Configuration Manager

Use the information in this section to find out more about operations and maintenance for hardware inventory in System Center 2012 Configuration Manager.

In This Section
How to Use Resource Explorer to View Hardware Inventory in Configuration Manager

See Also
Hardware Inventory in Configuration Manager

How to Use Resource Explorer to View Hardware Inventory in Configuration Manager

Use Resource Explorer in System Center 2012 Configuration Manager to view information about hardware inventory that has been collected from clients in your hierarchy. Note Resource Explorer will not display any inventory data until a hardware inventory cycle has run on the client you are connecting to.
2249

Resource Explorer in Configuration Manager contains the following sections related to hardware inventory: Hardware - Contains the most recent hardware inventory collected from the specified Configuration Manager client device. You can review the inventory item Workstation Status to discover the time and date when the device last performed a hardware inventory. Hardware History Contains a history of inventoried items that have changed since the last hardware inventory was performed. Each item in the list contains a Current node and one or more <date> nodes. You can compare the information in the current node to one of the historical nodes to discover items that have changed in the client computers hardware inventory. Note Configuration Manager retains hardware inventory history for the number of days you specify in the Delete Aged Inventory History site maintenance task Note For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: For information about how to view hardware inventory from clients that run Linux and UNIX, see the How to use Resource Explorer to View Inventory for Linux and UNIX Servers section in the How to Monitor Linux and UNIX Clients in Configuration Manager topic.

Use the following procedure to run Resource Explorer in Configuration Manager. To run Resource Explorer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or open any collection that displays devices. 3. Click the computer containing the inventory that you want to view and then, in the Home tab, in the Devices group, click Start and then click Resource Explorer. The Resource Explorer window will open. 4. You can right-click any item in the right-pane of the Resource Explorer window and then click Properties to open the <item name> Properties dialog box which can help you to view the collected inventory information in a more readable format. 5. When you are finished, close the Resource Explorer window.

See Also
Operations and Maintenance for Hardware Inventory in Configuration Manager
2250

Hardware Inventory for Linux and UNIX in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. The Configuration Manager client for Linux and UNIX supports hardware inventory. After you collect hardware inventory you can run view inventory in the resource explorer or Configuration Manager reports, and use this information to create queries and collections that enable the following operations: Software deployment Enforce maintenance windows Deploy custom client settings

Hardware inventory for Linux and UNIX servers uses a standards based Common Information Model (CIM) server. The CIM server runs as a software service (or daemon) and provides a management infrastructure that is based on Distributed Management Task Force (DMTF) standards. The CIM server provides functionality that is similar to the Windows Management Infrastructure (WMI) CIM capabilities that are available on Windows-based computers. Beginning with cumulative update 1, the client for Linux and UNIX uses the open source omiserver version 1.0.6 from the Open Group. (Prior to cumulative update 1, the client used nanowbem as its CIM server). The CIM server installs as part of the client for Linux and UNIX. The client for Linux and UNIX communicates directly with the CIM server and does not use the WS-MAN interface of the CIM server. The WS-MAN port on the CIM server is disabled when the client installs. Microsoft developed the CIM server that is now available as open source through the Open Management Infrastructure (OMI) project. For more information about the Open Management Infrastructure project, see The Open Group website. Hardware Inventory on Linux and UNIX servers operates by mapping existing Win32 WMI classes and properties to equivalent classes and properties for Linux and UNIX servers. This one-to-one mapping of classes and properties enables the Linux and UNIX hardware inventory to integrate with Configuration Manager. Inventory data from Linux and UNIX servers displays along with inventory from Windows-based computers in the Configuration Manager console and reports. This provides a consistent heterogeneous management experience. Tip You can use the Caption value for the Operating System class to identify different Linux and UNIX operating systems in queries and collections.

2251

Configuring Hardware Inventory for Linux and UNIX Servers

You can use the default client settings or create custom client device settings to configure hardware inventory. When you use custom client device settings you can configure the classes and properties you want to collect from only your Linux and UNIX servers. You can also specify custom schedules for when to collect full and delta inventories from your Linux and UNIX servers. The client for Linux and UNIX supports the following hardware inventory classes that are available on Linux and UNIX servers: Win32_BIOS Win32_ComputerSystem Win32_DiskDrive Win32_DiskPartition Win32_NetworkAdapter Win32_NetworkAdapterConfiguration Win32_OperatingSystem Win32_Process Win32_Service Win32Reg_AddRemovePrograms SMS_LogicalDisk SMS_Processor

Not all properties for these inventory classes are enabled for Linux and UNIX computers in Configuration Manager.

Operations for Hardware Inventory

After you collect hardware inventory from your Linux and UNIX servers, you can view and use this information the same way you view inventory you collect from other computers: Use Resource Explorer to view detailed information about the hardware inventory from Linux and UNIX servers Create queries based on specific hardware configurations Create query-based collections that are based on specific hardware configurations Run reports that display specific details about hardware configurations

Hardware inventory on a Linux or UNIX server runs according to the schedule you configure in client settings. By default, this is every seven days. The client for Linux and UNIX supports both full inventory cycles and delta inventory cycles. You can also force the client on a Linux or UNIX server to immediately run hardware inventory. To run hardware inventory, on a client use root credentials to run the following command to start a hardware inventory cycle: /opt/microsoft/configmgr/bin/ccmexec -rs hinv

2252

For information about machine policy, see the section Computer Policy for Linux and UNIX Servers in the How to Manage Linux and UNIX Clients in Configuration Manager topic. Actions for hardware inventory are entered into the client log file, scxcm.log.

How to use Open Management Infrastructure to Create Custom Hardware Inventory

The client for Linux and UNIX supports custom hardware inventory that you can create by using the Open Management Infrastructure (OMI). To do so you use the following steps: 1. Create a custom inventory provider by using the OMI source 2. Configure computers to use the new provider to report inventory 3. Enable Configuration Manager to support the new provider

Create a Custom Hardware Inventory Provider for Linux and UNIX computers:
To create a custom hardware inventory provider for the Configuration Manager client for Linux and UNIX, use OMI Source - v.1.0.6 and follow the instructions from the OMI Getting Started Guide. This process includes creating a Managed Object Format (MOF) file that defines the schema of the new provider. Later, you import the MOF file to Configuration Manager to enable support of the new custom inventory class. Both the OMI Source - v.1.0.6, and the OMI Getting Started Guide are available for download from The Open Group website. You can locate these downloads on the Documents tab at the following web page on the OpenGroup.org website: Open Management Infrastructure (OMI).

Configure each computer that runs Linux or UNIX with the custom hardware inventory provider:
After you create a custom inventory provider, you must copy and then register the provider library file on each computer that has inventory you want to collect. 1. Copy the provider library to each Linux and UNIX computer from which you want to collect inventory. The name of the provider library resembles the following: XYZ_MyProvider.so 2. Next, on each Linux and UNIX computer, register the provider library with the OMI server. The OMI server installs on the computer when you install the Configuration Manager client for Linux and UNIX but you must manually register custom providers. Use the following command line to register the provider: /opt/microsoft/omi/bin/omireg XYZ_MyProvider.so 3. After you register the new provider, test the provider by using the omicli tool. The omicli tool is installed on each Linux and UNIX computer when you install the Configuration Manager client for Linux and UNIX. For example, where XYZ_MyProvider is the name of the provider you created, run the following command on the computer: /opt/microsoft/omi/bin/omicli ei root/cimv2 XYZ_MyProvider

2253

For information about omicli and testing custom providers, see the OMI Getting Started Guide. Tip Use software distribution to deploy custom providers and to register custom providers on each Linux and UNIX client computer.

Enable the new Inventory Class in Configuration Manager:

Before Configuration Manager can report on inventory that is reported by the new provider on Linux and UNIX computers, you must import the Managed Object Format (MOF) file that defines the schema of your custom provider. To import a custom MOF file into Configuration Manager, use the procedure To import hardware inventory classes from the How to Extend Hardware Inventory in Configuration Manager topic.

Security and Privacy for Hardware Inventory in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for hardware inventory in System Center 2012 Configuration Manager.

Security Best Practices for Hardware Inventory

Use the following security best practices for when you collect hardware inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use
2254

Security best practice

More information

encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256. Do not collect IDMIF and NOIDMIF files in high- You can use IDMIF and NOIDMIF file collection security environments to extend hardware inventory collection. When necessary, Configuration Manager creates new tables or modifies existing tables in the Configuration Manager database to accommodate the properties in IDMIF and NOIDMIF files. However, Configuration Manager does not validate IDMIF and NOIDMIF files, so these files could be used to alter tables that you do not want altered. Valid data could be overwritten by invalid data. In addition, large amounts of data could be added and the processing of this data might cause delays in all Configuration Manager functions. To mitigate these risks, configure the hardware inventory client setting Collect MIF files as None.

Security Issues for Hardware Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service. Access inventory information as it is transferred to Configuration Manager.

Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Hardware inventory is enabled by default as a client setting.

Privacy Information for Hardware Inventory

Note The information in this section also appears in Security and Privacy for Software Inventory in Configuration Manager.
2255

Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable.. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Hardware Inventory in Configuration Manager

Technical Reference for Hardware Inventory in Configuration Manager

There is currently no technical reference information for hardware inventory in System Center 2012 Configuration Manager.

See Also
Hardware Inventory in Configuration Manager

Software Inventory in Configuration Manager

Use System Center 2012 Configuration Manager software inventory to collect and report information about the files stored on client computers in your organization. You can also use software inventory to collect files from client computers and store them in a folder on the site server.
2256

In This Section
Use the following topics to help you plan, configure, operate and maintain, and troubleshoot software inventory in Configuration Manager. Introduction to Software Inventory in Configuration Manager Planning for Software Inventory in Configuration Manager Configuring Software Inventory in Configuration Manager Operations and Maintenance for Software Inventory in Configuration Manager Security and Privacy for Software Inventory in Configuration Manager Technical Reference for Software Inventory in Configuration Manager

See Also
Inventory in Configuration Manager

Introduction to Software Inventory in Configuration Manager

Use software inventory in System Center 2012 Configuration Manager to collect information about files that are contained on client devices in your organization. Additionally, software inventory can collect files from client devices and store these on the site server. Software inventory is collected when the Enable software inventory on clients setting is enabled in client settings. After software inventory is enabled and the clients run a software inventory cycle, the client sends the inventory information to a management point in the clients site. The management point then forwards the inventory information to the Configuration Manager site server, which stores the inventory information in the site database. Software inventory runs on clients according to the schedule that you specify in client settings. You can use a number of methods to view the software inventory data that Configuration Manager collects. These include the following: Create queries that return devices that are based on files you specify that are found on devices. For more information, see Queries in Configuration Manager. Create query-based collections that are based on files you specify that are found on devices. Query-based collection memberships automatically update on a schedule. You can use collections for a number of tasks such as software deployment. For more information, see Collections in Configuration Manager. Run reports that display specific details about files on devices in your organization. For more information, see Reporting in Configuration Manager.

2257

Use Resource Explorer to examine detailed information about the files that were inventoried and collected from client devices. For more information, see How to Use Resource Explorer to View Software Inventory in Configuration Manager.

When software inventory runs on a client device, the first inventory report returned is always a full inventory. Subsequent inventory reports contain only delta inventory information. The site server processes delta inventory information in the order in which it is received. If delta inventory information for a client is missing, the site server rejects further delta inventory information and instructs the client to run a full inventory cycle. Configuration Manager provides limited support for dual-boot computers. Configuration Manager can discover dual-boot computers but only returns inventory information from the operating system that was active at the time of inventory.

Software Inventory for Mobile Devices Enrolled by Using Windows Intune

You can collect software inventory on apps installed on mobile devices using the same methods as listed above. The apps that are inventoried will depend on whether the device is companyowned or personal-owned. For personal devices, the only apps that are inventoried are apps that are managed by Windows Intune. The table below lists what apps are inventoried for personalowned or company-owned devices.
Platform For Personal-owned Devices For Company-owned devices

Windows 8.1 (without the Configuration Manager client) Windows Phone 8 Windows RT iOS Android

Only managed apps Only managed apps Only managed apps Only managed apps Only managed apps

Only managed apps Only managed apps Only managed apps All apps installed on the device All apps installed on the device

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. There are no significant changes for software inventory in Configuration Manager since Configuration Manager 2007.
2258

See Also
Software Inventory in Configuration Manager

Planning for Software Inventory in Configuration Manager

Review the information in this section to help you plan for software inventory in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Software Inventory

See Also
Software Inventory in Configuration Manager

Prerequisites for Software Inventory

Software inventory in System Center 2012 Configuration Manager contains only dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Software inventory must be enabled for clients to collect inventory

For information about how to enable and configure software inventory, see How to Configure Software Inventory in Configuration Manager. The reporting services point site system role must be installed before you can run reports for software inventory. For more information, see Reporting in Configuration Manager.

Reporting services point

See Also
Planning for Software Inventory in Configuration Manager
2259

Configuring Software Inventory in Configuration Manager

Use the topics in this section to help you configure software inventory in System Center 2012 Configuration Manager. How to Configure Software Inventory in Configuration Manager How to Exclude Folders from Software Inventory in Configuration Manager

See Also
Software Inventory in Configuration Manager

How to Configure Software Inventory in Configuration Manager

Use the following steps to configure System Center 2012 Configuration Manager software inventory for your site. This procedure configures the default client settings for software inventory and will apply to all the computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use software inventory. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To configure software inventory 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Software Inventory. 6. In the Device Settings list, configure the following values: Enable software inventory on clients From the drop-down list, select True. Schedule software inventory and file collection schedule Configures the interval at which clients collect software inventory and files. Use the default value of 7 days or click Schedule to configure a custom interval.

7. Configure the client settings that you require. For a list of software inventory client settings that you can configure, see the Software Inventory section in the About Client Settings in Configuration Manager topic. 8. Click OK to close the Configure Client Setting dialog box.
2260

Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Operations and Maintenance for Software Inventory in Configuration Manager

How to Exclude Folders from Software Inventory in Configuration Manager

You can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from System Center 2012 Configuration Manager software inventory. You can also place this file in the root of any folder structure you want to exclude from software inventory. This procedure can be used to disable software inventory on a single workstation or server client, such as a large file server. Note Software inventory will not inventory the client drive again unless this file is deleted from the drive on the client computer. To exclude folders from software inventory 1. Using Notepad.exe, create an empty file named Skpswi.dat. 2. Right click the Skpswi.dat file and click Properties. In the file properties for the Skpswi.dat file, select the Hidden attribute. 3. Place the Skpswi.dat file at the root of each client hard drive or folder structure that you want to exclude from software inventory.

See Also
How to Configure Software Inventory in Configuration Manager

Operations and Maintenance for Software Inventory in Configuration Manager

Use the information in this section to find out more about operations and maintenance for software inventory in System Center 2012 Configuration Manager. How to Use Resource Explorer to View Software Inventory in Configuration Manager
2261

See Also
Software Inventory in Configuration Manager

How to Use Resource Explorer to View Software Inventory in Configuration Manager

Use Resource Explorer in System Center 2012 Configuration Manager to view information about software inventory that has been collected from computers in your hierarchy. Note Resource Explorer will not display any inventory data until a software inventory cycle has run on the client you are connecting to. Resource Explorer in Configuration Manager contains the following sections related to software inventory: Software The software section of Resource Explorer contains four sections: Collected Files Displays information about files that were collected during software inventory. File Details Displays information about files that were inventoried during software inventory that are not associated with a specific product or manufacturer. Last Software Scan Displays the date and time of the last software inventory and file collection that was run on the client computer. Product Details Displays information about the software products that were inventoried by software inventory, grouped by manufacturer.

Use the following procedure to run Resource Explorer in Configuration Manager. To run Resource Explorer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or open any collection that displays devices. 3. Click the computer containing the inventory that you want to view and then, in the Home tab, in the Devices group, click Start and then click Resource Explorer. The Resource Explorer window will open. 4. You can right-click any item in the right-pane of the Resource Explorer window and then click Properties to open the <item name> Properties dialog box which can help you to view the collected inventory information in a more readable format. 5. When you are finished, close the Resource Explorer window.
2262

See Also
Operations and Maintenance for Software Inventory in Configuration Manager

Security and Privacy for Software Inventory in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for software inventory in System Center 2012 Configuration Manager.

Security Best Practices for Software Inventory

Use the following security best practices for when you collect software inventory data from clients:
Security best practice More information

Sign and encrypt inventory data

When clients communicate with management points by using HTTPS, all data that they send is encrypted by using SSL. However, when client computers use HTTP to communicate with management points on the intranet, client inventory data and collected files can be sent unsigned and unencrypted. Make sure that the site is configured to require signing and use encryption. In addition, if clients can support the SHA-256 algorithm, select the option to require SHA-256. Configuration Manager software inventory uses all the rights of the LocalSystem account, which has the ability to collect copies of critical system files, such as the registry or security account database. When these files are available at the site server, someone with the Read Resource rights or NTFS rights to the stored file location could analyze their contents and possibly discern important details about the client in order to be able to compromise its
2263

Do not use file collection to collect critical files or sensitive information

Security best practice

More information

security. Restrict local administrative rights on client computers A user with local administrative rights can send invalid data as inventory information.

Security Issues for Software Inventory

Collecting inventory exposes potential vulnerabilities. Attackers can perform the following: Send invalid data, which will be accepted by the management point even when the software inventory client setting is disabled and file collection is not enabled. Send excessively large amounts of data in a single file and in lots of files, which might cause a denial of service. Access inventory information as it is transferred to Configuration Manager.

If users know that they can create a hidden file named Skpswi.dat and place it in the root of a client hard drive to exclude it from software inventory, you will not be able to collect software inventory data from that computer. Because a user with local administrative privileges can send any information as inventory data, do not consider inventory data that is collected by Configuration Manager to be authoritative. Software inventory is enabled by default as a client setting.

Privacy Information for Software Inventory

Note The information in this section also appears in Security and Privacy for Hardware Inventory in Configuration Manager. Hardware inventory allows you to retrieve any information that is stored in the registry and in WMI on Configuration Manager clients. Software inventory allows you to discover all files of a specified type or to collect any specified files from clients. Asset Intelligence enhances the inventory capabilities by extending hardware and software inventory and adding new license management functionality. Hardware inventory is enabled by default as a client setting and the WMI information collected is determined by options that you select. Software inventory is enabled by default but files are not collected by default. Asset Intelligence data collection is automatically enabled, although you can select the hardware inventory reporting classes to enable. Inventory information is not sent to Microsoft. Inventory information is stored in the Configuration Manager database. When clients use HTTPS to connect to management points, the inventory data that they send to the site is encrypted during the transfer. If clients use HTTP to connect to management points, you have the option to enable inventory encryption. The inventory data is not stored in encrypted format in the database. Information is retained in the database until it is
2264

deleted by the site maintenance tasks Delete Aged Inventory History or Delete Aged Collected Files every 90 days. You can configure the deletion interval. Before you configure hardware inventory, software inventory, file collection, or Asset Intelligence data collection, consider your privacy requirements.

See Also
Software Inventory in Configuration Manager

Technical Reference for Software Inventory in Configuration Manager

There is currently no technical reference information for software inventory in System Center 2012 Configuration Manager.

See Also
Software Inventory in Configuration Manager

Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager lets you retrieve inventory data and manage software license usage throughout the enterprise by using the Asset Intelligence catalog.

Asset Intelligence Topics

Use the following topics to help you manage Asset Intelligence in Configuration Manager: Introduction to Asset Intelligence in Configuration Manager Prerequisites for Asset Intelligence in Configuration Manager Configuring Asset Intelligence in Configuration Manager Operations for Asset Intelligence in Configuration Manager Security and Privacy for Asset Intelligence in Configuration Manager Technical Reference for Asset Intelligence in Configuration Manager

Other Resources for this Product

Assets and Compliance in System Center 2012 Configuration Manager Inventory in Configuration Manager
2265

Introduction to Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager lets you inventory and manage software license usage throughout your enterprise by using the Asset Intelligence catalog. Many hardware inventory Windows Management Instrumentation (WMI) classes improve the breadth of information that is collected about hardware and software titles that are being used. Over 60 reports present this information in easy-to-use format. Many of these reports link to more specific reports, where you can query for general information and drill down to more detailed information. You can add custom information to the Asset Intelligence catalog, such as custom software categories, software families, software labels, and hardware requirements. You can also connect to System Center Online to dynamically update the Asset Intelligence catalog with the most current information available. Microsoft customers can reconcile enterprise software license usage with purchased software licenses that are being used by importing software license information into the Configuration Manager site database. The following sections in this topic help you use Asset Intelligence: Asset Intelligence Catalog Software Categories Software Families Software Labels Inventoried Software Titles Hardware Requirements

Asset Intelligence Synchronization Point Asset Intelligence Home Page Asset Intelligence Reports Asset Intelligence Hardware Reports Asset Intelligence License Management Reports Asset Intelligence Software Reports Asset Intelligence Software Identification Tag Reports

Asset Intelligence Validation States Whats New in Configuration Manager Whats New in Configuration Manager SP1

Asset Intelligence Catalog

The Configuration Manager Asset Intelligence catalog is a set of database tables stored in the site database that contain categorization and identification information for over 300,000 software titles and versions. These database tables are also used to manage hardware requirements for specific software titles.
2266

The Asset Intelligence catalog provides software license information for software titles that are being used, both of Microsoft and of non-Microsoft software. A predefined set of hardware requirements for software titles is available in the Asset Intelligence catalog, and you can create new user-defined hardware requirement information to meet custom requirements. In addition, you can customize information in the Asset Intelligence catalog, and you can upload software title information to System Center Online for categorization. Asset Intelligence catalog updates that contain newly released software are available for download periodically to perform bulk catalog updates. Or, the catalog can be dynamically updated by using the Asset Intelligence synchronization point site system role.

Software Categories
Asset Intelligence software categories are used to widely categorize inventoried software titles and are also used as high-level groupings of more specific software families. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software categories are predefined in the Asset Intelligence catalog, and you can create user-defined categories to additionally define inventoried software. The validation state for all predefined software categories is always Validated, whereas custom software category information added to the Asset Intelligence catalog is User Defined. For more information about how to manage software categories, see the Software Categories section in Configuring Asset Intelligence in Configuration Manager. Note Predefined software category information that is stored in the Asset Intelligence catalog is read-only and cannot be changed or deleted. Administrative users can add, modify, or delete user-defined software categories.

Software Families
Asset Intelligence software families are used to define inventoried software titles within software categories. Many software families are predefined in the Asset Intelligence catalog, and you can create user-defined categories to additionally define inventoried software. The validation state for all predefined software families is always Validated, whereas custom software family information added to the Asset Intelligence catalog is User-Defined. For more information about how to manage software families, see the Software Families section in Configuring Asset Intelligence in Configuration Manager. Note Predefined software family information is read-only and cannot be changed. Administrative users can add, modify, or delete user-defined software families.

Software Labels
Asset Intelligence custom software labels let you create filters that you can use to group software titles and to view them by using Asset Intelligence reports. You can use software labels to create
2267

user-defined groups of software titles that share a common attribute. For example, you could create a software label called Shareware, associate that software label with inventoried shareware titles, and run a report to display all software titles with the associated Shareware software label. Software labels are not predefined. The validation state for software labels is always User Defined. For more information about how to manage software labels, see the Software Labels section in Configuring Asset Intelligence in Configuration Manager.

Hardware Requirements
You can use the hardware requirements information to verify that computers meet the hardware requirements for software titles before they are targeted for software deployments. You can manage hardware requirements for software titles in the Assets and Compliance workspace in the Hardware Requirements node under the Asset Intelligence node. Many hardware requirements are predefined in the Asset Intelligence catalog, and you can create new userdefined hardware requirement information to meet custom requirements. The validation state for all predefined hardware requirements is always Validated, whereas user-defined hardware requirements information added to the Asset Intelligence catalog is User Defined. For more information about how to manage hardware requirements, see the Hardware Requirements section in Configuring Asset Intelligence in Configuration Manager. Note The hardware requirements displayed in the Configuration Manager console are retrieved from the Asset Intelligence catalog and are not based on inventoried software title information from System Center 2012 Configuration Manager clients. Hardware requirements information is not updated as part of the synchronization process with System Center Online. You can create user-defined hardware requirements for inventoried software that does not have associated hardware requirements. By default, the following information is displayed for each listed hardware requirement: Software Title: Specifies the software title associated with the hardware requirement. Minimum CPU (MHz): Specifies the minimum processor speed, in megahertz (MHz), required by the software title. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by the software title. Minimum Disk Space (KB): Specifies the minimum free hard disk space, in KB, required by the software title. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required by the software title. Validation State: Specifies the validation state for the hardware requirement.

Predefined hardware requirements stored in the Asset Intelligence catalog are read-only and cannot be deleted. Administrative users can add, modify, or delete user-defined hardware requirements for software titles that are not stored in the Asset Intelligence catalog.

2268

Inventoried Software Titles

You can view inventoried software title information in the Assets and Compliance workspace in the Inventoried Software node under the Asset Intelligence node. The Hardware Inventory Client Agent collects the inventoried software information from Configuration Manager clients based on the software titles that are stored in the Asset Intelligence catalog. Warning The Hardware Inventory Client Agent collects inventory based on the Asset Intelligence hardware inventory reporting classes that you enable. For more information about how to enable the reporting classes, see Enable Asset Intelligence Hardware Inventory Reporting Classes. By default, the following information is displayed for each inventoried software title: Name: Specifies the name of the inventoried software title. Vendor: Specifies the name of the vendor that developed the inventoried software title. Version: Specifies the product version of the inventoried software title. Category: Specifies the software category that is currently assigned to the inventoried software title. Family: Specifies the software family that is currently assigned to the inventoried software title. Label [1, 2, and 3]: Specifies the custom labels that are associated with the software title. Inventoried software titles can have up to three custom labels associated with them. Count: Specifies the number of Configuration Manager clients that have inventoried the software title. State: Specifies the validation state for the inventoried software title. Note You can change the categorization information (product name, vendor, software category, and software family) for inventoried software only at the top-level site in your hierarchy. After you modify the categorization information for predefined software, the validation state for the software changes from Validated to User Defined.

Asset Intelligence Synchronization Point

The Asset Intelligence synchronization point is a Configuration Manager site system role used to connect to System Center Online (by using TCP port 443) to manage dynamic Asset Intelligence catalog information updates. This site role can be installed only on top-level site of the hierarchy. You must configure all Asset Intelligence catalog customization by using a Configuration Manager console connected to the top-level site. Although all updates must be configured at the top-level site, Asset Intelligence catalog information is replicated to other sites in the hierarchy. The Asset Intelligence synchronization point site role lets you request on-demand catalog synchronization with System Center Online or schedule automatic catalog synchronization. In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization
2269

point can upload custom software title information to System Center Online for categorization. Microsoft treats all software titles uploaded to System Center Online for categorization as public information. Therefore, you should make sure that your custom software titles do not contain confidential or proprietary information. Note After an uncategorized software title is submitted, and there are at least 4 categorization requests from customers for the same software title, System Center Online researchers identify, categorize, and then make the software title categorization information available to all customers who are using the online service. Software titles that represent the most requests for categorization receive the highest priority to categorize. Custom software and line-of-business applications are unlikely to receive a category, and as a best practice, you should not send these software titles to Microsoft for categorization. Note An Asset Intelligence synchronization point site system role is required to connect to System Center Online. For information about how to install an Asset Intelligence synchronization point, see the Install an Asset Intelligence Synchronization Point section in Configuring Asset Intelligence in Configuration Manager.

Asset Intelligence Home Page

The Asset Intelligence node in the Asset and Compliance workspace is the home page for Asset Intelligence in Configuration Manager. The Asset Intelligence home page displays a summary dashboard view for Asset Intelligence catalog information. Note The Asset Intelligence home page does not automatically update while it is being viewed. The Asset Intelligence home page contains the following sections: Catalog Synchronization: Provides information about whether Asset Intelligence is enabled and the current status of the Asset Intelligence synchronization point. The section also provides the synchronization schedule, whether the customer license statement is imported, when status was last updated and the time for the next scheduled update, and number of changes that occurred after the Asset Intelligence synchronization point site system was installed. Note The Asset Intelligence catalog synchronization section of the Asset Intelligence home page is only displayed if an Asset Intelligence synchronization point site system role was installed. Inventoried Software Status: Provides the count and percentage of inventoried software, software categories, and software families that are identified by Microsoft, identified by an administrator, pending online identification, or unidentified and not pending. The information
2270

displayed in table format shows the count for each, and the information displayed in the chart shows the percentage for each.

Asset Intelligence Reports

The Asset Intelligence reports are located in the Configuration Manager console, in the Monitoring workspace, in the Asset Intelligence folder under the Reporting node. The reports provide information about hardware, license management, and software. For more information about reports in Configuration Manager, see Reporting in Configuration Manager. Note The accuracy of the quantity of installed software titles and license information displayed in Asset Intelligence reports might vary from the actual number of software titles installed or licenses that are used in the environment. This variation is because of the complex dependencies and limitations involved in inventorying software license information for software titles that are installed in enterprise environments. Do not use Asset Intelligence reports as the sole source for determining purchased software license compliance.

Asset Intelligence Hardware Reports

Asset Intelligence hardware reports provide information about hardware assets in the organization. By using hardware inventory information, such as speed, memory, peripheral devices, and more, Asset Intelligence hardware reports can present information about USB devices, about hardware that must be upgraded, and even about computers that are not ready for a specific software upgrade. Note Some user data in Asset Intelligence hardware reports is collected from the System Security Event Log. For better report accuracy, we recommend that you clear this log when you reassign a computer to a new user.

Asset Intelligence License Management Reports

Asset Intelligence license management reports provide data about licenses that are being used. The License Ledger report lists installed Microsoft applications in a format congruent with a Microsoft License Statement (MLS). This provides a convenient method of matching purchased licenses with used licenses. Other License Management reports provide information about computers acting as servers that run the Key Management Service (KMS) for operating system activation statistics. Important Several of the Asset Intelligence License Management reports present information about the function of KMS, a method of administering volume licensing. If a KMS server has not been implemented, some reports might not return any data. For more information about KMS, search for KMS on Microsoft TechNet.
2271

Asset Intelligence Software Reports

Asset Intelligence software reports provide information about software families, categories, and specific software titles that are installed on computers in the organization. The software reports present information about browser helper objects, software that starts automatically, and more. These reports can be used to identify adware, spyware, and other malware, and identify software redundancy to help streamline software purchasing and support.

Asset Intelligence Software Identification Tag Reports

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: Asset Intelligence software identification tag reports provide information about software that contains a software identification tag that is compliant with ISO/IEC 19770-2. The software identification tags provide authoritative information that is used to identify installed software. When you enable the SMS_SoftwareTag hardware inventory reporting class, Configuration Manager collects information about the software with software identification tags. The following reports provide information about the software: Software 14A Search for software identification tag enabled software: This report provides the count of installed software with a software identification tag enabled. Software 14B Computers with specific software identification tag enabled software installed: This report lists all computers that have installed software with a specific software identification tag enabled. Software 14C Installed software identification tag enabled software on a specific computer: This report lists all installed software with a specific software identification tag enabled on a specific computer.

Asset Intelligence Reporting Limitations

Asset Intelligence reports can provide large amounts of information about installed software titles and purchased software licenses that are being used. However, you should not use this information as the only source for determining purchased software license compliance.

Example Dependencies
The accuracy of the quantity displayed in the Asset Intelligence reports for installed software titles and license information can vary from the actual amounts currently used. This variation is caused by the complex dependencies involved in inventorying software license information for software titles in use in enterprise environments. The following examples show the dependencies involved in inventorying installed software in the enterprise by using Asset Intelligence that might affect the accuracy of Asset Intelligence reports:
Client hardware inventory dependencies Asset Intelligence installed software reports are based on data that is collected from Configuration Manager clients by extending hardware inventory to enable Asset
2272

Intelligence reporting. Because of this dependency on hardware inventory reporting, Asset Intelligence reports reflect data only from Configuration Manager clients that successfully complete hardware inventory processes with the required Asset Intelligence WMI reporting classes enabled. In addition, because Configuration Manager clients perform hardware inventory processes on a schedule defined by the administrative user, a delay might occur in data reporting that affects the accuracy of Asset Intelligence reports. For example, an inventoried licensed software title might be uninstalled after the client finishes a successful hardware inventory cycle. However, the software title is displayed as installed in Asset Intelligence reports until the client s next scheduled hardware inventory reporting cycle.

Software packaging dependencies Because Asset Intelligence reports are based on installed software title data that is collected by using standard Configuration Manager client hardware inventory processes, some software title data might not be collected correctly. For example, software installations that do not comply with standard installation processes or software installations that were changed before installation could cause inaccurate Asset Intelligence reporting.

Legal Limitations
The information displayed in Asset Intelligence reports are subject to many limitations and the information displayed in them does not represent legal, accounting, or other professional advice. The information that is provided by Asset Intelligence reports is for information only and should not be used as the only source of information for determining software license usage compliance. The following are example limitations involved in inventorying installed software and license usage in the enterprise by using Asset Intelligence that might affect the accuracy of Asset Intelligence reports:
Microsoft license usage quantity limitations The quantity of purchased Microsoft software licenses is based on information that administrators supply and should be closely reviewed to ensure that the correct number of software licenses is provided. The reported quantity of Microsoft software licenses contains information only about Microsoft software licenses acquired through volume licensing programs and does not reflect information for software licenses acquired through retail, OEM, or other software license sales channels. Software licenses acquired in the last 45 days might not be included in the quantity of Microsoft software licenses reported because of software reseller reporting requirements and schedules. Software license transfers from company mergers or acquisitions might not be reflected in Microsoft software license quantities.
2273

Nonstandard terms and conditions in a Microsoft Volume Licensing (MVLS) agreement might affect the number of software licenses reported and, therefore, might require additional review by a Microsoft representative.

Installed software title quantity limitations Configuration Manager Clients must successfully complete hardware inventory reporting cycles for the Asset Intelligence reports to accurately report the quantity of installed software titles. Additionally, there might be a delay between the installation or uninstallation of a licensed software title after a successful hardware inventory reporting cycle that is not reflected in Asset Intelligence reports run before the client reports its next scheduled hardware inventory.

License reconciliation limitations The reconciliation of the quantity of installed software titles to the quantity of purchased software licenses is calculated by using a comparison of the license quantity specified by the administrator and the quantity of installed software titles collected from Configuration Manager client hardware inventories based on the schedule set by the administrator. This comparison does not represent a final Microsoft conclusion of the license positions. The actual license position depends on the specific software title license and usage rights granted by the license terms.

Asset Intelligence Validation States

Asset Intelligence validation states represent the source and current validation status of Asset Intelligence catalog information. The following table shows possible Asset Intelligence validation states and administrator actions that can cause them.
State Definition Administrator action Comment

Validated

Catalog item was defined by System Center Online researchers. Catalog item has not been defined by System Center Online researchers. Catalog item was not defined by System Center Online

None.

Best state.

User Defined

Customized the local catalog information. Requested categorization from System Center

This state is displayed in Asset Intelligence reports.

Pending

Catalog item remains in this state until System Center Online researchers
2274

State

Definition

Administrator action

Comment

researchers, but the Online. item was submitted to System Center Online for categorization.

categorize the item, and the Asset Intelligence catalog is synchronized. Note Catalog items submitted to System Center Online for categorization have a validation state of Pending on a central administration site, but continue to be displayed with a validation state of Uncategorized on child primary sites. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous userdefined value. For more information about how to resolve conflicts, see Resolve Software Details Conflicts. Note After a categorization conflict is resolved, the item is not validated as conflicting again unless later categorization updates introduce new information

Updateable

A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization.

Customized the local Asset Intelligence catalog to categorize an item as userdefined.

2275

State

Definition

Administrator action

Comment

about the item. Uncategorized Catalog item has not been defined by System Center Online researchers, the item has not been submitted to System Center Online for categorization, and the administrator has not assigned a userdefined categorization value. None. Request categorization or customize local catalog information. For more information about requesting categorization, see Request a Catalog Update for Uncategorized Software Titles. For more information about how to change the category for the software title, see Modify Categorization Information for Inventoried Software.

For examples of when a validation state might transition from one state to another, see Example Validation State Transitions for Asset Intelligence.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for Asset Intelligence since Configuration Manager 2007: In System Center 2012 Configuration Manager, you can enable Asset Intelligence hardware inventory classes without editing the sms_def.mof file. You can now download the MVLS license statement from the Microsoft Volume Licensing Service Center and import the license statement from the Configuration Manager console. There is a new maintenance task (Check Application Title with Inventory Information) that checks that the software title reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. There is a new maintenance task (Summarize Installed Software Data) that provides the information displayed in the Inventoried Software node under the Asset Intelligence node in the Assets and Compliance workspace. The Client Access License reports have been deprecated.

2276

Whats New in Configuration Manager SP1

The following items are new for Asset Intelligence in Configuration Manager SP1: Asset Intelligence supports the 7 mandatory software identification tags that are defined in ISO/IEC 19770-2. The ISO/IEC 19770-2 standard specifies the structure and basic usage of software identification. Software identification tags provide authoritative information used to identify installed software. If software contains software identification tag information that is compliant with ISO/IEC 19770-2, then Asset Intelligence collects the software identification tags from the software. Note You must enable the SMS_SoftwareTag Asset Intelligence hardware inventory reporting class before Configuration Manager will collect the software identification tags. Asset Intelligence provides the three new reports that provide information about software with the software identification tags. The report titles start with Software 14A, Software 14B, and Software 14C. Asset Intelligence collects information about Microsoft Application Virtualization (App-V) 5 applications and continues to collect information about App-V 4.

See Also
Asset Intelligence in Configuration Manager

Prerequisites for Asset Intelligence in Configuration Manager

Asset Intelligence in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table provides the dependencies for Asset Intelligence that are external to Configuration Manager.
Dependency More Information

Auditing of Success Logon Events Prerequisites

Four Asset Intelligence reports display information gathered from the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports
2277

Dependency

More Information

contain no data even if the appropriate hardware inventory reporting class is enabled. The following Asset Intelligence reports depend on collected Windows Security event log information: Hardware 03A - Primary Computer Users Hardware 03B - Computers for a Specific Primary Console User Hardware 04A - Shared (Multi-user) Computers Hardware 05A - Console Users on a Specific Computer

To enable the Hardware Inventory Client Agent to inventory the information required to support these reports, you must first modify the Windows Security event log settings on clients to log all Success logon events, and enable the SMS_SystemConsoleUser hardware inventory reporting class. For more information about modifying Security event log settings to log all Success logon events, see Enable Auditing of Success Logon Events. Note The SMS_SystemConsoleUser hardware inventory reporting class retains successful logon event data for only the previous 90 days of the Security event log, regardless of the length of the log. If the Security event log has fewer than 90 days of data, the entire log is read.

Dependencies Internal to Configuration Manager

The following table provides the dependencies for Asset Intelligence that are internal to Configuration Manager.

2278

Dependency

More Information

Client Agent Prerequisites

The Asset Intelligence reports depend on client information that is obtained through client hardware and software inventory reports. To obtain the information necessary for all Asset Intelligence reports, the following client agents must be enabled: Hardware Inventory Client Agent Software Metering Client Agent

Hardware Inventory Client Agent Dependencies To collect inventory data required for some Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. In addition, some hardware inventory reporting classes that Asset Intelligence reports depend on must be enabled on primary site server computers. For information about enabling the Hardware Inventory Client Agent, see How to Configure Hardware Inventory in Configuration Manager. Software Metering Client Agent Dependencies A number of Asset Intelligence software reports depend on the Software Metering Client Agent for data. For information about enabling the Software Metering Client Agent, see Configuring Software Metering in Configuration Manager. The following Asset Intelligence reports depend on the Software Metering Client Agent to provide data: Software 07A - Recently Used Executables by Number of Computers Software 07B - Computers that Recently Used a Specified Executable Software 07C - Recently Used Executables on a Specific Computer Software 08A - Recently Used Executables by Number of Users Software 08B - Users that Recently Used a Specified Executable Software 08C - Recently Used Executables by a Specified User
2279

Dependency

More Information

Asset Intelligence Hardware Inventory Reporting Class Prerequisites

Asset Intelligence reports in Configuration Manager depend on specific hardware inventory reporting classes. Until the hardware inventory reporting classes are enabled and clients have reported hardware inventory based on these classes, the associated Asset Intelligence reports do not contain any data. You can enable the following hardware inventory reporting classes to support Asset Intelligence reporting requirements:
1

SMS_SystemConsoleUsage SMS_SystemConsoleUser SMS_InstalledSoftware SMS_AutoStartSoftware SMS_BrowserHelperObject Win32_USBDevice SMS_InstalledExecutable SMS_SoftwareShortcut SoftwareLicensingService SoftwareLicensingProduct SMS_SoftwareTag
2 1

By default, the SMS_SystemConsoleUsage and SMS_SystemConsoleUser Asset Intelligence hardware inventory reporting classes are enabled.
2

This hardware inventory reporting class is available starting in Configuration Manager SP1. You can edit the Asset Intelligence hardware inventory reporting classes in the Configuration Manager console, in the Assets and Compliance workspace, when you click the Asset Intelligence node. For more information, see the Enable Asset Intelligence Hardware Inventory Reporting Classes section in the Configuring Asset Intelligence in Configuration Manager topic. Reporting services point The reporting services point site system role must be installed before software updates
2280

Dependency

More Information

reports can be displayed. For more information about creating a reporting services point, see Configuring Reporting in Configuration Manager.

See Also
Asset Intelligence in Configuration Manager

Configuring Asset Intelligence in Configuration Manager

You must complete a number of configuration steps before you can use Asset Intelligence in System Center 2012 Configuration Manager to inventory and manage software license usage throughout your enterprise.

Steps to Configure Asset Intelligence

Use the steps in the following table to configure Asset Intelligence in Configuration Manager.
Step Details More Information

Step 1: Enable Asset Intelligence Hardware Inventory Reporting Classes

Asset Intelligence information collection is not enabled when Configuration Manager is first installed. To enable Asset Intelligence, at least one of the required hardware inventory reporting classes that Asset Intelligence reports rely on must be enabled. Note To collect the inventory data required for Asset Intelligence reports, the Hardware Inventory Client Agent must be enabled. For information about enabling

For more information, see the following procedure in this topic: Enable Asset Intelligence Hardware Inventory Reporting Classes.

2281

Step

Details

More Information

the Hardware Inventory Client Agent, see How to Configure Hardware Inventory in Configuration Manager. Step 2: Install an Asset Intelligence Synchronization Point The Asset Intelligence synchronization point site system role is used to connect Configuration Manager sites to System Center Online to synchronize Asset Intelligence catalog information. The Asset Intelligence synchronization point can be installed only on a site system located at the top-level site of the Configuration Manager hierarchy and requires Internet access to synchronize with System Center Online by using TCP port 443. In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization point can upload custom software title information to System Center Online for categorization. Microsoft treats all software titles uploaded to System Center Online for categorization as public information. Therefore, you should ensure that your custom software titles do not contain confidential or proprietary information. For more information about requesting software title categorization, see Request a Catalog Update for Uncategorized Software Titles. Step 3: Enable Auditing of Success Logon Events Four Asset Intelligence reports display information gathered from For more information, see the following procedures in
2282

For more information, see the following procedure in this topic: Install an Asset Intelligence Synchronization Point.

Step

Details

More Information

the Windows Security event logs on client computers. If the Security event log settings are not configured to log all Success logon events, these reports contain no data even if the appropriate hardware inventory reporting class is enabled. To enable the Hardware Inventory Client Agent to inventory the information required to support these reports, you must first modify the Windows Security event log settings on clients to log all Success logon events, and enable the SMS_SystemConsoleUser hardware inventory reporting class. Step 4: Import Software License Information The Import Software License Wizard is used to import Microsoft Volume Licensing (MVLS) information and general license statements into the Asset Intelligence catalog. The MVLS license statement contains information about the license entitlements, or number of purchased licenses, for Microsoft products. A general license statement contains information about the purchased licenses for any publisher. Step 5: Configure Asset Intelligence Maintenance Tasks The following maintenance tasks are associated with Asset Intelligence. By default, both maintenance tasks are enabled and are configured on a default schedule. Check Application Title with Inventory Information: This maintenance task checks that

this topic: Enable Auditing of Success Logon Events.

For more information, see the following procedures in this topic: Import Software License Information.

For more information, see the following procedures in this topic: Configure Asset Intelligence Maintenance Tasks.

2283

Step

Details

More Information

the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. Summarize Installed Software Data: This maintenance task provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. Note The Summarize Installed Software Data maintenance task is available only on primary sites.

Supplemental Procedures for Configuring Asset Intelligence

Use the following information for the steps in the preceding table.

Enable Asset Intelligence Hardware Inventory Reporting Classes

To enable Asset Intelligence in Configuration Manager sites, you must enable one or more Asset Intelligence hardware inventory reporting classes. You can enable the classes on the Asset Intelligence home page, or, in the Administration workspace, in the Client Settings node, in client settings properties. Use one of the following procedures to enable the Asset Intelligence hardware inventory reporting classes. To enable Asset Intelligence hardware inventory reporting classes from the Asset Intelligence home page 1. In the Configuration Manager console, click Asset and Compliance.
2284

2. In the Asset and Compliance workspace, click Asset Intelligence. 3. On the Home tab, in the Asset Intelligence group, click Edit Inventory Classes. The Edit Inventory Classes dialog box opens. 4. To enable Asset Intelligence reporting, select Enable all Asset Intelligence reporting classes or select Enable only the selected Asset Intelligence reporting classes, and select at least one reporting class from the classes displayed. Note Asset Intelligence reports that depend on the hardware inventory classes that you enable by using this procedure do not display data until clients have scanned for and returned hardware inventory. 5. Click OK to enable the selected Asset Intelligence hardware inventory reporting classes. To enable Asset Intelligence hardware inventory reporting classes from client settings properties 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then select the Default Client Agent Settings. Note If you have created custom client settings, you can select the custom client settings instead of the default client settings. 3. On the Home tab, in the Properties group, click Properties. The Client Settings Properties dialog box opens. 4. Click Hardware Inventory, and then click Set Classes. The Hardware Inventory Classes dialog box opens. 5. Click Filter by category, and then click Asset Intelligence Reporting Classes. The list of classes is refreshed with only the Asset Intelligence hardware inventory reporting classes. 6. Select at least one reporting class from the list of Asset Intelligence reporting classes. Note Asset Intelligence reports that depend on the hardware inventory classes that you enable by using this procedure do not display data until clients have scanned for and returned hardware inventory. 7. Click OK to enable the selected Asset Intelligence hardware inventory reporting classes.

Install an Asset Intelligence Synchronization Point

Use the following procedure to install an Asset Intelligence synchronization point site system role. To install an Asset Intelligence synchronization point site system role 1. In the Configuration Manager console, click Administration.
2285

2. In the Administration workspace, expand Site Configuration, and then click Servers and Site System Roles. 3. Add the Asset Intelligence synchronization point site system role to a new or existing site system server by using the associated step: New site system server: On the Home tab, in the Create group, click Create Site System Server. The Create Site System Server Wizard opens. Note By default, when Configuration Manager installs a site system role, the installation files are installed on the first available NTFS-formatted hard disk drive that has the most available free hard disk space. To prevent Configuration Manager from installing on specific drives, create an empty file named No_sms_on_drive.sms and copy it to the root folder of the drive before you install the site system server. Existing site system server: Click the server on which you want to install the Asset Intelligence synchronization point site system role. When you click a server, a list of the site system roles that are already installed on the server are displayed in the details pane. On the Home tab, in the Server group, click Add Site System Role. The Add Site System Roles Wizard opens. 4. On the General page, specify the general settings for the site system server. When you add the Asset Intelligence synchronization point to an existing site system server, verify the values that were previously configured. 5. On the System Role Selection page, select Asset Intelligence Synchronization Point from the list of available roles, and then click Next. 6. On the Asset Intelligence Synchronization Point Connection Settings page, click Next. By default, the Use this Asset Intelligence Synchronization Point setting is selected and cannot be configured on this page. System Center Online accepts network traffic only over TCP port 443, therefore the SSL port number setting cannot be configured on this page of the wizard. 7. Optionally, you can specify a path to the System Center Online authentication certificate (.pfx) file, and then click Next. Typically, you do not specify a path for the certificate because the connection certificate is automatically provisioned during site role installation. 8. On the Proxy Server Settings page, specify whether the Asset Intelligence synchronization point will use a proxy server when connecting to System Center Online to synchronize the catalog and whether to use credentials to connect to the proxy server, and then click Next. Warning If a proxy server is required to connect to System Center Online, the connection
2286

certificate might also be deleted if the user account password expires for the account configured for proxy server authentication. 9. On the Synchronization Schedule page, specify whether to synchronize the Asset Intelligence catalog on a schedule. When you enable the synchronization schedule, you specify a simple or custom synchronization schedule. During scheduled synchronization, the Asset Intelligence synchronization point connects to System Center Online to retrieve the latest Asset Intelligence catalog. You can manually synchronize the Asset Intelligence catalog from the Asset Intelligence node in the Configuration Manager console. For the steps to manually synchronize the Asset Intelligence catalog, see the To manually synchronize the Asset Intelligence catalog section in the Operations for Asset Intelligence in Configuration Manager. 10. On the Summary page of the New Site Role Wizard, review the settings you have specified to ensure that they are correct before you continue. To make changes to any settings, click Previous until you return to the appropriate page, make the change, and return to the Summary page.

Enable Auditing of Success Logon Events

Use the following procedure to configure computer security policy logon settings to enable auditing of Success logon events. To enable success logon event logging by using a local security policy 1. On a Configuration Manager client computer, click Start, point to Administrative Tools, and then click Local Security Policy. 2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then click Audit Policy. 3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then click OK. To enable success logon event logging by using an Active Directory domain security policy 1. On a domain controller computer, click Start, point to Administrative Tools, and then click Domain Security Policy. 2. In the Local Security Policy dialog box, under Security Settings, expand Local Policies, and then click Audit Policy. 3. In the results pane, double-click Audit logon events, ensure that the Success check box is selected, and then click OK.

Import Software License Information

The following sections describe the procedures necessary to import both Microsoft and general software licensing information into the Configuration Manager site database by using the Import Software License Wizard. When you import software license information into the site database
2287

from license statement files, the site server computer account requires Full Control permissions for the NTFS file system to the file share that is used to import software license information. Important When software license information is imported into the site database, existing software license information is overwritten. Ensure that the software license information file that you use with the Import Software License Wizard contains a complete listing of all necessary software license information. To import software license information into the Asset Intelligence catalog 1. In the Asset and Compliance workspace, click Asset Intelligence. 2. On the Home tab, in the Asset Intelligence group, click Import Software Licenses. The Import Software License Wizard opens. 3. On the Welcome page, click Next. 4. On the Import page, specify whether you are importing a Microsoft Volume Licensing (MVLS) file (.xml or .csv) or a General License Statement file (.csv). For more information about creating a General License Statement file, see Create a General License Statement Information File for Import later in this topic. Warning To download an MVLS file in .csv format that you can import to the Asset Intelligence catalog, see Microsoft Volume Licensing Service Center. To access this information, you must have a registered account on the website. You must contact your Microsoft account representative for information about how to get your MVLS file in .xml format. 5. Enter the UNC path to the license statement file or click Browse to select a network shared folder and file. Note The shared folder should be correctly secured to prevent unauthorized access to the licensing information file, and the computer account of the computer that the wizard is being run on must have Full Control permissions to the share that contains the license import file. 6. On the Summary page, review the information you have specified to ensure that it is correct before continuing. To make any changes, click Previous to return to the Import page.

Create a General License Statement Information File for Import

A general license statement can also be imported into the Asset Intelligence catalog by using a manually created license import file in comma delimited (.csv) file format. Note

2288

While only the Name, Publisher, Version, and EffectiveQuantity fields are required to contain data, all fields must be entered on the first row of the license import file. All date fields should be displayed in the following format: Month/Day/Year, for example, 08/04/2008. Asset Intelligence matches the products that you specify in the general license statement by using the product name and product version, but not publisher name. You must use a product name in the general license statement that is an exact match with the product name stored in the site database. Asset Intelligence takes the EffectiveQuantity number given in the general license statement and compares the number with the number of installed products found in Configuration Manager inventory. Tip To get a complete list of the product names stored in the Configuration Manager site database, you can run the following query on the site database: SELECT ProductName0 FROM v_GS_INSTALLED_SOFTWARE. You can specify exact versions for a product or specify part of the version, such as only the major version. The following examples provide the resulting version matches for a general license statement version entry for a specific product.
General license statement entry Matching site database entries

Name: MySoftware, ProductVersion0: 2

ProductName0: Mysoftware, ProductVersion0: 2.01.1234 ProductName0: MySoftware, ProductVersion0: 2.02.5678 ProductName0: MySoftware, ProductVersion0: 2.05.1234 ProductName0: MySoftware, ProductVersion0: 2.05.5678 ProductName0: MySoftware, ProductVersion0: 2.05.3579.000 ProductName0: MySoftware, ProductVersion0: 2.10.1234

Name: MySoftware, Version 2.05

ProductName0: MySoftware, ProductVersion0: 2.05.1234 ProductName0: MySoftware, ProductVersion0: 2.05.5678 ProductName0: MySoftware, ProductVersion0: 2.05.3579.000

Name: Mysoftware, Version 2

Error during import. The import fails when more than one entry matches the same product
2289

General license statement entry

Matching site database entries

Name: Mysoftware, Version 2.05

version.

The following procedure describes the process that can be used to create a general license statement import file by using Microsoft Excel. To create a general license statement import file by using Microsoft Excel 1. Open Microsoft Excel and create a new spreadsheet. 2. On the first row of the new spreadsheet, enter all software license data field names. 3. On the second and subsequent rows of the new spreadsheet, enter software license information as required. Ensure that at least all of the required software license data fields are entered on subsequent rows for each software license to be imported. The software title name entered in the spreadsheet must be the same as the software title that is displayed in Resource Explorer for a client computer after hardware inventory has run. 4. On the File menu, click Save As, and then save the file in .csv format. 5. Copy the .csv file to the file share that is used to import software license information into the Asset Intelligence catalog. 6. In the Configuration Manager console, use the Import Software License Wizard to import the newly created .csv license information file. 7. Run the Asset Intelligence License 15A Third Party Software Reconciliation Report to verify that the licensing information has been successfully imported into the Asset Intelligence catalog. Note For an example of a general software license file that you can use for testing purposes, see Example Asset Intelligence General License Import File.

Sample Table to Describe Software Licenses

When creating a general license statement import file, the information in the following table can be used to describe software licenses to be imported into the Asset Intelligence catalog.
Column name Data type Required Example

Name Publisher Version Language

Up to 255 characters Up to 255 characters Up to 255 characters Up to 255 characters

Yes Yes Yes Yes

Software title Software publisher Software title version Software title language
2290

Column name

Data type

Required

Example

EffectiveQuantity PONumber ResellerName DateOfPurchase

Integer value Up to 255 characters Up to 255 characters Date value in the following format: MM/DD/YYYY Bit value Date value in the following format: MM/DD/YYYY Up to 255 characters

Yes No No No

Number of licenses purchased Purchase order information Reseller information Date of license purchase 0 or 1: Enter 0 for Yes, or 1 for No End date of purchased support Optional comments

SupportPurchased SupportExpirationDate

No No

Comments

No

Configure Asset Intelligence Maintenance Tasks

The following maintenance tasks are available for Asset Intelligence: Check Application Title with Inventory Information : This maintenance task checks that the software title that is reported in software inventory is reconciled with the software title in the Asset Intelligence catalog. By default, this task is enabled and scheduled to run on Saturday after 12:00 A.M. and before 5:00 A.M. This maintenance task is only available at the top-level site in your Configuration Manager hierarchy. Summarize Installed Software Data: This maintenance task provides the information that is displayed in the Assets and Compliance workspace, in the Inventoried Software node, under the Asset Intelligence node. When the task runs, Configuration Manager gathers a count for all inventoried software titles at the primary site. By default, this task is enabled and scheduled to run every day after 12:00 A.M. and before 5:00 A.M. This maintenance task is available only on primary sites. To configure Asset Intelligence maintenance tasks 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. Select the site on which to configure the Asset Intelligence maintenance task. Note The Summarize Installed Software Data maintenance task is available only on primary sites.
2291

4. On the Home tab, in the Settings group, click Site Maintenance. A list of all available site maintenance tasks appears. 5. Select the desired maintenance task, and then click Edit to modify the settings. 6. Enable and configure the maintenance task. To minimize interference with the site operation, we recommend that you set the time period to off-peak hours of the site. The time period is the time interval in which the task can run. It is defined by the Start after and Latest start time specified in the Task Properties dialog box. Warning You can initiate the task right away by selecting the current day and setting the Start after time to a couple minutes after the present time. 7. Click OK to save your settings. The task now runs according to its schedule. Note If a task fails to run on the first attempt, Configuration Manager attempts to rerun the task until either the task runs successfully or until the time period in which the task can run has passed.

See Also
Asset Intelligence in Configuration Manager

Operations for Asset Intelligence in Configuration Manager

Use the following sections in this topic to help you manage typical Asset Intelligence operations in your System Center 2012 Configuration Manager hierarchy: View Asset Intelligence Information Asset Intelligence Home Page Asset Intelligence Reports

Synchronize the Asset Intelligence Catalog Customize the Asset Intelligence Catalog Software Categories Software Families Software Labels Hardware Requirements

Modify Categorization Information for Inventoried Software Request a Catalog Update for Uncategorized Software Titles Resolve Software Details Conflicts

2292

View Asset Intelligence Information

You can view Asset Intelligence information on the Asset Intelligence home page and in Asset Intelligence reports.

Asset Intelligence Home Page

The Asset Intelligence home page displays a summary dashboard for Asset Intelligence catalog information. On the home page, you can view information about catalog synchronization and inventoried software status. The Asset Intelligence home page is divided into the following sections: Catalog Synchronization: Provides information about whether Asset Intelligence is enabled, the current status of the Asset Intelligence synchronization point, the synchronization schedule, whether the customer license statement is imported, when status was last updated and the time for the next scheduled update, and the number of changes that occurred after the Asset Intelligence synchronization point site system was installed. Note The Asset Intelligence catalog synchronization section of the Asset Intelligence home page is only displayed if an Asset Intelligence synchronization point site system role has been installed. Inventoried Software Status: Provides the count and percentage of inventoried software, software categories, and software families that are identified by Microsoft, identified by an administrative user, pending online identification, or unidentified and not pending. The information displayed in table format shows the count for each, while the information displayed in the chart shows the percentage for each.

Use the following procedure to view Asset Intelligence information on the Asset Intelligence home page. To view Asset Intelligence information on the Asset Intelligence home page 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Asset and Compliance workspace, click Asset Intelligence. The Asset Intelligence reports are displayed.

Asset Intelligence Reports

There are over 60 Asset Intelligence reports that display the information collected by Asset Intelligence. Many of these reports link to more specific reports in which you can query for general information and drill down to more detailed information. The Asset Intelligence reports are located in the Configuration Manager console, in the Monitoring workspace, under the Reporting node. The reports provide information about hardware, license management, and software. For more information about reports in Configuration Manager, see Reporting in Configuration Manager.

2293

Note The accuracy of installed software title quantities and license information displayed in Asset Intelligence reports might vary from the actual number of software titles installed or licenses in use in the environment because of the complex dependencies and limitations involved in inventorying software license information for software titles installed in enterprise environments. Asset Intelligence reports should not be used as the sole source for determining purchased software license compliance. Use the following procedure to view Asset Intelligence information by using the Asset Intelligence reports. To view collected Asset Intelligence information by using Asset Intelligence reports 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, expand Reports, and click Asset Intelligence. The Asset Intelligence reports are displayed. Warning If no report folders exist under the Reports node, verify that you have configured reporting. For more information, see Configuring Reporting in Configuration Manager. 3. Select the Asset Intelligence report that you want to run, and then on the Home tab, in the Report Group group, click Run.

Synchronize the Asset Intelligence Catalog

You can synchronize the local Asset Intelligence catalog with System Center Online to retrieve the latest software title categorization. When you manually request catalog synchronization with System Center Online, it could take 15 minutes or longer to complete the synchronization process with System Center Online. Configuration Manager updates the Last Successful Update setting on the Asset Intelligence home page with the current time for when synchronization successfully finishes. Note An Asset Intelligence synchronization point site system role must first be installed before by using the procedures. For information about installing an Asset Intelligence synchronization point, see Install an Asset Intelligence Synchronization Point. Use the following procedure to create a synchronization schedule for the Asset Intelligence catalog. To create a synchronization schedule for the Asset Intelligence catalog 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence.
2294

3. On the Home tab, in the Create group, click Synchronize, and then click Schedule Synchronization. 4. In the Asset Intelligence Synchronization Point Schedule dialog box, select Enable synchronization on a schedule, and then configure a simple or custom schedule. 5. Click OK to save the changes. Note For information about the synchronization schedule, including the next scheduled synchronization, see the Asset Intelligence node in the Assets and Compliance workspace on the top-level site of the hierarchy. Use the following procedure to manually synchronize the Asset Intelligence catalog. Warning System Center Online accepts only one manual synchronization request in a 12-hour period. To manually synchronize the Asset Intelligence catalog 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence. 3. On the Home tab, in the Create group, click Synchronize, click Synchronize Asset Intelligence Catalog, and then click OK.

Customize the Asset Intelligence Catalog

Asset Intelligence catalog categorization information received from System Center Online is stored in the site database with read-only permissions and cannot be modified or deleted. However, you can create, modify, and delete custom software categories, software families, software labels, and hardware requirements catalog information. Then you can use custom categorization data instead of the information supplied by System Center Online for existing or user-defined software title information. When you change or add categorization information, the catalog information is considered user-defined. User-defined categorization information is stored in different database tables than validated catalog information.

Software Categories
Asset Intelligence software categories are used to broadly categorize inventoried software titles and are also used as high-level groupings of more specific software families. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software categories are predefined in the Asset Intelligence catalog, and additional user-defined categories can be created to further define inventoried software. The validation state for all predefined software categories is always Validated, while custom software category information added to the Asset Intelligence catalog is User Defined.
2295

Use the following procedure to create a user-defined software category. To create a user-defined software category 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Category. 4. On the General page, enter a name for the new software category and, optionally, a description. Note The validation state for all new custom software categories is always set to User Defined. Click Next. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Software Families
Asset Intelligence software families are used to further define inventoried software titles within software categories. For example, a software category could be energy companies, and a software family within that software category could be oil and gas or hydroelectric. Many software families are predefined in the Asset Intelligence catalog, and additional user-defined families can be created to define inventoried software. The validation state for all predefined software families is always Validated, while custom software family information added to the Asset Intelligence catalog is User Defined. Use the following procedure to create a user-defined software family. To create a user-defined software family 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Family. 4. On the General page, enter a name for the new software family and, optionally, a description. Note The validation state for all new custom software families is always set to User Defined. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.
2296

Software Labels
Asset Intelligence custom software labels let you create filters that you can use to group software titles and view them by using Asset Intelligence reports. For example, you can create a software label called shareware, associate it with a number of applications, and then run a report that shows you all titles with the software label of shareware. The validation state is User Defined for all custom software labels that you add to the Asset Intelligence catalog. Use the following procedure to create a user-defined custom label. To create a user-defined software label 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Catalog. 3. On the Home tab, in the Create group, click Create Software Label. 4. On the General page, enter a name for the new software family and, optionally, a description. Note The validation state for all new custom software labels is always set to User Defined. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Hardware Requirements
Hardware requirements information can help you verify that computers meet the hardware requirements for software titles before they are targeted for software deployments. Many hardware requirements are predefined in the Asset Intelligence catalog, and you can create new user-defined hardware requirement information to meet custom requirements. The validation state for all predefined hardware requirements is always Validated, while user-defined hardware requirements information added to the Asset Intelligence catalog is User Defined. Important The hardware requirements displayed in the Configuration Manager console are retrieved from the Asset Intelligence catalog on the local computer and are not based on inventoried software title information from System Center 2012 Configuration Manager clients. Hardware requirements information is not updated as part of the synchronization process with System Center Online. You can create user-defined hardware requirements for inventoried software that does not have associated hardware requirements. Use the following procedure to create a user-defined hardware requirement. To create a user-defined hardware requirements 1. In the Configuration Manager console, click Assets and Compliance.
2297

2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Hardware Requirements. 3. On the Home tab, in the Create group, click Create Hardware Requirements. 4. On the General page, enter the following information: a. Software title: Specifies the software title for which the hardware requirements are associated. The software title cannot already exist in the Asset Intelligence catalog. b. Validation state: Lists the validation state as User Defined for the hardware requirements. You cannot modify this setting. c. Minimum CPU (MHz): Specifies the minimum processor speed, in megahertz (MHz), required by the software title.

d. Minimum RAM (KB): Specifies the minimum RAM, in kilobytes (KB), required by the software title. e. Minimum Disk Space (KB): Specifies the minimum free disk space, in KB, required by the software title. f. Minimum Disk Size (KB): Specifies the minimum hard disk size, in KB, required by the software title.

Click Next. 5. On the Summary page, review the settings, and then click Next. 6. On the Completion page, click Close to exit the wizard.

Modify Categorization Information for Inventoried Software

Predefined software in the Asset Intelligence catalog is configured with specific categorization information, such as product name, vendor, software category, and software family. When the predefined categorization information does not meet your requirements, you can modify the information in the properties for the software title. When you modify categorization information for predefined software, the validation state for the software changes from Validated to User Defined. Important The categorization information can only be modified at the top-level site. Use the following procedure to modify categorization information for inventoried software. To modify the categorizations for software titles 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a software title or select multiple software titles for which you want to modify categorizations. 4. On the Home tab, in the Properties group, click Properties. 5. On the General tab, you can modify the following categorization information:
2298

Product Name: Specifies the name of the inventoried software title. Vendor: Specifies the name of the vendor that developed the inventoried software title. Category: Specifies the software category that is currently assigned to the inventoried software title. Family: Specifies the software family that is currently assigned to the inventoried software title.

6. Click OK to save the changes. Use the following procedure to revert software to the original categorization information.

Revert Categorization Information to Original Settings for Software

Configuration Manager stores categorization information obtained from System Center Online in the database. The information cannot be deleted. After the information has been modified, you can revert the categorization information back to the System Center Online categorization. Inventoried software that is not in the Asset Intelligence catalog can also be reverted back to the original settings. Use the following procedure to revert categorization information to the original settings. To revert categorization information to original settings 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a software title or select multiple software titles that you want to revert to the original settings. Only software that has a User Defined state can be reverted. Tip Click the State column to sort by the validation state. Sorting lets you see all software by validation state and quickly select multiple items to revert to the original settings. 4. On the Home tab, in the Product group, click Revert. 5. Click Yes to revert the software to the original categorization information. 6. When you revert categorization information for software that is in the Asset Intelligence catalog, the validation state changes from User Defined to Validated. When you revert software that is not in the catalog, the validation state changes from User Defined to Uncategorized.

2299

Request a Catalog Update for Uncategorized Software Titles

Uncategorized software title information can be submitted to System Center Online for research and categorization. After an uncategorized software title is submitted, and there are at least 4 categorization requests from customers for the same software title, researchers identify, categorize, and then make the software title categorization information available to all customers that are using the System Center Online service. Microsoft gives the highest priority to software titles that have the most requests for categorization. Custom software and line-of-business applications are unlikely to receive a category, and as a best practice, you should not send these software titles to Microsoft for categorization. When software title information is submitted to System Center Online for categorization, the following conditions apply: Only basic software title information is transmitted to System Center Online, and software title information to be categorized can be reviewed before submission. Software license information is never transmitted. Any software title that is uploaded becomes publicly available as part of the System Center Online catalog and can be downloaded by other customers. The source of the software title is not stored in the System Center Online catalog. However, application titles containing confidential or proprietary information should not be submitted for categorization by System Center Online. Note For more information about Asset Intelligence privacy information, see Security and Privacy for Asset Intelligence in Configuration Manager. Use the following procedure to request Asset Intelligence catalog software title categorization from System Center Online. To request a catalog update for uncategorized software titles 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Select a product name or select multiple product names, to be submitted to System Center Online for categorization. Only uncategorized inventoried software titles can be submitted to System Center Online for categorization. If an inventoried software title has been categorized by an administrator resulting in a user-defined state, you must rightclick the inventoried software title, and then click Revert to revert the software title to the Uncategorized state before it can be submitted to System Center Online for categorization. Note Configuration Manager can process up to 100 software titles for categorization at a time. If you select more than 100 software titles, only the first 100 software
2300

titles will be processed. You must select the remaining software titles for categorization in batches of less than 100. Tip Click the State column to sort by the validation state. This lets you see all uncategorized product names and quickly select multiple items to submit for categorization. 4. On Home tab, in the Product group, click Request Catalog Update. 5. Review the System Center Online categorization submission privacy message. Click Details to view the information that will be sent to System Center Online. 6. Select I have read and understood this message, and then click OK to allow the selected software titles to be submitted for categorization. 7. Verify that the state of the inventoried software product names submitted to System Center Online for categorization has changed from Uncategorized to Pending. Note Software that is submitted to System Center Online for categorization has a validation state of Pending on a central administration site is still displayed with a validation state of Uncategorized on child primary sites.

Resolve Software Details Conflicts

After newly updated software categorization details have been received from System Center Online that conflict with existing software details information, you can choose how to resolve the conflict. Software that has a current conflict has a validation state of Updatable. After a software details conflict has been resolved, the software categorization information is retained in the Asset Intelligence catalog according to the setting that you specify. A software details conflict does not occur for the same software categorization value again unless the System Center Online value changes after the conflict has been resolved. Use the following procedure to resolve a software details conflict. To resolve a software details conflict 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Asset Intelligence, and then click Inventoried Software. 3. Review the State column for software titles in the Updatable state. 4. Select the software title for which you have to resolve a conflict, and then on the Home tab, in the Product group, and click Resolve Conflict. 5. Review the following information: Local value: Specifies the existing software categorization information in the Asset Intelligence catalog that conflicts with newer System Center Online software categorization details.
2301

Downloaded value: Specifies the new System Center Online software categorization information for conflicting Asset Intelligence catalog software categorization information. Do not change the locally edited catalog information value: Resolves the software details conflict by retaining the existing Asset Intelligence catalog software categorization information. When you select this setting, the software title state changes from Updatable to User Defined. Overwrite the locally edited catalog information value with the downloaded System Center Online value: Resolves the software details conflict by overwriting the existing Asset Intelligence catalog software categorization information with new information obtained from System Center Online. When you select this setting, the software title state changes from Updatable to Validated.

6. Select one of the following settings to resolve the software details conflict:

Click OK to save the conflict resolution.

See Also
Asset Intelligence in Configuration Manager

Security and Privacy for Asset Intelligence in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for Asset Intelligence in Configuration Manager.

Security Best Practices for Asset Intelligence

Use the following security best practices for when you use Asset Intelligence.
Security best practice More information

When you import a license file (Microsoft Volume Licensing file or a General License Statement file), secure the file and communication channel.

Use NTFS file system permissions to ensure that only authorized users can access the license files and use Server Message Block (SMB) signing to ensure the integrity of the data when it is transferred to the site server during the import process.
2302

Security best practice

More information

Use the principle of least permissions to import the license files.

Use role-based administration to grant the Manage Asset Intelligence permission to the administrative user who imports license files. The built-in role of Asset Manager includes this permission.

Privacy Information for Asset Intelligence

Asset Intelligence extends the inventory capabilities of Configuration Manager to provide a higher level of asset visibility in the enterprise. Asset Intelligence information collection is not automatically enabled. You can modify the type of information collected by enabling hardware inventory reporting classes. For more information, see Enable Asset Intelligence Hardware Inventory Reporting Classes. Asset Intelligence information is stored in the Configuration Manager database in the same manner as inventory information. When clients connect to management points by using HTTPS, the data is always encrypted during transfer to the management point. When clients connect by using HTTP, you can configure the inventory data transfer to be signed and encrypted. Inventory data is not stored in encrypted format in the database. Information is retained in the database, until the site maintenance task Delete Aged Inventory History deletes it in intervals of every 90 days. You can configure the deletion interval. Asset Intelligence does not send information about users and computers or license usage to Microsoft. You can choose to send System Center Online requests for categorization, which means that you can tag one or more software titles that are uncategorized and send them to System Center Online for research and categorization. After a software title is uploaded, Microsoft researchers identify, categorize, and then make that knowledge available to all customers who use the on-line service. You should be aware of the following privacy implications of submitting information to System Center Online: Upload applies only to generic software title information (name, publisher, and so on) that you choose to send to System Center Online. Inventory information is not sent with an upload. Upload never occurs automatically, and the system is not designed for this task to be automated. You must manually select and approve the upload of each software title. A dialog box shows you exactly what data is going to be uploaded, before the upload process starts. License information is not sent to Microsoft. The license information is stored in a separate area of the Configuration Manager database, and it cannot be sent to Microsoft. Any software title that is uploaded becomes public, in the sense that the knowledge of that given application and its categorization become part of the System Center Online Asset Intelligence catalog, and then is downloaded to other consumers of the catalog.

2303

The source of the software title is not recorded in the Asset Intelligence catalog, and it is not made available to other customers. However, you must still verify that you do not load any application titles that contain any private information. Uploaded data cannot be recalled.

Before you configure Asset Intelligence data collection and decide whether to submit information to System Center Online, consider the privacy requirements of your organization.

See Also
Asset Intelligence in Configuration Manager

Technical Reference for Asset Intelligence in Configuration Manager

This section contains technical reference information for Asset Intelligence in System Center 2012 Configuration Manager.

Technical Reference
Example Validation State Transitions for Asset Intelligence Example Asset Intelligence General License Import File

Other Resources for this Product

Inventory in Configuration Manager Asset Intelligence in Configuration Manager

Example Validation State Transitions for Asset Intelligence

Asset Intelligence validation states are not static and can change from administrative actions that you take to affect the data that are stored in the Asset Intelligence catalog. This topic provides the following examples for possible validation state transitions: Uncategorized Catalog Item Is Categorized by the Administrative User Categorized Catalog Item Is Re-categorized by the Administrative User User-Defined Catalog Item Is Recategorized by System Center Online Uncategorized Catalog Item Is Submitted to System Center Online for Categorization User-Defined Catalog Item Is Submitted to System Center Online for Categorization
2304

Uncategorized Catalog Item Is Categorized by the Administrative User

State transition State transition description

Uncategorized

An inventoried software title that has not been previously categorized by System Center Online or that the administrative user has entered into the Asset Intelligence catalog. The uncategorized item is categorized by the administrative user.

Uncategorized to User Defined

Categorized Catalog Item Is Re-categorized by the Administrative User

State transition State transition description

Validated

Catalog item has been defined by System Center Online researchers and is present in the Asset Intelligence catalog. The validated catalog item is re-categorized by the administrative user. Note Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, the administrative user can revert back to the System Center Online categorization later.

Validated to User Defined

User-Defined Catalog Item Is Recategorized by System Center Online

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence catalog that has not been
2305

State transition

State transition description

previously categorized by System Center Online or the administrative user. User Defined User Defined to Updateable The uncategorized item is categorized by the administrative user. A user-defined catalog item has been categorized differently by System Center Online during subsequent manual bulk updates of the Asset Intelligence catalog. The administrative user can use the Software Details Conflict Resolution dialog box to decide whether to use the new categorization information or the previous user-defined value. Updateable to Validated The administrative user uses the Software Details Conflict Resolution dialog box to use the new categorization information received from System Center Online during the previous catalog update.

or Updateable to User Defined The administrative user uses the Software Details Conflict Resolution dialog box to use the previous user-defined value. Note Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, the administrative user can revert back to the System Center Online categorization later.

Uncategorized Catalog Item Is Submitted to System Center Online for Categorization

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence database that has not been
2306

State transition

State transition description

previously categorized by System Center Online or the administrative user. Uncategorized to Pending The uncategorized item is submitted to System Center Online for categorization by the administrative user. The item is categorized by System Center Online. The administrative user imports the item into the Asset Intelligence catalog by using a bulk catalog update or Asset Intelligence catalog synchronization. Both are available by using the Asset Intelligence synchronization point site system role.

Pending to Validated

User-Defined Catalog Item Is Submitted to System Center Online for Categorization

State transition State transition description

Uncategorized

An inventoried software title is entered into the Asset Intelligence database that has not been previously categorized by an administrative user or System Center Online. You categorized the uncategorized item. You submit the user-defined item to System Center Online for categorization. A user-defined catalog item has been categorized differently by System Center Online during subsequent catalog synchronization. You can use the Resolve Conflict action to decide whether to use the new categorization information or the previous user-defined value. For more information about resolving conflicts, see Resolve Software Details Conflicts. You use the Resolve Conflict action and select the new categorization information received from System Center Online during the previous catalog update. For more information
2307

User Defined User Defined to Pending Pending to Updateable

Updateable to Validated

State transition

State transition description

about resolving conflicts, see Resolve Software Details Conflicts. or Updateable to User Defined You use the Resolve Conflict action and select to use the previous user-defined value. For more information about resolving conflicts, see Resolve Software Details Conflicts. Note Because categorization information obtained from System Center Online is stored in the database and cannot be deleted, you can revert back to the System Center Online categorization later.

See Also
Technical Reference for Asset Intelligence in Configuration Manager

Example Asset Intelligence General License Import File

The example information in this topic can be used to create a sample general software license file to import software licenses into the Asset Intelligence catalog by using the Import Software License Wizard. You can copy and paste the following table into a new Microsoft Excel spreadsheet and save it with a .csv file name extension to be used as an example general software license import file for testing purposes. When creating the license import file, all header fields are required while only Name, Publisher, Version, and EffectiveQuantity data values are required in the spreadsheet. For more information about importing software licenses to the Asset Intelligence catalog, see Import Software License Information.
Nam e Publi Ver sher sio n Lang uage Effective Quantity PONu mber Reselle rName DateOfP urchase SupportP urchased SupportExpi Com rationDate ment s

Soft war

Soft 1.0 ware 1

Engli 1 sh

Purc hase

Resell er

10/10/2 010

10/10/2012

Com ment
2308

Nam e

Publi Ver sher sio n

Lang uage

Effective Quantity

PONu mber

Reselle rName

DateOfP urchase

SupportP urchased

SupportExpi Com rationDate ment s

e Title 1 Soft war e title 2 Soft war e title 3 Soft war e title 4 Soft war e title 5 Soft war e title 6 Soft war e title 7 Soft war e

publi sher Soft 1.0 ware 2 publi sher Soft 1.0 ware 3 publi sher Soft 1.0 ware 4 publi sher Soft 1.0 ware 5 publi sher Soft 1.0 ware 6 publi sher Soft 1.0 ware 7 publi sher Soft 1.0 ware 8 publi Engli 1 sh

numb name er Purc Resell hase er numb name er Purc Resell hase er numb name er Purc Resell hase er numb name er Purc Resell hase er numb name er Purc Resell hase er numb name er Purc Resell hase er numb name er Purc Resell hase er numb name 10/10/2 010 0 10/10/2012 Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

2309

Nam e

Publi Ver sher sio n

Lang uage

Effective Quantity

PONu mber

Reselle rName

DateOfP urchase

SupportP urchased

SupportExpi Com rationDate ment s

title 8 Soft war e title 9 Soft war e title 10

sher Soft 1.0 ware 9 publi sher Soft 1.1 ware 0 publi sher Engli 1 sh

er Purc Resell hase er numb name er Purc Resell hase er numb name er 10/10/2 010 0 10/10/2012 Com ment

Engli 1 sh

10/10/2 010

10/10/2012

Com ment

See Also
Technical Reference for Asset Intelligence in Configuration Manager

Power Management in Configuration Manager

Power management in System Center 2012 Configuration Manager provides a set of tools and resources that you can use to manage and monitor the power consumption of client computers in the enterprise.

Power Management Topics

Use the following topics to help you find information about power management. Introduction to Power Management in Configuration Manager Planning for Power Management in Configuration Manager Configuring Power Management in Configuration Manager Operations and Maintenance for Power Management in Configuration Manager Security and Privacy for Power Management in Configuration Manager Technical Reference for Power Management in Configuration Manager

2310

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Power Management in Configuration Manager

Power Management in System Center 2012 Configuration Manager addresses the need that many organizations have to monitor and reduce the power consumption of their computers. The feature takes advantage of the power management features built into Windows to apply relevant and consistent settings to computers in the organization. You can apply different power settings to computers during business hours and nonbusiness hours. For example, you might want to apply a more restrictive power plan to computers during nonbusiness hours. In cases where computers must always remain turned on, you can prevent power management settings from being applied. Power management in Configuration Manager includes several reports to help you analyze power consumption and computer power settings in your organization. You can also use the reports to help you troubleshoot problems with power management. For a detailed workflow about how to configure and use power management, see Administrator Checklist for Power Management in Configuration Manager. Important Configuration Manager power management is not supported on virtual machines. You cannot apply power plans to virtual machines, nor can you or report power data from them.

The Power Management Workflow

Use the following three phases to plan and implement power management in Configuration Manager.

Monitoring and Planning Phase

Power Management uses Configuration Manager hardware inventory to collect data about computer usage and power settings for computers in the site. There are a number of reports that you can use to analyze this data and determine the optimal power management settings for computers. For example, during the monitoring and planning phase of the power management workflow, you can create collections that are based on the data that is included in the Power Capabilities report and use that data to identify the computers that are not capable of power management. Then, you can exclude those computers from power management.

2311

Important Do not apply power plans to computers in your site until you collect and analyze the power data from client computers. If you apply new power management settings to computers without first examining the existing settings, you might experience an increase in power consumption.

Enforcement Phase
Power management lets you create power plans that you can apply to collections of computers in your site. These power plans configure Windows power management settings on computers. You can use the power plans that are included with Configuration Manager, or you can configure your own custom power plans. You can use the power data that is collected during the monitoring and planning phase as a baseline to help you evaluate power savings after you apply a power plan to computers. For more information, see Administrator Checklist for Power Management in Configuration Manager.

Compliance Phase
In the compliance phase, you can run reports that help you to evaluate power usage and power cost savings in your organization. You can also run reports that describe the improvements in the amount of CO2 generated by computers. Reports are also available that help you validate that power settings were correctly applied to computers and that help you troubleshoot problems with the power management feature.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for power management since Configuration Manager 2007: If an administrative user enables this option, users can exclude computers from power management. Virtual machines are excluded from power management. Administrative users can copy power management settings from another collection. A new Computers Excluded report is now available. It displays the computers that are excluded from power management.

See Also
Power Management in Configuration Manager

2312

Planning for Power Management in Configuration Manager

Use the following topics in this section to help you plan for power management in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Power Management in Configuration Manager Best Practices for Power Management in Configuration Manager Administrator Checklist for Power Management in Configuration Manager

See Also
Power Management in Configuration Manager

Prerequisites for Power Management in Configuration Manager

Power management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product.

Dependencies External to Configuration Manager

The following table lists the dependencies external to Configuration Manager for using power management.
Dependency More information

Client computers must be able to support the required power states

To use all features of power management, client computers must be able to support the sleep, hibernate, wake from sleep, and wake from hibernate actions. You can use the Power Capabilities report to determine if computers can support these actions. For more information, see Power Capabilities Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.

2313

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for using power management.
Dependency More Information

Power management must be enabled before you can create and monitor power plans. Reporting services point

For information about how to enable and configure power management, see Configuring Power Management in Configuration Manager. You must configure a reporting services point before you can view power management reports. For more information, see Reporting in Configuration Manager.

See Also
Planning for Power Management in Configuration Manager

Best Practices for Power Management in Configuration Manager

Use the following best practices for power management in System Center 2012 Configuration Manager.

Perform the monitoring phase at a representative time

The monitoring phase of power management provides you with information about the power consumption, activity, power management capabilities, and environmental impact of computers in your organization. Ensure that you choose a representative time to perform the monitoring phase. For example, performing the monitoring phase over a public holiday does not provide a realistic report on computer power usage.

Create a control collection of computers with no power plans applied

Create two collections of computers to help you monitor the effects of applying power plans to computers. The first collection should contain the majority of the computers to which you want to apply power settings and the other collection (the control collection) should contain the remaining
2314

computers. Apply the required power management plan to the collection containing the majority of computers. You can then run reports to compare the power cost, power usage and environmental impact of the computers to which you have applied power settings with the control collection that you have not applied power settings to.

Run the Power Settings report before you apply a power management plan
Before you apply a power management plan to a collection of computers, run the Power Settings report to help you understand the power management settings that are already configured on computers in the collection. If you apply new power management settings to computers without first examining the existing settings, this might lead to an increase in power consumption.

Exclude computers that you do not want to manage

If you have computers that you do not want to manage with power management, add these to a collection and ensure that the collection is excluded from power management. Examples of computers you might want to exclude from power management include: Computers that must remain turned on. Computers that users need to connect to by using Remote Desktop Connection. Computers that cannot use power management. Server computers that must remain available at all times. Computers that have the distribution point site system role. Public computers such as kiosk computers, information displays or monitoring consoles where the computer and the monitor must always be turned on.

For more information, see Configuring Power Management in Configuration Manager.

First, apply power plans to a test collection of computers

Always test the effect of applying a power management plan on a test collection of computers before you apply the power plan to a larger collection of computers. Power settings applied to computers running Windows XP or Windows Server 2003 are not reverted to their original values even if you exclude the computer from power management. On later versions of Windows, excluding a computer from power management causes all power settings to be reverted to their original values. You cannot revert individual power settings to their original values.

2315

Apply power plan settings individually

Monitor the effect of applying each power setting before you apply the next one to ensure each setting has the required effect. For more information about power plan settings, see Available Power Management Plan Settings in the topic How to Create and Apply Power Plans in Configuration Manager.

Regularly monitor computers to see if they have multiple power plans applied
Power management includes a report that displays computers that have more than one power plan applied. If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight will be used. For more information, see Computers with Multiple Power Plans in the topic How to Monitor and Plan for Power Management in Configuration Manager. For more information about how power management resolves conflicts, see How to Create and Apply Power Plans in Configuration Manager.

Save or export power management information during the monitoring and planning phase of power management
Power management information used by daily reports is retained in the Configuration Manager site database for 31 days. Power management information used by monthly reports is retained in the Configuration Manager site database for 13 months. When you run reports during the monitoring and planning and compliance phases of power management, save or export the results from any reports for which you want to retain the data for later comparison in case they are later removed by Configuration Manager.

See Also
Planning for Power Management in Configuration Manager

2316

Administrator Checklist for Power Management in Configuration Manager

This administrator checklist provides the recommended steps for using System Center 2012 Configuration Manager power management in your organization.

Configuring Power Management

Use these steps to help you configure your hierarchy to collect power management information from client computers. Important Do not apply power plans to computers in your hierarchy until you have collected and analyzed power data from client computers. If you apply new power management settings to computers without first examining the existing settings, this might lead to an increase in power consumption.
Task Details

Review the power management concepts in the See Introduction to Power Management in Configuration Manager documentation library. Configuration Manager. Review the power management prerequisites in See Prerequisites for Power Management in the Configuration Manager documentation Configuration Manager. library. Review the best practices information for power See Best Practices for Power Management in management. Configuration Manager. Configure the following collections for power management: Collection for reporting of baseline data. Collection of computers to be excluded from power management. Collection of computers incapable of power management. Collections of computers to which power plans will be applied. Collections of computers that are running Windows Server. Before you can begin to use power management, you must enable it and configure the required client settings. For more
2317

Use the collections listed to help you manage power settings for computers in your hierarchy. You can create multiple collections and apply different power plans to each collection.

Enable power management.

Task

Details

information, see Configuring Power Management in Configuration Manager. Collect power management information from client computers. Power management data is reported by clients through Configuration Manager hardware inventory. Depending on the hardware inventory schedule that you have configured, it might take some time to retrieve inventory from all client computers.

Monitoring and Planning Phase

Task Details

Run the report Computer Activity.

The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Computer Activity Details report which displays the sleep and wake capabilities of computers in the specified collection. For more information, see Computer Activity Report and Computer Activity Details Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt per hour (kWh) for a specified collection over a specified time period. For more information, see Energy Consumption Report and Energy Consumption by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For
2318

Run the report Energy Consumption or Energy Consumption by Day.

Run the report Environmental Impact or Environmental Impact by Day.

Task

Details

more information, see Environmental Impact Report and Environmental Impact by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. Run the report Energy Cost or Energy Cost by Day. The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see Energy Cost Report and Energy Cost by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Power Capabilities report displays the power management capabilities of computers in the specified collection. For more information, see Power Capabilities Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Power Settings report displays an aggregated list of the current power settings used by computers in a specified collection. For more information, see Power Settings Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.. See Configuring Power Management in Configuration Manager.

Run the report Power Capabilities.

Run the report Power Settings.

Exclude any required collections of computers from power management.

Important Ensure that you save the information from power management reports generated during the monitoring and planning phase. You can compare this data to power management information generated during the enforcement and compliance phases to help you evaluate, the power usage, power cost and environmental impact savings from applying a power plan to computers in your hierarchy.

Enforcement Phase

2319

Task

Details

Select existing power plans or create new See How to Create and Apply Power Plans in power plans for collections of computers in your Configuration Manager. organization. Apply these power plans to computers. See How to Create and Apply Power Plans in Configuration Manager.

Compliance Phase
Task Details

Run the report Computer Activity.

The Computer Activity report displays a graph showing monitor, computer, and user activity for a specified collection over a specified time period. This report links to the Power Computer Activity Details report which displays the sleep and wake capabilities of computers in the specified collection. For more information, see Computer Activity Report and Computer Activity Details Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Energy Consumption and Energy Consumption by Day reports display the total monthly power consumption in kilowatt per hour (kWh) for a specified collection over a specified time period. For more information, see Energy Consumption Report and Energy Consumption by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. The Environmental Impact and Environmental Impact by Day reports display a graph showing carbon dioxide (CO2) emissions saved by a specified collection of computers for a specified period of time. For more information, see Environmental Impact Report and Environmental Impact by Day
2320

Run the report Energy Consumption or Energy Consumption by Day.

Run the report Environmental Impact or Environmental Impact by Day.

Task

Details

Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. Run the report Energy Cost or Energy Cost by Day. The Energy Cost and Energy Cost by Day reports display the total power consumption cost for a specified period of time. For more information, see Energy Cost Report and Energy Cost by Day Report in the topic How to Monitor and Plan for Power Management in Configuration Manager.

Troubleshooting
Use these steps to help you troubleshoot problems with power management.
Task Details

If computers in your hierarchy have not entered sleep or hibernate, run the report Insomnia Report to display possible causes.

The Insomnia Report displays a list of common causes that prevented computers from entering sleep or hibernate and the number of computers affected by each cause for a specified time period. For more information, see Insomnia Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. See Computers with Multiple Power Plans in the topic How to Monitor and Plan for Power Management in Configuration Manager.

If multiple power plans are applied to one computer, then the least restrictive power plan is applied. Run the report Computers with Multiple Power Plans to see computers with multiple power plans applied.

See Also
Planning for Power Management in Configuration Manager

2321

Configuring Power Management in Configuration Manager

Before you can use power management in System Center 2012 Configuration Manager, you must perform the following configuration steps.

Enable and Configure Power Management Client Settings

This procedure configures the default client settings for power management and will apply to all the computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use power management. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable power management and configure client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Client Settings dialog box, click Power Management. 6. Configure the following value for the power management client settings: Allow power management of devices From the drop-down list, select True to enable power management.

7. Configure the client settings that you require. For a list of power management client settings that you can configure, see the Power Management section in the About Client Settings in Configuration Manager topic. 8. Click OK to close the Default Client Settings dialog box. Client computers will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

Exclude Computers from Power Management

You can prevent collections of computers from receiving power management settings. If a computer is a member of any collection that is excluded from power management settings, that computer does not apply power management settings, even if it is a member of another collection that applies power management settings. You might want to exclude computers from power management for any of the following reasons:
2322

You have a business requirement for computers to be turned on at all times. You have created a control collection of computers on which you do not want to apply power management settings. Some of your computers are incapable of applying power management settings. You want to exclude computers that run Windows Server from power management. Note If the option Allow users to exclude their device from power management is configured in client settings, users can exclude their own computers from power management by using Software Center.

To find out which computers have been excluded from power management, run the report Computers Excluded. For more information about this report see Computers Excluded in the topic How to Monitor and Plan for Power Management in Configuration Manager. Important Power settings that are applied to computers that run Windows XP or Windows Server 2003 are not reverted to their original values, even if you exclude the computer from power management. On later versions of Windows, excluding a computer from power management causes all power settings to be reverted to their original values. You cannot revert individual power settings to their original values. To exclude a collection of computers from power management 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, select the collection that you want to exclude from power management and then, in the Home tab, in the Properties group, click Properties. 4. In the Power Management tab of the <Collection Name> Properties dialog box, select Never apply power management settings to computers in this collection . 5. Click OK to close the <Collection Name> Properties dialog box and to save your settings.

See Also
Power Management in Configuration Manager

Operations and Maintenance for Power Management in Configuration Manager

Use the information in this section to find out more about operations and maintenance for power management in System Center 2012 Configuration Manager.
2323

In This Section
How to Monitor and Plan for Power Management in Configuration Manager How to Create and Apply Power Plans in Configuration Manager

See Also
Power Management in Configuration Manager

How to Monitor and Plan for Power Management in Configuration Manager

Use the following information to help you monitor and plan for power management in System Center 2012 Configuration Manager.

How to Use Reports for Power Management

Power management in Configuration Manager includes several reports to help you analyze power consumption and computer power settings in your organization. The reports can also be used to help you troubleshoot problems. Before you can use the power management reports, you must configure reporting for your hierarchy. For more information about reporting in Configuration Manager, see Reporting in Configuration Manager. Note Power management information used by daily reports is retained in the Configuration Manager site database for 31 days. Power management information used by monthly reports is retained in the Configuration Manager site database for 13 months. When you run reports during the monitoring and planning and compliance phases of power management, save or export the results from any reports for which you want to retain the data for later comparison in case they are later removed by Configuration Manager.

List of Power Management Reports

The following lists details the power management reports that are available in Configuration Manager.
2324

Note Power management reports display the number of physical computers and the number of virtual computers in a selected collection. However, only power management information from physical computers is displayed in power management reports.

Computer Activity Report

The Computer Activity report displays a graph showing the following activity for a specified collection over a specified period: Computer On The computer has been turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a Remote Desktop connection to the computer

This report is used during the monitoring and planning and enforcement stages to help you understand the alignment between computer activity, monitor activity and user activity over a 24 hour period. If you run the report over a number of days then the data is aggregated over this period. This report can help you to determine typical business (peak) and nonbusiness (nonpeak) hours for a selected collection to help you decide when to apply configured power management plans. The graph shows time periods where a computer might be turned on, but there is no user activity. Consider applying more restrictive power settings during these times to save on the power costs of computers that are turned on, but are not being used. A computer is counted as being active if there has been computer, user or monitor activity for one minute or more for a displayed hour on the graph. If a computer is not reporting power management data, it will not be included in the Computer Activity report. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date End date (Optional) Collection name Device type

From the drop-down list, select the start date for this report. From the drop-down list, select an optional end date for this report. From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer for which you want a report. Valid
2325

Parameter Name

Description

values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
If a value for End date (optional) is not specified, this report contains a link to the following report which provides further information.
Report Name Details

Computer Activity Details

Click the Click for detailed information link to see a list of active, inactive and non-reporting computers for the specified date. For more information, see Computer Activity Details Report in this topic.

Computer Activity by Computer Report

The Computer Activity by Computer report displays a graph showing the following activity for a specified computer on a specified date: Computer On The computer has been turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a Remote Desktop connection to the computer.

This report can be run independently or called by the Computer Activity Details report. Note Information about computer activity is collected from client computers during hardware inventory. Depending on the time at which hardware inventory runs, activity during an applied peak or non-peak power plan might be collected. Use the following parameters to configure this report.
2326

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Report date Computer name

From the drop-down list, select a date for this report. Enter a computer name for which you want a report.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer.

Computer Activity Details Report

The Computer Activity Details report displays a list of active or inactive computers with their sleep and wake capabilities. This report is called by the Computer Activity Report and is not designed to be run directly by the site administrator. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name Report date

From the drop-down list, select a collection to use for this report. From the drop-down list, select a date to use
2327

Parameter Name

Description

for this report. Report hour From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm. From the drop-down list, select the computer state for which to run this report. Valid values are: All Displays computers that were turned on or turned off during the reporting period. On Displays only computers that were turned on during the reporting period. Off Displays only computers that were turned off, in sleep, or in hibernate during the reporting period.

Computer state

Device type

From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Sleep capable

From the drop-down list, select if you want to display computers capable of sleep in the report. Valid values are: All Report both computers that are capable of sleep and computers not capable of sleep. No Report only computers that are not capable of sleep. Yes Report only computers that are capable of sleep.

Wake from sleep capable

From the drop-down list, select if you want to display computers capable of wake from sleep in the report. Valid values are: All Report both computers that are capable of wake from sleep and computers
2328

Parameter Name

Description

that are not capable of wake from sleep. Power plan No Report only computers that are not capable of wake from sleep. Yes Report only computers that are capable of wake from sleep.

From the drop-down list, select the power plan types you want to display in the report. Valid values are: All Displays computers that do not have any power management plans applied, computers that have a power management plan applied, and computers that have been excluded from power management. Not specified Displays only computers that do not have a power management plan applied. Defined Displays only computers that have a power management plan applied. Excluded Displays only computers that have been excluded from power management.

Operating system

From the drop-down list, select the computer operating systems that you want to display in the report or select All to display all operating systems.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Activity by Computer

Click a computer name to see the following activity for the specified computer over a specified period: Computer On The computer has been
2329

Report Name

Details

turned on. Monitor On The monitor has been turned on. User Active Activity has been detected from the computer mouse, computer keyboard, or from a remote desktop connection to the computer.

For more information, see Computer Activity by Computer Report in this topic.

Computer Details Report

The Computer Details report displays detailed information about the power capabilities, power settings, and power plans applied to a specified computer. This report is called by the Computer Activity by Computer report, the Computers with Multiple Power Plans report, the Power Capabilities report and the Power Settings Details report. It is not designed to be run directly by the site administrator.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Computer name Power mode

Enter a computer name for which you want a report. From the drop down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power.

Hidden Report Parameters

This report has no hidden parameters you can set.

2330

Report Links
This report does not link to any other power management reports.

Computer Not Reporting Details Report

The Computer Not Reporting Details report displays a list of computers in a specified collection that have not reported any power activity on a specified date and time. This report is called by the Computer Activity Report and is not designed to be run directly by the site administrator. Note Computers report power management information as part of their hardware inventory schedule. Before you consider a computer to not be reporting, ensure it has reported hardware inventory. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name Report date Report hour

From the drop-down list, select a collection to use for this report. From the drop-down list, select a date for this report. From the drop-down list, select an hour from the specified date for which to run this report. Valid values are between 12am and 11pm. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Device type

Hidden Report Parameters

This report has no hidden parameters that you can set.

2331

Report Links
This report does not link to any other power management reports.

Computers Excluded
The Computers Excluded report displays a list of computers in a specified collection that have been excluded from Configuration Manager power management. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection Reason

From the drop-down list, select a collection for this report. From the drop-down list, select the reason why the computers were excluded from power management. You can select from the following: All Display all excluded computers. Excluded by administrator Display only computers that were excluded by an administrative user. Excluded by user Display only computers that were excluded by a user of Software Center.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.

2332

Report Name

Details

For more information, see Computer Details Report in this topic.

Computers with Multiple Power Plans

The Computers with Multiple Power Plans report displays a list of computers that are members of multiple collections, each applying different power plans. For each computer with potentially conflicting power settings, the report displays the computer name and the power plans being applied for each collection that the computer is a member of. Important If a computer is a member of multiple collections, each applying different power plans, then the following actions are taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a computer, the time closest to midnight is used.

Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection for this report.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer.
2333

Report Name

Details

For more information, see Computer Details Report in this topic.

Energy Consumption Report

The Energy Consumption report displays the following information: A graph showing the total monthly power consumption of computers in kiloWatt per hour (kWh) in the specified collection for the specified time period. A graph showing the average power consumption in kiloWatt per hour (kWh) of each computer in the specified collection for the specified time period. A table showing the total monthly power consumption in kiloWatt per hour (kWh) and the average power consumption of computers in the specified collection for the specified time period.

This information can be used to help you to understand power consumption trends in your environment. After applying a power plan to computers in the selected collection, the power consumption of computers should decrease. Note If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by the Energy Consumption report and might make it more difficult to compare the results from the monitoring and planning phase and the enforcement phase. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date End date Collection name Device type

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable
2334

Parameter Name

Description

computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

2335

Report Links
This report does not link to any other power management reports.

Energy Consumption by Day Report

The Energy Consumption by Day report displays the following information: A graph showing the total daily power consumption of computers in kiloWatt per hour (kWh) in the specified collection for the last 31 days. A graph showing the average daily power consumption in kiloWatt per hour (kWh) of each computer in the specified collection for last 31 days. A table showing the total daily power consumption in kiloWatt per hour (kWh) and the average daily power consumption of computers in the specified collection for the last 31 days.

This information can be used to help you to understand power consumption trends in your environment. After applying a power plan to computers in the selected collection, the power consumption of computers should decrease. Note If you add or remove members to the collection after you have applied a power plan, this will affect the results shown by the Energy Consumption report and might make it more difficult to compare the results from the monitoring and planning phase and the enforcement phase. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection Device Type

From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want to report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

2336

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour.

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Report Links
This report does not link to any other power management reports.

Energy Cost Report

The Energy Cost report displays the following information: A graph showing the total monthly power cost for computers in the specified collection for specified time period.

2337

A graph showing the average monthly power cost for each computer in the specified collection for the specified time period. A table showing the total monthly power cost and the average monthly power cost for computers in the specified collection for the last 31 days.

This information can be used to help you to understand power cost trends in your environment. After applying a power plan to computers in the selected collection, the power cost for computers should decrease. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Start date End date Cost of KwH

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. Specify the cost per kWh of electricity. The default value is 0.09. Note You can modify the unit of currency used by this report in the hidden parameters section.

Collection name Device type

From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer for which you want to report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
2338

Parameter Name

Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour. Specify the currency label to use for this report. The default value is USD ($).

Laptop computer on

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Currency

Report Links
This report does not link to any other power management reports.

Energy Cost by Day Report

The Energy Cost by Day report displays the following information: A graph showing the total daily power cost for computers in the specified collection for the last 31 days.

2339

A graph showing the average daily power cost for each computer in the specified collection for the last 31 days. A table showing the total daily power cost and the average daily power cost for computers in the specified collection for the last 31 days.

This information can be used to help you to understand power cost trends in your environment. After applying a power plan to computers in the selected collection, the power cost for computers should decrease. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name Device type

From the drop-down list, select a collection to use for this report. From the drop-down list, select the type of computer you want to report about. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Cost of KwH

Specify the cost per kWh of electricity. The default value is 0.09. Note You can modify the unit of currency used by this report in the hidden parameters section.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default
2340

Parameter Name

Description

value is 0.07 kW per hour. Laptop computer on Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour. Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour. Specify the currency label to use for this report. The default value is USD ($).

Desktop computer sleep

Laptop computer sleep

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Currency

Report Links
This report does not link to any other power management reports.

Environmental Impact Report

The Environmental Impact report displays the following information: A graph showing the total monthly CO2 generated (in tons) for computers in the specified collection for the specified time period. A graph showing the average monthly CO2 generated (in tons) for each computer in the specified collection for the specified time period. A table showing the total monthly CO2 generated and the average monthly CO2 generated for computers in the specified collection for specified time period.
2341

The Environmental Impact report calculates the amount of CO2 generated (in tons) by using the time that a computer or monitor was turned on in a 24 hour period. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Report start date Report end date Collection name Device type

From the drop-down list, select a start date for this report. From the drop-down list, select an end date for this report. From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer for which you want a report. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kW per hour. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kW per hour. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kW per hour.
2342

Laptop computer on

Desktop computer sleep

Parameter Name

Description

Laptop computer sleep

Specify the power consumption of a portable computer that has entered sleep. The default value is 0.001 kW per hour. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kW per hour. Specify the power consumption of a desktop computer monitor when it is turned on. The default value is 0.028 kW per hour. Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kW per hour. Specify the value for carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Desktop computer off

Laptop computer off

Desktop monitor on

Laptop monitor on

Carbon Factor (tons/kWh) (CO2Mix)

Report Links
This report does not link to any other power management reports.

Environmental Impact by Day Report

The Environmental Impact by Day report displays the following information: A graph showing the total daily CO2 generated (in tons) for computers in the specified collection for the last 31 days. A graph showing the average daily CO2 generated (in tons) for each computer in the specified collection for the last 31 days. A table showing the total daily CO2 generated and the average daily CO2 generatedfor computers in the specified collection for the last 31 days.

The Environmental Impact by Day report calculates the amount of CO2 generated (in tons) by using the time that a computer or monitor was turned on in a 24 hour period.

Required Report Parameters

The following parameters must be specified to run this report.
2343

Parameter Name

Description

Collection name Device type

From the drop-down list, select a collection for this report. From the drop-down list, select the type of computer you want to report about. Valid values are: All Reports on both desktop and portable computers. Desktop - Reports on desktop computers only. Laptop Reports on portable computers only.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

Desktop computer on

Specify the power consumption of a desktop computer when it is turned on. The default value is 0.07 kWh. Specify the power consumption of a portable computer when it is turned on. The default value is 0.02 kWh. Specify the power consumption of a desktop computer when it is turned off. The default value is 0 kWh. Specify the power consumption of a portable computer when it is turned off. The default value is 0 kWh. Specify the power consumption of a desktop computer that has entered sleep. The default value is 0.003 kWh. Specify the power consumption of a portable computer has entered sleep. The default value is 0.001 kWh. Specify the power consumption of a desktop
2344

Laptop computer on

Desktop computer off

Laptop computer off

Desktop computer sleep

Laptop computer sleep

Desktop monitor on

Parameter Name

Description

computer monitor when it is turned on. The default value is 0.028 kWh. Laptop monitor on Specify the power consumption of a portable computer monitor when it is turned on. The default value is 0 kWh. Specify a value for the carbon factor (in tons/kWh) that you typically can obtain from your power company. The default value is 0.0015 tons per kWh.

Carbon Factor (tons/kWh) (CO2Mix)

Report Links
This report does not link to any other power management reports.

Insomnia Computer Details Report

The Insomnia Computer Details report displays a list of computers that did not sleep or hibernate for a specific reason within a specified time period. This report is called by the Insomnia Report and is not designed to be run directly by the site administrator. The Insomnia Report displays computers as Not sleep capable when they are not capable of sleep and have been turned on during the entire specified report interval. The report displays computers as Not hibernate capable when they are not capable of hibernate and have been turned on during the entire specified report interval. Note Power management can only collect causes that prevented computers from entering sleep or hibernate from computers running Windows 7 or Windows Server 2008 R2. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name Report interval (days) Cause of Insomnia

From the drop-down list, select a collection to use for this report. Specify the number of days to report. The default value is 7 days. From the drop-down list, select one of the
2345

Parameter Name

Description

causes that can prevent computers from entering sleep or hibernate.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click the Click for detailed information link to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Insomnia Report
The Insomnia Report displays a list of common causes that prevented computers from entering sleep or hibernate and the number of computers affected by each cause for a specified time period. There are a number of causes that might prevent a computer from entering sleep or hibernate such as a process running on the computer, an open Remote Desktop session, or that the computer is incapable of sleep or hibernate. From this report, you can open the Insomnia Computer Details report which displays a list of computers affected by each cause of computers not sleeping or hibernating. The Power Insomnia report displays computers as Not sleep capable when they are not capable of sleep and have been turned on during the entire specified report interval. The report displays computers as Not hibernate capable when they are not capable of hibernate and have been turned on during the entire specified report interval. Note Power management can only collect causes that prevented computers from entering sleep or hibernate from computers running Windows 7 or Windows Server 2008 R2. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
2346

Parameter Name

Description

Collection name Report interval (days)

From the drop-down list, select a collection to use for this report. Specify the number of days to report. The default value is 7 days. The maximum value is 365 days. Specify 0 to run the report for today.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Insomnia Computer Details

Click a number in the Affected Computers column to see a list of computers that could not sleep or hibernate because of the selected cause. For more information, see Insomnia Computer Details Report in this topic.

Power Capabilities Report

The Power Capabilities report displays the power management hardware capabilities of computers in the specified collection. This report is typically used in the monitoring phase of power management to determine the power management capabilities of computers in your organization. The information displayed in the report can then be used to create collections of computers to apply power plans to, or to exclude from power management. The power management capabilities displayed by this report are: Sleep Capable - Indicates whether the computer has the capability to enter sleep if it is configured to do so. Hibernate Capable Indicates whether the computer can enter hibernate if it is configured to do so. Wake from Sleep Indicates whether the computer can wake from sleep if it is configured to do so. Wake from Hibernate Indicates whether the computer can wake from hibernate if it is configured to do so.
2347

The values reported by the Power Capabilities report indicate the sleep and hibernate capabilities of computers as reported by Windows. However, the reported values do not reflect cases where Windows or BIOS settings prevent these functions from working. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection Display Filter

From the drop-down list, select a collection for this report. From the drop-down list, select one of the following values: Not Supported - Displays only computers in the specified collection that are not capable of sleep, hibernate, wake from sleep, or wake from hibernate. Show All - Displays all computers in the specified collection.

Hidden Report Parameters

This report has no hidden parameters that you can set.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

Power Settings Report

The Power Settings report displays an aggregated list of power settings used by computers in the specified collection. For each power setting, the possible power modes, values, and units are
2348

displayed, together with a count of the number of computers that use those values. This report can be used during the monitoring phase of power management to help the administrator understand the existing power settings used by computers in the site and to help plan optimal power settings to be applied by using a power management plan. The report is also useful when troubleshooting to validate that power settings were correctly applied. Note The settings displayed are collected from client computers during hardware inventory. Depending on the time at which hardware inventory runs, settings from applied peak or non-peak power plans might be collected. Use the following parameters to configure this report.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection name

From the drop-down list, select a collection for this report.

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

numberOfLocalizations

Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Power Settings Details

Click the number of computers in the Computers column to see a list of all computers that use the power settings in that
2349

Report Name

Details

row. For more information, see Power Settings Details Report in this topic.

Power Settings Details Report

The Power Settings Details report displays further information about computers selected in the Power Settings report. This report is called by the Power Settings report and is not designed to be run directly by the site administrator.

Required Report Parameters

The following parameters must be specified to run this report.
Parameter Name Description

Collection Power Setting GUID

From the drop-down list, select a collection to use for this report. From the drop-down list, select the power setting GUID on which you want to report. For a list of all power settings and their uses, see Available Power Management Plan Settings in the topic How to Create and Apply Power Plans in Configuration Manager. From the drop down list, select the type of power settings you want to display in the report results. Select Plugged In to view the power settings configured for when the computer is plugged in and On Battery to view the power settings configured for when the computer is running on battery power. From the drop-down list, select the value for the selected power setting name on which you want to report. For example, if you want to display all computers with the turn off hard disk after setting set to 10 minutes, select turn off hard disk after for Power Setting Name and 10 for Setting Index.

Power Mode

Setting Index

2350

Hidden Report Parameters

The following hidden parameters can optionally be specified to change the behavior of this report.
Parameter Name Description

numberOfLocalizations

Specify the number of languages in which you want to view power setting names reported by client computers. If you only want to view the most popular language, leave this setting at the default of 1. To view all languages, set this value to 0.

Report Links
This report contains links to the following report which provides further information about the selected item.
Report Name Details

Computer Details

Click a computer name to see the power capabilities, power settings, and applied power plans for the selected computer. For more information, see Computer Details Report in this topic.

See Also
Operations and Maintenance for Power Management in Configuration Manager

How to Create and Apply Power Plans in Configuration Manager

Power management in System Center 2012 Configuration Manager enables you to apply power plans that are supplied with Configuration Manager to collections of computers in your hierarchy, or to create your own custom power plans. Use the procedure in this topic to apply a built-in or custom power plan to computers. Important You can only apply Configuration Manager power plans to device collections.

2351

If a computer is a member of multiple collections, each applying different power plans, then the following actions will be taken: Power plan: If multiple values for power settings are applied to a computer, the least restrictive value is used. Wakeup time: If multiple wakeup times are applied to a desktop computer, the time closest to midnight is used.

Use the Computers with Multiple Power Plans report to display all computers that have multiple power plans applied to them. This can help you discover computers that have power conflicts. For more information about power management reports, see How to Monitor and Plan for Power Management in Configuration Manager. Important Power settings configured by using Windows Group Policy will override settings configured by Configuration Manager power management. Use the following procedure to create and apply a Configuration Manager power plan. To create and apply a power plan 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. In the Device Collections list, click the collection to which you want to apply power management settings and then, in the Home tab, in the Properties group, click Properties. 4. In the Power Management tab of the <Collection Name> Properties dialog box, select Specify power management settings for this collection. Note You can also click Browse and then copy the power management settings from a selected collection to the selected collection. 5. In the Start and End fields, specify the start and end time for peak (or business) hours. 6. Enable Wakeup time (desktop computers) to specify a time when a desktop computer will wake from sleep or wake from hibernate to install scheduled updates or software installations. Important Power management uses the internal Windows wakeup time feature to wake computers from sleep or hibernate. Wakeup time settings are not applied to portable computers to prevent scenarios in which they might wake when not plugged in. The wake up time is randomized and computers will be woken over a one hour period from the specified wakeup time. 7. If you want to configure a custom power plan for peak (or business) hours, select Customized Peak (ConfigMgr) from the Peak plan drop-down list, and then click Edit. If you want to configure a power plan for non-peak (or nonbusiness) hours, select Customized Non-Peak (ConfigMgr) from the Non-peak plan drop-down list, and then
2352

click Edit. Note You can use the Computer Activity report to help you decide the schedules to use for peak and non-peak hours when you apply power plans to collections of computers. For more information, see Computer Activity Report in the topic How to Monitor and Plan for Power Management in Configuration Manager. You can also select from the built-in power plans, Balanced (ConfigMgr), High Performance (ConfigMgr) and Power Saver (ConfigMgr), and then click View to display the properties of each power plan. Note You cannot modify the built-in power plans. 8. In the <power plan name> Properties dialog box, configure the following settings: Name: Specify a name for this power plan or use the supplied default value. Description: Specify a description for this power plan or use the supplied default value. Specify the properties for this power plan: Configure the power plan properties. To disable a property, clear its check box. For information about the available settings, see Available Power Management Plan Settings in this topic. Important Enabled settings are applied to computers when the power plan is applied. If you clear a power setting check box, the value on the client computer is not changed when the power plan is applied. Clearing a check box does not restore the power setting to its previous value before a power plan was applied. 9. Click OK to close the <power plan name> Properties dialog box. 10. Click OK to close the <Collection Name> Settings dialog box and to apply the power plan.

Available Power Management Plan Settings

The following table lists the power management settings available in Configuration Manager. You can configure separate settings for when the computer is plugged in or running on battery power. Depending on the version of Windows you are using, some settings might not be configurable. Note Power settings that you do not configure will retain their current value on client computers.

2353

Name

Description

Turn off display after (minutes)

Specifies the length of time, in minutes, that the computer must be inactive before the display is turned off. Note Specify a value of 0 if you do not want power management to turn off the display.

Sleep after (minutes)

Specifies the length of time, in minutes, that the computer must be inactive before it enters sleep. Note Specify a value of 0 if you do not want power management to enter sleep on the computer.

Require a password on wakeup

Specifies whether a password is required to unlock the computer when it enters wake from sleep. Yes No Note Computers that are running Windows XP with this setting configured as Yes for On battery or Plugged in require a password on wakeup whether or not they are using battery power.

Power button action

Specifies the action that is taken when the computers power button is pressed. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for
2354

Name

Description

On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Start menu power button Specifies the action that occurs when you press the computers Start menu power button. Possible values include the following: Sleep Hibernate Shut down Note This setting is only applicable on computers running Windows Vista. Sleep button action Specifies the action that occurs when you press the computers Sleep button. Possible values include the following: Do nothing Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Lid close action Specifies the action that occurs when the user closes the lid of a portable computer. Possible values include the following: Do nothing Sleep Hibernate Shut down

2355

Name

Description

Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On these versions of Windows, the Shut down option is not implemented. If you select the Shut down option, the current lid close action setting on the computer will not be changed. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Turn off hard disk after (minutes) Specifies the length of time, in minutes, that the computers hard disk must be inactive before it is turned off. Note Specify a value of 0 if you do not want power management to turn off the computers hard disk. Hibernate after (minutes) Specifies the length of time, in minutes, that the computer must be inactive before it enters hibernate. Note Specify a value of 0 if you do not want power management to enter hibernate on the computer. Low battery action Specifies the action that occurs when the computers battery reaches the specified low battery notification level. Possible values include the following: Do nothing Sleep Hibernate Shut down Note
2356

Name

Description

On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Critical battery action Specifies the action that is taken when the computers battery reaches the specified critical battery notification level. Possible values include the following: Do nothing This option is not available for the On battery setting. Sleep Hibernate Shut down Note On computers that are running Windows XP, the value specified for On battery is applied, whether the computer is running on battery or is plugged in. On this version of Windows, select the Hibernate setting to enable entering hibernate on the computer. Allow hybrid sleep Specifies whether Windows saves a hibernation file when entering sleep, which can be used to restore the computer's state in the event of power loss while it has entered sleep. On Off Note Hybrid sleep is designed for desktop computers and, by default, is not enabled on portable computers. On computers that are running Windows 7, enabling hybrid sleep disables the hibernate functionality. This setting is not supported on
2357

Name

Description

computers running Windows XP. Allow standby state when sleeping action Enables the computer to be on standby, which still consumes some power, but enables the computer to wake faster. Possible values are: On Off Note If this setting is set to Off, the computer can only hibernate or turn off. The Off setting is not supported on computers running Windows XP. Required idleness to sleep (%) Specifies the percentage of idle time on the computer processor time required for the computer to enter sleep. Note This setting only applies to computers that are running Windows Vista. On computers that are running Windows 7, this value is always set to 0. Enable Windows wake up timer for desktop computers Enables the built-in Windows timer which can be used by power management to wake a desktop computer. When a desktop computer is woken by using the Windows wake up timer, it will remain awake for 10 minutes by default to allow time for the computer to install any updates or to receive policy. Possible values are: Enable Disable Important Wakeup timers are not supported on portable computers to prevent scenarios in which they might wake when they are not plugged in. The Disable setting is not supported on computers running Windows XP.

2358

See Also
Operations and Maintenance for Power Management in Configuration Manager

Security and Privacy for Power Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This section contains security and privacy information for power management in System Center 2012 Configuration Manager.

Security Best Practices for Power Management

There are no security-related best practices for power management.

Privacy Information for Power Management

Power management uses features that are built into Windows to monitor power usage and to apply power settings to computers during business hours and nonbusiness hours. Configuration Manager collects power usage information from computers, which includes data about when a user is using a computer. Although Configuration Manager monitors power usage for a collection rather than for each computer, a collection can contain just one computer. Power management is not enabled by default and must be configured by an administrator. The power usage information is stored in the Configuration Manager database and is not sent to Microsoft. Detailed information is retained in the database for 31 days and summarized information is retained for 13 months. You cannot configure the deletion interval. Before you configure power management, consider your privacy requirements.

See Also
Power Management in Configuration Manager

2359

Technical Reference for Power Management in Configuration Manager

There is currently no technical reference information for power management in System Center 2012 Configuration Manager.

See Also
Power Management in Configuration Manager

Remote Control in Configuration Manager

Use the following topics to help you find information about remote control in System Center 2012 Configuration Manager.

Remote Control Topics

Introduction to Remote Control in Configuration Manager Planning for Remote Control in Configuration Manager Configuring Remote Control in Configuration Manager Operations and Maintenance for Remote Control in Configuration Manager Security and Privacy for Remote Control in Configuration Manager Technical Reference for Remote Control in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Remote Control in Configuration Manager

Use remote control in System Center 2012 Configuration Manager to remotely administer, provide assistance, or view any client computer in the hierarchy. You can use remote control to troubleshoot hardware and software configuration problems on client computers and to provide help desk support when access to the users computer is required. Configuration Manager supports the remote control of workgroup computers and computers that are joined to an Active Directory domain.
2360

In addition, Configuration Manager lets you configure client settings to run Windows Remote Desktop and Remote Assistance from the Configuration Manager console. Note You cannot establish a Remote Assistance session from the Configuration Manager console to a client computer in the following scenarios: The client computer is in a workgroup. The computer running the Configuration Manager console is running Windows XP Service Pack 3, but the host computer is not running Windows XP Service Pack 3. For more information, see your Windows Remote Assistance documentation.

You can start a remote control session from any device collection in the Configuration Manager console, from the Windows Command Prompt window, or from the Windows Start menu.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for remote control since Configuration Manager 2007: Remote control now supports sending the CTRL+ALT+DEL command to computers. You can apply different remote control settings to collections of computers by using client settings. You can lock the keyboard and mouse of the computer that is being administered during a remote control session. The copy and paste functionality between the host computer and the computer that is being administered has been improved. If the remote control network connection is disconnected, the desktop of the computer that is being administered will be locked. You can start the remote control viewer from the Windows Start menu. Remote control client settings can automatically configure the Windows Firewall on client computers to allow remote control to operate. Remote control supports connecting to computers with multiple monitors. A high visibility notification bar is visible on client computers to inform the user that a remote control session is active. By default, members of the local Administrators group are granted the Remote Control permission as a client setting. The account name of the administrative user who starts the remote control session is automatically displayed to users during the remote control session. This display helps users to verify who is connecting to their computer.

2361

If Kerberos authentication fails when you make a remote control connection to a computer, you are prompted to confirm that you want to continue before Configuration Manager falls back to using the less secure authentication method of NTLM. Only TCP port 2701 is required for remote control packets; ports TCP 2702 and TCP 135 are no longer used. Responsiveness for low-bandwidth connections supports the following improvements: Elimination of mouse trails by using single mouse cursor design. Full support for Windows Aero. Elimination of mirror driver.

See Also
Remote Control in Configuration Manager

Planning for Remote Control in Configuration Manager

Use the following topics in this section to help you plan for remote control in System Center 2012 Configuration Manager.

In this Section
Prerequisites for Remote Control in Configuration Manager

See Also
Remote Control in Configuration Manager

Prerequisites for Remote Control in Configuration Manager

Remote control in System Center 2012 Configuration Manager has external dependencies and dependencies in the product.

Dependencies External to Configuration Manager

2362

Dependency

More information

Computer video card driver

Ensure that the most up-to-date video driver is installed on client computers to ensure optimal remote control performance.

Devices that run Windows Embedded, Windows Embedded for Point of Service (POS), and Windows Fundamentals for Legacy PCs do not support the remote control viewer, but they do support the remote control client. System Center 2012 Configuration Manager remote control cannot be used to remotely administer client computers that run Systems Management Server 2003 or Configuration Manager 2007. Note No Windows services are required as an external dependency for remote control.

Supported Operating Systems for the Remote Control Viewer

The following table provides information about the supported operating systems for the remote control viewer. For information about supported client operating systems, see Supported Configurations for Configuration Manager.
Operating system Viewer support More information

Windows XP (32-bit)

Yes

To run the remote control viewer on this operating system, you must first download and install the Remote Desktop Connection (RDC) client update 7.0 (KB969084) from the Microsoft Download Center. No additional information. To run the remote control viewer on this operating system, you must first download and install the Remote Desktop Connection (RDC) client update 7.0 (KB969084) from the Microsoft Download Center. To run the remote control viewer on this operating system, you must first download
2363

Windows XP (64-bit) Windows Vista (32-bit)

No Yes

Windows Vista (64-bit)

Yes

Operating system

Viewer support

More information

and install the Remote Desktop Connection (RDC) client update 7.0 (KB969084) from the Microsoft Download Center. Windows 7 (32-bit) Windows 7 (64-bit) Windows Server 2003 (32-bit) Windows Server 2003 (64-bit) Windows Server 2008 (32-bit) Windows Server 2008 (64-bit) Windows Server 2008 R2 (64bit) Yes Yes No No No No Yes No additional information. No additional information. No additional information. No additional information. No additional information. No additional information. No additional information.

Configuration Manager Dependencies

Dependency More information

Remote control must be enabled for clients

By default, remote control is not enabled when you install Configuration Manager. For information about how to enable and configure remote control, see Configuring Remote Control in Configuration Manager. The reporting services point site system role must be installed before you can run reports for remote control. For more information, see Reporting in Configuration Manager. You must have the following security permissions to use remote control: To access collection resources and to initiate a remote control session from the Configuration Manager console: Control AMT, Read, Read Resource, and Remote Control permission for the Collection object.

Reporting services point

Security permissions to manage remote control

The Remote Tools Operator security role includes these permissions that are required to
2364

Dependency

More information

manage remote control in Configuration Manager. For more information, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic. Additionally, you must add users whom you want to give permission to use remote control and remote assistance to the remote control permitted views list by using the option Permitted viewers of Remote Control and Remote Assistance in the Remote Tools client settings.

See Also
Remote Control in Configuration Manager

Configuring Remote Control in Configuration Manager

Before you can use remote control in System Center 2012 Configuration Manager, you must perform the following configuration steps.

How to Enable Remote Control and Configure Client Settings

This procedure describes configuring the default client settings for remote control and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers that you want to use in a remote control session. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable remote control and configure client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Client Settings. 4. On the Home tab, in the Properties group, click Properties.
2365

5. In the Default dialog box, click Remote Tools. 6. Configure the remote control, Remote Assistance and Remote Desktop client settings that you require. For a list of remote tools client settings that you can configure, see the section Remote Tools in the topic About Client Settings in Configuration Manager. Note You can change the company name that appears in the ConfigMgr Remote Control dialog box by configuring a value for Organization name displayed in Software Center in the Computer Agent client settings. Important To use Remote Assistance or Remote Desktop, it must be installed and configured on the computer that runs the Configuration Manager console. For more information about how to install and configure Remote Assistance or Remote Desktop, see your Windows documentation. 7. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Remote Control in Configuration Manager

Operations and Maintenance for Remote Control in Configuration Manager

Use the information in this section to find out more about operations and maintenance for remote control in System Center 2012 Configuration Manager.

In This Section
How to Remotely Administer a Client Computer by Using Configuration Manager How to Audit Remote Control Usage in Configuration Manager

See Also
Remote Control in Configuration Manager

2366

How to Remotely Administer a Client Computer by Using Configuration Manager

Use the following procedure to remotely administer a computer in System Center 2012 Configuration Manager. Before you begin to use remote control, ensure that you have reviewed the information in the following topics: Planning for Remote Control in Configuration Manager Configuring Remote Control in Configuration Manager By using the Configuration Manager console. At the Windows command prompt. On the Windows Start menu on a computer that runs the Configuration Manager console from the Microsoft System Center 2012 program group. To remotely administer a client computer from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select the computer that you want to remotely administer and then, in the Home tab, in the Device group, click Start, and then click Remote Control. Important If the client setting Prompt user for Remote Control permission is set to True, the connection does not initiate until the user at the remote computer agrees to the remote control prompt. For more information, see Configuring Remote Control in Configuration Manager. 4. After the Configuration Manager Remote Control window opens, you can remotely administer the client computer. Use the following options to configure the connection. Note If the computer that you connect to has multiple monitors, the display from all these monitors is shown in the remote control window. File - Connect Connect to another computer. This option is unavailable when a remote control session is active. File - Disconnect Disconnects the active remote control session but does not close the Configuration Manager Remote Control window. File - Exit Disconnects the active remote control session and closes the Configuration Manager Remote Control window. Note When you disconnect a remote control session, the contents of the Windows
2367

You can start the Configuration Manager remote control viewer by using one of three methods:

Clipboard on the computer that you are viewing is deleted. View - Full Screen Maximizes the Configuration Manager Remote Control window to fill all the available display space. Note To exit full screen mode, press Ctrl+Alt+Break. View - Scale to Fit Scales the display of the remote computer to fit the size of the Configuration Manager Remote Control window. View - Status Bar Toggles the display of the Configuration Manager Remote Control window status bar. Action - Send Ctrl+Alt+Del Key Sends a Ctrl+Alt+Del key combination to the remote computer. Action - Enable Clipboard Sharing Lets you copy and paste items to and from the remote computer. If you change this value, you must restart the remote control session for the change to take effect. Note If you do not want clipboard sharing to be enabled in the Configuration Manager console, on the computer running the console, set the value of the registry key, HKEY_CURRENT_USER\Software\Microsoft\ConfigMgr10\Remote Control\Clipboard Sharing to 0. Action - Lock Remote Keyboard and Mouse Locks the remote keyboard and mouse to prevent the user from operating the remote computer. Help - About Remote Control Displays information about the current version of the remote control viewer.

5. Users at the remote computer can view more information about the remote control session when they click the Configuration Manager Remote Control icon in the Windows notification area or the icon on the remote control session bar. 6. When you no longer require the remote control session, use one of the methods detailed earlier to end the remote control session. To start the remote control viewer from the Windows command line At the Windows command prompt, type <Configuration Manager Installation Folder>\AdminConsole\Bin\x64\CmRcViewer.exe Note CmRcViewer.exe supports the following command-line options: <Address> - Specifies the NetBIOS name, the fully qualified domain name (FQDN), or the IP address of the client computer that you want to connect to. <Site Server Name> - Specifies the name of the System Center 2012 Configuration Manager site server to which you want to send status messages that are related to the remote control session.
2368

/? Displays the command-line options for the remote control viewer. Example: CmRcViewer.exe <Address> <\\Site Server Name>

See Also
Operations and Maintenance for Remote Control in Configuration Manager

How to Audit Remote Control Usage in Configuration Manager

You can use System Center 2012 Configuration Manager reports to view audit information for remote control. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. The following two reports are available with the category Status Messages - Audit: Remote Control All computers remote controlled by a specific user Displays a summary of remote control activity that a specific user initiated. Remote Control All remote control information Displays a summary of status messages about remote control of client computers. To run the report Remote Control All computers remote controlled by a specific user 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the Reports node, click the Category column to sort the reports so that you can more easily find the reports in the category Status Messages - Audit. 4. Select the report Remote Control - All computers remote controlled by a specific user, and then, on the Home tab, in the Report Group, click Run. 5. In the User Name list of the Remote Control - All computers remote controlled by a specific user, specify the user that you want to report audit information for, and then click View Report. 6. When you have finished viewing the data in the report, close the report window. To run the report Remote Control All remote control information 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the Reports node, click the Category column to sort the reports so that you can more easily find the reports in the category Status Messages - Audit. 4. Select the report Remote Control - All remote control information, and then, on the Home tab, in the Report Group, click Run to open the Remote Control - All remote
2369

control information window. 5. When you have finished viewing data in the report, close the report window.

See Also
Operations and Maintenance for Remote Control in Configuration Manager

Security and Privacy for Remote Control in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for remote control in System Center 2012 Configuration Manager.

Security Best Practices for Remote Control

Use the following security best practices when you manage client computers by using remote control.
Security best practice More information

When you connect to a remote computer, do not continue if NTLM instead of Kerberos authentication is used.

When Configuration Manager detects that the remote control session is authenticated by using NTLM instead of Kerberos, you see a prompt that warns you that the identity of the remote computer cannot be verified. Do not continue with the remote control session. NTLM authentication is a weaker authentication protocol than Kerberos and is vulnerable to replay and impersonation. The Clipboard supports objects such as executable files and text and could be used by the user on the host computer during the remote control session to run a program on the originating computer. Software that observes keyboard input could capture the password. Or, if the program that is
2370

Do not enable Clipboard sharing in the remote control viewer.

Do not enter passwords for privileged accounts

Security best practice

More information

when remotely administering a computer.

being run on the client computer is not the program that the remote control user assumes, the program might be capturing the password. When accounts and passwords are required, the end user should enter them. If Configuration Manager detects that the remote control connection is terminated, Configuration Manager automatically locks the keyboard and mouse so that a user cannot take control of the open remote control session. However, this detection might not occur immediately and does not occur if the remote control service is terminated. Select the action Lock Remote Keyboard and Mouse in the ConfigMgr Remote Control window.

Lock the keyboard and mouse during a remote control session.

Do not let users configure remote control settings in Software Center.

Do not enable the client setting Users can change policy or notification settings in Software Center to help prevent users from being spied on. Note This setting is for the computer and not the logged-on user.

Enable the Domain Windows Firewall profile.

Enable the client setting Enable remote control on clients Firewall exception profiles and then select the Domain Windows Firewall for intranet computers.

If you log off during a remote control session If you do not log off in this scenario, the session and log on as a different user, ensure that you remains open. log off before you disconnect the remote control session. Do not give users local administrator rights. When you give users local administrator rights, they might be able to take over your remote control session or compromise your credentials. You can use Configuration Manager and Group Policy to make configuration changes to the Remote Assistance settings. When Group
2371

Use either Group Policy or Configuration Manager to configure Remote Assistance settings, but not both.

Security best practice

More information

Policy is refreshed on the client, by default, it optimizes the process by changing only the policies that have changed on the server. Configuration Manager changes the settings in the local security policy, which might not be overwritten unless the Group Policy update is forced. Setting policy in both places might lead to inconsistent results. Choose one of these methods to configure your Remote Assistance settings. Enable the client setting Prompt user for Remote Control permission. Although there are ways around this client setting that prompts a user to confirm a remote control session, enable this setting to reduce the chance of users being spied upon while working on confidential tasks. In addition, educate users to verify the account name that is displayed during the remote control session and disconnect the session if they suspect that the account is unauthorized. Limit the Permitted Viewers list. Local administrator rights are not required for a user to be able to use remote control.

Security Issues for Remote Control

Managing client computers by using remote control has the following security issues: Do not consider remote control audit messages to be reliable. If you start a remote control session and then log on by using alternative credentials, the original account sends the audit messages, not the account that used the alternative credentials. Audit messages are not sent if you copy the binary files for remote control rather than install the Configuration Manager console, and then run remote control at the command prompt.

Privacy Information for Remote Control

Remote control lets you view active sessions on Configuration Manager client computers and potentially view any information stored on those computers. By default, remote control is not enabled.

2372

Although you can configure remote control to provide prominent notice and get consent from a user before a remote control session begins, it can also monitor users without their permission or awareness. You can configure View Only access level so that nothing can be changed on the remote control, or Full Control. The account of the connecting administrator is displayed in the remote control session, to help users identify who is connecting to their computer. By default, Configuration Manager grants the local Administrators group Remote Control permissions. Before you configure remote control, consider your privacy requirements.

See Also
Remote Control in Configuration Manager

Technical Reference for Remote Control in Configuration Manager

Use the following topics in this section for technical reference information for remote control in System Center 2012 Configuration Manager.

In This Section
Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager

See Also
Remote Control in Configuration Manager

Keyboard Shortcuts for the Remote Control Viewer in Configuration Manager

When you use the System Center 2012 Configuration Manager remote control viewer, you can use the following keyboard shortcuts to control the client computer that is being administered.
Keyboard shortcut Description

Alt+Page Up Alt+Page Down

Switches between running programs from left to right. Switches between running programs from right to left.
2373

Keyboard shortcut

Description

Alt+Insert Alt+Home Ctrl+Alt+End Alt+Delete Ctrl+Alt+Minus Sign (on the numeric keypad) Ctrl+Alt+Plus Sign (on the numeric keypad)

Cycles through running programs in the order that they were opened. Displays the Start menu. Displays the Windows Security dialog box (Ctrl+Alt+Del). Displays the Windows menu. Copies the active window of the local computer to the remote computer Clipboard. Copies the entire local computer's window area to the remote computer Clipboard.

See Also
Technical Reference for Remote Control in Configuration Manager

Software Metering in Configuration Manager

Use software metering in System Center 2012 Configuration Manager to monitor and collect software usage data from Configuration Manager clients.

Software Metering Topics

Use the following topics to help you find information about planning, configuring, and managing software metering in Configuration Manager. Introduction to Software Metering in Configuration Manager Planning for Software Metering in Configuration Manager Configuring Software Metering in Configuration Manager Operations and Maintenance for Software Metering in Configuration Manager Security and Privacy for Software Metering in Configuration Manager Technical Reference for Software Metering in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

2374

Introduction to Software Metering in Configuration Manager

Use software metering in System Center 2012 Configuration Manager to monitor and collect software usage data from Configuration Manager clients. To collect this usage data, configure software metering rules or use the Configuration Manager inventory to generate these rules automatically. Client computers evaluate these rules and collect metering data to send to the site. The Configuration Manager client continues to collect usage data when there is no connection to the Configuration Manager site and sends this information when the connection is re-established. After you collect usage data from Configuration Manager clients, you can view the data in different ways, which includes using collections, queries, and reporting. This data, combined with data from software inventory, can help your organization to determine the following: How many copies of a particular software program have been deployed to the computers in your organization. Among those computers, you can determine how many users actually run the program. How many licenses of a particular software program you have to purchase when you renew your license agreement with the software vendor. Whether users are still running a particular software program. If the program is not being used, you might retire the program. Which times of the day a software program is most frequently used.

For an example scenario that shows how you might use software metering in your environment, see Example Scenario for Software Metering in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. There are no significant changes for software metering in Configuration Manager since Configuration Manager 2007.

See Also
Software Metering in Configuration Manager

2375

Planning for Software Metering in Configuration Manager

Use the following topics in this section to help you plan for software metering in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

Prerequisites for Software Metering in Configuration Manager

Software metering in System Center 2012 Configuration Manager has the following dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Client settings for software metering.

To use software metering, the client setting Enable software metering on clients must be enabled and deployed to computers. You can deploy software metering settings to all computers in the hierarchy, or you can deploy custom settings to groups of computers. For more information, see How to Configure Software Metering in Configuration Manager. You must configure a reporting services point before you can view software metering reports. For more information, see Reporting in Configuration Manager.

The reporting services point.

2376

See Also
Planning for Software Metering in Configuration Manager

Configuring Software Metering in Configuration Manager

Use the following topics in this section to help you configure software metering in System Center 2012 Configuration Manager.

In This Section
How to Configure Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

How to Configure Software Metering in Configuration Manager

Use the following steps to configure software metering for System Center 2012 Configuration Manager. This procedure configures the default client settings for software metering and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and deploy it to a collection that contains the computers on which you want to use software metering. For more information about how to create custom device settings, see How to Configure Client Settings in Configuration Manager. To configure software metering 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings, and then click Default Client Settings. 3. On the Home tab, in the Properties group, click Properties. 4. In the Default Settings dialog box, click Software Metering. 5. In the Device Settings list, configure the following: Enable software metering on clients: In the list, select True if you want to enable software metering. Schedule data collection: Configure how often software metering data is collected
2377

from client computers. Use the default value of every 7 days or click Schedule to specify a custom schedule. 6. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Configuring Software Metering in Configuration Manager

Operations and Maintenance for Software Metering in Configuration Manager

Use the information in this section to find out more about operations and maintenance for software metering in System Center 2012 Configuration Manager.

In This Section
How to Create Software Metering Rules in Configuration Manager How to Configure Automatic Software Metering Rule Generation in Configuration Manager How to Manage Software Metering Rules in Configuration Manager How to Monitor Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

How to Create Software Metering Rules in Configuration Manager

Use the Create Software Metering Rule Wizard to create a new software metering rule for your System Center 2012 Configuration Manager site. The following procedure provides the necessary steps to create a new software metering rule. To create a software metering rule 1. In the Configuration Manager console, click Assets and Compliance.
2378

2. In the Assets and Compliance workspace, click Software Metering. 3. On the Home tab, in the Create group, click Create Software Metering Rule. 4. On the General page of the Create Software Metering Rule Wizard, specify the following information: Name - The name of the software metering rule. This should be unique and descriptive. Note Software metering rules can share the same name if the file name contained in the rules is different. File Name - The name of the program file that you want to meter. You can click Browse to display the Open dialog box, in which you can select the program file to use. Note If you type the executable file name in the File name box, no checks are carried out to determine whether this file exists or whether it contains the necessary header information. When possible, click Browse and select the executable file to be metered. Wildcard characters are not permitted in the file name. This box is optional if a value for Original file name is specified. Original File Name - The name of the executable file that you want to meter. This name matches information in the header of the file, not the file name itself so that it can be useful in cases where the executable file has been renamed but you want to meter it by the original name. Note Wildcard characters are not permitted in the original file name. This box is optional if a value for File Name is specified. Version - The version of the executable file you that want to meter. You can use the wildcard character (*) to represent any string of characters or the wildcard character (?) to represent any single character. If you want to meter for all versions of an executable file, use the default value (*). Language - The language of the executable file to meter. The default value is the current locale of the operating system you are using. If you select an executable file to be metered by clicking the Browse button, this box is automatically filled if language information is present in the header of the file. To meter all language versions of a file, select Any in the drop-down list. Description - An optional description for the software metering rule. Apply this software metering rule to the following clients Select whether you want to apply the software metering rule to all clients in the hierarchy or to the clients that are assigned to the site specified in the Site list.

5. To continue, click Next.

2379

6. Review and confirm the settings and then complete the wizard to create the software metering rule. The new software metering rule is displayed in the Software Metering node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Software Metering in Configuration Manager

How to Configure Automatic Software Metering Rule Generation in Configuration Manager

You can configure software metering in System Center 2012 Configuration Manager to automatically generate disabled software metering rules from recent usage inventory data held in the site database. You can configure this inventory data so that only for applications that are used on a specified percentage of computers metering rules are created. You can also specify the maximum number of automatically generated software metering rules allowed on the site. Note By default, software metering rules that are automatically created are disabled. Before you can begin to collect usage data from these rules, you must enable them. The following procedure provides the necessary steps to configure automatic software metering rule generation. To configure automatic software metering rule generation 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Software Metering, and then, in the Home tab, in the Settings group, click Software Metering Properties. 3. In the Software Metering Properties dialog box, configure the following: Data retention (in days) - Specifies the amount of time that data generated by software metering rules are kept in the site database. The default value is 90 days. Enable the option Automatically create disabled metering rules from recent usage inventory data. Specify the percentage of computers in the hierarchy that must use a program before a software metering rule is automatically created - The default value is 10 percent. Specify the number of software metering rules that must be exceeded in the hierarchy before the automatic creation of rules is disabled - The default value is 100 rules.

4. Click OK to close the Software Metering Properties dialog box.

2380

See Also
Operations and Maintenance for Software Metering in Configuration Manager

How to Manage Software Metering Rules in Configuration Manager

Use the information in this topic to help you manage software metering rules in System Center 2012 Configuration Manager. For information about how to create software metering rules, see How to Create Software Metering Rules in Configuration Manager.

How to Manage Software Metering Rules

In the Assets and Compliance workspace, select Software Metering, select the software metering rule to manage, and then select a management task. Use the following table for more information about the management tasks that might require some information before you select them.
Management Task Details More Information

Enable

Enables a disabled software metering rule. This setting is downloaded to client computers according to the Client policy polling interval in the Client Policy section of client settings (by default, every 60 minutes). Disables an enabled software metering rule. This setting is downloaded to client computers according to the Client policy polling interval in the Client Policy section of client settings (by default, every 60 minutes).

How to Configure Client Settings in Configuration Manager

Disable

How to Configure Client Settings in Configuration Manager

2381

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Monitor Software Metering in Configuration Manager

Software metering in System Center 2012 Configuration Manager includes a number of built-in reports which allow you to monitor information about software metering operations. These reports have the report category of Software Metering. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. Additionally, you can create queries and collections based on the data stored in the Configuration Manager database by software metering. For more information about collections in Configuration Manager, see Collections in Configuration Manager. For more information about queries in Configuration Manager, see Queries in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

Security and Privacy for Software Metering in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for software metering in System Center 2012 Configuration Manager.

2382

Security Best Practices for Software Metering

There are currently no security-related best practices for software metering.

Security Issues for Software Metering

An attacker could send invalid software metering information to Configuration Manager, which will be accepted by the management point even when the software metering client setting is disabled. This might result in a large number of metering rules that are replicated throughout the hierarchy, causing a denial of service on the network and to Configuration Manager site servers. Because an attacker can create invalid software metering data, do not consider software metering information to be authoritative. Software metering is enabled by default as a client setting.

Privacy Information for Software Metering

Software metering monitors the usage of applications on client computers. Software metering is enabled by default. You must configure which applications to meter. Metering information is stored in the Configuration Manager database. The information is encrypted during transfer to a management point but it is not stored in encrypted form in the Configuration Manager database. This information is retained in the database until it is deleted by the site maintenance tasks Delete Aged Software Metering Data (every five days) and Delete Aged Software Metering Summary Data (every 270 days). You can configure the deletion interval. Metering information is not sent to Microsoft. Some additional metering information is collected through hardware inventory. For more information, see Security and Privacy for Hardware Inventory in Configuration Manager. Before you configure software metering, consider your privacy requirements.

See Also
Software Metering in Configuration Manager

Technical Reference for Software Metering in Configuration Manager

Use the following topics in this section for technical reference information related to software metering in System Center 2012 Configuration Manager.

In This Section
Example Scenario for Software Metering in Configuration Manager
2383

Maintenance Tasks for Software Metering in Configuration Manager

See Also
Software Metering in Configuration Manager

Example Scenario for Software Metering in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how software metering in System Center 2012 Configuration Manager can be implemented to solve the following business requirements: Determine how many copies of a specified software application are in use on the company network. Determine whether there are any unused copies of a specified software application on the network. Determine which users regularly use a specified software application.

Woodgrove Bank has deployed Microsoft Office 2010 as its standard office productivity suite. However, to support a legacy application, some computers must continue to run Microsoft Office Word 2003. The IT department wants to reduce support and licensing costs by removing these copies of Word 2003 if the legacy application is no longer used. The help desk also wants to identify which users use the legacy application. John is Woodgrove Bank's IT Systems Manager who uses software metering in Configuration Manager to achieve these business objectives. He performs the actions in the following table:
Process Reference

John checks the prerequisites for software metering and confirms that the reporting services point is installed and operational. John configures the default client settings for software metering:

Prerequisites for Software Metering in Configuration Manager How to Configure Software Metering in Configuration Manager

He enables software metering and uses the How to Create Software Metering Rules in default data collection schedule of once Configuration Manager every seven days. He configures software inventory to inventory files that have the extension .exe
2384

Process

Reference

by configuring the software inventory client setting Inventory these file types. He adds a new software metering rule, named woodgrove.exe, to monitor the legacy application. No additional information.

John waits for seven days, after which the client computers begin to report usage data for the woodgrove.exe executable. John uses the Configuration Manager report Install base for all metered software programs to see which computers have the application woodgrove.exe loaded.

How to Monitor Software Metering in Configuration Manager

After six months, John runs the report How to Monitor Software Metering in Computers that have a metered program Configuration Manager installed, but have not run the program since a specified date, specifying the software metering rule and a date six months in the past. This report identifies 120 computers that have not run the program in the past six months. John makes some further checks to confirm that the legacy application is not required on the identified computers. He then uninstalls the legacy application and the copy of Word 2003 from these computers. John runs the report Users that have run a specific metered software program to provide the help desk with a list of users who continue to use the legacy application. John continues to check the software metering reports weekly and takes remedial action if necessary. How to Monitor Software Metering in Configuration Manager No additional information.

As a result of this course of action, IT support and licensing costs are reduced by removing the applications that are no longer required. In addition, the help desk now has the list that it wanted of the users who run the legacy application.

See Also
Technical Reference for Software Metering in Configuration Manager
2385

Maintenance Tasks for Software Metering in Configuration Manager

System Center 2012 Configuration Manager includes a number of maintenance tasks to help you manage the usage data collected by software metering: Delete Aged Software Metering Data Delete Aged Software Metering Summary Data Summarize Software Metering File Usage Data Summarize Software Metering Monthly Usage Data

Use the following sections to learn more about these maintenance tasks. By default, all four tasks are enabled in Configuration Manager. Use the following procedure to configure these maintenance tasks. To configure maintenance tasks 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and then click Sites. 3. In the Sites list, select the site that you want to configure maintenance tasks for and then, in the Home tab, in the Settings group, click Site Maintenance. 4. In the Site Maintenance dialog box, configure the site maintenance tasks you require and then click OK.

Tasks that Delete Software Metering Data

The following maintenance tasks remove old software metering data and summarized data from the site database:

Delete Aged Software Metering Data

Use the Delete Aged Software Metering Data task to delete all software metering data that is older than the number of days specified. By default, the task is scheduled to run every day and to delete software metering data that is older than five days. You can configure the number of days to be any number from 2 through 255.

Delete Aged Software Metering Summary Data

Use the Delete Aged Software Metering Summary Data task to delete summarized software metering summary data that is older than the number of days specified. By default, the task is scheduled to run every Sunday and to delete software metering summary data that is older than 270 days.

2386

Tasks that Summarize Software Metering Data

The summarize software metering tasks perform the data summarization to compress the amount of data in the site database.

Summarize Software Metering File Usage Data

The Summarize Software Metering File Usage Data task condenses software metering file usage data from multiple records into one general record. This record provides information about the program name, version, language, and number of distinct users over intervals of 15 minutes and one hour. This process compresses and optimizes the amount of data stored in the site database. By default, the Summarize Software Metering File Usage Data task runs daily. For every hour and every 15-minute interval within the hour, the task calculates the total number of distinct user/computer combinations that are running the matching program. Within the 15-minute intervals, this approximates the number of concurrent users. For example: If the same user is using a software program and is logged on to three different computers simultaneously, this counts as three usages. If three users are logged on to a computer running Terminal Services and all three are running the software program, this counts as three usages. If the same user starts and stops the software program on the same computer three separate times during the hour, this counts as one usage for that user.

When replicated up hierarchy, the software metering summary data from each site remains separated from data from the other sites. When the data reaches a parent site, each record is marked with the site code of the site where the usage data was generated. These records can be added together to estimate concurrent program usage in the network.

Summarize Software Metering Monthly Usage Data

The Summarize Software Metering Monthly Usage Data task condenses detailed software metering usage data from multiple records into one general record. This record provides information about the program name, program version and language, program running times, number of usages, last usage, user name, and computer name. Data summarization helps compress the amount of data in the site database. Monthly software usage data is sent to the central administration site. The summarization information includes the number of times each matching software program ran on a particular computer and by a particular user during the month. By default, the task is scheduled to run daily and the summarization period is one month. Software monthly usage data is replicated to the parent site.

See Also
Technical Reference for Software Metering in Configuration Manager
2387

Out of Band Management in Configuration Manager

System Center 2012 Configuration Manager integrates with Intel Active Management Technology (Intel AMT), which lets you manage desktop and laptop computers independently from the Configuration Manager client or the computer operating system.

Out of Band Management Topics

Use the following topics to help you manage AMT-based computers out of band. Introduction to Out of Band Management in Configuration Manager Planning for Out of Band Management in Configuration Manager Configuring Out of Band Management in Configuration Manager Operations and Maintenance for Out of Band Management in Configuration Manager Security and Privacy for Out of Band Management in Configuration Manager Technical Reference for Out of Band Management in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager Intels application offerings on the Microsoft Pinpoint site

Introduction to Out of Band Management in Configuration Manager

Out of band management in System Center 2012 Configuration Manager provides a powerful management control for computers that have the Intel vPro chip set and a version of Intel Active Management Technology (Intel AMT) that Configuration Manager supports. Out of band management lets an administrative user connect to a computer's AMT management controller when the computer is turned off, in hibernation, or otherwise unresponsive through the operating system. In contrast, in-band management is the classic approach that Configuration Manager and its predecessors use, whereby an agent runs in the full operating system on the managed computer, and the management controller accomplishes tasks by communicating with the management agent. Out of band management supplements in-band management. While in-band management supports a wider range of operations because its environment is the full operating system, inband management might not be functional if the operating system is not present or is not operational. In these situations, by using the supplementary capabilities of out of band
2388

management, administrative users can manage these computers without requiring local access to the computer. Out of band management tasks include the following: Powering on one or many computers (for example, for maintenance on computers outside business hours). Powering off one or many computers (for example, the operating system stops responding). Restarting a nonfunctioning computer or booting from a locally connected device or known good boot image file. Re-imaging a computer by booting from a boot image file that is located on the network or by using a PXE server. Reconfiguring the BIOS settings on a selected computer (and bypassing the BIOS password if this is supported by the BIOS manufacturer). Booting to a command-based operating system to run commands, repair tools, or diagnostic applications (for example, upgrading the firmware or running a disk repair tool). Configuring scheduled software deployments to wake up computers before the computers are running.

These out of band management tasks are supported on an unauthenticated, wired connection, and an authenticated 802.1X wired connection, and wireless connection. Out of band management also has the following additional features: Auditing for selected AMT features. Support for different power states, to help conserve power consumption and adherence to IT policy. Data storage in AMT, where up to 4096 bytes in ASCII characters can be saved in the nonvolatile random access memory (NVRAM) of the management controller.

For example scenarios of how out of band management can be used, see Example Scenarios for Using Out of Band Management in Configuration Manager. Some of the preceding tasks are performed from the Configuration Manager console, while others require running the out of band management console that is supplied with Configuration Manager. Out of band management uses Windows remote management technology (WS-MAN) to connect to the AMT management controller on a computer. Note Out of band management is not supported for clients that are managed over the Internet with Internet-based client management. Configuration Manager clients that are blocked or unapproved by Configuration Manager cannot be managed out of band. The following table outlines the options and features that out of band management provides in Configuration Manager.
Feature or scenario More information

Security-based management

Out of band management integrates with an internal public key infrastructure (PKI) by using
2389

Feature or scenario

More information

the following certificates: A provisioning certificate that is installed on the out of band service point, which allows computers to be configured for out of band management. A web server certificate that is installed on the enrollment point for secured communication with the out of band service point during the provisioning process. A web server certificate that is installed on each computer that is managed out of band so that communication is authenticated and is encrypted by using Transport Layer Security (TLS). Client certificates, if required for 802.1X authentication.

For more information about these certificates, see PKI Certificate Requirements for Configuration Manager. Administrators must be authenticated by using Kerberos before they can manage computers by using the out of band management console. Out of band management activity is recorded and auditable by using an audit log on the AMT-based computers. Support for 802.1X authenticated wired networks and wireless networks: Authenticated wired 802.1X support: client authentication options of EAP-TLS or EAPTTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2. Wireless support: WPA and WPA2 security, AES or TKIP encryption, client authentication options of EAP-TLS or EAPTTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2.

AMT provisioning

Enables and configures Intel AMT-based computers that are running the Configuration Manager client. Provides hardware inventory data from the
2390

Enhanced inventory data

Feature or scenario

More information

AMT chip, such as asset tag, BIOS UUID, power state, processor, memory, and drive information. Identify AMT management controllers Identifies computers with an AMT management controller and its provisioning status. This information can be used to build querybased collections to group computers for out of band management activities, such as provisioning and power control. Power control Enables power on, power off, and restart capabilities for a single computer, selected computers, or a collection of computers. Computers can also be woken up by scheduled software deployments that have a scheduled deadline. Out of band management console A dedicated management console that is run from the Configuration Manager console, or at a command prompt, to initiate out of band management tasks, including IDE redirection and serial-over-LAN sessions. Note Capabilities might vary depending on the manufacturer of the managed computer. For example, IDE redirection and serial-over-LAN capability can be disabled by the manufacturer. IDE redirection Enables the computer to boot from a boot image file or locally connected device rather than from its disk IDE interface. This is useful for diagnosing, repairing, or imaging a hard disk drive. Serial-over-LAN technology encapsulates the data from a virtual serial port and sends it over the existing network connection that the out of band management console established. Serial-over-LAN technology lets you run a terminal emulation session for the managed computer, in which you can run commands and
2391

Serial over LAN

Feature or scenario

More information

character-based applications. For example, this might include reconfiguring the BIOS, or working in conjunction with IDE redirection, you can update the firmware or run diagnostic tools.

Extending Out of Band Management in Configuration Manager

For additional technical information to support and extend out of band management in Configuration Manager, see Intels application offerings on the Microsoft Pinpoint site.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for out of band management since Configuration Manager 2007: System Center 2012 Configuration Manager no longer supports provisioning out of band, which could be used in Configuration Manager 2007 when the Configuration Manager client was not installed, or the computer did not have an operating system installed. To provision computers for AMT in System Center 2012 Configuration Manager, they must belong to an Active Directory domain, have the System Center 2012 Configuration Manager client installed, and be assigned to a System Center 2012 Configuration Manager primary site. To provision computers for AMT, you must install the new site system role, the enrollment point, in addition to the out of band service point. You must install both these site system roles on the same primary site. There is a new account, the AMT Provisioning Removal Account, which you specify on the Out of Band Management Component Properties: Provisioning tab. When you specify this account and use the same Windows account that is specified as an AMT User Account, you can use this account to remove the AMT provisioning information, if you have to recover the site. You might also be able to use it when the client was reassigned and the AMT provisioning information was not removed on the old site. Configuration Manager no longer generates a status message to warn you that the AMT provisioning certificate is about to expire. You must check the remaining validity period yourself and ensure that you renew this certificate before it expires. AMT discovery no longer uses port TCP 16992; only port TCP 16993 is used. Port TCP 9971 is no longer used to connect the AMT management controller to the out of band service point to provision computers for AMT. The out of band service point uses HTTPS (by default, port TCP 443) to connect to the enrollment point. The WS-MAN translator is no longer supported.
2392

The maintenance task Reset AMT Computer Passwords has been removed. You no longer select individual permissions for each AMT User Account. Instead, all AMT User Accounts are automatically configured for the PT Administration (Configuration Manager 2007 SP1) or Platform Administration (Configuration Manager 2007 SP2) right, which grants permissions to all AMT features. You must specify a universal security group in the Out Of Band Management Component Properties to contain the AMT computer accounts that Configuration Manager creates during the AMT provisioning process. The site server computer no longer requires Full Control to the organizational unit (OU) that is used during AMT provisioning. Instead, it grants Read Members and Writer Members (this object only) permissions. The enrollment point rather than the primary site server computer now requires the Issue and Manage Certificates permission on the issuing certification authority (CA). This permission is required to revoke AMT certificates. As in Configuration Manager 2007, this computer account requires DCOM permissions to communicate with the issuing CA. To configure this, ensure that for Windows Server 2008, the computer account of the enrollment point site system server is a member of the security group Certificate Service DCOM Access, or, for Windows Server 2003 SP1 and later, a member of the security group CERTSVC_DCOM_ACCESS in the domain where the issuing CA resides. The certificate templates for the AMT web server certificate and the AMT 802.1X client certificate no longer use Supply in the request, and the site server computer account no longer requires permissions to the following certificate templates: For the AMT web server certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in the Out Of Band Management Component Properties. For the AMT 802.1X client certificate template: On the Subject tab, select Build from this Active Directory information, and then select Common name for the Subject name format. Clear the DNS name check box, and then select User principal name (UPN) as the alternate subject name. On the Security tab, grant Read and Enroll permissions to the universal security group that you specify in Out Of Band Management Point Component Properties.

The AMT provisioning certificate no longer requires that the private key can be exported. By default, the out of band service point checks the AMT provisioning certificate for certificate revocation. This occurs when the site system first runs, and when the AMT provisioning certificate is changed. You can disable this option in the Out Of Band Service Point Properties. You can enable or disable CRL checking for the AMT web server certificate in the out of band management console. To change the settings, click the Tools menu, and then click Options. The new setting is used when you next connect to an AMT-based computer. When a certificate for an AMT-based computer is revoked, the revocation reason is now Cease of Operation instead of Superseded.

2393

AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. When you reassign an AMT-based computer from one Configuration Manager site to another, you must first remove the AMT provisioning information, reassign the client, and then provision the client again for AMT. The security rights View management controllers and Manage management controllers in Configuration Manager 2007 are now named Provision AMT and Control AMT, respectively. The Control AMT permission is automatically added to the Remote Tools Operator security role. If an administrative user is assigned to the Remote Tools Operator security role, and you want this administrative user to provision AMT-based computers or control the AMT audit log, you must add the Provision AMT permission to this security role, or ensure that the administrative user belongs to another security role that includes this permission.

See Also
Out of Band Management in Configuration Manager

Planning for Out of Band Management in Configuration Manager

Use the following topics in this section to help you plan how to manage Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

In This Section
Prerequisites for Out of Band Management in Configuration Manager Best Practices for Out of Band Management in Configuration Manager Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer

See Also
Out of Band Management in Configuration Manager

2394

Prerequisites for Out of Band Management in Configuration Manager

Out of band management in System Center 2012 Configuration Manager has external dependencies and dependencies within the product. Important Out of band management in Configuration Manager has external dependencies on Intel Active Management Technology (Intel AMT) and on Microsoft public key infrastructure (PKI) technologies. For authoritative information about configuration or technical details about these external dependencies, see the product documentation for the related technologies. For information about Intel AMT and Intel Setup and Configuration Software, see the Intel documentation or the documentation from your computer manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. For information about Microsoft public key infrastructure (PKI) technologies, see Windows Server 2008 Active Directory Certificate Services.

Dependencies External to Configuration Manager

The following table lists the external dependencies for running out of band management.
Dependency More information

A Microsoft enterprise certification authority (CA) with certificate templates to deploy and manage the certificates required for out of band management. The issuing CA must automatically approve certificate requests from the AMT computer accounts that Configuration Manager creates in Active Directory Domain Services during the AMT provisioning process. To revoke AMT certificates, the issuing CA must be configured with the Issue and Manage Certificates permission for the server where the enrollment point site system role is installed. Important AMT cannot support CA certificates with a key length greater than 2048 bits.

The out of band service point and each desktop or laptop computer that is managed out of band must have specific PKI certificates that are managed independently from Configuration Manager. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. For step-by-step instructions, see Deploying the Certificates for AMT. The computer account for the enrollment point site system server must have DCOM permissions to revoke AMT certificates from the issuing CA. Ensure that this site system computer is a member of the security group Certificate Service DCOM Access (for Windows Server 2008) or CERTSVC_DCOM_ACCESS (for Windows Server 2003 SP1 and later) in the
2395

Dependency

More information

domain where the issuing CA resides. Desktop or laptop computers with the following configuration: Intel vPro Technology or Intel Centrino Pro Technology A supported version of Intel AMT that is configured for Enterprise mode, with the provision mode of PKI Intel HECI driver For information about the AMT versions that Configuration Manager supports, see the Out of Band Management section in the Supported Configurations for Configuration Manager topic. Download the latest HECI driver from the Intel website and consult your computer manufacturer's documentation for the Intel requirements. During the AMT provisioning process, Configuration Manager creates computer accounts in this Active Directory container or organizational unit (OU) and adds the accounts to the universal security group.

An Active Directory container and a universal security group:

The Active Directory container must be configured with the correct security permissions for the domain in which the AMT-based computers reside. If the site The site server computer requires the following manages AMT-based computers from permissions: multiple domains, the same container name For the OU that is used during the AMT and path must be used for all domains. provisioning process: Allow Create all A universal security group that contains child objects and Delete all child objects computer accounts for the AMT-based and apply to This object only. computers. For the universal security group that is used during the AMT provisioning process: Note Allow Read and Write, and apply to This You do not have to extend the Active object only. Directory schema for out of band management. For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015), and that the DHCP server dynamically updates DNS with the computer resource record. WINS cannot be used for resolving computer names, and DNS is required for all connections that are use out of band management. This includes connecting to AMT-based computers from the out of band management console, in addition to AMT provisioning. Note AMT cannot register a host record in DNS, so you must ensure that either
2396

The following network services: DHCP server with an active scope DNS servers for name resolution

Dependency

More information

DHCP or the operating system updates DNS with a host record for the AMTbased computers fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as needed. For wireless support, ensure that DNS contains records with the wireless IP address for the AMTbased computers fully qualified domain name. Site system role dependencies for the computers that will run the enrollment point and the out of band service point site system roles. Windows Remote Management (WinRM) 1.1 or later must be installed on computers that are running Windows XP if they run the out of band management console. MSXML 6.0 is required on computers that run the out of band management console. The Windows feature, Telnet Client, must be installed on computers that run Windows 7, Windows Vista, or Windows Server 2008 if the computers run the out of band management console and perform serial-over-LAN commands. Computers to be managed out of band must belong to the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point. In addition, computers must share the same namespace; disjoint namespaces are not supported. See the Prerequisites for Site System Roles section in the Supported Configurations for Configuration Manager topic. For more information about WinRM versions, see Versions of Windows Remote Management. The Setup Prerequisites checker for Configuration Manager includes the check for Microsoft MSXML 6.0. Serial over LAN uses the Telnet protocol to run a terminal emulation session for the managed computer, in which you can run commands and character-based applications. For more information, see Introduction to Out of Band Management in Configuration Manager. The following scenarios identify computers that are not supported for out of band management. AMT should be disabled on these computers: Workgroup computers. Computers that reside in a different Active Directory forest from the computers that run the out of band service point site system role and the enrollment point. Computers that reside in the same Active Directory forest as the site system servers that run the out of band service point and the enrollment point but do not share the same namespace (noncontiguous
2397

Dependency

More information

namespace). For example, an AMT-based computer with the FQDN of computer1.northwindtraders.com cannot be provisioned by the out of band service point site system with the FQDN of contoso.com, even if they belong to the same Active Directory forest. Computers that reside in the same Active Directory forest as the out of band service point site system server but have a disjoint namespacefor example, an AMT-based computer that has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com.

Intervening network devices such as routers and firewalls, and Windows Firewall if applicable, must allow the traffic associated with out of band management activity.

The following ports are used by out of band management: From the out of band service point to the enrollment point: HTTPS (by default, port TCP 443). From the out of band service point site system server to AMT management controllers for power control initiated from the Configuration Manager console and scheduled activities, provisioning, and discovery: TCP 16993. From computers running the out of band management console to AMT management controllers for all management tasks initiated from the out of band management console (including power-on commands): TCP 16993. From computers running the out of band management console to AMT management controllers for serial over LAN and IDE redirection: TCP 16995.

IPv4. Full IPsec environments are not supported.

IPv6 is not supported. Out of band management uses IPv4 only. Do not configure IPsec policies for the AMT communication between the out of band service
2398

Dependency

More information

point site system server and computers that will be managed out of band. Infrastructure support for 802.1X authenticated wired networks and wireless networks: To manage AMT-based computers out of band on an 802.1X authenticated wired network or a Authenticated wired 802.1X support: Client wireless connection, you must have a authentication options of EAP-TLS or EAP- supporting infrastructure for these environments. These networks can be TTLS/MSCHAPv2 or PEAPv0/EAPMSCHAPv2. configured by using a Microsoft RADIUS Wireless support: WPA and WPA2 security, solution, such as Network Policy Server on Windows Server 2008. Other RADIUS solutions AES or TKIP encryption, client authentication options of EAP-TLS or EAP- can be used if they are 802.1X-compliant and TTLS/MSCHAPv2 or PEAPv0/EAPsupport the configuration options listed for MSCHAPv2. authenticated wired 802.1X support and wireless support. Note For more information about Network Policy If you use client authentication Server on Windows Server 2008, see Network methods of EAP-TLS or EAPPolicy Server. TTLS/MSCHAPv2 with a client For more information about other RADIUS certificate, the RADIUS solution must solutions, see Intel vPro Expert Center: support authentication by using the Microsoft vPro Manageability. following format: domain\computer_account.

Configuration Manager Dependencies

The following table lists the dependencies within Configuration Manager for running out of band management.
Dependency More information

The primary site must be running System Center 2012 Configuration Manager and have installed the out of band service point and the enrollment point. The out of band service point must in the same Active Directory forest as the site server, and you can install only one out of band service point in each primary site. Computers that you want to manage out of band must have the Configuration Manager

Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning

How to Install Clients on Windows-Based Computers in Configuration Manager

2399

Dependency

More information

client installed and must be assigned to a primary site. Important Intel AMT-based computers that are assigned to the same Configuration Manager site must have a unique computer name, even when they belong to different domains and therefore have a unique FQDN. To configure out of band management, you must have the following security permissions: Site: Read and Modify Mobile Device Enrollment Profile: Read, Create, Modify, Meter Site, and Manage Certificates for Operating System Deployment For more information about how to configure security permissions, see Configure RoleBased Administration.

The Full Administrator security role includes these permissions. To manage computers out of band, you must have the following security permissions for the collections that contain the computers: Provision AMT: This security permission allows you to manage AMT computers from the Configuration Manager console, which includes discovering the status of AMT management controllers, provisioning computers for AMT and the auditing actions of enabling and applying audit log settings, disabling auditing, and clearing the audit log. Control AMT: This security permission allows you to view and manage computers by using the out of band management console, and initiate power control actions in the Configuration Manager console. The Remote Tools security role includes the Control AMT permission. Read and Modify Collection Setting to enable AMT provisioning for the collection. Provision AMT, Read, and Read
2400

Dependency

More information

Resource to remove provisioning information and update AMT management controllers. Reporting services point. To use Configuration Manager reports for out of band management, you must install and configure a reporting services point. For more information, see Reporting in Configuration Manager.

See Also
Planning for Out of Band Management in Configuration Manager

Best Practices for Out of Band Management in Configuration Manager

Use the following best practices information to help you manage Intel AMT-based computers by using System Center 2012 Configuration Manager.

Verify AMT capability for your Intel AMT-based computers

Conduct an inventory of Intel AMT-based computers and then for each model, search online for their system management specifications. In these specifications, look for vPro capable devices. If Intel standard manageability is listed or management is not listed these computers, the computer cannot be managed out of band by Configuration Manager. After you have confirmed that the AMT-based computers support out of band management, verify that the version of AMT is supported by System Center 2012 Configuration Manager. For more information about the AMT versions that are supported, see Supported Configurations for Configuration Manager.

Ensure that AMT is enabled in the BIOS by using a defined process

Before Configuration Manager can provision an Intel AMT-based computer for out of band management, the BIOS must be configured such that AMT is enabled. You can request this

2401

configuration from your computer manufacture. Or, you can use your own internal processes to ensure that computers are configured appropriately before they are made available to users.

Define a process for laptop computers to connect to a wired Ethernet connection during the AMT provisioning period
Laptop computers must be connected to a wired Ethernet connection before they can be provisioned for AMT. Define a process so that laptop users connect their AMT-based computers to a wired Ethernet network when you plan to provision them for AMT. For example, you might create separate collections for these AMT-based laptops and email the users to inform them when their laptops must be connected to the wired Ethernet network. Then monitor the AMT provisioning process and email these users to confirm when AMT provisioning is complete for their laptop. Contact the users when their laptops fail to provision for AMT and confirm connectivity to the wired Ethernet network during a defined period.

Review the available management tasks for AMTbased computers and train your help desk
For a list of out of band management tasks that Configuration Manager supports, see Introduction to Out of Band Management in Configuration Manager. For some example scenarios for how you might use out of band management, see Example Scenarios for Using Out of Band Management in Configuration Manager. Ensure that your help desk is trained how to manage computers out of band to support your selected scenarios.

Plan ahead before you rename computers that are provisioned for AMT
If you will rename AMT-based computers or reinstall the operating system on these computers and specify a different FQDN, plan ahead so that you can remove AMT provisioning information from these computers before you rename or reinstall them. Then provision them for AMT again after the rename or reinstallation of the operation system is complete. For more information about this scenario, see the Renaming AMT-Based Computers and Domain Changes section in the How to Manage AMT Provisioning Information in Configuration Manager topic.

See Also
Planning for Out of Band Management in Configuration Manager
2402

Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer
Before you purchase the computers that you want to manage out of band by using System Center 2012 Configuration Manager, decide whether you require a customized firmware image from your computer manufacturer. Computers that can be managed out of band have BIOS extensions that can include options such as enabling serial over LAN and IDE redirection and set values such as a certificate thumbprint of a root certification authority that is used during the AMT provisioning process. Check which BIOS extension settings are available from your computer manufacturer, and then decide whether you require a customized image to enable or disable options and specify your choice of values. Some typical examples for requiring customized firmware image include the following: You want to specify an alternative external certification authority to issue the AMT provisioning certificate, or you want to use your own internal certification authority to issue the AMT provisioning certificate. Note If you want to use your own internal certification authority, you have to supply the certificate thumbprint of your root certification authority. The default firmware image enables serial over LAN and IDE redirection, but to comply with your internal security policies, computers on your company network cannot support these highly privileged management options. For more information about serial over LAN and IDE redirection, see Introduction to Out of Band Management in Configuration Manager. The default firmware image does not enable bypassing the BIOS password, and you want to be able to use this option when powering on or restarting computers out of band with the out of band management console. You want your AMT-based computers to use a MEBx password that is different from the default value of admin.

If you think you might benefit from a customized firmware image, discuss the available BIOS extensions with your computer manufacturer or supplier.

See Also
Planning for Out of Band Management in Configuration Manager

2403

Configuring Out of Band Management in Configuration Manager

Use the following topics in this section to help you configure System Center 2012 Configuration Manager to manage Intel AMT-based computers out of band:

In This Section
Administrator Checklist: Out of Band Management in Configuration Manager How to Provision and Configure AMT-Based Computers in Configuration Manager How to Manage AMT Provisioning Information in Configuration Manager

See Also
Out of Band Management in Configuration Manager

Administrator Checklist: Out of Band Management in Configuration Manager

Use the following checklist to help you configure out of band management in System Center 2012 Configuration Manager.
Step Reference

Check the prerequisites for using out of band management with Configuration Manager, and make any required changes to your network infrastructure and computers. Ensure that the appropriate public key infrastructure (PKI) certificates are in place. Configure AMT provisioning. If you have configured AMT auditing, enable auditing on selected Intel AMT-based computers and manage the audit log entries.

Prerequisites for Out of Band Management in Configuration Manager

PKI Certificate Requirements for Configuration Manager How to Provision and Configure AMT-Based Computers in Configuration Manager How to Manage the Audit Log for AMT-Based Computers in Configuration Manager

2404

See Also
Configuring Out of Band Management in Configuration Manager

How to Provision and Configure AMT-Based Computers in Configuration Manager

Before you can manage Intel AMT-based-computers out of band in System Center 2012 Configuration Manager, you must provision them after the Configuration Manager client is installed. AMT provisioning requires Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and out of band service point site system roles. During and after the provisioning process, public key infrastructure (PKI) certificates secure the communication between the AMT-based computers and the Configuration Manager site. Use the following steps and the supplemental procedures in this topic to provision and configure AMT-based computers for out of band management. This information includes the optional configuration to manage AMT-based computers out of band when these computers are connected to an authenticated wired network or a wireless network. You can also configure these optional settings after the AMT-based computer is provisioned, and then update the AMT management controller.

Steps to Provision and Configure AMT-based Computers

Use the following table for the steps, details, and more information about how to provision and configure AMT-based computers. Important Before you perform these steps, ensure that you have all the prerequisites to provision and configure AMT-based computers. For more information, see Prerequisites for Out of Band Management in Configuration Manager. If you manage AMT-based computers on 801.1X and wireless networks, check the configuration of your RADIUS server so that you know which 802.1X settings to configure for AMT. Additionally, when the AMT-based computer host is configured for wireless networking, either natively in the operating system or by using another solution, ensure that the settings that you specify in the out of band management wireless profile for the Network name (SSID), Security type, and Encryption method match the configuration of your host wireless configuration.

2405

Steps

Details

More information

Step 1: Prepare Active Directory Domain Services by creating security groups and an organization unit (OU).

Create two security groups: A security group that contains the computer accounts of the primary site servers. A universal security group that will contain accounts for the provisioned AMTbased computers. Grant the first security group the following security permissions to This object only: Read Members and Writer Members.

For more information about how to create security groups and OUs, see the Active Directory documentation.

Create an OU in each domain that will contain AMT-based computers. Grant the first security group the following security permissions to This object only: Create Computer Objects and Delete Computer Objects. Step 2: Confirm DHCP configuration. Ensure that you have an active scope and configure the following DHCP options: 006 (DNS Servers) 015 (DNS Domain Name) For more information about how to configure DHCP, see the DHCP documentation.

Additionally, ensure that the DHCP server is configured to dynamically update DNS with the computer resource records. Step 3: Create and issue the PKI certificates. Ensure that you have configured the following: The web server certificate for the enrollment point. The AMT provisioning certificate. The AMT web server certificate template. For wireless management To configure the web server certificate for the enrollment point, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server
2406

Steps

Details

More information

only: The AMT client authentication certificate template.

2008 Certification Authority topic. To configure the certificates for AMT, see the Deploying the Certificates for AMT section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. See the following procedure Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning in this topic. See the following procedure Step 5: Configuring the Out of Band Management Component in this topic.

Step 4: Configure the site system roles for AMT.

Install and configure the following site system roles: The enrollment point. The out of band service point.

Step 5: Configure the out of band management component.

Specify settings such as the OU and security group that you configured in step 1, the certificate templates that you configured in step 3, and AMT User Accounts if you want to run the out of band management console. Powering on computers by using out of band management allows computers assigned to the site to come out of hibernation so that they can respond to scheduled management tasks. If necessary, create a new collection to contain the AMTbased computers that you want to provision. Optional but recommended: Add the AMT Status to the Configuration Manager console.

Step 6: Optional: Configure the site to send power on commands for scheduled wake-up activities.

See the following procedure Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities in this topic.

Step 7: Display the AMT Status and enable AMT provisioning.

See the following procedure Step 7: Displaying the AMT Status and Enabling AMT provisioning in this topic.

2407

Steps

Details

More information

Select Enable AMT provisioning for AMT-based computers in the collection properties. Step 8: Monitor the AMT provisioning process. When the Configuration Manager client next downloads client policy, it sends a provisioning request to the out of band service point. If provisioning fails, it automatically retries according to the provisioning schedule that is configured in the out of band management component properties. See the following procedure Step 8: Monitoring AMT Provisioning in this topic.

Supplemental Procedures to Provision and Configure AMT-based Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 4: Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning
These procedures configure the site system roles for AMT provisioning. Choose one of these procedures according to whether you install a new site system server for AMT provisioning or use an existing site system server: To install and configure the AMT provisioning site systems: New site system server To install and configure the AMT provisioning site systems: Existing site system server To install and configure the AMT provisioning site systems: New site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles 3. On the Home tab, in the Create group, click Create Site System Server. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the System Role Selection page, select Out of band service point and Enrollment
2408

point from the list of available roles, and then click Next. Note The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site. 6. On the Out of band service point page, do not change the default settings for the scheduled power Power on commands unless you have to fine-tune these for your network infrastructure. Click Next. 7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type in the certificate thumbprint. 8. Decide whether you have to clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next. Note Although the option to check the certificate revocation list (CRL) is more secure, if the out of band service point cannot access the CRL when you enable this option, the out of band service point does not provision computers for AMT. If your AMT provisioning certificate is from an external CA, the out of band service point must have direct Internet access when you enable CRL checking, because this option does not support web proxy access. 9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you must change them for your environment. Click Next. 10. Complete the wizard. To install and configure the AMT provisioning site systems: Existing site system server 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use for AMT provisioning. 3. On the Home tab, in the Create group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the System Role Selection page, select Out of band service point and Enrollment point from the list of available roles, and then click Next. Note The roles are not available for secondary sites. In addition, the out of band service point cannot be installed on more than one site system in the primary site. 6. On the Out of band service point page, do not change the default settings for the scheduled power on commands unless you have to fine-tune these for your network infrastructure. Click Next.
2409

7. On the AMT Provisioning Certificate page, click Browse to select the AMT provisioning certificate that you created in step 3 in the preceding table. Or, type the certificate thumbprint. 8. Decide whether you must clear the Enable CRL checking for the AMT provisioning certificate check box, and then click Next. Note Although the option to check the CRL is more secure, if the out of band service point is unable to access the CRL, AMT provisioning will fail. If your AMT provisioning certificate is from an external CA, the out of band service point must have Internet access. 9. On the Enrollment Point Settings page, review the settings. Keep the default settings unless you need to change them for your environment. Click Next. 10. Complete the wizard.

Step 5: Configuring the Out of Band Management Component

This procedure configures the out of band management component. To configure the Out of Band Management component 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration and then click Sites. 3. On the Home tab, in the Settings group, click Configure Site Components, and then click Out of Band Management. 4. Select the enrollment point that you configured in the preceding procedure. 5. Specify the OU and then the universal group that you configured in step 1 in the preceding table. 6. Specify the AMT web server certificate that you configured in step 3 in the preceding table. 7. Decide whether to clear the check box for CRL checking. Note When this option is selected, computers that manage AMT-based computers out of band must be able to check the CRL for the AMT web server certificate before they can make a successful connection. By default, the CRL is published on the issuing CA. Although checking the CRL is more secure, if the CRL is not available, the connection fails. Computers that manage AMT-based computers include the site server and computers that run the out of band management console. 8. Click Set to specify a strong password for the account in the Management Engine BIOS extension (MEBx) that is used for the initial authenticated access to manage AMT-based computers.

2410

Note The password is case sensitive and must be at least 8 characters, with a maximum of 32 characters, together with at least one each of an uppercase, a lowercase, a numeric, and a symbol character. Symbol characters include ! @ # $ % ^ & * and exclude : (colon) (double quotes) _ (underscore). 9. Click the AMT Settings tab. 10. Click the New icon to specify AMT User Accounts that will run the out of band management console. As a best practice, specify security groups rather than individual user accounts. 11. Decide whether you must change the default manageability setting of Always on to Host is on. Note The setting Host is on can help to save power consumption for when the AMTbased computer is in standby or the operating system is shut down. It might also be required by your company policy. However, if you select Host is on and the AMT-based computer is in a power state that does not allow out of band communication, the AMT-based computer does not respond to out of band communication. In this scenario, there is no indication that you cannot connect to the AMT-based computer because it is configured for a power state that does not support manageability. 12. Click Advanced settings and decide whether to change any of the default settings, and then click OK. Note More information about the advanced settings: Enable web interface: Enables or disables the ability for the AMT-based computer to display firmware information in the AMT Web browser. This option is not enabled by default. Enable serial over LAN and IDE redirection: Enables or disables the options for serial over LAN and IDE redirection on the AMT-based computer. This option is enabled by default. Allow ping responses: Enables or disables the AMT management controller to respond to network ping requests when it is sent ICMP datagrams. This option is not enabled by default. Enable BIOS password bypass for power on and restart commands: Enables or disables the ability to bypass a BIOS prompt for a configured password when powering on an AMT-based computer or restarting it. By default, this option is enabled. Kerberos clock tolerance (minutes): Specifies the allowed clock tolerance between the management controller and the timestamp in received messages. Having a shorter value helps eliminate replay attacks, but too short a value might result in valid connections being rejected. The default setting is 5 minutes.
2411

13. Click Audit Log Settings. Review the AMT features to audit, decide whether to change any of the default settings, and then click OK. Note Selecting the features to audit does not enable auditing. You can enable auditing on selected AMT-based computers after they are provisioned. For more information, see To enable auditing and update audit settings on AMT-based computers. 14. Click the Provisioning tab. 15. If you have to specify an AMT Discovery and Provisioning Account, click the New icon specify one or more accounts. Note Specify an AMT Provisioning and Discovery Account if any one of the following conditions applies: The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with a customized MEBx password. (It is not admin.) When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that was provided by the manufacturer. The AMT-based computer has never been provisioned, and your manufacturer delivered the computer with the default MEBx password of admin, but you have configured the MEBx password in the computers BIOS extensions. When this is the case, add an AMT Provisioning and Discovery Account named admin and specify the password that you configured in the BIOS extensions. The AMT-based computer has been previously provisioned by another AMT management solution, and the provisioning information has been partially removed (either by that management solution or by locally configuring the BIOS extensions). When this is the case, and you want to discover or provision these computers by using Configuration Manager, add an AMT Provisioning and Discovery Account named admin and specify the password for the AMT Remote Admin Account that was configured by the other management solution. to

16. Configure the AMT provisioning schedule. 17. Click Set to specify the AMT Provisioning Removal Account. Specify a Windows account that is specified as an AMT User Account in step 10. You must also add this account to the local Administrators group on the out of band service point computer. Note If you must recover the site, you can use this account to remove the AMT provisioning information from computers, and then reprovision them. For more information about how to remove AMT provisioning information, see How to Remove AMT Information. 18. If you want to manage AMT-based computers when they are connected to authenticated wired and wireless 802.1X networks, click the 802.1X and Wireless tab; otherwise, click OK to close the Out of Band Management Component Properties dialog box.
2412

19. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Configure. 20. In the 802.1X Wired Network Access Control dialog box, click Select to select the Trusted root certificate. 21. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK: To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list. To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

22. In the drop-down box, select the client authentication method to use. 23. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication. 24. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK. 25. If you do not have to configure wireless settings, click OK to close the Out of Band Management Component Properties dialog box. 26. To create and configure a wireless profile, click the New icon . 27. In the Wireless Profile dialog box, type a display name for the Profile name. 28. Type the name of the wireless network in the Network name (SSID). 29. Specify the security type in the Security type box. 30. Specify the encryption method in the Encryption method box. 31. Click Select to specify the trusted root certificate for the RADIUS server. 32. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by using one of the following methods, and then click OK: To specify the trusted root certificate by selecting an enterprise CA from the forest, ensure that From certification authority (CA) is selected, and select the CA from the list. To specify the trusted root certificate by selecting a DER encoded binary X.509 (.cer) or base-64 encoded X.509 (.cer) file that contains the exported trusted root certificate, click From file, click Browse, select the .cer file, and then click Open.

33. In the drop-down box, select the client authentication method to use. 34. If you selected the client authentication method of EAP-TTLS/MSCHAPv2 or PEAPv0/EAP-MSCHAPv2, click Use client certificate if you also want to use a client certificate for authentication. 35. If Use client certificate is selected, click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template that you created in step 3 in the preceding table, and then click OK.
2413

36. Create additional wireless profiles as required. 37. To change the order of the wireless profiles, select a wireless profile, and then click the Move Item Down icon or Move Item Up icon . The AMT-based computers try each wireless profile in turn until a connection is successfully made, and they continue to use this profile for the duration of the connection. 38. If you must change the settings of a wireless profile, select the wireless profile, and then click the Properties icon . 39. Click OK to close the Out of Band Management Component Properties dialog box.

Step 6: Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities
This procedure enables the primary site server to send power on commands to AMT-based computers when they have scheduled deployments and these computers are in hibernation or are turned off. To configure the site to send power on commands for scheduled wake-up activities 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure. 3. On the Home tab, click Properties, and then click the Wake On LAN tab. 4. Select the Enable Wake On LAN for this site check box, and then select one of the following options: Use AMT power on commands if the computer supports this technology; otherwise, use wake-up packets Use AMT power on commands only Warning After configuring the wake-up option for the site, all deployments that are configured for Wake On LAN use the same setting. You cannot configure which deployments to use on an individual basis; for example, you cannot configure only software update deployments to use wake-up packets only or a specific task sequence to use power Power on commands only. 5. Click OK. Note Because of the additional overhead involved in establishing, maintaining, and terminating an out of band management session, conduct your own tests so that you can accurately judge how long it takes to wake up multiple computers by using AMT power on commands in your environment, for example, across slow WAN links to computers in secondary sites. This knowledge helps you determine whether waking up multiple computers for scheduled activities by using power on commands with out of band
2414

communication is practical when you have a high number of computers to wake up within a short period of time.

Step 7: Displaying the AMT Status and Enabling AMT provisioning

This procedure adds the AMT Status column to the Configuration Manager console and enables AMT provisioning. To display the AMT status column in the Configuration Manager console and enable AMT provisioning for a collection 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Devices, and select the device collection that contains the AMT-based computers. 3. In the results pane, right-click any column title, and select AMT Status. 4. On the Home tab, in the Collection group, click Manage out of Band, and then click Discover AMT Status. Click OK to confirm the action. 5. On the Home tab, click Properties. 6. In the collection properties dialog box, click the Out of Band Management tab. 7. Select Enable provisioning for AMT-based computers, and then click OK. 8. If you have configured out of band management for 802.1X authenticated wired connections or 802.1X wireless connections: Ensure that one of the following network connections are in operation for the AMT-based computers: The computer is connected to an Ethernet port on which 802.1X authentication is not required. The computer is connected to an 802.1X authenticated network through the operating system.

In addition, for out of band management on wireless networks, check that your DNS servers have a host record for the AMT-based computer, which contains the wireless IP address. AMT cannot register a host record in DNS, so you must ensure that either DHCP or the operating system on the host computer updates DNS so that the wireless IP address of the AMT-based computers can be resolved to its fully qualified domain name (FQDN). Alternatively, you can manually create these records in DNS as required.

Step 8: Monitoring AMT Provisioning

Although you can manually discover the current status by using the Discover AMT Status option, the value also updates automatically after the AMT provisioning process. Monitor the AMT status by using any of the following methods: View the AMT Status column in the Configuration Manager console. Create query-based collections by using the AMT Status value. View the report Computers with out of band management controllers.
2415

For more information about the AMT status, see About the AMT Status and Out of Band Management in Configuration Manager.

How to Verify That Computers are Provisioned for 802.1X Network Connections
Because the settings for 802.1X are applied after the AMT-based computer is provisioned on an unauthenticated Ethernet connection, the AMT Status of Provisioned does not confirm that the computer can be managed out of band on a wireless or wired 802.1X network connection. Use the following procedure to verify that the settings for 802.1X are successfully applied. To verify whether AMT-based computers are configured for authenticated wired and wireless network connections 1. On the out of band service point, locate and open the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log. 2. Search for one of the following text strings, where <wireless_profile> is the specified name of the wireless profile: To confirm that the authenticated wired settings were successfully configured, search for Begin to set Wired 8021x Profile..., and then Set Wired 8021x Profile Success.... To confirm that the wireless profile settings were successfully configured, search for Set wireless profile: <wireless_profile>, and then Successfully add wireless profile <wireless_profile>. To identify a failure in configuring a wireless profile because a specified configuration element failed (for example, a client certificate was specified but could not be issued), search for Set wireless profile: <wireless_profile>, the reason for the failure (for example, No client Certificate), and then The wireless profile: <wireless_profile> is invaid. Skip adding.... To identify a failure in updating wireless profiles because the AMT-based computer is currently on a wireless connection, search for The wireless connection is active, skip setting wifi profiles.

3. Close the log file and take corrective action if the settings were not successfully applied.

See Also
Configuring Out of Band Management in Configuration Manager

2416

How to Manage AMT Provisioning Information in Configuration Manager

After you have provisioned Intel AMT-based computers for System Center 2012 Configuration Manager, you might have to update the AMT settings or remove the provisioning data. Use the following sections to manage the AMT provisioning information on AMT-based computers: How to Update Computers for New AMT Settings How to Remove AMT Information

How to Update Computers for New AMT Settings

After AMT-based computers are provisioned by Configuration Manager, you must update their AMT management controller if you change any of the AMT settings or configurations. For example, you might want to add support for wireless networks after a successful trial period on the Ethernet. Computers that are already provisioned for AMT are not automatically reconfigured. Note If you manage AMT-based computers on 802.1X authenticated wired or wireless networks, you can update the AMT management controllers when the computers are connected to these networks, with the exception of settings in a wireless profile that is currently in use. To update computers for new AMT settings 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, locate, and then select the AMT-based computers to update. 3. On the Home tab, in the Device group, click Manage Out of Band, click Update AMT Provisioning Data, and then click OK.

How to Remove AMT Information

You might have to remove the AMT provisioning information because you no longer want the computer managed out of band by Configuration Manager. Or, you no longer trust the computer and decide that its associated certificates and Active Directory account should no longer be available. Another scenario is if you rename a computer that is already provisioned for AMT by Configuration Manager or move the computer to another domain, or you want to reassign the computer to another Configuration Manager site. Warning
2417

For more information about renaming or moving AMT-based computers, see Renaming AMT-Based Computers and Domain Changes in this topic. For more information about how to reassig AMT-based computers, see Reassigning AMT-Based Computers to Another Configuration Manager Site in this topic. You have the following options when you use Configuration Manager to remove provisioning information from an AMT-based computer: You can remove the configuration data for the management controller including whether IDE redirection and serial over LAN are enabled, network pings are supported, and the web interface is enabled, but keep identification information about the computer including its host name, IP address, and DNS suffix. You can remove both the configuration data and the identification information from the computer. The primary site server revokes the certificate that was issued to the AMT-based computer when it was provisioned. The revocation reason is Cease of Operation. The primary site server removes the Active Directory objects that were created during AMT provisioning: The object published to the organizational unit (OU) and the computer account added to the universal security group. The primary site server deletes the service principal name (SPN) for the AMT-based computer.

Additionally, the following actions are performed when you remove provisioning information:

By default, AMT-based computers automatically reprovision with Configuration Manager if they are in a collection that is configured for the option Enable AMT provisioning. To prevent automatic provisioning, select the option Disable automatic provisioning when you remove provisioning information for the computer. Note If you disable automatic reprovisioning and later want to automatically provision these AMT-based computers, right-click the resource, click Manage Out of Band, and then click Enable Automatic AMT Provisioning. If you reassign the client to another Configuration Manager hierarchy that is configured for AMT provisioning, the automatic AMT provisioning status Disabled is not carried forward to the new hierarchy. Use the following procedure to remove provisioning information for an AMT-based computer if you no longer want to manage it out of band with Configuration Manager. After you complete the procedure, to confirm that this action is successful, check that the AMT status for the computer changes from Provisioned to Not Provisioned. This check is particularly important if you are removing the provisioning information because the AMT-based computer is no longer trusted. If the status remains as Provisioned, you must manually delete the associated AMT account in Active Directory Domain Services and manually revoke any out of band management certificates that have been issued to the computer. Important

2418

If the AMT audit log is enabled on the AMT-based computer, clear the log before you remove the AMT provisioning information. For more information, see To clear the audit log on AMT-based computers. To remove AMT provisioning information 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, locate and select the AMT-based computers to update. 3. On the Home tab, in the Device group, click Manage Out of Band, and then click Remove AMT Provisioning Data. 4. Select a data removal option. 5. If you want to prevent the AMT-based computer from automatically reprovisioning, select Disable automatic provisioning. 6. If you are removing the AMT provisioning information because you have recovered the site, select Use AMT Provisioning Removal Account. You might also be able to use this account if you have reassigned the AMT-based computer from another site and did not remove the provisioning information in the original site. For example, this might apply if you are migrating from Configuration Manager 2007. Note To successfully remove the AMT provisioning information by using the AMT Provisioning Removal Account, the following must be true: The AMT Provisioning Removal Account is configured in the out of band management component properties. If this account is not configured, the option to select this account is not available. The account that is configured for the AMT Provisioning Removal Account was configured as an AMT User Account in the out of band management component properties when the AMT-based computer was provisioned or updated. The account that is configured for the AMT Provisioning Removal Account is a member of the local Administrators group on the out of band service point computer. The AMT auditing log does not contain any data. When the AMT Status for the selected AMT-based computer is Detected rather than Provisioned, this option is always selected when the AMT Provisioning Removal Account is configured because in this scenario, you must use the AMT Provisioning Removal Account. 7. Click OK.

Renaming AMT-Based Computers and Domain Changes

If you rename a computer that Configuration Manager already provisioned for AMT or move the computer to another domain, you must remove all the provisioning information from the AMTbased computer, and then provision the computer again. You can remove the provisioning
2419

information either before renaming or moving the computer or after renaming or moving the computer. However, do not provision the computer again until the name change or domain move is completed. If you fail to perform these procedures, the AMT-based computer cannot be managed out of band after the change of name or domain move. When you remove the provisioning information, select the option to remove both configuration data and identification information from the management controller; and select the Disable automatic provisioning option and re-enable it after the name change or domain move has taken place.

Reassigning AMT-Based Computers to Another Configuration Manager Site

If you reassign an AMT-based computer to another Configuration Manager site, you must remove the AMT provisioning information and then provision the computer again in the new site. Until you do this, you cannot connect to the AMT-based computer in the new site. In this scenario, the AMT Status displays Detected. As a best practice, use the preceding procedure in this topic to remove the provisioning information while the computer is in the original site. If this is not possible, you can manually remove the provisioning information by configuring the BIOS extensions. Alternatively, if one of the AMT User Accounts on the AMT-based computer is configured for a Windows account that is configured as the AMT Provisioning Removal Account in the new site, you can remove the provisioning information after the Configuration Manager client is assigned to the new site.

See Also
Configuring Out of Band Management in Configuration Manager

Operations and Maintenance for Out of Band Management in Configuration Manager

Use the following topics in this section to help you perform operations and maintenance tasks that manage Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

In This Section
How to Manage the Audit Log for AMT-Based Computers in Configuration Manager How to Manage AMT-based Computers Out of Band in Configuration Manager How to Monitor Out of Band Management in Configuration Manager

2420

See Also
Out of Band Management in Configuration Manager

How to Manage AMT-based Computers Out of Band in Configuration Manager

After you have provisioned Intel AMT-based computers for System Center 2012 Configuration Manager, you can manage them by using the following procedures: How to Run the Out of Band Management Console How to Power off Computers How to Power on and Restart Computers How to Configure BIOS Settings for a Computer How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer

You can also block an Intel AMT-based computer if you no longer trust the computer. However, after you block an AMT-based computer that is provisioned by Configuration Manager, you cannot manage it out of band any longer. For more information, see Blocking AMT-Based Computers.

How to Run the Out of Band Management Console

You can use the out of band management console to connect to an AMT-based computer to manage it even if the operating system is not responding, or if the computer is turned off. You can run multiple out of band management consoles to connect to different AMT-based computers at the same time. However, an AMT-based computer cannot be managed by more than one out of band management console at the same time. In this scenario, the second and subsequent connections fail to restart the computer or to establish a serial connection. The computer must be provisioned for AMT before you can connect to it by using the out of band management console, and you must be logged on by using one of the AMT User Accounts that you specified in the Out of Band Management Component Properties dialog box. Log on by using one of the AMT User Accounts that you specified in the Out of Band Management Component Properties dialog box, and then use one of the following procedures to run the out of band management console. To run the out of band management console from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select the computer that you want to manage by using the out of band management console, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Out of Band Management Console.
2421

Note The Out of Band Management Console option is available for a resource only if it is provisioned for AMT. 4. When you have completed your out of band management tasks for the currently selected computer, you can leave the console running and connected, or perform one of the following actions: Click File, and then click Exit to disconnect from the computer and exit the out of band management console. Click Connection, and then click Disconnect so that you can reconnect to the same computer later.

To run the out of band management console at the command prompt 1. At the command prompt, type: <ConfigMgrInstallPath>\bin\oobconsole.exe -s <siteserver> -t <resourceID> Note If you are running the out of band management console outside the client's assigned site, specify the site server in the client's assigned site. 2. When you have completed your out of band management tasks for the currently selected computer, you can leave the console running and connected or perform one of the following actions: Click File, and then click Exit to disconnect from the computer and exit the out of band management console. Click Connection, and then click Disconnect so that you can reconnect to the same computer later.

How to Run the Intel AMT Web Console

You can use the Intel AMT web console as an alternative to running the out of band management console. For more information about this web console, see the Intel documentation. Note To support the AMT web console on computers, in the Out of Band Management Component Properties dialog box, on the AMT Settings tab, select the option Enable Web interface. Use the following procedure to manage computers by using the Intel AMT web console. To manage computers by using the Intel AMT web console 1. Open a web browser. In the address bar, type: https://<FQDN_of_computer>:16993 Note If your web browser uses a proxy web server, you might have to configure the
2422

computer's FQDN as an exception in your web browser so that the connection does not use the proxy web server for this connection on the intranet. 2. Click Log On, and supply an AMT User Account and credentials. 3. When you have finished using the AMT web console, close the web browser.

How to Power off Computers

You can power off a single computer or multiple computers in a selected collection, or power off all computers in a collection. This power control action is available from the Configuration Manager console and from the out of band management console. Caution When you power off a computer, this action should be performed as a last resort in a troubleshooting scenario where the operating system is not responding. To power off a computer has the same effect as removing the power cable from the computer: the operating system does not shut down correctly, unsaved work is lost, and logged-on users are not notified of the power off action. Use the following procedures to power off one or more computers. To power off individual computers from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple computers to power off, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is available for a resource only if it is provisioned for AMT. 4. In the Power Control dialog box, select Power off, and then click OK to confirm the action. To power off a single computer by using the out of band management console 1. Connect to the resource by using the out of band management console. 2. Click Power Control, click Power Off, and then click Yes to confirm the action. To power off all computers in a collection from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select a collection that contains the computers to power off, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control.

2423

Note The Power Control option is always available for a collection, even if the collection contains resources that are not provisioned for AMT. Configuration Manager sends power control actions only to the computers that are provisioned for AMT. 4. In the Power Control dialog box, select Power off, and then click Yes to confirm the action.

How to Power on and Restart Computers

You can power on or restart a single computer or multiple computers in a selected collection, or power on or restart all computers in a collection. The power-on and restart power control actions are available from the Configuration Manager console and the out of band management console. When you power on or restart a computer by using the out of band management console, you can also select the boot action to perform when the computer has powered on or restarted. The boot options available depend on what the computer supports, but typically include the following: Boot normally Boot from local CD or DVD drive Boot from local hard drive Boot from IDE redirection location Boot from the network Boot to BIOS Note If you power on or restart a computer that has a BIOS password configured, by default, the computer waits for the password to be entered until after the computer has powered on or restarted. If the computer supports bypassing the BIOS password for AMT management (this setting is manufacturer-dependent), selecting the option Enable BIOS password bypass in the Out of Band Management Component Properties dialog box on the AMT Settings tab or in the out of band management console enables the computer to start after the power on or restart action is performed. Additionally, you can power on a computer before the configured deadline for a software deployment. When you power on a computer by using the Configuration Manager console and when power on commands are sent to wake up computers for scheduled activities, the packets are always sent from the out of band service point. When you power on a computer by using the out of band management console, the packets are sent from the computer that is running the out of band management console. When the targeted computer is connected by a WAN link with the out of band service point, consider using the out of band management console from a computer that is local to the targeted computer to avoid traffic across the WAN. Caution
2424

Consider the restart of a computer to be a last resort in a troubleshooting scenario where the operating system is not responding. Restarting a computer has the same effect as pressing the Restart button: the operating system does not shut down correctly, unsaved work is lost, and logged-on users are not notified of the restart action. Use the following procedures to power on or restart a computer. To power on or restart individual computers from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple computers to power on or restart, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is available for a resource only if it is provisioned for AMT. 4. In the Power Control dialog box, select Power on if the computer is turned off or Restart Computer if the computer is running, and then click OK. To power on or restart all computers in a collection from the Configuration Manager console 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select a collection that contains computers to power on or restart, and then on the Home tab, in the Device group, click Manage Out of Band, and then click Power Control. Note The Power Control option is always available for a collection, even if the collection contains resources that are not provisioned for AMT. Configuration Manager sends power control actions only to the computers that are provisioned for AMT. 4. In the Power Control dialog box, select Power on if computers are turned off or Restart Computer if the computers are running, and then click OK. To power on or restart a single computer by using the out of band management console 1. Connect to the resource by using the out of band management console. 2. Click Power Control. 3. If you want the computer to use a boot option that is different from its default configuration after it has powered on or restarted, select it from the Boot option list. 4. If you select a boot option that uses IDE redirection, click Boot from local drive or Boot from file, and ensure that the default value associated with the option specified is correct for the computer. If you want to use another value, click the drop-down menu for the local drive, or click Browse to select the path and file name that contains the image file that
2425

you want to use. IDE paths must use ASCII characters only. Note To use the Boot from local drive and Boot from file options, the option Enable serial over LAN and IDE redirection must be selected in the Out of Band Management Properties dialog box on the AMT Settings tab. 5. Optionally, select Bypass BIOS password and Lock remote keyboard if required and if these options are supported by the AMT-based computer. 6. Click Power On if the computer is turned off, or click Restart Computer if the computer is running. To power on computers before the configured deadline for a software deployment 1. Ensure that the site is configured to send power-on commands for scheduled wake-up activities. For more information, see Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities. 2. Configure the scheduled deployment for wake-up packets.

How to Configure BIOS Settings for a Computer

You can remotely view and change BIOS settings of an AMT-based computer when you have selected the option Allow serial over LAN and IDE-Redirect for AMT devices in the Out of Band Management Component Properties dialog box on the AMT Settings tab. This out of band management option uses serial-over-LAN technology and runs a terminal emulation session within the out of band management console so that you can remotely view and interact with the computer output. Use the following procedure to run a serial over LAN connection to a computer so that you can remotely view and modify BIOS settings. To configure BIOS settings for a computer 1. Connect to the resource by using the out of band management console. 2. If you have to change the default terminal emulation type from PC ANSI to VT-100 to match the terminal emulation settings in the targeted computer's BIOS, click Tools, click Options, select VT-100, and then click OK. 3. Click Serial Connection. 4. Click the Open Serial-over-LAN button, and then click Yes to acknowledge the warning about disconnecting a wireless connection. Wait for the BIOS Setup menu to display. 5. Click Power Control, and from the displayed list of options for Boot Option, select the option that refers to BIOS Setup. 6. Click Power On if the power state of the computer is off, or click Restart Computer if the power state of the computer is on. 7. Click inside the blank window to activate the remote display session.
2426

8. View or change the BIOS settings, and then save them as required. When you have completed BIOS setup, and select the option to save the settings, the computer automatically restarts. Note Refer to your computer manufacturer's documentation for more information about configuring the BIOS settings. 9. If you have finished managing the computer, choose one of the following options: To disconnect from the computer and close the out of band management console, click File, and then click Exit. To disconnect from the computer but leave the out of band management console running so that you can reconnect to it later, click File, and then click Disconnect.

How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer
You can remotely run commands, repair tools, and diagnostic applications for an AMT-based computer when both of the following conditions apply: The files or commands to run character-based tools or applications, which can be located from a network share or are locally available to the computer. (For example, they have been installed onto the local hard drive by using Configuration Manager application management.) A boot image that runs a character-based operating system. Note To use this option, in the Out of Band Management Component Properties dialog box on the AMT Settings tab, select the Enable serial over LAN and IDE redirection advanced setting. This out of band management option uses serial-over-LAN technology and runs a terminal emulation session from within the out of band management console so that you can remotely view and interact with the computer output. Although it is possible to remotely run graphics-based applications, the output will not be visible in the out of band management console. Run graphics-based applications only if you can run them completely automated. For example, you can reinstall an operating system if you also specify an unattended setup file so that no interaction is required for completion. Use the following procedure to remotely run commands, repair tools, or diagnostic applications on a computer. To remotely run commands, repair tools, or diagnostic applications on a computer 1. Connect to the resource by using the out of band management console. 2. If you have to change the default terminal emulation type from PC ANSI to VT-100 to match the terminal emulation settings in the targeted computer's BIOS, click Tools, click Options, select VT-100, and then click OK.
2427

3. Click Serial Connection. 4. Click the Open Serial-over-LAN button, and then click Yes to acknowledge the warning about disconnecting a wireless connection. Wait for the computer to complete startup, while the command prompt is displayed. 5. Click Power Control, and from the displayed list of options for Boot option, select the option that refers to IDE redirection. 6. Click Boot from file, and if required, change the default value for the IDE redirection file path so that it specifies the path and file that will run the character-based operating system. IDE paths must use ASCII characters only. 7. Click Power On if the power state of the computer is off, or click Restart Computer if the power state of the computer is on. 8. Click inside the blank window to activate the remote display session. 9. Run the commands, repair tools, or diagnostic applications. 10. Click Power Control, and then choose one of the following options: To restart the computer, select the option that refers to normal boot from the displayed list of options for Boot option, and then click Restart Computer. To power down the computer, click Power Off. To disconnect from the computer and close the out of band management console, click File, and then click Exit. To disconnect from the computer but leave the out of band management console running so that you can reconnect to it later, click File, and then click Disconnect.

11. If you have finished managing the computer, choose one of the following options:

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

How to Manage the Audit Log for AMT-Based Computers in Configuration Manager
If you have configured System Center 2012 Configuration Manager for AMT auditing, you can enable and disable auditing on selected Intel AMT-based computers, you can update existing audit settings, you can export the auditing entries to a file, and you can clear the auditing log. You might have to clear the audit log on AMT-based computers to make more space in the log for new entries. All the auditing features that you can select by using Configuration Manager are categorized as noncritical, and depending on your AMT version, these might stop writing to the audit log when it is 85 percent full or might start overwriting old entries. You can save the current audit log entries and delete them from an AMT-based computer by using the out of band management console. Use the following procedures to manage the audit log for AMT-based computers:
2428

To enable auditing and update audit settings on AMT-based computers To disable auditing on AMT-based computers To export the audit log for AMT-based computers To clear the audit log on AMT-based computers To monitor auditing activities by using status messages

Before you perform these procedures, you must configure Configuration Manager for AMT auditing as described in Configuring the Out of Band Management Component. To enable auditing and update audit settings on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple AMT-based computers for which you want to enable auditing or update the audit settings, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Enable Auditing and Apply Audit Log Settings. 4. Click OK in the confirmation dialog box. To disable auditing on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Devices or Device Collections. 3. Select one or multiple AMT-based computers for which you want to clear the AMT audit log, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Disable Audit Log. 4. Click OK in the confirmation dialog box. To export the audit log for AMT-based computers 1. Connect to the AMT-based computer by using the out of band management console. 2. Click System Audit Log, click Export All, specify the path and file name to contain the auditing entries, and then click OK. To clear the audit log on AMT-based computers 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, click Device Collections. 3. From one of the collections, perform one of the following actions: To clear the audit log for all AMT-based computers in a collection, select the collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log. To clear the audit log for selected AMT-based computers, select one or multiple computers within a collection, and then, on the Home tab, in the Device group, click Manage Out of Band, and then click Clear Audit Log.

4. Click OK in the confirmation dialog box.

2429

To monitor auditing activities by using status messages 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, click Status Message Queries, and then in the results pane, click All Status Messages. 3. On the Home tab, in the Status Message Queries group, click Show Messages. 4. In the All Status Messages dialog box, you are prompted for the time period for which you want to check status messages. Enter the time period or date and time, and then click OK. 5. All status messages are displayed in the Configuration Manager Status Message Viewer. Click the Component column, and locate the status messages with a component named Microsoft.ConfigurationManagement.exe. 6. For more information about any of the status messages, right-click a status message, and then select Detail.

7. View the information in the Status Message Details dialog box, and then click OK to close this dialog box, or click Previous or Next to view the details of other status messages. 8. Click OK to close the Status Message Details dialog box, and close the Configuration Manager Status Message Viewer.

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

How to Monitor Out of Band Management in Configuration Manager

You can monitor the out of band management activity in System Center 2012 Configuration Manager by using the following procedures: Run reports related to out of band management. Use the out of band management performance counter for SMS AMT Operations Manager. Identify status messages related to out of band management. To monitor out of band management by running reports 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand Reporting, and then click Reports. 3. In the results pane, type out of band in the Look for box so that you can more easily find the reports relating to out of band management. 4. Right-click one of the following reports, and then click Run.
2430

Clients with out of band management controllers Status of client out of band management provisioning Out of band management console activity

5. If you see the Report Information window, specify any required or optional values, and then click Display. For more information about the AMT status values in the reports, see About the AMT Status and Out of Band Management in Configuration Manager. To monitor out of band management by using the out of band management performance counter 1. In the Performance tool, ensure that the site server is selected as the targeted computer, and in the Performance object drop-down menu, click SMS AMT Operations Manager. 2. Select either All counters or select Select counters from list, and then click one or more of the following options: Number of packets per second Total number of packets failed Total number of packets sent Total number of requests pending

3. Click Add for each out of band management performance counter that you require. 4. Click Close. To monitor out of band management by using status messages 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, expand System Status, click Status Message Queries, and then in the results pane, click All Status Messages. 3. On the Home tab, in the Status Message Queries group, click Show Messages. 4. In the All Status Messages dialog box, you are prompted for the time period for which you want to check status messages. Enter the time period or date and time, and then click OK. 5. All status messages are displayed in the Status Message Viewer. Click the Component column, and locate the status messages with the following component names: 6. SMS_AMT_OPERATION_MANAGER SMS_AMT_PROXY_COMPONENT OOB Console

For more information about any of the status messages, right-click a status message, and then select Detail.

7. View the information in the Status Message Details dialog box, and then click OK to close this dialog box, or click Previous or Next to view the details of other status messages. 8. Click OK to close the Status Message Details dialog box, and close the Status
2431

Message Viewer.

See Also
Operations and Maintenance for Out of Band Management in Configuration Manager

Security and Privacy for Out of Band Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for out of band management in System Center 2012 Configuration Manager.

Security Best Practices for Out of Band Management

Use the following security best practices when you manage Intel AMT-based computers out of band.
Security best practice More information

Request customized firmware before you purchase Intel AMT-based computers.

Computers that can be managed out of band have BIOS extensions that can set customized values to significantly increase security when these computers are on your network. Check which BIOS extension settings are available from your computer manufacturer, and specify your values. For more information, see Determine Whether to Use a Customized Firmware Image From Your Computer Manufacturer. If your AMT-based computers do not have the firmware values that you want to use, you might be able to manually specify them. For more information about manually configuring the BIOS extensions, see the Intel documentation or the documentation from your computer
2432

Security best practice

More information

manufacturer. For additional information, see Intel vPro Expert Center: Microsoft vPro Manageability. Customize the following options to increase your security: Replace all certificate thumbprints of external certification authorities (CAs) with the certificate thumbprint of your own internal CA. This prevents rogue provisioning servers from attempting to provision your AMT-based computers, and you do not have to purchase provisioning certificates from external CAs. Use a custom password for the MEBx Account so that the default value of admin is not used. Then specify this password with an AMT Provisioning and Discovery Account in Configuration Manager. This prevents rogue provisioning servers from attempting to provision your AMT-based computers with the known default password.

Control the request and installation of the provisioning certificate.

Request the provisioning certificate directly from the provisioning server by using the computer security context so that the certificate is installed directly into the local computer store. If you must request the certificate from another computer, you have to export the private key, and then use additional security controls when you transfer and import the certificate into a certificate store.

Ensure that you request a new provisioning An expired AMT provisioning certificate results certificate before the existing certificate expires. in a provisioning failure. If you are using an external CA for your provisioning certificate, allow for additional time to complete the renewal process and reconfigure the out of band management point.

Use a dedicated certificate template for provisioning AMT-based computers.

If you are use an Enterprise version of Windows Server for your enterprise CA, create a new certificate template by duplicating the default Web Server certificate template, ensure
2433

Security best practice

More information

that only the security group that you specify in the out of band management component properties has Read and Enroll permissions, and do not add additional capabilities to the default of server authentication. A dedicated certificate template allows you to better manage and control access to help prevent elevation of privileges. If you have a Standard version of Windows Server for your enterprise CA, you cannot create a duplicate certificate template. In this scenario, you must add Read and Enroll permissions to the security group that you specify in the out of band management component properties and remove any permission that you do not require. Use AMT power on commands instead of wake-up packets. Although both solutions support waking up computers for software installation, AMT power on commands are more secure than transmitting wake-up packets because they provide authentication and encryption by using standard industry security protocols. By using AMT power on commands with out of band management, this solution can also integrate with an existing public key infrastructure (PKI) deployment, and the security controls can be managed independently from the product. For more information, see Planning How to Wake Up Clients in Planning for Client Communication in Configuration Manager. Even when AMT-based computers have a supported version of AMT, there are some scenarios that out of band management does not support. These scenarios include workgroup computers, computers that have a different namespace, and computers that have a disjoint namespace. To ensure that these AMT-based computers are not published to Active Directory Domain Services and do not have a PKI certificate requested for them, disable AMT in the
2434

Disable AMT in the firmware if the computer is not supported for out of band management.

Security best practice

More information

firmware. AMT provisioning in Configuration Manager creates domain credentials for the accounts published to Active Directory Domain Services, which risks the elevation of privileges when the computers are not part of your Active Directory forest. Use a dedicated OU to publish AMT-based computer accounts. Do not use an existing container or organizational unit (OU) to publish the Active Directory accounts that are created during AMT provisioning. A separate OU lets you manage and control these accounts better and helps ensure that site servers and these accounts are not granted more permissions than they require. In addition to allowing the site server computer accounts Create all child objects and Delete all child objects permissions for the OU and apply to This object only, allow the following permissions for the site server computer accounts: For the OU: Write all properties permission and apply to This object and all descendant objects. For the Domain Computers group: Write all properties permission and apply to This object only. For the Domain Guest group: Write all properties permissions and apply to This object only.

Allow the site server computer accounts Write permission to the OU, the Domain Computers group, and the Domain Guests group in each domain that contains AMT-based computers.

Use a dedicated collection for AMT provisioning.

Do not use an existing collection that contains more computers than you want to provision for AMT. Instead, create a query-based collection by using the AMT status of Not Provisioned. For more information about the AMT Status and how to construct a query for Not Provisioned, see About the AMT Status and Out of Band Management in Configuration Manager.

Retrieve and store image files securely when you boot from alternative media to use the IDE

When you boot from alternative media to use the IDE redirection function, whenever possible,
2435

Security best practice

More information

redirection function.

store the image files locally on the computer running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system. If you save AMT audit log files, whenever possible, store the files locally on the computer that is running the out of band management console. If you must store them on the network, ensure that connections to retrieve the files over the network use SMB signing to help prevent the files being tampered with during the network transfer. In both scenarios, secure the stored files to help prevent unauthorized access, for example, by using NTFS permissions and the encrypted file system. Although you can specify multiple AMT Provisioning and Discovery Accounts so that Configuration Manager can discover computers that have AMT management controllers and provision them for out of band management, do not specify accounts that are not currently required and delete accounts that are no longer required. Specify only the accounts that you require to help ensure that these accounts are not granted more permissions than they require and to reduce unnecessary network traffic and processing. For more information about the AMT Provisioning and Discovery Account, see Configuring the Out of Band Management Component. The AMT Provisioning Removal Account helps ensure service continuity if you must restore the Configuration Manager site. After you restore the site, request and configure a new AMT
2436

Retrieve and store AMT audit log files securely.

Minimize the number of AMT Provisioning and Discovery Accounts.

For service continuity, specify a user account as the AMT Provisioning Removal Account and ensure that this user account is also specified as an AMT User Account.

Security best practice

More information

provisioning certificate, use the AMT Provisioning and Removal Account to remove provisioning information from AMT-based computers, and then reprovision the computers. You might also be able to use this account if an AMT-based computer was reassigned from another site and the provisioning information was not removed. For more information about how to remove AMT provisioning information, see How to Remove AMT Information. Use a single certificate template for client authentication certificates whenever practical. Although you can specify different certificate templates for each of the wireless profiles, use a single certificate template unless you have a business requirement for different settings to be used for different wireless networks, specify only client authentication capability, and dedicate this certificate template for use with Configuration Manager out of band management. For example, if one wireless network required a higher key size or shorter validity period than another, you would have to create a separate certificate template. A single certificate template lets you control its use more easily and guards against elevation of privileges. Depending on the AMT version, Configuration Manager might stop writing new entries to the AMT audit log when it is nearly full or might overwrite old entries. To ensure that new entries are logged and old entries are not overwritten, periodically clear the audit log if required, and save the auditing entries. For more information about how to manage the audit log and monitor auditing activities, see How to Manage the Audit Log for AMT-Based Computers in Configuration Manager. Use the Remote Tools Operator security role to grant administrative users the Control AMT permission, which allows them to view and
2437

Ensure that only authorized administrative users perform AMT auditing actions and manage the AMT audit logs as required.

Use the principle of least privileges and rolebased administration to grant administrative users permissions to manage AMT-based

Security best practice

More information

computers out of band.

manage computers by using the out of band management console, and initiate power control actions from the Configuration Manager console. For more information about the security permissions that you might require to manage AMT-based computers, see Configuration Manager Dependencies in Prerequisites for Out of Band Management in Configuration Manager.

Security Issues for Out of Band Management

Managing AMT-based computers out of band has the following security issues: An attacker might fake a provisioning request, which results in the creation of an Active Directory account. Monitor the OU where the AMT accounts are created to ensure that only expected accounts are created. You cannot configure web proxy access for the out of band service point to check the certificate revocation list (CRL) that is published on the Internet. If you enable CRL checking for the AMT provisioning certificate, and the CRL cannot be accessed, the out of band service point does not provision AMT-based computers. The option to disable automatic AMT provisioning is stored on the Configuration Manager client and not in AMT. This means that the AMT-based computer can still be provisioned. For example, the Configuration Manager client might be uninstalled, or the computer might be provisioned by another management product. Even though you select the option to disable automatic provisioning for an AMT-based computer, the out of band service point accepts a provisioning request from that computer.

Privacy Information for Out of Band Management

The out of band management console manages computers that have the Intel vPro chip set and Intel Active Management Technology (Intel AMT) with a firmware version that is supported by Configuration Manager. Configuration Manager temporarily collects information about the computer configuration and settings, such as the computer name, IP address, and MAC address. Information is transferred between the managed computer and the out of band management console by using an encrypted channel. By default, this feature is not enabled, and typically no information is retained after the management session is ended. If you enable AMT auditing, you can save auditing information to a file that includes the IP address of the AMT-based computer that is managed and the domain and user account that performed the management action on the recorded date and time. This information is not sent to Microsoft.

2438

You have the option to enable Configuration Manager to discover computers with management controllers that can be managed by the out of band management console. Discovery creates records for the manageable computers and stores them in the database. Data discovery records contain computer information, such as the IP address, operating system, and computer name. By default, discovery of management controllers is not enabled. Discovery information is not sent to Microsoft. Discovery information is stored in the site database. Information is retained in the database until the site maintenance task Delete Aged Discovery Data deletes it in intervals of every 90 days. You can configure the deletion interval. Before you configure out of band management, consider your privacy requirements.

See Also
Compliance Settings in Configuration Manager

Technical Reference for Out of Band Management in Configuration Manager

Use the following topics in this section to view technical reference information for managing Intel AMT-based computers out of band by using System Center 2012 Configuration Manager.

In This Section
About the AMT Status and Out of Band Management in Configuration Manager Example Scenario for Implementing Out of Band Management in Configuration Manager Example Scenarios for Using Out of Band Management in Configuration Manager AMT Provisioning Process for Out of Band Management in Configuration Manager

See Also
Out of Band Management in Configuration Manager

About the AMT Status and Out of Band Management in Configuration Manager
The AMT status is used with out of band management in System Center 2012 Configuration Manager to identify the capability and provisioning status of the management controller on Intel AMT-based computers. This status is displayed in the Configuration Manager console, in the report Computers with out of band management controllers, and can also be used to construct queries.
2439

The AMT Status Values, Descriptions, and Corresponding Queries

Use the following table for more details about the AMT status and the corresponding queries.
AMT status Description Query

Unknown

The AMT status is not yet known. This occurs when the AMT-based computer has not contacted the out of band service point site system server to be provisioned, or when you have not run Discover AMT Status for the collection.

Select * from sms_r_system where AMTStatus is null

Not Supported

The computer does not have Select * from sms_r_system AMT capability and cannot where AMTStatus=0 support out of band management. AMT capability is detected on this computer, but the out of band service point is unable to provision it for AMT. This scenario can occur when the computer has been previously provisioned for AMT outside the Configuration Manager site and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown. Before Configuration Manager can provision and manage this computer, you must remove the provisioning information, and then run the Discover AMT Status action. Tip You might be able to remove the AMT provisioning information by using Configuration
2440

Detected

Select * from sms_r_system where AMTStatus=1

AMT status

Description

Query

Manager and the AMT Provisioning Removal Account, if this account is configured in the Out of Band Management Component Properties dialog box. Or, manually remove the AMT provisioning information. For more information about removing the AMT provisioning information by using Configuration Manager and the AMT Provisioning Removal Account, see How to Remove AMT Information. Not Provisioned AMT capability is detected on this computer, and it can be provisioned for AMT by the out of band service point. AMT capability is detected on this computer, and it can be managed out of band by Configuration Manager. AMT capability is detected on this computer, and it has been provisioned outside Configuration Manager by using AMT Host Based Provisioning. The computer account of the out of band service point lets Configuration Manager manage this computer out of band. However, Configuration Manager cannot update the management controller, remove the provisioning information, or reprovision this computer. Select * from sms_r_system where AMTStatus=2

Provisioned

Select * from sms_r_system where AMTStatus=3

Externally Provisioned

Select * from sms_r_system where AMTStatus=4

2441

Determining the AMT Status

The AMT status is determined when the AMT discovery process runs, which uses the following accounts in the order specified: 1. The AMT Remote Admin Account 2. The computer account of the out of band service point 3. The AMT Provisioning and Discovery Account The AMT status is automatically updated when Configuration Manager provisions a computer for AMT or removes provisioning information.

See Also
Technical Reference for Out of Band Management in Configuration Manager

Example Scenario for Implementing Out of Band Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following sections in this topic provide an example scenario for implementing out of band management in System Center 2012 Configuration Manager, by using a three-phased approach: Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate Rollout: Full Deployment by Using an External CA for the Provisioning Certificate Add Wireless Support: Extend Management to Wireless Networks

In the following scenario, Trey Research is interested in using out of band management to more efficiently troubleshoot computers that fail to start or stop responding, require powering on for routine maintenance, or require reconfiguring the BIOS settings. This company has Intel AMTbased computers with versions of AMT that are supported by Configuration Manager, but they do not have customized firmware that includes the certificate thumbprint of their own internal root certification authority (CA). Trey Research has a single Configuration Manager primary site, and all the internal computers reside in the testnet.treyresearch.net domain. The company already has an existing public key infrastructure (PKI) infrastructure that is using Windows Server 2008 Certificate Services, and has an enterprise certification authority running Windows Server 2008 Enterprise Edition.

2442

Adam is the Configuration Manager administrative user who has been asked to implement out of band management by using a three-phase approach. He first tests the functionality by using a small number of desktop computers and without purchasing a provisioning certificate from an external CA. If the testing goes well, Adam can purchase an AMT provisioning certificate and provision all the AMT-based desktop computers. For the final deployment phase, Adam is asked to extend the out of band management to laptops that use the wireless network.

Pilot: Implementing and Testing a Few Computers that Use Certificate Services (Internal CA) for the Provisioning Certificate
For the pilot phase to implement and test out of band management, Adam takes the course of action outlined in the following table.
Process Reference

Adam checks the prerequisites for out of band management and decides to create a site system server on which he installs the out of band service point and the enrollment point. This computer has the fully qualified domain name (FQDN) of server15.testnet.treyresearch.net. Adam also confirms that the existing DHCP and DNS configuration meets the requirements for AMT. Adam works with his Active Directory service administrators to create the following Windows security groups: A group named ConfigMgr Out Band Service Points that contains server15. A group named ConfigMgr Primary Site Servers that contains the primary site server computer account. A universal security group named ConfigMgr AMT Computers that will contain the AMT computer accounts.

For more information about the prerequisites, see Prerequisites for Out of Band Management in Configuration Manager.

For more information about how to create groups and OUs, see the Active Directory Domain Services documentation.

They then create an organization unit (OU) in the testnet.treyresearch.net domain for the published AMT-based computer accounts, and grant the newly created group ConfigMgr Primary Site Servers the following
2443

Process

Reference

permissions to this OU: Create Computer Objects and Delete Computer Objects. Adam works with the PKI team with the following results: The web server certificate template is duplicated and configured for the enrollment point. It is installed and configured in IIS on server15. A custom template is created to request and install the AMT provisioning certificate on server15. The web server certificate template is duplicated and configured so that it is appropriate for out of band management. They identify and write down the certificate thumbprint of the root CA, which has to be manually added to the AMT firmware until they purchase a provisioning certificate from an external CA. For more information, see the Intel documentation. For guidance about how to deploy the PKI certificates required for out of band management, see the Deploying the Certificates for AMT section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

To prepare the desktop AMT-based computers that Adam will use in the initial testing, Adam checks that the AMT firmware configuration is correct and adds the certificate thumbprint of their internal root CA: 1. When the computer starts, he presses CTRL+P to configure the ME module. 2. He selects Intel (R) ME Configuration, Intel (R) ME Feature Control, Manageability Feature Selection, and then selects Intel (R) AMT. He exits and restarts the computer. 3. He runs the ME module again, selects Intel (R) AMT Configuration, Setup and Configuration, to verify that the value for the Current provision mode is PKI. The value is not PKI, so he selects TLS PKI, and sets the Remote Configuration to Enable. 4. In the TLS-PKI section, he selects Manage Certificate Hashes, presses the Insert key, and types the certificate thumbprint of his

2444

Process

Reference

internal root CA. 5. He saves the changes, exits, and then restarts the computer. Adam then configures the Configuration Manager primary site and makes the following changes: He installs a new site system server on server15, configures it with the intranet FQDN of server15.treyresearch.net, and then installs the out of band service point and the enrollment point. He then configures the Out of Band Management component. On the AMT Provisioning Certificate page for the out of band service point, he browses to the AMT provisioning certificate that he installed. On the Out of Band Management Component Properties dialog box, he configures the following: On the General tab, he specifies the OU that he created in testnet.treyresearch.net, the universal security group that he created, browses to the AMT web server certificate template that he created earlier, and configures a strong password for the MEBx Account. On the AMT Settings tab, he specifies his own account as an AMT User Account and a Windows global domain security group that contains help desk engineers who will use the out of band management console. He also selects the options Enable serial over LAN and IDE redirection, Allow ping responses, and Enable BIOS password bypass for power on and restart commands. For more information, see the following sections in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic: How to Install and Configure the AMT Provisioning Site Systems: New Site System Server Configuring the Out of Band Management Component

Adam wants to use Wake on LAN technology to For more information, see the Configuring the install critical software updates on computers. Site to Send Power-On Commands for He has tried this feature in the past and Scheduled Wake-Up Activities step in the How
2445

Process

Reference

discovered that subnet-directed broadcasts consumed too much network bandwidth over the remote links and that few of their network adapters worked with unicast transmissions. He enables Wake on LAN and decides to keep the default option of Use power on commands if the computer supports this technology; otherwise, use wake-up packets. Adam adds the AMT Status column to the Configuration Manager console and creates a new collection that contains just five AMTbased computers as his initial pilot. These computers are for testing only and contain different supported versions of AMT. He configures this collection for AMT provisioning. Adam monitors the AMT provisioning process.

to Provision and Configure AMT-Based Computers in Configuration Manager topic.

For more information, see the Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

For more information, see the Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

When the computers are successfully provisioned for AMT, Adam starts testing these computers for out of band management. For example scenarios of using out of band management, see Example Scenarios for Using Out of Band Management in Configuration Manager.

Rollout: Full Deployment by Using an External CA for the Provisioning Certificate

When the initial testing is completed, Adam receives confirmation from his manager that out of band management can be rolled out to all AMT-based workstation computers. To eliminate the requirement to add the thumbprint of their internal root CA certificate to each AMT-based computer, Adam purchases a provisioning certificate from an external CA and installs it on server15, according to the accompanying instructions. Adam then takes the course of action outlined in the following table.
Process Reference

Adam checks the prerequisites for out of band For more information, see Prerequisites for Out management again, to see whether there are of Band Management in Configuration any additional changes that he has to make. He
2446

Process

Reference

notes the following: There are ports requirements that he must relate to the firewall administrator so that help desk engineers can connect to AMTbased computers in remote sites that are protected by the internal company firewall. Some help desk computers still run Windows XP, and so he must check these computers for their version of Windows Remote Management (WinRM) and update the version if necessary. He must add help desk engineers to an appropriate security role to run the out of band management console.

Manager.

Adam configures the properties of the out of band service point, browses to the newly purchased AMT provisioning certificate, and saves the changes. Adam creates new collections to gradually roll out AMT provisioning for workstation computers. Over a period of four weeks, he enables these collections for AMT provisioning and monitors progress.

For more information, see the Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic. For more information, see the Displaying the AMT Status and Enabling AMT provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

As a result of this course of action, all Intel AMT-based workstation computers are provisioned for AMT and can be managed out of band by the help desk. The ability to troubleshoot and repair computers when the operating system is not functioning greatly reduces the total cost of ownership for the company because engineers no longer require local access to the computer.

Add Wireless Support: Extend Management to Wireless Networks

After the successful rollout for workstations to use out of band management, Trey Research now wants to extend this support to laptop computers that use the wireless network. The wireless network uses a Windows Server 2008-based server that is running Network Policy Server (NPS) and requires a client certificate for authentication. Adam takes the course of action outlined in the following table.

2447

Process

Reference

Adam checks the wireless support prerequisites For more information about the prerequisites, for out of band management and confirms that see Prerequisites for Out of Band Management the versions of AMT on the laptops supports in Configuration Manager. wireless profiles. He notes the wireless configuration settings that are required by the Network Policy Server as WPA2 security, AES encryption, and EAP-TLS authentication. Adam works with the PKI team to create an additional certificate template that the AMTbased computers use to authenticate with the Network Policy Server. For more information about creating the client certificate template, see Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers in the Deploying the Certificates for AMT section of the Step-byStep Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager. Adam configures the Out of Band Management Component Properties: 802.1X and Wireless tab: He creates a wireless profile that contains the wireless network name, the security type of WPA2-Enterprise, and the encryption method of AES. He then selects the trusted root certificate for the Network Policy Server, and the client certificate template that was created earlier. For more information, see steps 26 through 39 in the Configuring the Out of Band Management Component section in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

Adam creates a new collection for laptops that can support AMT. On the Out of Band Management tab, he selects Enable provisioning for AMT-based computers. Adam then monitors the provisioning status for these laptops, and uses the log file Amtopmgr.log, to verify that the wireless profile is successfully configured for these AMT-based computers. Tip

For more information about monitoring AMT provisioning, see the Monitoring AMT Provisioning step in the How to Provision and Configure AMT-Based Computers in Configuration Manager topic.

2448

Process

Reference

If these laptops are already provisioned for AMT without the wireless profile, Adam runs the Update Provisioning Data in Management Controller Memory command for the wireless settings to be applied. For more information, see the How to Update Computers for New AMT Settings section in the How to Manage AMT Provisioning Information in Configuration Manager topic. As a result of this course of action, laptops can also now be managed out of band by the help desk, which reduces the time to resolve the problems reported by laptop users.

See Also
Technical Reference for Out of Band Management in Configuration Manager

Example Scenarios for Using Out of Band Management in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. The following sections in this topic provide example scenarios of how you can manage computers out of band in System Center 2012 Configuration Manager: Powering on Computers to Install Applications Powering off Computers to Protect Against a Security Attack Re-imaging a Nonfunctioning Computer Configuring BIOS Settings Troubleshooting a Nonfunctional Computer Achieving Compliance for Software Updates by Using Wake on LAN and Power on Commands

In all these scenarios for Trey Research, Adam, the Configuration Manager administrative user, has implemented out of band management throughout the Configuration Manager hierarchy. The

2449

desktop computers are AMT-based, meet all the prerequisites for out of band management, and are successfully provisioned for AMT.

Powering on Computers to Install Applications

The following scenario demonstrates how you can use out of band management to power on computers to install applications (or perform routine maintenance) without using traditional wakeup packets. The marketing department at Trey Research has approved a request to install a nonstandard application on five computers. Adam has already created a collection for these five computers and a deployment to install the application as soon as possible. After he establishes a time period when no users have their computers turned on and will not be unduly inconvenienced, he performs the actions in the following table to power on the computers so that the application can be installed.
Process More information

Adam locates the computers in the Assets and Compliance workspace of the Configuration Manager console, and then performs the following actions: Selects the five computers and right-clicks them. Clicks Manage Out of Band, and then clicks Power Control. Selects Power on. Confirms the action by clicking OK.

Section How to Power on and Restart Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

He then monitors the progress of the application installation. If required, after the installation is completed, Adam can shut down each computer individually by using the Configuration Manager Remote Control and select the Shut down command in Windows. Note The out of band management power-off command is not appropriate here because this does not perform a graceful shutdown of the operating system. How to Remotely Administer a Client Computer by Using Configuration Manager

2450

As a result of the preceding course of action, the application is installed outside business hours without sending wake-up packets over the network, without requiring that the computers remain turned on, or without requiring local access to the computers.

Powering off Computers to Protect Against a Security Attack

The following scenario demonstrates how you can use out of band management to power off computers when it is imperative that they do not remain running, but you cannot shut them down by normal means. Powering off computers should always be considered a last resort because it has the same effect as removing the power cable from the computer: the operating system does not shut down correctly, unsaved work is lost, and logged-on users do not receive any notice of the power off action. Trey Research has an intrusion detection system that monitors suspicious activity on servers and the network. In the early hours of the morning, an alert is generated that indicates a security attack has occurred on one of the servers. Although the desktop computers are usually turned off at night, some users leave their computers turned on. These computers must be turned off immediately to safeguard them against the security threat. To help protect the desktop computers from the security threat, a security administrator performs the actions that are outlined in the following table.
Process More information

The security administrator identifies the desktop computers that are turned on and at risk and locates them in the Assets and Compliance workspace in the Configuration Manager console. He performs the following actions: Selects the computers and right-clicks them. Clicks Manage Out of Band, and then clicks Power Control. Selects Power off. Confirms the action by clicking OK.

Section How to Power off Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

As a result of the preceding course of action, the risk of these computers being vulnerable to the security attack is greatly reduced.

2451

Re-imaging a Nonfunctioning Computer

The following scenario demonstrates how you can use out of band management to re-image a nonfunctioning computer when other troubleshooting steps have failed. Trey Research has a help desk policy that computer desktop issues that prevent business continuity must be resolved within a set period. No data is stored locally on the computers, so reimaging these computers is the most efficient way to resolve these types of reported problems. However, in the past this has meant that a help desk engineer must visit the site, or the computer must be transported to and from the help desk location. To more efficiently re-image a nonfunctioning computer, the help desk engineer proceeds with the course of action that is outlined in the following table.
Process More information

The help desk engineer locates the computer in question in the Configuration Manager console and confirms that he cannot use Configuration Manager Remote Tools to connect to the client computer. He connects to it by using the out of band management console. The help desk engineer then performs the following actions: He clicks Power Control, selects the boot option for IDE redirection, and enters the network path to the image to reinstall the operating system, custom applications and settings, and the Configuration Manager client. Then he clicks Restart Computer.

Section How to Run the Out of Band Management Console in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

Section How to Power on and Restart Computers in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

Later that day, the engineer checks the status of the computer and confirms that it is working again as required. He closes the help desk ticket within the specified time limit.

Company-specific process.

As a result of the preceding course of action, the computer is efficiently re-imaged without requiring local access, although the operating system was not responding. This level of control helps resolve critical issues in a timely manner that ensures higher levels of business continuity for the company.

2452

Configuring BIOS Settings

The following scenario demonstrates how you can use out of band management to configure BIOS settings for a desktop computer without requiring local access to the computer. The help desk at Trey Research receives notification that two newly deployed computers do not start successfully. This is a custom build, and the engineer suspects that the BIOS settings are not correctly configured. To check the BIOS settings without local access to the computer, the help desk engineer proceeds with the course of action outlined in the following table.
Process More information

The help desk engineer locates the computer in question in the Assets and Compliance workspace of the Configuration Manager console, and connects to it by using the out of band management console. The help desk engineer then performs the following actions for each computer in turn: He clicks Power Control, selects the boot option for BIOS Setup, and then clicks Power On. He clicks Serial Connection and waits for the BIOS settings to appear. When they do, he discovers that the wrong disk is configured for booting the computer. He makes the required change, and then saves the new BIOS settings.

Section How to Run the Out of Band Management Console in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic. Section How to Configure BIOS Settings for a Computer in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

The computer automatically restarts and successfully loads the operating system from the correct disk. The engineer confirms that the two computers are now operational and closes the help desk ticket. Company-specific process.

As a result of the preceding course of action, the mean time to resolution for these computers is dramatically reduced because local access to the computers is not required.

2453

Troubleshooting a Nonfunctional Computer

The following scenario demonstrates how you can use out of band management to run diagnostic commands and tools for a desktop computer that is not functioning (for example, the operating system stops responding or does not load) without requiring local access to the computer. The help desk at Trey Research receives notification that a computer has stopped responding. To troubleshoot the computer, the help desk engineer proceeds with the course of action outlined in the following table.
Process More information

The help desk engineer locates the computer in question in the Assets and Compliance workspace of the Configuration Manager console, and connects to it by using the out of band management console. The help desk engineer then performs the following actions: He clicks Power Control, selects the boot option for IDE redirection, specifies the path and file for a diagnostic tool in the IDE redirection path, and then clicks Restart Computer. He clicks Serial Connection and waits for the computer to boot from the image that contains the diagnostic tool. By using the diagnostics, he discovers that the disk has a number of bad sectors. He selects the option to repair the bad sectors, and then exits the tool. He clicks Power Control, clicks Restart Computer, and closes the out of band management console.

Section How to Run the Out of Band Management Console in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic. Section How to Run Commands, Repair Tools, and Diagnostic Applications for a Computer in the How to Manage AMT-based Computers Out of Band in Configuration Manager topic.

The engineer confirms that the computer restarts and loads the operating system successfully. Because the computer is operational again, he closes the ticket, but he puts in a request to replace the hard drive to safeguard against the same problem in the future.

Company-specific process.

As a result of the preceding course of action, the time-to-resolution for this computer is dramatically reduced because local access to the computer is not required.
2454

Achieving Compliance for Software Updates by Using Wake on LAN and Power on Commands
The following scenario demonstrates how you can use out of band management with software updates in Configuration Manager to help achieve higher success rates for installing software updates within a specified time frame. Trey Research has a security policy that requires that all computers on the network running Windows have critical security software updates installed within two weeks of release. The installation of these software updates on servers has a 100 percent success rate, but the success rate on desktops is only 80 percent, although the Configuration Manager administrative user deployed them within one week after release. On investigation, the computers that do not have the software updates installed are turned off for various reasons for example, because users are on vacation or sick leave or because the computers are not in everyday use and are turned on only when required for a specific application or process. The security policy also prohibits sending wake-up packets over the network, but there is often not enough time to track down each computer, turn it on, and install the required software updates to meet the compliance deadline. To help achieve the compliance levels in a timely and efficient fashion, Adam decides on the course of action outlined in the following table.
Process More information

Adam enables Wake on LAN for the primary sites in the hierarchy and selects the Use AMT power on commands only option.

Step Configuring the Site to Send Power on Commands for Scheduled Wake-Up Activities in the How to Provision and Configure AMTBased Computers in Configuration Manager topic. Step Configuring the Enrollment Point and Out of Band Service Point for AMT Provisioning in the How to Provision and Configure AMTBased Computers in Configuration Manager topic. How to Create Collections in Configuration Manager

He checks the packet transmission settings in the out of band service point properties and makes some minor changes.

He reads the information in the documentation about the additional time that might be required to power on multiple computers and plans accordingly by creating different collections of computers so that software update deployments can be configured in batches. Adam closely monitors the installation of the critical software updates. For the computers that have not yet installed them, he creates a

Operations and Maintenance for Software Updates in Configuration Manager

2455

Process

More information

new deployment that contains the software updates, but this time it is also configured for Wake on LAN. He targets this software update deployment in batches to the collections that he created. As a result of the preceding course of action, critical software updates are installed on the majority of computers within one week. This leaves a comfortable margin of one more week to track down and correct the few desktop computers that still require the software update, perhaps because the computer was put into hibernation before it received the software update deployment or because there was no power for the computer. By using the combination of software updates with a deadline for the majority of computers, Wake on LAN with power-on commands for the few computers that are turned off, and manual intervention for the minority of computers that remain noncompliant, Trey Research can now meet its compliance levels every month.

See Also
Technical Reference for Out of Band Management in Configuration Manager

AMT Provisioning Process for Out of Band Management in Configuration Manager

The following flow of events occurs when an AMT-based computer is provisioned by System Center 2012 Configuration Manager. 1. The Configuration Manager client downloads its client policy with instructions to initiate AMT provisioning and performs the follow checks: a. The Intel HECI driver is installed. b. The AMT status is Not Provisioned. Any other status stops the provisioning process. 2. The Configuration Manager client generates a random one-time password (OTP), hashes it, sends the hash to the site server, and then activates the AMT network interface so that the AMT-based computer is ready for provisioning. For AMT-based computers that support wireless network connections, they also send their wired IP address, which will be used during provisioning, even if the AMT-based computer has multiple network interfaces. 3. The Configuration Manager client sends AMT manufacturing information to the site server by using a state message. This information includes the AMT version number. 4. The site server receives the OTP hash and then creates an Active Directory account in the configured Active Directory container (or OU), and sets the SPN for the AMT-based

2456

computer. The site server then sends an instruction to the out of band service point to start provisioning for the Configuration Manager client. 5. The out of band service point retrieves the OTP hash for this AMT-based computer from the site server and compares it with the OTP hash reported by the AMT firmware to verify the identity of the AMT-based computer to be provisioned. 6. The out of band service point retrieves the Active Directory account and password from the site server and then sends an instruction to the enrollment point to request an AMT web server certificate for the AMT-based computer. The enrollment point impersonates the AMTbased computer to request the AMT web server certificate. 7. The out of band service point creates an outbound TLS connection by using the AMT provisioning certificate and the Secure Channel (Schannel) Security Support Provider (SSP). In this connection, the AMT-based computer is the server, and the out of band service point is the client. This transport layer session is established by using TLS handshaking: a. The out of band service point sends a client Hello message to the AMT -based computer and requests to use SHA1. b. The AMT-based computer sends a server Hello message to the out of band service point and sends its public key with a self-signed certificate. c. The Microsoft Security Support Provider Interface (SSPI) is used to create the TLS channel.

d. The out of band service point sends its AMT provisioning certificate and its full certificate chain to the AMT-based computer, with the specific AMT provisioning object identifier (OID) or OU attribute of Intel(R) Client Setup Certificate. e. The AMT-based computer checks the following for the AMT provisioning certificate and, if these successfully match, establishes the TLS session: the subject name (CN) against its own DNS namespace, the OID against the OID for AMT provisioning (or the OU attribute), and the certificate thumbprint of the root certificate from the certificate chain against the certificate thumbprint that it has stored in AMT firmware memory. 8. The out of band service point establishes an application layer connection with the AMT-based computer, by using HTTP Digest authentication: a. A SOAP request is sent from the out of band service point to the AMT-based computer, without any user name and password. b. The AMT-based computer responds to the out of band service point with an "authentication needed" response, which results in HTTP Digest authentication. c. The out of band service point resends the SOAP request with the same payload to AMTbased computer, this time by using HTTP Digest authentication.

d. The AMT-based computer finishes the authentication challenge and sends a success or failure response to the out of band service point. 9. If the HTTP Digest authentication failed during the application layer connection, the out of band service point retries by using another user name and password that has been configured in Configuration Manager. All user names and passwords are tried sequentially until authentication succeeds or there are no more user names and passwords. 10. The AMT-based computer undergoes first-stage provisioning, initiated by a SOAP request from the out of band service point:
2457

a. The AMT time is synchronized with the Windows time from the out of band service point. b. The AMT host name and domain is configured by using the computers host name and domain. The computers host and domain name might be retrieved from system discovery or from client registration when the client is assigned to the site. c. The requested and retrieved certificate is saved to the AMT firmware memory, and TLS authentication is enabled.

d. Configuration Manager creates a random and strong password for the AMT Remote Admin Account and stores this value in AMT. e. Configuration Manager might reconfigure the MEBx password with the strong password configured in the Configuration Manager console, depending on whether it has been changed previously on the AMT-based computer and on the version of AMT. f. The settings are saved in AMT firmware, and the AMT firmware state is set to the operational mode of post provisioning.

11. The AMT-based computer undergoes second-stage provisioning, initiated by a Windows Remote Management (WinRM) request from the out of band service point: a. The AMT ACLs are deleted and configured according to the AMT User Accounts and rights. b. Kerberos is enabled, and in the Out of Band Management Component Properties dialog box, on the AMT Settings tab, the power scheme is set according to the configured value for Manageability is on in the following power state. In addition, the other AMT settings, such as Enable web interface, Enable serial over LAN and IDE redirection, and Allow ping responses, are also set according to the configured values in the AMT Advanced Settings dialog box. c. If you have configured any 802.1X options, the following additional actions occur: Any existing wireless profiles are deleted, any certificates related to the wireless profiles or 802.1X wired network configuration are deleted, and the wireless capability of AMT is detected. If any certificates are required to support 802.1X, the out of band service point sends an instruction to the enrollment point to request the certificates for the AMT-based computer, and the enrollment point impersonates the AMT-based computer to request these certificates. The wireless profiles and the 802.1X authenticated wired network configuration are then saved to AMT.

12. The out of band service point sends the results of the provisioning process to the site server, which then updates the Configuration Manager database to use the following information about the AMT-based computer: the AMT status; the MEBx password, the AMT Remote Admin Password.

See Also
Technical Reference for Out of Band Management in Configuration Manager
2458

Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager provides a set of tools and resources that can help assess, track, and remediate the configuration compliance of client computers in the enterprise.

Compliance Setting Topics

Use the following topics to help you maintain the configuration compliance of your Configuration Manager client computers. Introduction to Compliance Settings in Configuration Manager Planning for Compliance Settings in Configuration Manager Configuring Compliance Settings in Configuration Manager Operations and Maintenance for Compliance Settings in Configuration Manager Security and Privacy for Compliance Settings in Configuration Manager Technical Reference for Compliance Settings in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager Assets and Compliance in System Center 2012 Configuration Manager

Introduction to Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager provides a unified interface and user experience that lets you manage the configuration and compliance of servers, laptops, desktop computers, and mobile devices in your organization. Compliance settings contains tools to help you assess the compliance of users and client devices for many configurations, such as whether the correct Windows operating system versions are installed and configured appropriately, whether all required applications are installed and configured correctly, whether optional applications are configured appropriately, and whether prohibited applications are installed. Additionally, you can check for compliance with software updates, security settings, and mobile devices. Configuration item settings of the type Windows Management Instrumentation (WMI), registry, script, and all mobile device settings in Configuration Manager let you automatically remediate noncompliant settings when they are found. Compliance is evaluated by defining a configuration baseline that contains the configuration items that you want to evaluate and settings and rules that describe the level of compliance you must
2459

have. You can import this configuration data from the web in Microsoft System Center Configuration Manager Configuration Packs as best practices that are defined by Microsoft and other vendors, in Configuration Manager, and that you then import into Configuration Manager. Or, an administrative user can create new configuration items and configuration baselines. After a configuration baseline is defined, you can deploy it to users and devices through collections and evaluate its settings for compliance on a schedule. Client devices can have multiple configuration baselines deployed to them. This provides the administrator with a high level of control. Client devices evaluate their compliance against each deployed configuration baseline and immediately report the results to the site by using state messages and status messages. If a client device is currently not connected to the network, but has downloaded the configuration items that are referenced in a deployed configuration baseline, the configuration baseline is evaluated for compliance. The compliance information is sent on reconnection. You can also view compliance evaluation results from clients that are running Windows by using the Configurations tab in Configuration Manager in Control Panel. You can monitor the results of the configuration baseline evaluation compliance from the Deployments node in the Monitoring workspace in the Configuration Manager console to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can also run compliance settings reports to find additional details, such as which devices are compliant or noncompliant, and which element of the configuration baseline is causing a computer to be noncompliant. You can also view compliance evaluation results from Windows clients by using the Configurations tab in Configuration Manager in Control Panel. You can use compliance settings to support the following business requirements: Compare the configuration of desktop computers, laptops, servers, and mobile devices in your enterprise against best practices configurations from Microsoft and other vendors. Verify the configuration of provisioned devices against one or more custom-defined configuration baselines before the computers go into production. Identify device configurations that are not authorized by change control procedures. Prioritize noncompliance with five levels of severity (None, Information, Warning, Critical, and Critical with event). Report compliance with regulatory policies and in-house security policies. Identify security vulnerabilities, as defined by Microsoft and other software vendors, across your enterprise. Provide the help desk with the information to detect probable causes of reported incidents and problems by identifying noncompliant configurations. Automatically remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. Remediate noncompliance by deploying applications, packages and programs, or scripts to a collection that is automatically populated with computers that report that they are out of compliance. Integrate with other management products that monitor Windows events on computers to take automatic action when a configuration is reported as noncompliant.
2460

For an example scenario that shows how you might use compliance settings in your environment, see Example Scenario for Compliance Settings in Configuration Manager.

User Data and Profiles Configuration Items

For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: User data and profiles configuration items contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy them to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. Unlike other configuration items, you do not add these to configuration baselines before you deploy them. You can deploy them directly with the Deploy User Data and Profiles Configuration Item dialog box. For more information, see the topic How to Create User Data and Profiles Configuration Items in Configuration Manager.

Whats New in Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for compliance settings, previously known as desired configuration management since Configuration Manager 2007: Configuration Manager 2007 desired configuration management is now called compliance settings in System Center 2012 Configuration Manager. Configuration Manager provides a new built-in security role named Compliance Settings Manager. Administrative users who are members of this role can manage and deploy configuration items and configuration baselines and view compliance results. An administrative user can create registry and file system settings by browsing to an existing file, folder, or registry setting on the local or a remote reference computer. It is now easier for an administrative user to create configuration baselines. You can reuse settings for multiple configuration items. You can remediate noncompliant settings for WMI, the registry, scripts, and all settings for the mobile devices that are enrolled by Configuration Manager. When you deploy a configuration baseline, you can specify a compliance threshold for the deployment. If the compliance is below the specified threshold after a specified date and time, System Center 2012 Configuration Manager generates an alert to notify the administrator. You can use the new monitoring features of System Center 2012 Configuration Manager to monitor compliance settings and to view the most common causes of noncompliance, errors, and the number of users and devices that are affected. You can deploy configuration baselines to users and devices.
2461

Configuration baseline deployments and evaluation now support Configuration Manager maintenance windows. You can use compliance settings to manage the mobile devices that you enroll with Configuration Manager. Configuration item versioning lets you view and use earlier versions of configuration items. You can restore or delete earlier versions of configuration items and see the user names of administrative users who made changes. Configuration items can contain user and device settings. User settings are evaluated when the user is logged on. Examples of user settings include registry settings that are stored in HKEY CURRENT USER and user-based script settings that an administrative user configured. Improved reports contain rule details, remediation information, and troubleshooting information. You can now detect and report conflicting compliance rules. Unlike Configuration Manager 2007, System Center 2012 Configuration Manager does not support uninterpreted configuration items. An uninterpreted configuration item is a configuration item that is imported into compliance settings, but the Configuration Manager console cannot interpret it. Therefore, you cannot view or edit the configuration item properties in the console. Before you import Configuration Packs or configuration baselines to System Center 2012 Configuration Manager, you must remove uninterpreted configuration items in Configuration Manager 2007. You can migrate configuration items and configuration baselines from Configuration Manager 2007 to System Center 2012 Configuration Manager. During migration, configuration data is automatically converted into the new format. Settings groups from Configuration Manager 2007 are no longer supported in System Center 2012 Configuration Manager. Regular expressions for settings are not supported in System Center 2012 Configuration Manager. Using wildcard characters for registry settings is not supported in System Center 2012 Configuration Manager. If you migrate configuration data from Configuration Manager 2007, you must remove wildcard characters from registry settings before you migrate. Otherwise the data will not be valid in the System Center 2012 Configuration Manager configuration item. The string operators Matches and Do not Match are not supported in System Center 2012 Configuration Manager. You can no longer create configuration items of the type General from the Configuration Manager console. You can now create only application configuration items and operating system configuration items. However, if you create a configuration item for a mobile device, this is created as a general configuration item.

Whats New in Configuration Manager SP1

Note
2462

The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for compliance settings in Configuration Manager SP1: You can create user data and profiles configuration items that contain settings that control how users in your hierarchy manage folder redirection, offline files, and roaming profiles on computers that run Windows 8. You can deploy these settings to collections of users and then monitor their compliance from the Monitoring node of the Configuration Manager console. The new Mac OS X configuration item lets you evaluate and remediate property list (.plist) settings on Mac computers. You can also use shell scripts to evaluate and remediate other Mac settings.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. The following items are new or have changed for compliance settings in System Center 2012 R2 Configuration Manager: New mobile device settings and mobile device setting groups have been added. These can be found on the Mobile Device Settings page of the Create Configuration Item Wizard.

See Also
Assets and Compliance in System Center 2012 Configuration Manager

Planning for Compliance Settings in Configuration Manager

Use the following topics in this section to help you plan for using compliance settings in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Compliance Settings in Configuration Manager

2463

See Also
Compliance Settings in Configuration Manager

Prerequisites for Compliance Settings in Configuration Manager

Compliance settings in System Center 2012 Configuration Manager has the following dependencies within the product.

Configuration Manager Dependencies

Dependency More information

Clients must be enabled and configured for compliance evaluation.

Before you can use compliance settings, you must enable and configure client settings. For more information, see Configuring Compliance Settings in Configuration Manager. The reporting point site system role must be installed and configured before compliance settings reports can be displayed. For more information, see Configuring Reporting in Configuration Manager. You must have the following security permissions to manage compliance settings: To view and manage alerts and reports for compliance settings: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object. To manage configuration baseline deployments: Deploy Configuration Items, Modify Client Status Alert, Modify, Read, and Read Resource for the Collection object. To create and manage configuration baselines and configuration items: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report, and Set Security Scope permission for the Configuration Item object.
2464

Reporting point site system role must be installed and configured.

Specific security permissions must have been granted to manage compliance settings.

Dependency

More information

To run queries related to compliance settings: Read permission for the Query object. To view compliance settings information in the Configuration Manager console: Read permission for the Site object. To select software updates to be used in configuration baselines: Read permission for the Software Updates object. To view status messages for compliance settings: Read permission for the Status Messages object. For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only: To manage user data and profiles configuration items: Author Policy, Modify Report, Read and Run Report for the Settings for user data and profile management object.

The Compliance Settings Manager security role includes these permissions that are required to manage compliance settings in Configuration Manager. For more information, see the Configure RoleBased Administration section in the Configuring Security for Configuration Manager topic.

See Also
Planning for Compliance Settings in Configuration Manager

Configuring Compliance Settings in Configuration Manager

Before you can use compliance settings in System Center 2012 Configuration Manager, you must perform the following configuration steps.
2465

You can modify the default client settings, create new custom client settings, or modify existing custom client settings. Create or modify custom client settings when you want to apply a group of client settings to specific collections. For more information, see How to Configure Client Settings in Configuration Manager.

How to Enable Compliance Settings and Configure Client Settings

This procedure configures the default client settings for compliance settings and applies to all computers in your hierarchy. If you want these settings to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers for which you want to use compliance settings. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings. To enable compliance settings and configure client settings 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Compliance Settings. 6. Configure the following client settings for compliance settings.
Client setting name More information

Enable compliance evaluation on clients Schedule compliance evaluation

Set Enable compliance evaluation on clients to True if you want to evaluate compliance on client devices. Click Schedule if you want to modify the default compliance evaluation schedule on client devices.

7. Click OK to close the Default Settings dialog box. Client computers are configured with these settings the next time they download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

See Also
Compliance Settings in Configuration Manager
2466

Operations and Maintenance for Compliance Settings in Configuration Manager

Use the information in this section to find out more about operations and maintenance for compliance settings in System Center 2012 Configuration Manager.

In This Section
How to Create Windows Configuration Items for Compliance Settings in Configuration Manager How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager How to Create Mac Computer Configuration Items in Configuration Manager How to Create Configuration Baselines for Compliance Settings in Configuration Manager How to Create Child Configuration Items in Configuration Manager How to Deploy Configuration Baselines in Configuration Manager How to Manage Configuration Baselines for Compliance Settings in Configuration Manager How to Manage Configuration Items for Compliance Settings in Configuration Manager How to Monitor for Compliance Settings in Configuration Manager How to Import Configuration Data in Configuration Manager How to Create User Data and Profiles Configuration Items in Configuration Manager

See Also
Compliance Settings in Configuration Manager

How to Create Windows Configuration Items for Compliance Settings in Configuration Manager
Create configuration items in System Center 2012 Configuration Manager to define configurations that you want to manage and assess for compliance on devices. There are different types of configuration items: Application configuration item Used to determine compliance for an application. This can include whether the application is installed and details about its configuration. Operating system configuration item
2467

Used to determine compliance for settings that relate to the operating system and its configuration. Software updates configuration item Automatically created when you download software updates with Configuration Manager. You do not create or see these configuration items in the Compliance Settings node, but you can select them when you define configuration baselines. General configuration item Used to determine compliance for mobile devices. For more information about creating configuration items for mobile devices, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. Use one the following four different methods to create a configuration item in the Configuration Manager console.
Method Description More information

Create a new configuration item

Use the Create Configuration Item Wizard to create the configuration item. Use this method to create a configuration item when you want to configure all properties, or you have no existing configuration item from which you can create a duplicate or a child configuration item.

For more information about how to create a configuration item by using the wizard, see the steps and supplemental procedures in this topic. Note For more information about how to create mobile device configuration items, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information about how to create a child configuration item, see How to Create Child Configuration Items in Configuration Manager.

Create a child configuration Create a child configuration item item from the Configuration Items node. Use this method to create a configuration item when you want a configuration item that continues to inherit the properties of an existing configuration item, but refines them with more detailed

2468

Method

Description

More information

configuration. You cannot create child configuration items for mobile devices. Import Import configuration data from a file. Use this method to create configuration items when they have been defined outside the Configuration Manager hierarchy. For example, you created them in a test environment and now want to use them on the production network, or you want to import best practices from a Configuration Pack that vendors provided. Duplicate Create a duplicate configuration item from the Configuration Items node. Use this method to create a configuration item when you want an exact copy of an existing configuration item to use as your starting point, but you want to modify it to create an independent configuration item from the original. For more information, see How to Import Configuration Data in Configuration Manager.

To create a duplicate of a configuration item, select a configuration item in the Configuration Items node and then, on the Home tab, in the Configuration Item group, click Copy. Important When you create a duplicate configuration baseline or configuration item, the duplicate does not retain a relationship to the original configuration data. Therefore, if the original configuration data is upgraded, any revisions are not passed to the duplicate configuration baseline or configuration
2469

Method

Description

More information

item.

Warning Do not configure configuration items with identical settings that evaluate different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic. Use the following steps and the supplemental procedures for when you want to create a new configuration item for Windows-based computers.

Steps to Create a New Configuration Item for Client Computers

Use the following required steps to create a configuration item by using the Create Configuration Item Wizard.
Step Details More information

Step 1: Start the Create Configuration Item Wizard. Step 2: Provide general information about the configuration item. Step 3: Provide detection method information for the configuration item.

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Specify a Windows configuration item and a detection method if this configuration item assesses the compliance of an application. A detection method contains rules that detect whether an application is installed on a client device before it is assessed for compliance. Note Detection methods apply only to application configuration items (you have selected This configuration item contains application settings on the General page of the wizard).

See the Step 1: Start the Create Configuration Item Wizard section in this topic See Step 2: Provide General Information about the Configuration Item. See the Step 3: Provide Detection Method Information for the Configuration Item section in this topic.

2470

Step

Details

More information

Step 4: Configure settings for the configuration item.

A setting represents the business or technical conditions to be used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer.

See the Step 4: Configure Settings for the Configuration Item section in this topic.

Step 5: Configure compliance Compliance rules specify the rules for the configuration conditions that define the item. compliance of a configuration item. Some settings let you remediate values that are found to be noncompliant. You can also create new rules by browsing to existing settings in any configuration item and creating rules against them.

See the Step 5: Configure Compliance Rules for the Configuration Item section in this topic.

Step 6: Specify supported Supported platforms are the platforms for the configuration operating systems on which a item. configuration item is assessed for compliance.

See the Step 6: Specify Supported Platforms for the Configuration Item section in this topic.

Step 7: Complete the wizard.

Complete the wizard to create the new configuration item.

No additional information.

Supplemental Procedures to Create a New Configuration Item for Client Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Configuration Item Wizard

Use this procedure to start the Create Configuration Item Wizard.

2471

To start the Create Configuration Item Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item.

Step 2: Provide General Information about the Configuration Item

Use this procedure to provide general information about the configuration item. To provide general information about the configuration item 1. On the General page of the Create Configuration Item Wizard, specify the following information: Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.

2. In the Specify type of configuration item that you want to create list, select Windows. Note If you want to create a configuration item for a mobile device, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. 3. If this configuration item is used to assess the compliance of an application, and you want to use a detection method to detect whether the application is present, select This configuration item contains application settings.

Step 3: Provide Detection Method Information for the Configuration Item

Use this procedure to provide detection method information for the configuration item. Note Applies only if you selected This configuration item contains application settings on the General page of the wizard. A detection method in Configuration Manager contains rules that are used to detect whether an application is installed on a computer. This detection occurs before the configuration item is assessed for compliance. To detect whether an application is installed, you can detect the presence of a Windows Installer file for the application, use a custom script, or select Always
2472

assume application is installed to assess the configuration item for compliance regardless of whether the application is installed. Use these procedures to configure detection methods in System Center 2012 Configuration Manager. To detect an application installation by using the Windows Installer File 1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use Windows Installer detection check box. 2. Click Open, browse to the Windows Installer (.msi) file that you want to detect, and then click Open. 3. The Version box is automatically populated with the version number of the Windows Installer file that you selected. You can enter a new version number in this box if the displayed value is incorrect. 4. Select the This application is not installed for one or more users check box if you want to detect each user profile on the computer. To detect an application installation by using a custom script 1. On the Detection Methods page of the Create Configuration Item Wizard, select the Use a custom script to detect this application check box. 2. In the list, select the language of the script you want to open. Choose from the following scripts: VBScript JScript PowerShell

3. Click Open, browse to the script that you want to use, and then click Open.

Step 4: Configure Settings for the Configuration Item

Use this procedure to configure the settings in the configuration item. Settings represent the business or technical conditions that are used to assess compliance on client devices. You can configure a new setting or browse to an existing setting on a reference computer. To create a setting 1. On the Settings page of the Create Configuration Item Wizard, click New. 2. On the General tab of the Create Setting dialog box, provide the following information: Name: Enter a unique name for the setting. You can use a maximum of 256 characters. Description: Enter a description for the setting. You can use a maximum of 256 characters. Setting type: In the list, choose one of the following setting types to use for this
2473

setting:
Setting type More information

Active Directory query

Configure the following for this setting type: LDAP prefix - Specify a valid prefix to the Active Directory Domain Services query to assess compliance on client computers. You can use either LDAP:// for a or GC:// to perform a global catalog search.. Distinguished Name (DN) - Specify the distinguished name of the Active Directory Domain Services object that is assessed for compliance on client computers.

For example, if you want to evaluate a value related to a user named John Smith in the corp.contoso.com domain, enter the following: CN=John Smith, CN=Users, DC=corp, DC=Contoso, DC=com
Search filter - Specify an optional LDAP filter to refine the results from the Active Directory Domain Services query to assess compliance on client computers.

To return all results from the query, enter (objectclass=*).

Search scope - Specify the search scope in Active Directory Domain Services: Base - Queries only the object that is specified. One Level - This option is not used in this version of Configuration Manager. Subtree - Queries the object that is specified and its complete subtree in the
2474

directory. Property - Specify the property of the Active Directory Domain Services object that is used to assess compliance on client computers.

For example, if you want to query the Active Directory property badPwdCount, which stores the number of times a user incorrectly enters a password, enter badPwdCount in this field.
Query - Displays the query constructed from the entries in LDAP prefix, Distinguished name (DN), Search Filter (if specified), and Property, which are used to assess compliance on client computers.

For more information about constructing LDAP queries, see your Windows Server documentation. Assembly Configure the following for this setting type: Assembly name: Specifies the name of the assembly object that you want to search for. The name cannot be the same as other assembly objects of the same type and must be registered in the Global Assembly Cache. The assembly name can be up to 256 characters long. Note An assembly is a piece of code that can be shared between applications. Assemblies can have the file name extension .dll or .exe. The Global Assembly Cache is a folder named %systemroot%\Assembly on client computers where all shared assemblies are stored.
2475

File system

Configure the following for this setting type: Type In the list, select whether you want to search for a File or a Folder. Path - Specify the path of the specified file or folder on client computers. You can specify system environment variables and the %USERPROFILE% environment variable in the path. Note If you use the %USERPROFILE% environment variable in the Path or File or folder name boxes, all user profiles on the client computer are searched, which could result in multiple instances of the file or folder that is found. If compliance settings do not have access to the specified path, a discovery error is generated. Additionally, if the file you are searching for is currently in use, a discovery error is generated. File or folder name - Specify the name of the file or folder object to search for. You can specify system environment variables and the %USERPROFILE% environment variable in the file or folder name. You can also use the wildcards * and ? in the file name. Note If you specify a file or folder name and use wildcards, this combination might
2476

produce a high numbers of results and could result in high resource use on the client computer and high network traffic when reporting results to Configuration Manager. Include subfolders Enable this option if you also want to search any subfolders under the specified path. This file or folder is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients running a 64-bit version of Windows. Note If the same file or folder exists in both the 64-bit and 32-bit system file locations on the same 64-bit computer, multiple files are discovered by the global condition. The File system setting type does not support specifying a UNC path to a network share in the Path box. IIS metabase Configure the following for this setting type: Metabase path - Specify a valid path to the Internet Information Services (IIS) Metabase. Property ID - Specify the numeric property of the IIS Metabase setting.

Registry key

Configure the following for this setting type: Hive In the list, select the registry hive that you want to search in. Key - Specify the registry key name
2477

that you want to search for. Use the format key\subkey. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition. Registry value Configure the following for this setting type: Hive - In the list, select the registry hive that you want to search in. Key - Specify the registry key name that you want to search for. Use the format key\subkey. Value Specify the value that must be contained within the specified registry key. This registry key is associated with a 64-bit application - Specifies whether the 64-bit registry keys should be searched in addition to the 32-bit registry keys on clients that are running a 64-bit version of Windows. Note If the same registry key exists in both the 64-bit and 32-bit registry locations on the same 64-bit computer, both registry keys are discovered by the global condition.
2478

You can also click Browse to browse to a registry location on the computer or on a remote computer. To browse a remote computer, you must have administrator rights on the remote computer and the remote computer must be running the remote registry service. Script Configure the following for this setting type: Discovery script Click Add to enter, or browse to the script you want to use. You can use Windows PowerShell, VBScript, or Microsoft JScript scripts. Run scripts by using the logged on user credentials If you enable this option, the script runs on client computers that use the credentials of the logged-on users. Note The value returned by the script is used to assess the compliance of the global condition. For example, when using VBScript, you could use the command WScript.Echo Result to return the Result variable value to the global condition. SQL query Configure the following for this setting type: SQL Server instance Choose whether you want the SQL query to run on the default instance, all instances, or a specified database instance name. Note The instance name must refer to a local instance of SQL Server. To refer to a clustered SQL server
2479

instance, you should use a script setting. Database - Specify the name of the Microsoft SQL Server database against which you want to run the SQL query. Column - Specify the column name returned by the Transact-SQL statement that is used to assess the compliance of the global condition. Transact-SQL statement Specify the full SQL query you want to use for the global condition. You can also click Open to open an existing SQL query. Important SQL Query settings do not support any SQL commands that modify the database. You can only use SQL commands that read information from the database. WQL query Configure the following for this setting type: Namespace - Specify the Windows Management Instrumentation (WMI) namespace which is used to build a WQL query that is assessed for compliance on client computers. The default value is Root\cimv2. Class - Specifies the WMI class which is used to build a WQL query that is assessed for compliance on client computers. Property - Specifies the WMI property which is used to build a WQL query that is assessed for compliance on client computers. WQL query WHERE clause - You can use the WQL query WHERE clause item to specify a WHERE clause to be applied to the specified namespace, class, and property on
2480

client computers. XPath query Configure the following for this setting type: Path - Specify the path of the .xml file on client computers that is used to assess compliance. Configuration Manager supports the use of all Windows system environment variables and the %USERPROFILE% user variable in the path name. XML file name - Specify the file name containing the XML query that is used to assess compliance on client computers. Include subfolders - Enable this option if you also want to search any subfolders under the specified path. This file is associated with a 64-bit application - Choose whether the 64-bit system file location (%windir%\System32) should be searched in addition to the 32-bit system file location (%windir%\Syswow64) on Configuration Manager clients that are running a 64-bit version of Windows. XPath query - Specify a valid full XML path language (XPath) query that is used to assess compliance on client computers. Namespaces - Opens the XML Namespaces dialog box to identify namespaces and prefixes to be used during the XPath query. Important If you attempt to discover an encrypted .xml file, compliance settings find the file, but the XPath query produces no results, and no error is generated. Note
2481

If the XPath query is not valid, the setting is evaluated as noncompliant on client computers. Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. The Data type list is not displayed for all setting types. Note The Floating point data type supports only 3 digits after the decimal point. 3. Configure additional details about this setting under the Setting type list. The items you can configure vary depending on the setting type you have selected. Note When you create settings of the type File system, Registry key, and Registry value, you can click Browse to configure the setting from values on a reference computer. To browse to a registry key or value on a remote computer, the remote computer must have the Remote Registry service enabled. 4. Click OK to save the setting and close the Create Setting dialog box.

Step 5: Configure Compliance Rules for the Configuration Item

Use the following procedure to configure compliance rules for the configuration item. Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. WMI, registry, and script settings let you remediate values that are found to be noncompliant. You can create new rules or browse to an existing setting in any configuration item to select rules in it. To create a compliance rule 1. On the Compliance Rules page of the Create Configuration Item Wizard, click New. 2. In the Create Rule dialog box, provide the following information: Name: Enter a name for the compliance rule. Description: Enter a description for the compliance rule. Selected setting: Click Browse to open the Select Setting dialog box. Select the setting that you want to define a rule for, or click New Setting. When you are finished, click Select. Note You can also click Properties to view information about the currently selected setting. Rule type: Select the type of compliance rule that you want to use: Value Create a rule that compares the value returned by the configuration item
2482

against a value that you specify. Existential Create a rule that evaluates the setting depending on whether it exists on a client device or on the number of times it is found. The setting must comply with the following rule Select an operator and a value which is assessed for compliance with the selected setting. You can use the following operators: More information No additional information No additional information No additional information No additional information No additional information No additional information No additional information In the text box, specify one entry on each line. In the text box, specify one entry on each line. Remediate noncompliant rules when supported Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Configuration Manager can automatically remediate the following rule types: Registry value The registry value is remediated if it is noncompliant, and created if it does not exist. Script (by automatically running a remediation script). WQL Query Important You can only remediate noncompliant rules when the rule operator is set to Equals. Report noncompliance if this setting instance is not found The configuration item reports noncompliance if this setting is not found on client computers. Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports.
2483

For a rule type of Value, specify the following information:

Operator Equals Not equal to Greater than Less than Between Greater than or equal to Less than or equal to One of None of

Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

For a rule type of Existential, specify the following information: Note The options shown might vary depending on the setting type you are configuring a rule for. The setting must exist on client devices The setting must not exist on client devices The setting occurs the following number of times:

Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

3. Click OK to close the Create Rule dialog box.

Step 6: Specify Supported Platforms for the Configuration Item

Use the following procedure to specify the supported platforms for the configuration item. Supported platforms are the operating systems on which a configuration item is assessed for compliance. To specify supported platforms for the configuration item 1. On the Supported Platforms page of the Create Configuration Item Wizard, specify
2484

one of the following options: Select the versions of Windows that will assess this configuration item for compliance: In the list, select the Windows versions on which you want the configuration item to be assessed for compliance, or click Select all. Specify the version of Windows manually: Click Edit to open the Specify Windows Version Manually dialog box, and then provide the full version number of the version of Windows on which you want the configuration item to be assessed for compliance. Note You can use the winver.exe command at a Windows command prompt to display the full Windows version. 2. Click OK to close the Specify Windows Version Manually dialog box. Note This option is not displayed if you have selected the This configuration item contains application settings check box on the General page of the Wizard.

Step 7: Complete the Wizard

On the Summary page of the Wizard, review the actions that will be taken, and then complete the wizard. The new configuration item is displayed in the Configuration Items node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager
Use the following procedure to configure configuration items in System Center 2012 Configuration Manager to manage the settings on mobile devices that you enroll by using Configuration Manager or Windows Intune. The most typical mobile device settings to configure are email management, password, and roaming settings. However, there are many more settings that you can configure and define by using these three levels: The default settings group, from where you select typical settings to configure and select values in drop-down lists.

2485

Additional settings when the setting that you want to configure is not included in the default settings groups. To configure additional settings, select the Configure additional settings that are not in the default setting groups check box on the Mobile Device Settings page. Custom settings that you define yourself by using the OMA URI values. These settings are an equivalent to registry settings for computers. Consult your vendor documentation to help you define these settings and values. To create the custom settings, click Create Setting in the Browse Settings dialog box. Note Not all settings might be supported on all mobile operating systems and on all versions. Configuration Manager displays known compatibility issues for the settings that you configure in the default groups and the additional settings. However, consult your vendor documentation and test the settings and values before you deploy the settings in a production environment.

All mobile device settings can be remediated if they are out of compliance. Warning Do not configure configuration items for different values and assign them to the same devices. When devices evaluate configuration items that have conflicting values, the order in which they are evaluated is nondeterministic. To create a mobile device configuration item 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item. 4. On the General page of the Create Configuration Item Wizard, specify the following information, and then click Next: Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters. In the Specify type of configuration item that you want to create list, select Mobile device. Click Categories to assign optional categories to the configuration item to make it easier to search for and filter in the Configuration Manager console. For more information, see How to Manage Configuration Items for Compliance Settings in Configuration Manager.

5. On the Mobile Device Settings page, select the settings group to configure. If the setting that you want is not listed, select the Configure additional settings that are not in the default setting groups check box, and then click Next. 6. Configure the settings, and specify whether to remediate them if they are out of
2486

compliance. 7. Complete the wizard.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Mac Computer Configuration Items in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. You can use compliance settings in System Center 2012 Configuration Manager to monitor and remediate settings on Mac computers. The Mac OS X operating system uses property list (or plist) files to store application settings. Use compliance settings to evaluate and remediate the compliance of settings that are stored in a property list file. You can also manage Mac OS X settings by writing a Shell Script that returns a value that you can evaluate and remediate for compliance. Important Configuration Manager does not support the deployment of configuration baselines for Mac computers to users. Use the following required steps to create a configuration item for Mac computers by using the Create Configuration Item Wizard.
Step Details More information

Step 1: Start the Create Configuration Item Wizard Step 2: Provide General Information about the Configuration Item Step 3: Specify Supported Platforms for the Configuration Item

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Specify that you want to create a Mac OS X configuration item and provide general information. Supported platforms are the operating systems on which a configuration item is assessed for compliance.

See Step 1: Start the Create Configuration Item Wizard in this section. See Step 2: Provide General Information about the Configuration Item in this section. See Step 3: Specify Supported Platforms for the Configuration Item in this section.

2487

Step

Details

More information

Step 4: Configure Settings for the Configuration Item

A setting represents the business or technical conditions to be used to assess compliance on client devices. Compliance rules specify the conditions that define the compliance of a configuration item. Complete the wizard to create the new configuration item. The configuration item is displayed in the Configuration Items node of the Assets and Compliance workspace. Use the Create Configuration Baseline dialog box to add configuration items to a configuration baseline that you can then deploy to Mac computers. Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which includes adding or removing configuration baselines from deployments in addition to specifying the evaluation schedule. Note If you want to build a collection containing only Mac computers, create a collection that uses a query rule and use the example WQL query in the Example WQL Queries section in the topic How to Create Queries in Configuration

See Step 4: Configure Settings for the Configuration Item in this section. See Step 5: Configure Compliance Rules for the Configuration Item in this section. No additional information.

Step 5: Configure Compliance Rules for the Configuration Item Step 6: Complete the wizard

Step 7: Add the configuration item to a configuration baseline

See the topic How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

Step 8: Deploy the configuration baseline to Mac computers

See the topic How to Deploy Configuration Baselines in Configuration Manager.

2488

Step

Details

More information

Manager. Step 9: Monitor the configuration baseline for compliance You can monitor the compliance of configuration baselines for Mac computers from the Configuration Manager console, by using reports, or by creating collections based on configuration baseline compliance. See the topic How to Monitor for Compliance Settings in Configuration Manager.

Supplemental Procedures to Create a New Configuration Item for Client Computers

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Configuration Item Wizard

Use this procedure to start the Create Configuration Item Wizard. To start the Create Configuration Item Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. On the Home tab, in the Create group, click Create Configuration Item.

Step 2: Provide General Information about the Configuration Item

Use this procedure to provide general information about the configuration item. To provide general information about the configuration item 1. On the General page of the Create Configuration Item Wizard, specify the following information: Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 500 characters.

2. In the Specify the type of configuration item that you want to create list, select Mac
2489

OS X.

Step 3: Specify Supported Platforms for the Configuration Item

On the Supported Platforms page of the Create Configuration Item Wizard, select the Mac operating systems on which the configuration item will be assessed for compliance, or click Select all.

Step 4: Configure Settings for the Configuration Item

Use this procedure to configure the settings in the configuration item. To create a setting 1. On the Settings page of the Create Configuration Item Wizard, click New. 2. On the General tab of the Create Setting dialog box, provide the following information: Name: Enter a unique name for the setting. You can use a maximum of 256 characters. Description: Enter a description for the setting. You can use a maximum of 1000 characters. Setting type: In the list, choose one of the following setting types to use for this setting:
Setting type More information

Mac OS X Preferences

Configure the following for this setting type: Application ID Specify the application ID of the property list file from which you want to evaluate a key for compliance.

For example, if you want to edit settings for the Safari Web browser, you might use com.apple.Safari.plist.
Key Specify the name of the key that you want to evaluate for compliance on Mac computers. Use the following syntax: /<dictionary>/<keyname>. Important The key name is case sensitive and will not be evaluated if it
2490

differs from the key name on the Mac computer. Additionally, you cannot edit the key name once you have specified it. If you need to edit the key name, delete and then recreate the setting. Script Configure the following for this setting type: Discovery Script Click Add Script, and then enter a shell script to assess settings on the Mac computer for compliance. Use the echo command in the shell script to return values to Configuration Manager for compliance. Configuration Manager uses the results returned in STDOUT to evaluate compliance. Important Do not include the reboot command in the discovery script. Because the discovery script runs each time the client restarts, this will cause the Mac computer to continually restart. Remediation script (optional) Optionally, click Add Script and then enter a shell script that is used to remediate any noncompliance settings found on Mac client computers. Warning To ensure that you do not introduce formatting characters that the Mac computer cannot interpret, do not use copy and paste
2491

but type in the script. Data type: In the list, choose the format in which the condition returns the data before it is used to assess the setting. Note The Floating point data type supports only 3 digits after the decimal point. Configuration Manager does not support using the Boolean data type for Mac configuration item script settings. Instead, set the data type to Integer and ensure that the script returns an integer value. 3. Click OK to save the setting and close the Create Setting dialog box.

Step 5: Configure Compliance Rules for the Configuration Item

Use the following procedure to configure compliance rules for the configuration item. Compliance rules specify the conditions that define the compliance of a configuration item. Before a setting can be evaluated for compliance, it must have at least one compliance rule. To create a compliance rule 1. On the Compliance Rules page of the Create Configuration Item Wizard, click New. 2. In the Create Rule dialog box, provide the following information: Name: Enter a name for the compliance rule. Description: Enter a description for the compliance rule. Selected setting: Click Browse to open the Select Setting dialog box. Select the setting that you want to define a rule for, or click New Setting. When you are finished, click Select. Note You can also click Properties to view information about the currently selected setting. Rule type: Select the type of compliance rule that you want to use: Value Create a rule that compares the value returned by the configuration item against a value that you specify. Existential Create a rule that evaluates the setting depending on whether it exists on a client. The setting must comply with the following rule Select an operator and a value which is assessed for compliance with the selected setting. You can use the following operators: More information

For a rule type of Value, specify the following information:

Operator

2492

Equals Not equal to Greater than Less than Between Greater than or equal to Less than or equal to One of None of

No additional information No additional information No additional information No additional information No additional information No additional information No additional information In the text box, specify one entry on each line. In the text box, specify one entry on each line. Remediate noncompliant rules when supported Select this option if you want Configuration Manager to automatically remediate noncompliant rules. Important You can only remediate noncompliant rules when the rule operator is set to Equals.

Report noncompliance if this setting instance is not found The configuration item reports noncompliance if this setting is not found on client computers. Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

For a rule type of Existential, specify the following information: Note The options shown might vary depending on the setting type you are configuring a rule for. The setting must exist on client devices The setting must not exist on client devices
2493

Noncompliance severity for reports: Specify the severity level that is reported if this compliance rule fails. The available severity levels are the following: None Computers that fail this compliance rule do not report a failure severity for Configuration Manager reports. Information Computers that fail this compliance rule report a failure severity of Information for Configuration Manager reports. Warning Computers that fail this compliance rule report a failure severity of Warning for Configuration Manager reports. Critical Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. Critical with event Computers that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also be logged as a Windows event in the application event log.

3. Click OK to close the Create Rule dialog box.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Configuration Baselines for Compliance Settings in Configuration Manager

Configuration baselines in System Center 2012 Configuration Manager contain predefined configuration items and optionally, other configuration baselines. After a configuration baseline is created, you can deploy it to a collection so that devices in that collection download the configuration baseline and assess their compliance with it. Configuration baselines in Configuration Manager can contain specific revisions of configuration items or can be configured to always use the latest version of a configuration item. For more information about configuration item revisions, see How to Manage Configuration Items for Compliance Settings in Configuration Manager. There are two methods that you can use to create configuration baselines in Configuration Manager: Import configuration data from a file. To start the Import Configuration Data Wizard, in the Configuration Items or Configuration Baselines node in the Assets and Compliance workspace, click Import Configuration Data. Use the Create Configuration Baseline dialog box to create a new configuration baseline.

Use the following procedure to create a configuration baseline by using the Create Configuration Baseline dialog box.
2494

To create a configuration baseline 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. On the Home tab, in the Create group, click Create Configuration Baseline. 4. In the Create Configuration Baseline dialog box, enter a unique name and a description for the configuration baseline. You can use a maximum of 255 characters for the name and 512 characters for the description. 5. The Configuration data list displays all configuration items or configuration baselines that are included in this configuration baseline. Click Add to add a new configuration item or configuration baseline to the list. You can choose from the following: Configuration Items Software Updates Configuration Baselines

6. Use the Change Purpose list to specify the behavior of a configuration item that you have selected in the Configuration data list. You can select from the following: Required The configuration baseline is evaluated as noncompliant if the configuration item is not detected on a client device. If it is detected, it is evaluated for compliance Optional The configuration item is only evaluated for compliance if the application it references is found on client computers. If the application is not found, the configuration baseline is not marked as noncompliant (only applicable to application configuration items). Prohibited The configuration baseline is evaluated as noncompliant if the configuration item is detected on client computers (only applicable to application configuration items). Note The Change Purpose list is available only if you clicked the option This configuration item contains application settings on the General page of the Create Configuration Item Wizard. 7. Use the Change Revision list to select a specific or the latest revision of the configuration item to assess for compliance on client devices or select Always Use Latest to always use the latest revision. For more information about configuration item revisions, see How to Manage Configuration Items for Compliance Settings in Configuration Manager. 8. If you want to remove a configuration item from the configuration baseline, select a configuration item, and then click Remove. 9. Click OK to close the Create Configuration Baseline dialog box and to create the configuration baseline.

2495

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create Child Configuration Items in Configuration Manager

Child configuration items in System Center 2012 Configuration Manager are copies of configuration items that retain a relationship to the original configuration item; therefore, they inherit the original configuration from the parent configuration item. When you view the properties of a child configuration item in the Configuration Manager console, you can view, but not edit the inherited objects and settings with their validation criteria. However, you can add and then edit additional validation criteria to the child configuration item, and you can also add new objects and settings to the child configuration item. Therefore, the usual purpose for creating and editing a child configuration item is that it refines the original configuration item to meet your business requirements. Note You cannot create a child configuration item from a mobile device configuration item.

To create a child configuration item

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Items. 3. In the Configuration Items list, select the configuration item for which you want to create a child configuration item, and then in the Home tab, in the Configuration Item group, click Create Child Configuration Item. 4. On the General page of the Create Child Configuration Item Wizard, you can choose a specific revision of the parent configuration item to use to create the child. Other steps in this wizard are identical to those you would use to create a standard configuration item. For more information, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager. 5. Complete the wizard. The new child configuration item displays in the Configuration Items list.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager
2496

How to Deploy Configuration Baselines in Configuration Manager

Configuration baselines in System Center 2012 Configuration Manager must be deployed to one or more collections of users or devices before client devices in those collections can assess their compliance with the configuration baseline. Use the Deploy Configuration Baselines dialog box to define configuration baseline deployments, which includes adding or removing configuration baselines from deployments in addition to specifying the evaluation schedule. To deploy a configuration baseline 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. In the Configuration Baselines list, select the configuration baseline that you want to deploy, and then in the Home tab, in the Deployment group, click Deploy. 4. In the Deploy Configuration Baselines dialog box, select the configuration baselines that you want to deploy in the Available configuration baselines list. Click Add to add these to the Selected configuration baselines list. Important If you change a configuration item that has been added to a deployed configuration baseline, the revised configuration item is not evaluated for compliance until its next scheduled evaluation time. 5. Specify the following additional information: Remediate noncompliant rules when supported Enable this option to automatically remediate any rules that are noncompliant for Windows Management Instrumentation (WMI), the registry, scripts, and all settings for mobile devices that are enrolled by Configuration Manager. Allow remediation outside the maintenance window If a maintenance window has been configured for the collection to which you are deploying the configuration baseline, enable this option to let compliance settings remediate the value outside of the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager.

6. Generate an alert Enable this option to configure an alert that is generated if the configuration baseline compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. 7. Collection: Click Browse to select the collection where you want to deploy the configuration baseline. 8. Specify the compliance evaluation schedule for this configuration baseline: Specifies the schedule by which the deployed configuration baseline is evaluated on
2497

client computers. This can be either a simple or a custom schedule. Note If the configuration baseline is deployed to a computer, it is evaluated for compliance within two hours of the start time that you schedule. If it is deployed to a user, it is evaluated for compliance when the user logs on. 9. Click OK to close the Deploy Configuration Baselines dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Manage Configuration Baselines for Compliance Settings in Configuration Manager

Use the information in this topic to help you manage configuration baselines in System Center 2012 Configuration Manager. For information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

To manage configuration baselines

In the Assets and Compliance workspace, expand Compliance Settings, select Configuration Baselines, select the configuration baseline to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Show Members

Displays all of the configuration items that are referenced by the configuration baseline.

No additional information.

Schedule Summarization

Configures the schedule by which No additional information. the data shown in the Configuration Baselines node in the Configuration Manager
2498

Management task

Details

More information

console is updated with the latest information from the site database. Run Summarization Summarization causes the data in No additional information. the Configuration Baselines node to be refreshed with the latest data from the site database. This action might take several minutes to complete. You might have to click Refresh before you can see the latest data in the console. Displays the XML definition file for No additional information. the selected configuration baseline in a new window. This information can be useful when you want to author configuration data manually. Enables a configuration baseline for compliance monitoring. Disables a configuration baseline so it is no longer evaluated for compliance on client computers. Configuration baselines that reference this configuration baseline will also be disabled. Exports a configuration baseline in a cabinet (.cab) file format, providing that it was created at that site. You can then import it to the same or a different System Center 2012 Configuration Manager site. Configuration data is converted to DCM Digest. For information about how to import configuration data, see How to Import Configuration Data in Configuration Manager.
2499

View XML Definition

Enable Disable

No additional information. No additional information.

Export

No additional information.

Management task

Details

More information

Copy

Creates a copy of the selected configuration baseline with a name that you specify. The new configuration baseline does not retain any relationship to the original configuration baseline. Opens the Delete Configuration Baseline dialog box where you can review any references to this configuration baseline. Important You must remove all references to a configuration baseline before you can delete the configuration baseline.

No additional information.

Delete

No additional information.

Deploy

Opens the Deploy Configuration How to Deploy Configuration Baseline dialog box where you Baselines in Configuration can deploy one or more Manager configuration baselines to devices in your hierarchy.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Manage Configuration Items for Compliance Settings in Configuration Manager

Use the information in this topic to help you manage configuration items in System Center 2012 Configuration Manager. For information about how to create configuration items, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager and How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager.

2500

To manage configuration items

In the Assets and Compliance workspace, expand Compliance Settings, select Configuration Items, select the configuration item to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.
Management task Details More information

Create Child Configuration Item

Opens the Create Child Configuration Item Wizard where you can create a child configuration item from the selected configuration item. Note You cannot create a child configuration item from a mobile device configuration item.

How to Create Child Configuration Items in Configuration Manager

Revision History

Opens the Configuration Item Revision History dialog box where you can view and manage previous revisions of the selected configuration item. Displays the XML definition file for the selected configuration item in a new window. This information can be useful when you want to author configuration data manually.

No additional information.

View XML Definition

No additional information.

Export

Exports a configuration item in a No additional information. cabinet (.cab) file format, providing that it was created at that site. You can then import it to the same or a different Configuration Manager site. Configuration data is converted to DCM Digest. Creates a copy of the selected configuration item with a name No additional information.

Copy

2501

Management task

Details

More information

you specify. The new configuration item does not retain any relationship to the original configuration item. This means that the duplicate configuration item does not continue to inherit configuration information from the original configuration item. Delete Opens the Delete Configuration Item dialog box where you can review any references to this configuration item. Important You must remove all references to a configuration item before you can delete the configuration item. No additional information.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Monitor for Compliance Settings in Configuration Manager

After you have deployed System Center 2012 Configuration Manager configuration baselines to computers in your hierarchy, you can use one or more of the following procedures to display the compliance status of the configuration baseline: How to View Compliance Results in the Configuration Manager Console How to View Compliance Results by Using Reports How to View Compliance Results on a Configuration Manager Client How to Create Collections Based on Configuration Baseline Compliance Note The validation criteria fields in compliance settings reports (the equivalent on the clientside report is Constraints) display the underlying Service Modeling Language (SML).
2502

This can make it difficult for administrators who have authored the configuration item in the Configuration Manager console to understand what the validation criteria is if they do not have knowledge of SML. In this case, use the Monitoring workspace in the Configuration Manager console to view the properties of the configuration item and its validation criteria.

How to View Compliance Results in the Configuration Manager Console

Use this procedure to view details about the compliance of deployed configuration baselines in the Configuration Manager console. To view compliance results in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. In the Deployments list, select the configuration baseline deployment for which you want to review compliance information. 4. You can review summary information about the compliance of the configuration baseline deployment on the main page. To view more detailed information, select the configuration baseline deployment, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page. The Deployment Status page contains the following tabs: Compliant: Displays the compliance of the configuration baseline based on the number of assets affected. You can click a rule to create a temporary node under the Users or Devices node that are in the Assets and Compliance workspace, which contains all users or devices that are compliant with this rule. The Asset Details pane displays the users or devices that are compliant with the configuration baseline. Double-click a user or device in the list to display additional information. Important A configuration item rule is not evaluated if it is not detected or not applicable on a client computer; however, the rule is returned as compliant. Error: Displays a list of all errors for the selected configuration baseline deployment based on number of assets affected. You can click a rule to create a temporary node under the Users or Devices node of the Assets and Compliance workspace, which contains all users or devices that generated errors with this rule. When you select a user or device, the Asset Details pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display additional information about the issue. Non-Compliant: Displays a list of all noncompliant rules within the configuration baseline based on number of assets affected. You can click a rule to create a temporary node under the Users or Devices node of the Assets and Compliance workspace, which contains all users or devices that are not compliant with this rule.
2503

When you select a user or device, the Asset Details pane displays the users or devices that are affected by the selected issue. Double-click a user or device in the list to display further information about the issue. Unknown: Displays a list of all users and devices that did not report compliance for the selected configuration baseline deployment together with the current client status of devices.

5. On the Deployment Status page, you can review detailed information about the compliance of the deployed configuration baseline. A temporary node is created under the Deployments node that helps you find this information again quickly.

How to View Compliance Results by Using Reports

Compliance settings in Configuration Manager includes a number of built-in reports that let you monitor information about configuration items, configuration baselines, and deployments. These reports have the report category of Compliance and Settings Management. Important You must use a wildcard (%) character when you use the parameters Device filter and User filter in the compliance settings reports. For more information about how to configure Reporting in Configuration Manager, see Reporting in Configuration Manager

How to View Compliance Results on a Configuration Manager Client

Use this procedure to view details about the compliance of deployed configuration baselines on the Configuration Manager client. Note You cannot view information on the Configuration Manager client if you are logged on with a domain Guest account. To view compliance results on a Configuration Manager client 1. Navigate to Configuration Manager in Control Panel of the client computer, and doubleclick it to open its properties. 2. Click the Configurations tab, and view the list of deployed configuration baselines. 3. View the Compliance State for each configuration baseline: Important The evaluation results are cached on the client for 15 minutes. If you initiate a reevaluation within the 15 minute period, the compliance results are returned from
2504

this cache rather than a new evaluation. Therefore, if you make a change on the client that might affect the compliance evaluation results, wait until the 15 minutes have elapsed before initiating a re-evaluation. Compliant: The client computer is in compliance with the evaluated configuration baseline. Non-Compliant: The client computer is out of compliance with the evaluated configuration baseline. Unknown: The client computer has not yet evaluated the configuration baseline. If you want to initiate evaluation outside the compliance evaluation schedule, select the configuration baselines to evaluate, and then click Evaluate. Note If you have local administrator credentials on the client computer, you can view details of each evaluated configuration baseline to determine which configuration item is reporting a noncompliant status. To do this, select the configuration baseline, and then click View Report. 4. Click OK.

How to Create Collections Based on Configuration Baseline Compliance

Use the following procedure to create a Configuration Manager collection based on devices with a specified compliance. You can create collections based on the following compliance states: Compliant Error Non-compliant Unknown To create a collection based on compliance state 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Configuration Baselines. 3. In the Configuration Baselines list, select the configuration baseline from which you want to create a collection. 4. In the Deployment tab, in the Deployment Group, click Create New Collection and then, in the drop-down list, select the compliance level for which you want to create a collection. 5. The Create User Collection Wizard or the Create Device Collection Wizard opens, depending on whether the configuration item is deployed to users or devices. The wizard is automatically populated with the correct values to create the collection; however, you can edit these values.
2505

6. After you complete the wizard, the collection displays in the User Collections or the Device Collections node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Import Configuration Data in Configuration Manager

In addition to creating configuration baselines and configuration items in the System Center 2012 Configuration Manager console, you can import configuration data if it is contained in a cabinet (.cab) file format and adheres to the supported SML schema. You can import configuration data from the following sources: Best practice configuration data (Configuration Packs) that has been downloaded from Microsoft or from other software vendor sites. Configuration data that has been exported from System Center 2012 Configuration Manager. Configuration data that was externally authored and that conforms to the Service Modeling Language (SML) schema.

For an example Configuration Pack that helps you manage compliance for System Center 2012 Configuration Manager site server roles, see System Center 2012 Configuration Manager Configuration Pack.

How to Import Configuration Data

When you import a configuration baseline, some or all of the configuration items that are referenced in the configuration baseline might also be included in the cabinet file. During the import process, Configuration Manager verifies that all of the configuration items that are referenced in the configuration baseline are either also included in the cabinet file or already exist in the Configuration Manager site. The import process fails if you attempt to import a configuration baseline that references configuration data that Configuration Manager cannot locate. Other scenarios where the import process might fail include the following: The configuration data references configuration data that Configuration Manager cannot locate, either in its database or in the cabinet file itself. The configuration data is already present in the Configuration Manager database with the same name and configuration data version, but the content version differs. The configuration data is already present in the Configuration Manager database with the same content version, but the hash calculation identifies it as being different. A newer version of the configuration data with same name is already present or has recently been deleted in the Configuration Manager database.
2506

In a multi-site Configuration Manager hierarchy, the configuration data was originally imported from a parent site. You must update it from the same site and not a child site.

Use the following procedure to import configuration data in Configuration Manager. To import configuration data 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Configuration Items or Configuration Baselines, and then in the Home tab, in the Create group, click Import Configuration Data. 3. On the Select Files page of the Import Configuration Data Wizard, click Add, and then in the Open dialog box, select the .cab files you want to import. 4. Select the Create a new copy of the imported configuration baselines and configuration items check box if you want the imported configuration data to be editable in the Configuration Manager console. 5. On the Summary page of the wizard, review the actions that will be taken, and then complete the wizard. The imported configuration data displays in the Compliance Settings node in the Assets and Compliance workspace.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

How to Create User Data and Profiles Configuration Items in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. User data and profiles configuration items in Microsoft System Center 2012 Configuration Manager contain settings that can manage folder redirection, offline files and roaming profiles on computers that run Windows 8 for users in your hierarchy. For example, you can: Redirect a users Documents folder to a network share. Ensure that specified files stored on the network are available on a users computer when the network connection is unavailable. Configure which files in a users roaming profile are synchronized with a network share when the user logs on and off.

2507

Unlike other configuration items in Configuration Manager, you do not add user data and profile configuration items to a configuration baseline which you then deploy. Instead, you deploy the configuration item directly by using the Deploy User Data and Profiles Configuration Item dialog box. Important You can only deploy user data and profiles configuration items to user collections.

How to Enable User Data and Profiles for Compliance Settings

Use the following procedure to configure the default client setting for user data and profiles compliance settings which will apply to all computers in your hierarchy. If you want this setting to apply to only some computers, create a custom device client setting and assign it to a collection that contains the computers for which you want to use user data and profiles compliance settings. For more information about how to create custom device settings, see How to Create and Assign Custom Client Settings.

1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, click Client Settings. 3. Click Default Settings. 4. On the Home tab, in the Properties group, click Properties. 5. In the Default Settings dialog box, click Compliance Settings. 6. From the Enable User Data and Profiles drop-down list, select Yes. 7. Click OK to close the Default Settings dialog box.

How to Create a User Data and Profiles Configuration Item

Use the following procedure to create a user data and profiles configuration item in Configuration Manager.

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click User Data and Profiles. 3. On the Home tab, in the Create group, click Create User Data and Profiles Configuration Item. 4. On the General page of the Create User Data and Profiles Configuration Item Wizard, specify the following information:
2508

Name: Enter a unique name for the configuration item. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the configuration item and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters. Folder redirection Check this box if you want to configure settings for folder redirection for this configuration item. Offline files Check this box if you want to configure settings for offline files for this configuration item. Roaming user profiles Check this box if you want to configure settings for roaming user profiles for this configuration item.

5. To continue, click Next. 6. On the Folder Redirection page of the Create User Data and Profiles Configuration Item Wizard, specify how you want the client computers of users that receive this configuration item to manage folder redirection. You can configure settings for any device the user logs onto or for only the users primary devices. For more information about folder redirection, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Folder redirection on the General page of the wizard. 7. To continue, click Next. 8. On the Offline Files page of the Create User Data and Profiles Configuration Item Wizard, you can enable or disable the use of offline files for users that receive this configuration item and configure settings for the behavior of the offline files. You can also specify offline files that will always be available on any computer that the user logs on to. For more information about offline files, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Offline files on the General page of the wizard. 9. To continue, click Next. 10. On the Roaming Profiles page of the Create User Data and Profiles Configuration Item Wizard, you can configure whether roaming profiles are available on computers that the user logs onto and also configure further information about how these profiles behave. For more information about roaming profiles, see your Windows Server documentation. Note This page of the Wizard appears only if you checked the box Roaming user profiles on the General page of the wizard. 11. To continue, click Next. 12. On the Summary page of the wizard, review the actions that will be taken and then click Next to create the configuration item.
2509

13. Complete the wizard. The new user data and profiles configuration item is shown in the User Data and Profiles node of the Assets and Compliance workspace.

How to Deploy a User Data and Profiles Configuration Item

Use the following procedure to deploy a user data and profiles configuration item in Configuration Manager. Unlike other configuration items in Configuration Manager, you do not add user data and profile configuration items to a configuration baseline which you then deploy. Instead, you deploy the configuration item directly by using the Deploy User Data and Profiles Configuration Item dialog box.

1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click User Data and Profiles. 3. Select the user data and profiles configuration item you want to deploy and then, in the Home tab, in the Deployment group, click Deploy. 4. In the Deploy User Data and Profiles Configuration Item dialog box, specify the following information. Collection: Click Browse to select the user collection where you want to deploy the configuration item. Important You can only deploy user data and profiles configuration items to user collections. Remediate noncompliant rules when supported Enable this option to automatically remediate any rules that are evaluated as noncompliant on client computers. Allow remediation outside the maintenance window If a maintenance window has been configured for the collection to which you are deploying the configuration item, enable this option to let compliance settings remediate the value outside of the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Generate an alert Enable this option to configure an alert that is generated if the configuration item compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. Specify the compliance evaluation schedule for this configuration item: Specifies the schedule by which the deployed configuration item is evaluated on client computers. This can be either a simple or a custom schedule.
2510

5. Click OK to close the Deploy User Data and Profiles Configuration Item dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

Compliance Settings for Mobile Devices in Configuration Manager

Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. You can configure compliance settings for mobile devices that are enrolled by the Windows Intune connector.

Applying Compliance Settings by Using the Windows Intune Connector

Create configuration items to define configurations that you want to manage and assess for compliance on mobile devices. The steps you have to take to manage compliance settings are as follows.
Step Description

Step 1: Create a configuration item for mobile devices.

To create configuration items for mobile devices that you enroll by using the Windows Intune connector, see How to Create Mobile Device Configuration Items for Compliance Settings in Configuration Manager. For more information about how to create the configuration baseline, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. After a configuration baseline is created, you can apply it to a user or device collection. If you apply the settings to a user collection, the compliance settings are applied to all the
2511

Step 2: Create a configuration baseline.

Step 3: Deploy the configuration baseline.

Step

Description

enrolled devices for those users. For more information, see How to Deploy Configuration Baselines in Configuration Manager.

Compliance Settings for System Center 2012 R2 Configuration Manager

The following table lists the compliance settings available to Windows 8.1, Windows Phone 8, Windows RT, Android, and iOS devices. The Exchange connector settings are also listed but do not necessarily apply to all mobile devices, for information on what devices the exchange connector settings apply to, see the Exchange ActiveSync Client Comparison Table. Note If a setting exists and is not on this list, then that setting is not supported by any platform. Note If an iOS device is modified or an Android device is rooted, you can detect this through the query, All jailbroken or rooted devices, or through the report, Jailbroken or rooted devices. Note The System Security settings, Network Firewall, Virus Protection, and Virus Protection signatures are up-to-date cannot be disabled. Note Disabling or enabling the Voice roaming or Data roaming settings does not affect the carrier setting. These settings will only affect the device to which the policy is applied. Note This table lists the compliance settings available for mobile devices, it is not a feature list, for information on management capabilities, see: Introduction to Wi-Fi Profiles in Configuration Manager Introduction to Certificate Profiles in Configuration Manager Introduction to VPN Profiles in Configuration Manager Wiping Company Content from Mobile Devices How to Create and Deploy Applications for Mobile Devices in Configuration Manager How to Configure Hardware Inventory for Mobile Devices Enrolled by Windows Intune and Configuration Manager Introduction to Software Inventory in Configuration Manager

2512

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

Browser Browser Browser Browser Browser Browser Browser Cloud Cloud

Default browser Autofill Plug-ins Active scripting Pop-ups

No No No No No

No No No No No No No No No

No Yes Yes Yes Yes Yes No No No

Yes Yes No Yes Yes Yes Yes Yes Yes

No No No No No No No No No

Yes No No No No No No No No

Fraud warning No Cookies Encrypted backup No No

Document No synchronizatio n Photo No synchronizatio n Cloud backup No

Cloud

No

No

Yes

No

No

Cloud Cloud

No No

No Yes (GET only) Yes (GET only) Yes (GET

Yes No

No No

No No

Settings No synchronizatio n Credentials No synchronizatio n Synchronizati on over No

Cloud

No

No

No

No

Cloud

No

No

No

No

2513

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

metered connection Content Rating Content Rating Content Rating Content Rating Content Rating Device Device Device Adult Content in media store Ratings Region Movie Rating TV Show Rating App Rating Voice Dialing Voice Assistant Voice Assistant while Locked Screen Capture Video Conferencing Game Center Add Game Center friends Multiplayer No No No No No No No No No No No No No No No No

only) No No No No No No No No Yes Yes Yes Yes Yes Yes Yes Yes No No No No No No No No No No No No No No No No

Device Device Device Device Device

No No No No No

No No No No No

No No No No No

Yes Yes Yes Yes Yes

No No No No No

No No No No No
2514

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

Gaming Device Personal wallet software While Locked Diagnostic data Submission File encryption on mobile device Go to intranet site for single word entry Always send Do Not Track header Intranet security zone Security level for internet zone Security level for intranet zone Security level for trusted sites zone No No No Yes No No

Device

No

No

Yes

Yes

No

No

Encryptio n Internet Explorer Internet Explorer Internet Explorer Internet Explorer Internet Explorer Internet Explorer

Yes

No

Yes (Get only) Yes

No

Yes, for Android 4 No

Yes

No

No

No

No

No

No

Yes

No

No

No

No No

No No

Yes Yes (GET only) Yes (GET only) Yes (GET only)

No No

No No

No No

No

No

No

No

No

No

No

No

No

No

2515

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

Internet Explorer Internet Explorer

Security level for restricted sites zone Namespace exists for browser security zone Require password settings on mobile devices Password complexity Idle time before mobile device is locked (minutes) Minimum password length (characters)

No

No

Yes (GET only) Yes

No

No

No

No

No

No

No

No

Passwor d

Yes

No

No

Yes

Yes, for Android 4

Yes

Passwor d Passwor d

Yes Yes

Yes Yes

Yes Yes

Yes Yes

No Yes, for Android 4

Yes Yes

Passwor d

Yes

Yes. Password length cannot be less than six characters . Yes

Yes

Yes

Yes, for Android 4

Yes

Passwor d

Number of passwords

Yes

Yes

Yes

Yes, for Android

Yes

2516

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

remembered Passwor d Passwor d Password expiration in days Number of failed logon attempts before device is wiped Minimum complex characters Allow simple password Allow convenience logon Maximum grace period Password Quality Allow Voice Roaming Allow Global Background Fetch When Roaming Yes Yes Yes Yes

4 Yes, for Android 4 Yes, for Android 4 Yes

Yes

Yes

Yes

Yes

Yes

Passwor d Passwor d Passwor d Passwor d Passwor d Roaming Roaming

Yes

Yes

Yes

Yes

No

Yes

Yes No

No Yes

No Yes

Yes No

No No

Yes Yes

No No

No No

No No

Yes No

No Yes, for Android 4 No No

No No

No No

No No

No No

Yes Yes

No No

2517

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

Roaming Security Security

Allow Data Roaming Removable storage Camera

No Yes No

No No No

Yes No No

Yes No Yes

No No Yes, for Android 4.1 No

No Yes Yes

Security

Bluetooth

No

No

Yes (GET only) No No No

No

Yes

Security Store Store

Allow app installation Application Store Force Application Store Password

No No No

No No No

Yes Yes Yes, this settin g applie s to iTune s only Yes Yes

No No No

No No No

Store System Security System

In App Purchases

No

No No

No No

No No

No No

User to accept No untrusted TLS certificates User Access No

No

Yes

No

No

No
2518

Device Setting Group

Settings

Windows Phone 8

Windows R Window T s 8.1 and Window s RT 8.1 (enrolle d by Window s Intune)

iOS

Android (for devices with the Android compan y portal app installe d)

Exchange Connecto r (these settings do not necessaril y apply to all mobile devices)

Security System Security System Security System Security System Security

Control Network Firewall Updates Virus Protection Virus Protection signatures are up-to-date SmartScreen Work Folders URL No No Yes (GET only) Yes Yes (GET only) Yes (GET only) Yes Yes No No No

No No

No No

No No

No No

No No

No

No

No

No

No

System Security Windows Server Work Folders Windows Server Work Folders

No No

No No

No No

No No

No No

Force automatic setup

No

No

Yes

No

No

No

Compliance settings available through the iOS 7 Security Settings Extension

With System Center 2012 R2 Configuration Manager, the optional iOS 7 Security Settings extension introduces new security settings to manage iOS devices using Windows Intune and is
2519

available from within the Configuration Manager console. For information on how to install the extension, see Planning to Use Extensions in Configuration Manager. The table below lists the additional settings available once you install the extension.
Device Setting Group Settings At least iOS 7

System Security System Security System Security System Security Data Protection Data Protection

Lock screen control center Lock screen notification view Lock screen today view Fingerprint for unlocking Open managed documents in other unmanaged apps Open unmanaged documents in other managed apps

Yes Yes Yes Yes Yes Yes

Compliance settings for Configuration Manager SP1

You can ensure that users comply with basic security settings by using compliance settings. The following table lists the compliance settings available to Windows Phone 8, Windows RT, and iOS devices. For Android devices, you can use the Exchange server connector for basic security settings.
Compliance setting Windows Phone 8 Windows RT iOS

Require password settings on mobile devices

Yes

No

Yes

Minimum password length (characters)

Yes

Yes

Yes

Idle time before mobile device is locked Number of passwords remembered Password expiration in days Password complexity

Yes Yes Yes Yes

Yes Yes Yes No

Yes Yes Yes Yes

2520

Compliance setting

Windows Phone 8

Windows RT

iOS

Number of failed logon attempts before device is wiped Removable storage

Yes

Yes

Yes

Yes

No

No

Camera File encryption on mobile device

No Yes

No No

Yes No

See Also
Operations and Maintenance for Compliance Settings in Configuration Manager

Security and Privacy for Compliance Settings in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for compliance settings in System Center 2012 Configuration Manager.

Security Best Practices for Compliance Settings

Use the following security best practices when you manage compliance settings on clients.
Security best practice More information

Do not monitor sensitive data.

To help avoid information disclosure, do not configure configuration items to monitor potentially sensitive information. If you create a compliance rule based on data that users can modify, such as registry settings for configuration choices, the compliance results will not be reliable.
2521

Do not configure compliance rules that use data that can be modified by end users.

Security best practice

More information

Import Microsoft System Center configuration packs and other configuration data from external sources only if they have a valid digital signature from a trusted publisher.

Published configuration data can be digitally signed so that you can verify the publishing source and ensure that the data has not been tampered with. If the digital signature verification check fails, you are warned and prompted to continue with the import. Do not import unsigned data if you cannot verify the source and integrity of the data. Ensure that when an administrative user configures a registry or file system setting by browsing to a reference computer, the reference computer had not been compromised. To prevent tampering of the data when it is transferred over the network, use Internet Protocol security (IPsec) or server message block (SMB) between the computer that runs the Configuration Manager console and the reference computer. Administrative users who are granted the Compliance Settings Manager role can deploy configuration items to all devices and all users in the hierarchy. Configuration items can be very powerful and can include, for example, scripts and registry reconfiguration.

Implement access controls to protect reference computers.

Secure the communication channel when you browse to a reference computer.

Restrict and monitor the administrative users who are granted the Compliance Settings Manager role-based security role.

Privacy Information for Compliance Settings

You can use compliance settings to evaluate whether your client devices are compliant with configuration items that you deploy in configuration baselines. Some settings can be automatically remediated if they out of compliance. Compliance information is sent to the site server by the management point and stored in the site database. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. Information is retained in the database until the site maintenance task Delete Aged Configuration Management Data deletes it every 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft. By default, devices do not evaluate compliance settings. In addition, you must configure the configuration items and configuration baselines, and then deploy them to devices. Before you configure compliance settings, consider your privacy requirements.
2522

See Also
Compliance Settings in Configuration Manager

Technical Reference for Compliance Settings in Configuration Manager

Use the following topics in this section for technical reference information about compliance settings in System Center 2012 Configuration Manager. Example Scenario for Compliance Settings in Configuration Manager Example Scenario for User Data and Profiles Management in Configuration Manager

See Also
Compliance Settings in Configuration Manager

Example Scenario for Compliance Settings in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario for how you can use compliance settings in System Center 2012 Configuration Manager to remediate a failed application installation because a registry key is being overwritten. In this scenario, Woodgrove Bank uses a line of business application that provides access to standard company forms on the desktop of users computers. Many users are reporting that this application fails to run. John is the Configuration Manager administrator at Woodgrove bank who must troubleshoot the problem and ensure that it does not recur in the future. After investigation, John realizes that a second application overwrites a registry key that is used by the line of business application. He tests this by correcting the registry key value on a computer. This change allows the line of business application to run. John requires a way to correct this registry key value on all desktop and laptop computers at Woodgrove Bank when it is not correct. He also requires that if the registry value is changed again in the future, the problem is automatically corrected. John wants to evaluate the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1.
2523

If this registry key contains the value 0 then it is noncompliant and must be remediated with a value of 1. John discovers that compliance settings in System Center 2012 Configuration Manager can monitor for, and automatically remediate incorrect registry key values and decides to use this to solve the business problem. The following sections in this topic provide steps that can help you to create, deploy, and manage compliance settings in your organization: Preparing to perform the scenarios Step 1: Create a configuration item Step 2: Create a configuration baseline Step 3: Deploy the configuration baseline Step 4: Monitor the configuration baseline deployment

Preparing to perform the scenarios

Before John can begin to use compliance settings, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for compliance settings in System Center 2012 Configuration Manager. John reviews and implements the required prerequisites for compliance settings.

For overview information about compliance settings, see Introduction to Compliance Settings in Configuration Manager. For information about the prerequisites for compliance settings, see Prerequisites for Compliance Settings in Configuration Manager.

Step 1: Create a configuration item

John creates a configuration item that contains the settings to evaluate and remediate the registry setting by taking the actions outlined in the following table.
Process Reference

John reads the compliance settings documentation and decides that an operating system configuration item would best meet his business requirements. John starts the Create Configuration Item Wizard and specifies general information about the configuration item. He creates a

For more information, see How to Create Windows Configuration Items for Compliance Settings in Configuration Manager. For more information, see the sections Step 1: Start the Create Configuration Item Wizard and Step 2: Provide General Information about the
2524

Process

Reference

configuration item of the type Windows and does not check the This configuration item contains application settings box. He names the configuration item Woodgrove Bank Configuration Item 1. On the Supported Platforms page of the Create Configuration Item Wizard, John specifies the operating systems to evaluate the configuration item for compliance. John ensures that no Windows Server operating systems are selected that fulfills the requirement that the configuration item is not evaluated on computers that run Windows Server. On the Settings page of the wizard, John clicks New to open the Create Setting dialog box and to create a new setting with the following parameters: Name John enters Woodgrove Bank registry setting. Setting type From the drop-down list, John selects Registry value. Data type Because John wants to detect a value of 1 or 0 for the registry key, he selects Integer from the drop-down list. Hive From the drop-down list, he selects HKEY_LOCAL_MACHINE. Key John enters SOFTWARE\Woodgrove\LOB App\Configuration\Configuration1. Value John enters 1, which is the required value for this registry key.

Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

For more information, see the section Step 6: Specify Supported Platforms for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

In the Compliance Rules tab of the Create Settings dialog box, John clicks New to create a new rule that defines the compliant value for the Woodgrove Bank registry setting. In the Create Rule dialog box, he verifies or supplies the following parameters: Name John enters Rule 1.

For more information about how to create settings, see the section Step 4: Configure Settings for the Configuration Item in the topic How to Create Windows Configuration Items for Compliance Settings in Configuration Manager.

2525

Process

Reference

Selected setting John verifies that the selected setting is Woodgrove Bank registry setting\Woodgrove Bank registry setting. Rule type From the drop-down list, John selects Value. The setting must comply with the following rule John verifies that the setting name is correct and configures the options to specify that the setting value must equal 1. Remediate noncompliant rules when supported John checks this box to ensure that configuration manager will reset the registry key value to the correct value if it is incorrect.

John completes the wizard and the new configuration item is displayed in the Configuration Items node of the Assets and Compliance workspace.

Step 2: Create a configuration baseline

John takes the actions outlined in the following table to create a configuration baseline that contains the configuration item he previously created and can be deployed to client computers.
Process Reference

John opens the Create Configuration Baseline dialog box and specifies the name Woodgrove Back Configuration Baseline 1. John adds the configuration item that he previously created, Woodgrove Bank Configuration Item 1 into the configuration baseline. John clicks OK to close the Create Configuration Baseline dialog box and the new configuration baseline is displayed in the Configuration Baselines node of the Assets

For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager. For more information about how to create configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager.

2526

Process

Reference

and Compliance workspace.

Step 3: Deploy the configuration baseline

To deploy the configuration baseline to computers, John takes the actions outlined in the following table.
Process Reference

John creates a device collection that contains all computers that run a desktop operating system in the Woodgrove Bank hierarchy. He names this collection All Desktop and Laptop Computers. John opens the Deploy Configuration Baselines dialog box, verifies that Woodgrove Back Configuration Baseline 1 is displayed in the Selected configuration baselines list, and then specifies the following additional information: Remediate noncompliant rules when supported John checks this box to enable Configuration Manager to remediate the incorrect registry key value when it is discovered. Select the collection for this configuration baseline deployment John clicks Browse and then selects the All Desktop and Laptop Computers device collection.

For information about how to create collections, see How to Create Collections in Configuration Manager

For more information about how to deploy configuration baselines, see How to Deploy Configuration Baselines in Configuration Manager.

John does not change the default schedule that clients evaluate the configuration item every 7 days. John completes the wizard and the deployment is displayed in the Deployments node of the Monitoring workspace.

2527

Step 4: Monitor the configuration baseline deployment

After John deploys the configuration baseline, he takes the actions outlined in the following table to monitor the deployment and ensure that computers are now reporting compliance for the registry key.
Process Reference

In the Deployments node of the Monitoring workspace, John selects the Woodgrove Back Configuration Baseline 1 configuration baseline. In the Completion Statistics section, he views general information about the devices that are compliant, noncompliant, in error, or have not reported compliance information yet (unknown). In the Home tab, in the Deployment group, he clicks View Status to view detailed information about the devices that report each status. After some time, John sees that no computers report noncompliance for the registry key value and he is able to report to his manager that the problem has been solved.

For more information about how to monitor compliance settings, see the section How to View Compliance Results in the Configuration Manager Console in the topic How to Monitor for Compliance Settings in Configuration Manager.

No additional information.

See Also
Technical Reference for Compliance Settings in Configuration Manager

Example Scenario for User Data and Profiles Management in Configuration Manager
Note The information in this topic applies only to System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager. Note

2528

This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Scenarios and Solutions Using System Center 2012 Configuration Manager guide. This topic provides an example scenario of how user data and profiles configuration items in System Center 2012 Configuration Manager can be used to solve a number of typical business requirements. Important User data and profiles configuration items can only be deployed to users of Windows 8 computers. John is the Configuration Manager administrator at Woodgrove Bank. To improve the efficiency of their IT infrastructure, he wants to make the following changes to the banks network: To ensure that important documents that are stored on users computers get archived, the Documents folder on each users primary computer must be stored on a share on one of the companys servers named \\Woodgrove\UserData. John learns that the folder redirection settings in a user data and profiles configuration item can be used to accomplish this. For information about how to define a computer as a users primary device, see the How to Manage User Device Affinity in Configuration Manager topic. Johns manager has asked that an important spreadsheet be made available on his computer even when he is not on the network. When he reconnects to the network, the file must be synchronized with the copy on the company server. John learns that the offline files settings in a user data and profiles configuration item can be used to accomplish this. It is typical for users at Woodgrove Bank to move around the office and use different computers. Users would like their own settings and desktop layouts to be available to them no matter which computer they log on to. John learns that user data and profiles configuration items can be used to control roaming profiles settings on client computers.

The following sections in this topic provide example steps that can help you to create, deploy, and manage System Center 2012 Configuration Manager user data and profiles configuration items in your organization: Preparation Step 1: Start the create user data and profiles configuration item wizard and specify general information about the configuration item Step 2: Specify folder redirection information for the user data and profiles configuration item Step 3: Specify offline files information for the user data and profiles configuration item Step 4: Specify roaming profiles information for the user data and profiles configuration item Step 5: Complete the wizard to create the configuration item Step 6: Deploy the user data and profiles configuration item Step 7: Monitor the compliance of the user data and profiles configuration item

2529

Preparation
Before John can begin to create and deploy a user data and profiles configuration item, he takes the actions outlined in the following table.
Process Reference

John reviews the available information about the basic concepts for compliance settings in Configuration Manager. John reviews and implements the required prerequisites for compliance settings. John enables the client setting for user data and profiles configuration items.

For overview information about compliance settings, see Introduction to Compliance Settings in Configuration Manager. For information about the prerequisites for compliance settings, see Prerequisites for Compliance Settings in Configuration Manager. For more information about how to enable user data and profiles configuration items, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Step 1: Start the create user data and profiles configuration item wizard and specify general information about the configuration item
John takes the actions outlined in the following table to open the Create User Data and Profiles Configuration Item Wizard and to supply general information about the configuration item.
Process Reference

John starts the Create User Data and Profiles Configuration item Wizard and specifies general information about the configuration item. He names the configuration item Woodgrove Bank user data and profiles configuration and supplies a description. Under Select user data and profiles to configure, he checks the following boxes: Folder redirection Offline files Roaming user profiles

For more information about how to start the wizard and specify general information, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

2530

Step 2: Specify folder redirection information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure folder redirection settings for the configuration item. Note Configuring a users home folder in Active Directory as a local profile is not supported by user data and profiles configuration items in Configuration Manager.
Process Reference

On the Folder Redirection page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Only on primary devices from the Folder redirection applicability drop-down list. This ensures that only the users primary device will redirect the contents of the Documents folder to the network share. In the Folders to redirect list, John selects Documents and then, from the drop-down list, he selects Redirect to remote. Under Configure folder redirection path, John selects Redirect to the specified folder. He then specifies the folder as \\Woodgrove\UserData.

For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager. For more information about the folder redirection page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Step 3: Specify offline files information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure offline files settings for the configuration item.
Process Reference

On the Offline Files page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Enable offline files.

For more information about the offline files page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.
2531

Process

Reference

John instructs his manager to use the Windows Make Available Offline command on the spreadsheet he wants to use when he is not connected to the network.

See your Windows 8 documentation for more information about how to use offline files.

Step 4: Specify roaming profiles information for the user data and profiles configuration item
John takes the actions outlined in the following table to configure roaming profiles settings for the configuration item.
Process Reference

On the Roaming Profiles page of the Create User Data and Profiles Configuration Item Wizard, John selects the option Allow roaming profiles on any device.

For more information about the roaming profiles page of the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

Step 5: Complete the wizard to create the configuration item

John takes the actions outlined in the following table to complete the Create User Data and Profiles Configuration Item Wizard and to create the configuration item.
Process Reference

On the Summary page of the Create User Data and Profiles Configuration Item Wizard, John reviews the actions that will be taken and then completes the Wizard. The new configuration item is displayed in the User Data and Profiles node of the Assets and Compliance workspace.

For more information about the wizard, see How to Create User Data and Profiles Configuration Items in Configuration Manager.

2532

Step 6: Deploy the user data and profiles configuration item

John takes the actions outlined in the following table to deploy the configuration item to Windows 8 computers at Woodgrove Bank.
Process Reference

John deploys the new configuration item to users of Windows 8 computers at Woodgrove Bank.

For more information about how to deploy user data and profiles configuration items, see the How to Create User Data and Profiles Configuration Items in Configuration Manager topic.

Step 7: Monitor the compliance of the user data and profiles configuration item
John takes the actions outlined in the following table to monitor and report on the compliance of the configuration item he deployed.
Process Reference

John monitors the deployment and verifies that the folder redirection, offline files and roaming profile configurations are working correctly.

For more information about how to monitor the deployment, see How to Monitor for Compliance Settings in Configuration Manager.

See Also
Technical Reference for Compliance Settings in Configuration Manager

Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Remote connection profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor remote connection settings to devices in

2533

your organization. By deploying these settings, you minimize the effort that end users require to connect to their computers on the corporate network.

In This Section
Use the following topics to help you plan, configure, operate, and maintain remote connection profiles in Configuration Manager: Introduction to Remote Connection Profiles in Configuration Manager Planning for Remote Connection Profiles in Configuration Manager Operations and Maintenance for Remote Connection Profiles in Configuration Manager Security and Privacy for Remote Connection Profiles in Configuration Manager Technical Reference for Remote Connection Profiles in Configuration Manager

See Also
Compliance Settings in Configuration Manager

Introduction to Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use remote connection profiles in System Center 2012 Configuration Manager to allow your users to remotely connect to work computers when they are not connected to the domain or if their personal computers are connected over the Internet. Remote connection profiles let you deploy Remote Desktop Connection settings to users in your Configuration Manager hierarchy. Users can then use the company portal to access any of their primary work computers through Remote Desktop by using the Remote Desktop Connection settings provided by the company portal. Windows Intune is required if you want users to connect to their work PCs by using the company portal. If you are not using Windows Intune, users can still use the information from the remote connection profile to connect to their work PCs by using Remote Desktop over a VPN connection. Important When you specify remote connection profile settings by using the Configuration Manager console, the settings are stored in the local policy of the client computer. These settings might override Remote Desktop settings configured by another application. Additionally, if you use Windows Group Policy to configure Remote Desktop settings, the settings

2534

specified in the Group Policy will override those configured by using Configuration Manager.

Workflow for Using Remote Connection Profiles

The following table shows a high-level overview of the steps required to implement and use remote connection profiles in your organization.
Step Description

The Configuration Manager administrative user makes sure that the necessary prerequisites are in place to use remote connection profiles. The Configuration Manager administrative user creates a remote connection profile that contains details about the Remote Desktop Gateway server and connection settings that will be used to connect to work computers. The Configuration Manager administrative user deploys the remote connection profile to the devices that will be enabled for remote connections. The users can connect to their primary devices after they are published in the Windows Intune Self Service Portal.

See the topic Prerequisites for Remote Connection Profiles in Configuration Manager. See the topic How to Create Remote Connection Profiles in Configuration Manager.

See the topic How to Deploy Remote Connection Profiles in Configuration Manager.

No additional information.

When you install System Center 2012 R2 Configuration Manager, a new security group, Remote PC Connect, is created. This group is populated when you deploy a remote connection profile that includes the primary users of the computer to which you deploy the profile. Although a local administrator can add user names to this group, these users will be removed from the group when deployed remote connection profiles are next evaluated for compliance. If you manually add a user to this group, the user can initiate remote connections, but the connection information will not be published in the company portal. If you manually remove from the group a user that has been added by Configuration Manager, Configuration Manager will automatically remediate this change by adding the user back when the remote connection profile is next evaluated for compliance. Important If the user device affinity relationship between a user and a device changes (for example, the computer a user connects to, stops being a primary device of the user, Configuration Manager disables the remote connection profile and Windows Firewall settings to prevent connections to the computer.
2535

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. Remote connection profiles are new in System Center 2012 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of remote connection profiles that allow users to remotely connect to work computers from the company portal when they are not connected to the domain or if they are connected over the Internet.

See Also
Compliance Settings in Configuration Manager

Planning for Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the following topics in this section to help you plan for using remote connection profiles in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Remote Connection Profiles in Configuration Manager

See Also
Remote Connection Profiles in Configuration Manager

Prerequisites for Remote Connection Profiles in Configuration Manager

Note
2536

The information in this topic applies only to System Center 2012 R2 Configuration Manager. Remote connection profiles in System Center 2012 Configuration Manager have external dependencies and dependencies in the product.

Dependencies external to Configuration Manager

Dependency Remote Desktop Gateway server More Information If you want to enable users to connect on the Internet from outside the company domain, you must install and configure a Remote Desktop Gateway server. Important If Remote Desktop or Terminal Services settings are managed by another application or Group Policy settings, remote connection profiles might not work correctly. When you deploy remote connection profiles from the Configuration Manager console, its settings are stored in the local policy of the client computer. These settings might override Remote Desktop settings that are configured by another application. Additionally, if you use Group Policy settings to configure Remote Desktop settings, the settings that are specified in the Group Policy settings override the settings that are configured by Configuration Manager. For more information about how to install and configure a Remote Desktop Gateway server, see the Windows Server documentation. If client computers run a host-based firewall, it must enable the Mstsc.exe program. When you configure a remote connection profile, you must enable the Allow Windows Firewall exception for connections on Windows domains and on private networks setting. When this setting is enabled, Configuration Manager automatically configures Windows Firewall to enable the Mstsc.exe
2537

program. However, if client computers run a different host-based firewall, you must manually configure this firewall dependency. Warning Group Policy settings to configure Windows Firewall can override the configuration that you set in Configuration Manager. If you use Group Policy to configure Windows Firewall, ensure that Group Policy settings do not block the Mstsc.exe program.

Configuration Manager Dependencies

Dependency Configuration Manager must have a configured connection to Windows Intune by using the Windows Intune Connector site system role. In order for a user to connect to a work computer on the company network, that computer must be a primary device of the user. Specific security permissions must have been granted to manage remote connection profiles. More information For more information about connecting Configuration Manager to Windows Intune, see How to Manage Mobile Devices by Using Configuration Manager and Windows Intune. For more information about user device affinity in Configuration Manager, see How to Manage User Device Affinity in Configuration Manager. You must have the following security permissions to manage remote connection profiles:

To view and manage alerts and reports for compliance settings: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object. To manage configuration baseline deployments: Deploy Configuration Items, Modify Client Status Alert, Modify, Read, and Read Resource for the Collection object. To create and manage configuration baselines and configuration items: Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report,
2538

and Set Security Scope permission for the Configuration Item object.

To run queries that are related to compliance settings: Read permission for the Query object. To view compliance settings information in the Configuration Manager console: Read permission for the Site object. To select software updates to be used in configuration baselines: Read permission for the Software Updates object. To view status messages for compliance settings: Read permission for the Status Messages object.

The Compliance Settings Manager security role includes these permissions that are required to manage remote connection profiles and compliance settings in Configuration Manager. For more information, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.

See Also
Planning for Remote Connection Profiles in Configuration Manager

Operations and Maintenance for Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the information in this section to learn more about operations and maintenance for remote connection profiles in System Center 2012 Configuration Manager.

2539

In This Section
How to Create Remote Connection Profiles in Configuration Manager How to Deploy Remote Connection Profiles in Configuration Manager How to Monitor Remote Connection Profiles in Configuration Manager

See Also
Remote Connection Profiles in Configuration Manager

How to Create Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Create remote connection profiles in System Center 2012 Configuration Manager to enable your users to remotely connect to work computers if they are not connected to the domain or if they are connected over the Internet.

Steps to Create a Remote Connection Profile

Use the following required steps to create a remote connection profile by using the Create Remote Connection Profile Wizard.
Step Details More information

Step 1: Start the Create Remote Connection Profile Wizard. Step 2: Provide general information about the remote connection profile. Step 3: Configure settings for the remote connection profile.

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Enter a name and description for the remote connection profile. No additional information.

See the Step 1: Start the Create Remote Connection Profile Wizard section in this topic. See the Step 2: Provide General Information about the Remote Connection Profile section in this topic. See the Step 3: Configure Settings for the Remote Connection Profile section in this topic.

2540

Step

Details

More information

Step 4: Complete the wizard.

Complete the wizard to create the new remote connection profile.

See the Step 4: Complete the Wizard section in this topic.

Supplemental Procedures to Create a New Remote Connection Profile

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Remote Connection Profile Wizard

Use this procedure to start the Create Remote Connection Profile Wizard. To start the Create Remote Connection Profile Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Remote Connection Profiles. 3. On the Home tab, in the Create group, click Create Remote Connection Profile.

Step 2: Provide General Information about the Remote Connection Profile

Use this procedure to provide general information about the remote connection profile. To provide general information about the remote connection profile 1. On the General page of the Create Remote Connection Profile Wizard, specify the following information: Name: Enter a unique name for the remote connection profile. You can use a maximum of 256 characters. Description: Enter a description that gives an overview of the remote connection profile and other relevant information that helps identify the remote connection profile in the Configuration Manager console. You can use a maximum of 256 characters.

Step 3: Configure Settings for the Remote Connection Profile

Use this procedure to configure settings for the remote connection profile. To configure settings for the remote connection profile
2541

1. Configure the following Remote Desktop settings: Full name and port of the Remote Desktop Gateway server (optional): - Specify the name of the Remote Desktop Gateway Server to be used for connections. Note Configuration Manager does not support an internationalized domain name to be used to specify a server in this box. The server name must be no longer than 256 characters and can contain uppercase characters, lowercase characters, numeric characters, and the and _ characters, which are separated by periods. Allow connections only from computers that run Remote Desktop with Network Level Authentication: Allow remote connections to work computers Allow all primary users of the work computer to remotely connect Allow Windows Firewall exception for connections on Windows domains and on private networks Important All three settings must be the same before you can proceed past this page of the wizard.

2. Select Enabled or Disabled for each of the following connection settings:

Step 4: Complete the Wizard

On the Summary page of the wizard, review the actions to be taken, and then complete the wizard. The new remote connection profile is displayed in the Remote Connection Profiles node in the Assets and Compliance workspace. For information about how to deploy the remote connection profile, see How to Deploy Remote Connection Profiles in Configuration Manager.

See Also
Operations and Maintenance for Remote Connection Profiles in Configuration Manager

How to Deploy Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager.
2542

Remote connection profiles in System Center 2012 Configuration Manager must be deployed to one or more device collections before they can be used. Use the Deploy Remote Connection Profile dialog box to configure the deployment of remote connection profiles. As part of the configuration, you define the collection to which the remote connection profile is to be deployed and specify how often the remote connection profile is evaluated for compliance. Important If a device leaves a collection to which a remote connection profile has been deployed, the remote connection profile settings are disabled on the device. However, for this process to occur correctly, you must have already deployed at least one configuration item or configuration baseline that contains a configuration item from your site. To deploy a remote connection profile 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, and then click Remote Connection Profiles. 3. In the Remote Connection Profiles list, select the remote connection profile that you want to deploy, and then, in the Home tab, in the Deployment group, click Deploy. 4. In the Deploy Remote Connection Profile dialog box, specify the following information: Collection - Click Browse to select the device collection where you want to deploy the remote connection profile. Remediate noncompliant rules when supported - Enable this option to automatically remediate the remote connection profile when it is found to be noncompliant on a client computer, for example, when it is not present. Allow remediation outside the maintenance window - If a maintenance window has been configured for the collection to which you deploy the remote connection profile, enable this option to let Configuration Manager remediate the remote connection profile outside the maintenance window. For more information about maintenance windows, see How to Use Maintenance Windows in Configuration Manager. Generate an alert - Enable this option to configure an alert that is generated if the remote connection profile compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to System Center Operations Manager. Specify the compliance evaluation schedule for this configuration baseline Specify the schedule by which the deployed remote connection profile is evaluated on client computers. You can specify either a simple or a custom schedule. Note The profile is evaluated by client computers when the user logs on. If two remote connection profiles are deployed to the same device collection, where in one profile Remediate noncompliant rules when supported is
2543

checked and in the other profile Remediate noncompliant rules when supported is not checked, and the two remote connection profiles contain different connection settings, then the profile in which Remediate noncompliant rules when supported is not checked might override the settings in the other profile. This type of remote connection profile deployment is not supported by Configuration Manager. 5. Click OK to close the Deploy Remote Connection Profile dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor Remote Connection Profiles in Configuration Manager.

See Also
Operations and Maintenance for Remote Connection Profiles in Configuration Manager

How to Monitor Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. After you deploy System Center 2012 Configuration Manager remote connection profiles to devices in your hierarchy, you can use the following procedures to monitor the compliance status of the remote connection profiles: How to View Compliance Results in the Configuration Manager Console How to View Compliance Results by Using Reports

How to View Compliance Results in the Configuration Manager Console

Use this procedure to view details about the compliance of deployed remote connection profiles in the Configuration Manager console. To view compliance results in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. In the Deployments list, select the remote connection profile deployment for which you want to review compliance information. 4. You can review summary information about the compliance of the remote connection profile deployment on the main page. To view more detailed information, select the
2544

remote connection profile deployment, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page. The Deployment Status page contains the following tabs: Compliant: Displays the compliance of the remote connection profile based on the number of assets that are affected. You can double-click a rule to create a temporary node under the Users node in the Assets and Compliance workspace. This node contains all devices that are compliant with the remote connection profile. The Asset Details pane also displays the devices that are compliant with this profile. Doubleclick a device in the list to display additional information. Important A remote connection profile is not evaluated if it is not applicable on a client device. However, it is returned as compliant. Error: Displays a list of all errors for the selected remote connection profile deployment based on the number of assets that are affected. You can double-click a rule to create a temporary node under the Users node of the Assets and Compliance workspace. This node contains all devices that generated errors with this profile. When you select a device, the Asset Details pane displays the devices that the selected issue affects. Double-click a device in the list to display additional information about the issue. Non-Compliant: Displays a list of all noncompliant rules within the remote connection profile based on the number of assets that are affected. You can doubleclick a rule to create a temporary node under the Users node of the Assets and Compliance workspace. This node contains all devices that are not compliant with this profile. When you select a device, the Asset Details pane displays the devices that the selected issue affects. Double-click a device in the list to display additional information about the issue. Unknown: Displays a list of all devices that did not report compliance for the selected remote connection profile deployment, together with the current client status of the devices.

5. On the Deployment Status page, you can review detailed information about the compliance of the deployed remote connection profile. A temporary node is created under the Deployments node that helps you find this information again quickly.

How to View Compliance Results by Using Reports

Compliance settings in Configuration Manager include built-in reports that you can use to monitor information about remote connection profiles. These reports have the report category of Compliance and Settings Management. Important You must use a wildcard (%) character when you use the parameters Device filter and User filter in the reports for compliance settings.
2545

For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Remote Connection Profiles in Configuration Manager

Security and Privacy for Remote Connection Profiles in Configuration Manager

Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. This topic contains security and privacy information for remote connection profiles in System Center 2012 Configuration Manager.

Security Best Practices for Remote Connection Profiles

Use the following security best practices when you manage remote connection profiles for clients.
Security best practice More information

Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.

Because you must enable Allow all primary users of the work computer to remotely connect before you can deploy a remote connection profile, always manually specify user device affinity. Do not consider the information that is collected from users or from the device to be authoritative. If you deploy remote connection profiles and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and then be able to remotely connect to computers.

2546

Security best practice

More information

Note If you do enable usage-based configuration, this information is collected through state messages for which Configuration Manager does not provide security. To help mitigate this threat, use Server Message Block (SMB) signing or Internet Protocol security (IPsec) between client computers and the management point. Restrict local administrative rights on the site server computer. A user who has local administrative rights on the site server can manually add members to the Remote PC Connect security group that Configuration Manager automatically creates and maintains. This might cause an elevation of privileges because members who are added to this group receive Remote Desktop permissions.

Privacy Information for Remote Connection Profiles

If a user initiates a connection to a work computer from the company portal, a file with a .rdp or .wsrdp extension is downloaded that contains the device name and the Remote Desktop Gateway Server name that is required to initiate the Remote Desktop session. The file extension depends on the operating system of the device. For example, the Windows 7 and Windows 8 operating systems use an .rdp file, and Windows 8.1 uses a .wsrdp file. The user can choose to open or save the .rdp file. If the user chooses to open the .rdp file, the file might be stored in the cache for the web browser, depending on the retention settings that are configured for the browser. If the user chooses to save the file, the file is not stored in the browser cache. The file is saved until the user manually deletes it. The .wsrdp file is downloaded and automatically saved locally. This file is overwritten the next time that the user runs a Remote Desktop session. Before you configure remote connection profiles, consider your privacy requirements.

2547

See Also
Remote Connection Profiles in Configuration Manager

Technical Reference for Remote Connection Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. There is currently no technical reference information for remote connection profiles in System Center 2012 Configuration Manager.

See Also
Remote Connection Profiles in Configuration Manager

Company Resource Access in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Company resource access in System Center 2012 Configuration Manager provides a set of tools and resources that enable you to give users in your organization access to data and applications from remote locations.

Company Resource Access Topics

Use the following topics to help you find information about company resource access. Certificate Profiles in Configuration Manager VPN Profiles in Configuration Manager Wi-Fi Profiles in Configuration Manager Email Profiles in Configuration Manager

Other Resources for this Product

TechNet Library main page for System Center 2012 Configuration Manager
2548

Assets and Compliance in System Center 2012 Configuration Manager

See Also
Compliance Settings in Configuration Manager

Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Certificate profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you provision computers in your organization with the certificates that users require to connect to various company resources.

In This Section
Use the following topics to help you plan, configure, operate, and maintain certificate profiles in Configuration Manager: Introduction to Certificate Profiles in Configuration Manager Planning for Certificate Profiles in Configuration Manager Configuring Certificate Profiles in Configuration Manager Operations and Maintenance for Certificate Profiles in Configuration Manager Security and Privacy for Certificate Profiles in Configuration Manager Technical Reference for Certificate Profiles in Configuration Manager

See Also
Company Resource Access in Configuration Manager

Introduction to Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service role to provision authentication
2549

certificates for managed devices so that users can seamlessly access company resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections. Certificate profiles in Configuration Manager provide the following management capabilities: Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android, These certificates can then be used for Wi-Fi and VPN connections. Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required. Monitor and report about the installed certificates.

Certificate profiles can automatically configure user devices so that company resources such as Wi-Fi networks and VPN servers can be accessed without having to install certificates manually or use an out of band process. Certificate profiles can also help to keep company resources secure because you can use more secure settings that are supported by your enterprise public key infrastructure (PKI). For example, you can require server authentication for all Wi-Fi and VPN connections because you have provisioned the required certificates on the managed devices. Example: All employees must be able to connect to Wi-Fi hotspots in multiple corporate locations. To accomplish this, you can deploy the certificates required to make the Wi-Fi connection and also deploy Wi-Fi profiles in Configuration Manager that reference the correct certificate to use so that the Wi-Fi connection happens seamlessly for users. Example: You have a PKI in place and want to move to a more flexible, secure method of provisioning certificates that lets users access company resources from their personal devices without compromising security. To accomplish this, you can configure certificate profiles with settings and protocols that are supported for the specific device platform. The devices can then automatically request these certificates from an Internet-facing enrollment server. You can then configure VPN profiles to use these certificates so that the device can access company resources.

Types of Certificate Profile

You can create two types of certificate profiles in Configuration Manager: Trusted CA certificate - Allows you to deploy a trusted root CA or intermediate CA certificate to form a certificate chain of trust when the device must authenticate a server. Simple Certificate Enrollment Protocol (SCEP) settings - Allows you to request a certificate for a device or user, by using the SCEP protocol and the Network Device Enrollment Service on a server running Windows Server 2012 R2. Note You must create a certificate profile of the type Trusted CA certificate before you can create a certificate profile of the type Simple Certificate Enrollment Protocol (SCEP) settings.
2550

Requirements and Supported Platforms

To deploy certificate profiles that use the Simple Certificate Enrollment Protocol, you must install the certificate registration point on a site system server in the central administration site, or in a primary site. You must also install a policy module for the Network Device Enrollment Service, the Configuration Manager Policy Module, on a server that runs Windows Server 2012 R2 with the Active Directory Certificate Services role and a working Network Device Enrollment Service that is accessible to the devices that require the certificates. For the devices that are enrolled by Windows Intune, this requires the Network Device Enrollment Service to be accessible from the Internet, for example, in a screened subnet (also known as a DMZ). For more information about how the Network Device Enrollment Service supports a policy module so that Configuration Manager can deploy certificates, see Using a Policy Module with the Network Device Enrollment Service. Configuration Manager supports deploying certificates to different certificate stores, depending on the requirement, and also on the device type and operating system. The following devices and operating systems are supported: Windows RT 8.1 Windows 8.1 iOS Android Note For information about actions that end-users must take when installing a certificate on a device running Android, see How to Install Certificates on Android Devices in Configuration Manager. A typical scenario for System Center 2012 Configuration Manager is to install trusted root CA certificates to authenticate Wi-Fi and VPN servers when the connection uses EAP-TLS, EAPTTLS, and PEAP authentication protocols, and IKEv2, L2TP/IPsec, and Cisco IPsec VPN tunneling protocols. You must ensure that an enterprise root CA certificate is installed on the device before the device can request certificates by using a SCEP certificate profile. You can specify a variety of settings in a SCEP certificate profile to request customized certificates for different environments or connectivity requirements. The Create Certificate Profile Wizard contains two pages for enrollment parameters. The first, SCEP Enrollment, contains settings for the enrollment request and where to install the certificate. The second, Certificate Properties, describes the requested certificate itself.

Deploying Certificate Profiles

When you deploy a certificate profile, the certificate files within the profile are installed on client devices. Any SCEP parameters will also be deployed, and the SCEP requests will be processed on the client device. You can deploy certificate profiles to user collections or device collections
2551

and specify the destination store for each certificate. Applicability rules determine whether the certificates can be installed on the device.When certificate profiles are deployed to user collections, user device affinity determines which of the users devices will install the certificates. When certificate profiles that contain user certificates are deployed to device collections, by default, the certificates will be installed on each of the users primary devices. You can modify this behavior to install the certificate on any of the users devices on the SCEP Enrollment page of the Create Certificate Profile Wizard. In addition, user certificates will not be deployed to devices if they are workgroup computers.

Monitoring Certificate Profiles

You can monitor certificate profile deployments from the Deployments node of the Monitoring workspace in the Configuration Manager console. You can also use one of the following Configuration Manager reports to monitor certificate profiles: History of certificates that are issued by the certificate registration point List of assets by certificate issuance state for certificates enrolled by the certificate registration point List of assets with certificates that are close to the expiry date

Automatic Revocation of Certificates

Configuration Manager automatically revokes user and computer certificates that were deployed by using certificate profiles in the following circumstances: The device is retired from Configuration Manager management. The device is selectively wiped. The device is blocked from the Configuration Manager hierarchy.

To revoke the certificates, the site server sends a revocation command to the issuing certification authority. The reason for the revocation is Cease of Operation.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. Certificate profiles are new in System Center 2012 R2 Configuration Manager. They provide the following capabilities and have some dependent configurations: Deployment of user and device certificates for managed devices by using the Simple Certificate Enrollment Protocol (SCEP). These certificates can be used to support Wi-Fi and VPN connections.
2552

Supported devices include those that run iOS, Windows 8.1 and Windows RT 8.1, and Android. Deployment of root certification authority (CA) certificates and intermediate CA certificates, so that devices can create a chain of trust when they use server authentication for network connections. A certificate registration point must be deployed in the central administration site or a primary site and the Configuration Manager Policy Module must be installed on a server that is running Windows Server 2012 R2 with Active Directory Certificate Services and the Network Device Enrollment Service role. This server must be accessible from the Internet and communicate with an enterprise CA to issue the certificates. For more information about the changes in the Network Device Enrollment Service to support this scenario, see What's New in Certificate Services in Windows Server 2012 R2.

See Also
Certificate Profiles in Configuration Manager

Planning for Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the following topics in this section to help you plan for certificate profiles in System Center 2012 Configuration Manager.

In This Section
Prerequisites for Certificate Profiles in Configuration Manager Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager

See Also
Certificate Profiles in Configuration Manager

2553

Prerequisites for Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Certificate profiles in System Center 2012 Configuration Manager have external dependencies and dependencies in the product.

Dependencies External to Configuration Manager

Dependency More information

An enterprise issuing certification authority (CA) For more information about Active Directory that is running Active Directory Certificate Certificate Services, see your Windows Server Services (AD CS). documentation: To revoke certificates, the issuing CA must be configured with the Issue and Manage Certificates permission for the site server at the top of the hierarchy. Note Manager approval for certificate requests is supported. However, the certificate templates that are used to issue certificates must be configured for Supply in the request for the certificate subject so that Configuration Manager can automatically supply this value. For Windows Server 2012: Active Directory Certificate Services Overview For Windows Server 2008: Active Directory Certificate Services in Windows Server 2008

The Network Device Enrollment Service role service for Active Directory Certificate Services, running on Windows Server 2012 R2. In addition: Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication between the client and the Network Device Enrollment Service.

Configuration Manager communicates with the Network Device Enrollment Service in Windows Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests. If you will issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed by Windows Intune, those devices must be able to access the
2554

Dependency

More information

The server that is running the Network Device Enrollment Service must be on a different server from the issuing CA.

server that runs the Network Device Enrollment Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet). If you have a firewall between the server that is running the Network Device Enrollment Service and the issuing CA, you must configure the firewall to allow the communication traffic (DCOM) between the two servers. This firewall requirement also applies to the server running the Configuration Manager site server and the issuing CA, so that Configuration Manager can revoke certificates. If the Network Device Enrollment Service is configured to require SSLa security best practicemake sure that connecting devices can access the certificate revocation list (CRL) to validate the server certificate. For more information about the Network Device Enrollment Service in Windows Server 2012 R2, see Using a Policy Module with the Network Device Enrollment Service.

If the issuing CA runs Windows Server 2008 R2, this server requires a hotfix for SCEP renewal requests.

If the hotfix is not already installed on the issuing CA computer, install the hotfix. For more information, see article 2483564: Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES in the Microsoft Knowledge Base. This certificate authenticates the server that is running the Network Device Enrollment Service to Configuration Manager. For more information, see PKI Certificate Requirements for Configuration Manager.

A PKI client authentication certificate and exported root CA certificate.

Supported device operating systems.

You can deploy certificate profiles to devices that run iOS, Windows 8.1, Windows RT 8.1, and Android operating systems.

2555

Configuration Manager Dependencies

Dependency More information

Certificate registration point site system role

Before you can use certificate profiles, you must install the certificate registration point site system role. This role communicates with the Configuration Manager database, the Configuration Manager site server, and the Configuration Manager Policy Module. For more information about system requirements for this site system role and where to install the role in the hierarchy, see the following: The Site System Requirements section in the Supported Configurations for Configuration Manager topic. The Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. Important The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.

Configuration Manager Policy Module that is installed on the server that is running the Network Device Enrollment Service role service for Active Directory Certificate Services Discovery data

To deploy certificate profiles, you must install the Configuration Manager Policy Module. You can find this policy module on the Configuration Manager installation media. Values for the certificate subject and the subject alternative name are supplied by Configuration Manager and retrieved from information that is collected from discovery. For user certificates: Active Directory User Discovery For computer certificates: Active Directory System Discovery and Network Discovery

For more information about discovery, see Planning for Discovery in Configuration Manager.
2556

Dependency

More information

Specific security permissions to manage certificate profiles

You must have the following security permissions to manage company resource access settings, such as certificate profiles, WiFi profiles and VPN profiles: To view and manage alerts and reports for certificate profiles: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object. To create and manage certificate profiles: Author Policy, Modify Report, Read and Run Report for the Certificate Profile object. To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource for the Collection object. To manage all configuration policies: Create, Delete, Modify, Read and Set Security Scope for the Configuration Policy object. To run queries related to certificate profiles: Read permission for the Query object. To view certificate profiles information in the Configuration Manager console: Read permission for the Site object. To view status messages for certificate profiles: Read permission for the Status Messages object. To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read and Run Report for the Trusted CA Certificate Profile object. To create and manage VPN profiles: Author Policy, Modify Report, Read and Run Report for the VPN Profile object. To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read and Run Report for the Wi-Fi Profile object.

The Company Resource Access Manager security role includes these permissions that are required to manage certificate profiles in
2557

Dependency

More information

Configuration Manager. For more information, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.

See Also
Planning for Certificate Profiles in Configuration Manager

Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager
Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. The following information can help you plan for how to configure permissions for the certificate templates that System Center 2012 Configuration Manager uses when you deploy certificate profiles.

Default Security Permissions and Considerations

The default security permissions that are required for the certificate templates that Configuration Manager will use to request certificates for users and devices are as follows: Read and Enroll for the account that the Network Device Enrollment Service application pool uses Read for the account that runs the Configuration Manager console

For more information about these security permissions, see Step 1: Install and Configure the Network Device Enrollment Service and Dependencies in Configuring Certificate Profiles in Configuration Manager. When you use this default configuration, users and devices cannot directly request certificates from the certificate templates and all requests must be initiated by the Network Device Enrollment Service. This is an important restriction, because these certificate templates must be configured with Supply in the request for the certificate Subject, which means that there is a risk of impersonation if a rogue user or a compromised device requests a certificate. In the default configuration, the Network Device Enrollment Service must initiate such a request. However, this risk of impersonation remains if the service that runs the Network Device Enrollment Service is
2558

compromised. To help avoid this risk, follow all security best practices for the Network Device Enrollment Service and the computer that runs this role service. If the default security permissions do not fulfill your business requirements, you have another option for configuring the security permissions on the certificate templates: You can add Read and Enroll permissions for users and computers.

Adding Read and Enroll Permissions for Users and Computers

Adding Read and Enroll permissions for users and computers might be appropriate if a separate team manages your certification authority (CA) infrastructure team, and that separate team wants Configuration Manager to verify that users have a valid Active Directory Domain Services account before sending them a certificate profile to request a user certificate. For this configuration, you must specify one or more security groups that contain the users, and then grant those groups Read and Enroll permissions on the certificate templates. In this scenario, the CA administrator manages the security control. You can similarly specify one or more security groups that contain computer accounts and grant these groups Read and Enroll permissions on the certificate templates. If you deploy a computer certificate profile to a computer that is a domain member, the computer account of that computer must be granted Read and Enroll permissions. These permissions are not required if the computer is not a domain memberfor example, if it is a workgroup computer or personal mobile device. Although this configuration uses an additional security control, we do not recommend it as a best practice. The reason is that the specified users or owners of the devices might request certificates independently from Configuration Manager and supply values for the certificate Subject that might be used to impersonate another user or device. In addition, if you specify accounts that cannot be authenticated at the time that the certificate request occurs, the certificate request will fail by default. For example, the certificate request will fail if the server that is running the Network Device Enrollment Service is in an Active Directory forest that is untrusted by the forest that contains the certificate registration point site system server. You can configure the certificate registration point to continue if an account cannot be authenticated because there is no response from a domain controller. However, this is not a security best practice. Note that if the certificate registration point is configured to check for account permissions and a domain controller is available and rejects the authentication request (for example, the account is locked out or has been deleted), the certificate enrollment request will fail. To check for Read and Enroll permissions for users and domain-member computers 1. On the site system server that hosts the certificate registration point, create the following DWORD registry key to have a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheck
2559

2. If an account cannot be authenticated because there is no response from a domain controller, and you want to bypass the permissions check: On the site system server that hosts the certificate registration point, create the following DWORD registry key to have a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheckO nlyIfAccountAccessDenied

3. On the issuing CA, on the Security tab in the properties for the certificate template, add one or more security groups to grant the user or device accounts Read and Enroll permissions.

See Also
Planning for Certificate Profiles in Configuration Manager

Configuring Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Before you can use Configuration Manager to enroll certificates on devices and for users, you must perform the configuration steps that this topic describes.

Steps to Configure Certificate Enrollment in Configuration Manager

Use the following table for the steps, details, and more information about how to configure certificate enrollment in Configuration Manager. Before you start, check for any prerequisites that are listed in Prerequisites for Certificate Profiles in Configuration Manager. After you complete these steps and verify the installation, you can configure and deploy certificate profiles. For more information, see How to Create Certificate Profiles in Configuration Manager.
Steps Details More information

Step 1: Install and configure the Network Device Enrollment Service and dependencies

The Network Device Enrollment Service role service for Active Directory Certificate Services (AD CS) must be running on the Windows Server 2012 R2

See Step 1: Install and Configure the Network Device Enrollment Service and Dependencies in this topic.

2560

Steps

Details

More information

operating system. Important You must complete additional configuration steps before you can use the Network Device Enrollment Service with Configuration Manager. Step 2: Install and configure the certificate registration point You must install at least one certificate registration point. This registration point can be in a central administration site or a primary site. Install the Policy Module on the server that is running the Network Device Enrollment Service. See Step 2: Install and Configure the Certificate Registration Point in this topic. See Step 3: Install the Configuration Manager Policy Module in this topic.

Step 3: Install the Configuration Manager Policy Module

Supplemental Procedures to Configure Certificate Enrollment in Configuration Manager

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Install and Configure the Network Device Enrollment Service and Dependencies
You must install and configure the Network Device Enrollment Service role service for Active Directory Certificate Services (AD CS), change the security permissions on the certificate templates, deploy a public key infrastructure (PKI) client authentication certificate, and edit the registry to increase the Internet Information Services (IIS) default URL size limit. If necessary, you must also configure the issuing certification authority (CA) to allow a custom validity period. Important Before you configure Configuration Manager to work with the Network Device Enrollment Service, verify the installation and configuration of the Network Device Enrollment Service. If these dependencies are not working correctly, you will have difficulty troubleshooting certificate enrollment by using Configuration Manager. To install and configure the Network Device Enrollment Service and dependencies
2561

1. On a server that is running Windows Server 2012 R2, install and configure the Network Device Enrollment Service role service for the Active Directory Certificate Services server role. For more information, see Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet. 2. Check, and if necessary, modify the security permissions for the certificate templates that the Network Device Enrollment Service is using: For the account that runs the Configuration Manager console: Read permission. This permission is required so that when you run the Create Certificate Profile Wizard, you can browse to select the certificate template that you want to use when you create a SCEP settings profile. Selecting a certificate template means that some settings in the wizard are automatically populated, so there is less for you to configure and there is less risk of selecting settings that are not compatible with the certificate templates that the Network Device Enrollment Service is using. For the SCEP Service account that the Network Device Enrollment Service application pool uses: Read and Enroll permissions. This requirement is not specific to Configuration Manager but is part of configuring the Network Device Enrollment Service. For more information, see Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet. Tip To identify which certificate templates the Network Device Enrollment Service is using, view the following registry key on the server that is running the Network Device Enrollment Service: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. Note These are the default security permissions that will be appropriate for most environments. However, you can use an alternative security configuration. For more information, see Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager. 3. Deploy to this server a PKI certificate that supports client authentication. You might already have a suitable certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a certificate specifically for this purpose. For more information about the requirements for this certificate, refer to the details for Servers running the Configuration Manager Policy Module with the Network Device Enrollment Service role service in the PKI Certificates for Servers section in the PKI Certificate Requirements for Configuration Manager topic. Tip If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic, because the certificate requirements
2562

are the same with one exception: Do not select the Allow private key to be exported check box on the Request Handling tab of the properties for the certificate template. You do not have to export this certificate with the private key because you will be able to browse to the local Computer store and select it when you configure the Configuration Manager Policy Module. 4. Locate the root certificate that the client authentication certificate chains to. Then, export this root CA certificate to a certificate (.cer) file. Save this file to a secured location that you can securely access when you later install and configure the site system server for the certificate registration point. 5. On the same server, use the registry editor to increase the IIS default URL size limit by setting the following registry keys in HKEY_LOCAL_MACHINE\ CurrentControlSet\Services\HTTP\Parameters: Set the MaxFieldLength key to 65534. Set the MaxRequestBytes key to 16777216.

For more information, see article 820129: Http.sys registry settings for Windows in the Microsoft Knowledge Base. 6. On the same server, in Internet Information Services (IIS) Manager, modify the requestfiltering settings for the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog box, the Request Limits settings should be as follows: Maximum allowed content length (Bytes): 30000000 Maximum URL length (Bytes): 65534 Maximum query string (Bytes): 65534

For more information about these settings and how to configure them, see Requests Limits in the IIS Reference Library. 7. If you want to be able to request a certificate that has a lower validity period than the certificate template that you are using: This configuration is disabled by default for an enterprise CA. To enable this option on an enterprise CA, use the Certutil command-line tool, and then stop and restart the certificate service by using the following commands: a. certutil - setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE b. net stop certsvc c. net start certsvc For more information, see Certificate Services Tools and Settings in the PKI Technologies library on TechNet. 8. Verify that the Network Device Enrollment Service is working by using the following link as an example: https://server.contoso.com/certsrv/mscep/mscep.dll. You should see the built-in Network Device Enrollment Service webpage. This webpage explains what the service is and explains that network devices use the URL to submit certificate requests. Now that the Network Device Enrollment Service and dependencies are configured, you are
2563

ready to install and configure the certificate registration point.

Step 2: Install and Configure the Certificate Registration Point

You must install and configure at least one certificate registration point in the Configuration Manager hierarchy, and you can install this site system role in the central administration site or in a primary site. Important Before you install the certificate registration point, see the Site System Requirements section in the Supported Configurations for Configuration Manager topic for operating system requirements and dependencies for the certificate registration point. To install and configure the certificate registration point 1. In the Configuration Manager console, click Administration. 2. In the Administration workspace, expand Site Configuration, click Servers and Site System Roles, and then select the server that you want to use for the certificate registration point. 3. On the Home tab, in the Server group, click Add Site System Roles. 4. On the General page, specify the general settings for the site system, and then click Next. 5. On the Proxy page, click Next. The certificate registration point does not use Internet proxy settings. 6. On the System Role Selection page, select Certificate registration point from the list of available roles, and then click Next. 7. On the Certificate Registration Point page, accept or change the default settings, and then click Add. 8. In the Add URL and Root CA Certificate dialog box, specify the following, and then click OK: a. URL for the Network Device Enrollment Service: Specify the URL in the following format: https://<server_FQDN>/certsrv/mscep/mscep.dll. For example, if the FQDN of your server that is running the Network Device Enrollment Service is server1.contoso.com, type https://server1.contoso.com/certsrv/mscep/mscep.dll. b. Root CA Certificate: Browse to and select the certificate (.cer) file that you created and saved in Step 1: Install and configure the Network Device Enrollment Service and dependencies. This root CA certificate allows the certificate registration point to validate the client authentication certificate that the Configuration Manager Policy Module will use. Note If you are using more than one server that is running the Network Device Enrollment Service, click Add to specify the details for the other servers. 9. Click Next and complete the wizard.
2564

10. Wait a few minutes to let the installation finish, and then verify that the certificate registration point was installed successfully by using any of the following methods: In the Monitoring workspace, expand System Status, click Component Status, and look for status messages from the SMS_CERTIFICATE_REGISTRATION_POINT component. On the site system server, use the <ConfigMgr Installation Path>\Logs\crpsetup.log file and <ConfigMgr Installation Path>\Logs\crpmsi.log file. A successful installation will return an exit code of 0. By using a browser, verify that you can connect to the URL of the certificate registration pointfor example, https://server1.contoso.com/CMCertificateRegistration. You should see a Server Error page for the application name, with an HTTP 404 description.

11. Locate the exported certificate file for the root CA that the certificate registration point automatically created in the following folder on the primary site server computer: <ConfigMgr Installation Path>\inboxes\certmgr.box. Save this file to a secured location that you can securely access when you later install the Configuration Manager Policy Module on the server that is running the Network Device Enrollment Service. Tip This certificate is not immediately available in this folder. You might need to wait awhile (for example, half an hour) before Configuration Manager copies the file to this location. Now that the certificate registration point is installed and configured, you are ready to install the Configuration Manager Policy Module for the Network Device Enrollment Service.

Step 3: Install the Configuration Manager Policy Module

You must install and configure the Configuration Manager Policy Module on each server that you specified in Step 2: Install and configure the certificate registration point as URL for the Network Device Enrollment Service in the properties for the certificate registration point. To install the Policy Module 1. On the server that runs the Network Device Enrollment Service, log on as a domain administrator and copy the following files from the <ConfigMgrInstallationMedia>\SMSSETUP\POLICYMODULE\X64 folder on the Configuration Manager installation media to a temporary folder: PolicyModule.msi PolicyModuleSetup.exe

In addition, if you have a LanguagePack folder on the installation media, copy this folder and its contents. 2. From the temporary folder, run PolicyModuleSetup.exe to start the Configuration Manager Policy Module Setup wizard. 3. On the initial page of the wizard, click Next, accept the license terms, and then click
2565

Next. 4. On the Installation Folder page, accept the default installation folder for the policy module or specify an alternative folder, and then click Next. 5. On the Certificate Registration Point page, specify the URL of the certificate registration point by using the FQDN of the site system server and the virtual application name that is specified in the properties for the certificate registration point. The default virtual application name is CMCertificateRegistration. For example, if the site system server has an FQDN of server1.contoso.com and you used the default virtual application name, specify https://server1.contoso.com/CMCertificateRegistration . 6. Accept the default port of 443 or specify the alternative port number that the certificate registration point is using, and then click Next. 7. On the Client Certificate for the Policy Module page, browse to and specify the client authentication certificate that you deployed in Step 1: Install and configure the Network Device Enrollment Service and dependencies, and then click Next. 8. On the Certificate Registration Point Certificate page, click Browse to select the exported certificate file for the root CA that you located and saved at the end of Step 2: Install and configure the certificate registration point . Note If you did not previously save this certificate file, it is located in the <ConfigMgr Installation Path>\inboxes\certmgr.box on the site server computer. 9. Click Next and complete the wizard. Now that you have completed the configuration steps to install the Network Device Enrollment Service and dependencies, the certificate registration point, and the Configuration Manager Policy Module, you are ready to deploy certificates to users and devices by creating and deploying certificate profiles. For more information about how to create certificate profiles, see How to Create Certificate Profiles in Configuration Manager. If you want to uninstall the Configuration Manager Policy Module, use Programs and Features in Control Panel.

See Also
Certificate Profiles in Configuration Manager

Operations and Maintenance for Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager.
2566

Use the information in this section to learn more about operations and maintenance for certificate profiles in System Center 2012 Configuration Manager.

In This Section
How to Create Certificate Profiles in Configuration Manager How to Deploy Certificate Profiles in Configuration Manager How to Monitor Certificate Profiles in Configuration Manager

See Also
Certificate Profiles in Configuration Manager

How to Create Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Certificate profiles in System Center 2012 Configuration Manager integrate with Active Directory Certificate Services and the Network Device Enrollment Service role to provision managed devices with authentication certificates so that users can access company resources by using certificates. The information in this topic can help you create certificate profiles in Configuration Manager. Important You must perform configuration before you can create certificate profiles. For more information, see Configuring Certificate Profiles in Configuration Manager.

Steps to Create a Certificate Profile

Use the following required steps to create a certificate profile by using the Create Certificate Profile Wizard.
Step Details More information

Step 1: Start the Create Certificate Profile Wizard

Start the wizard from the Assets and Compliance workspace, in the Compliance Settings node. Provide general information,

See the Step 1: Start the Create Certificate Profile Wizard section in this topic. See the Step 2: Provide
2567

Step 2: Provide general

Step

Details

More information

information about the certificate profile

such as the name and description of the certificate profile, and the type of certificate profile that you want to create. Provide configuration information for the certificate profile. Specify the operating systems where you will install the certificate profile. Complete the wizard to create the new certificate profile.

General Information About the Certificate Profile section in this topic.

Step 3: Provide information about the certificate profile

See the Step 3: Provide Information About the Certificate Profile section in this topic. See the Step 4: Configure Supported Platforms for the Certificate Profile section in this topic. See the Step 5: Complete the Wizard section in this topic.

Step 4: Configure supported platforms for the certificate profile Step 5: Complete the wizard

Caution If you have already deployed a certificate by using a Simple Certificate Enrollment Protocol (SCEP) certificate profile, changing some configuration options will result in requesting a new certificate that has the new values. If the number of certificate request renewals is high because of these changes, those renewals can cause high CPU processing on the server that is running the Network Device Enrollment Service. When the certificate request is for a client on the intranet (for example, Windows 8.1), the original certificate is deleted when a new certificate that has the new values is requested. However, when the certificate request is for a client that is managed by using the Windows Intune connector, the original certificate is not deleted from the device and remains installed. The following sections note the settings that will result in a certificate renewal request.

Supplemental Procedures to Create a New Certificate Profile

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create Certificate Profile Wizard

Use this procedure to start the Create Certificate Profile Wizard.
2568

To start the Create Certificate Profile Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click Certificate Profiles. 3. On the Home tab, in the Create group, click Create Certificate Profile.

Step 2: Provide General Information About the Certificate Profile

Use this procedure to provide general information about the certificate profile. To provide general information about the certificate profile 1. On the General page of the Create Certificate Profile Wizard, specify the following information: Name: Enter a unique name for the certificate profile. You can use a maximum of 256 characters. Description: Provide a description that gives an overview of the certificate profile and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters. Specify the type of certificate profile that you want to create : Choose one of the following certificate profile types: Trusted CA certificate: Select this certificate profile type if you want to deploy a trusted root certification authority (CA) or intermediate CA certificate to form a certificate chain of trust when the user or device must authenticate another device. For example, the device might be a Remote Authentication Dial-In User Service (RADIUS) server or a virtual private network (VPN) server. You must also configure a trusted CA certificate profile before you can create a SCEP certificate profile. In this case, the trusted CA certificate must be the trusted root certificate for the CA that will issue the certificate to the user or device. Simple Certificate Enrollment Protocol (SCEP) settings: Select this certificate profile type if you want to request a certificate for a user or device, by using the Simple Certificate Enrollment Protocol and the Network Device Enrollment Service role service.

Step 3: Provide Information About the Certificate Profile

Use one of the following procedures to configure certificate profile information for trusted CA certificates and SCEP certificates in the certificate profile. Important You must configure at least one trusted CA certificate profile before you can create a SCEP certificate profile.

2569

To configure a trusted CA certificate 1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify the following information: Certificate file: Click Import and then browse to the certificate file that you want to use. Destination store: For devices that have more than one certificate store, select where to store the certificate. For devices that have only one store, this setting is ignored.

2. Use the Certificate thumbprint value to verify that you have imported the correct certificate. Continue to Step 4: Configure Supported Platforms for the Certificate Profile. To configure SCEP certificate information 1. On the SCEP Enrollment page of the Create Certificate Profile Wizard, specify the following information: Retries: Specify the number of times that the device automatically retries the certificate request to the server that is running the Network Device Enrollment Service. This setting supports the scenario where a CA manager must approve a certificate request before it is accepted. This setting is typically used for high-security environments or if you have a stand-alone issuing CA rather than an enterprise CA. You might also use this setting for testing purposes so that you can inspect the certificate request options before the issuing CA processes the certificate request. Use this setting with the Retry delay (minutes) setting. Retry delay (minutes): Specify the interval, in minutes, between each enrollment attempt when you use CA manager approval before the issuing CA processes the certificate request. If you use manager approval for testing purposes, you will probably want to specify a low value so that you are not waiting a long time for the device to retry the certificate request after you approve the request. However, if you use manager approval on a production network, you will probably want to specify a higher value to allow sufficient time for the CA administrator to check and approve or deny pending approvals. Renewal threshold (%): Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate. Key Storage Provider (KSP): Specify where the key to the certificate will be stored. Choose from one of the following values: Install to Trusted Platform Module (TPM) if present : Installs the key to the TPM. If the TPM is not present, the key will be installed to the storage provider for the software key. Install to Trusted Platform Module (TPM) otherwise fail: Installs the key to the TPM. If the TPM module is not present, the installation will fail. Install to Software Key Storage Provider: Installs the key to the storage provider for the software key.
2570

Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Devices for certificate enrollment: If the certificate profile is deployed to a user collection, select whether to allow certificate enrollment on only the user's primary device or on all devices that the user logs on to. If the certificate profile is deployed to a device collection, select whether to allow certificate enrollment for only the primary user of the device or for all users that log on to the device.

2. On the Certificate Properties page of the Create Certificate Profile Wizard, specify the following information: Certificate template name: Click Browse to select the name of a certificate template that the Network Device Enrollment Service is configured to use and that has been added to an issuing CA. To successfully browse to certificate templates, the user account that you are using to run the Configuration Manager console must have Read permission to the certificate template. Alternatively, if you cannot use Browse, type the name of the certificate template. Important If the certificate template name contains non-ASCII characters (for example, characters from the Chinese alphabet), the certificate will not be deployed. To ensure that the certificate is deployed, you must first create a copy of the certificate template on the CA and rename the copy by using ASCII characters. Note the following, depending on whether you browse to the certificate template or type the certificate name: If you browse to select the name of the certificate template, some fields on the page are automatically populated from the certificate template. In some cases, you cannot change these values unless you choose a different certificate template. If you type the name of the certificate template, make sure that the name exactly matches one of the certificate templates that are listed in the registry of the server that is running the Network Device Enrollment Service. Make sure that you specify the name of the certificate template and not the display name of the certificate template.

To find the names of certificate templates, browse to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP. You will see the certificate templates listed as the values for EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate. By default, the value for all three certificate templates is IPSECIntermediateOffline, which maps to the template display name of IPSec (Offline request).
Warning
2571

Because Configuration Manager cannot verify the contents of the certificate template when you type the name of the certificate template rather than browse, you might be able to select options that the certificate template does not support and that will result in a failed certificate request. When this happens, you will see an error message for w3wp.exe in the CPR.log file that the template name in the certificate signing request (CSR) and the challenge do not match. When you type the name of the certificate template that is specified for the GeneralPurposeTemplate value, you must select the Key encipherment and the Digital signature options for this certificate profile. However, if you want to enable only the Key encipherment option in this certificate profile, specify the certificate template name for the EncryptionTemplate key. Similarly, if you want to enable only the Digital signature option in this certificate profile, specify the certificate template name for the SignatureTemplate key. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Certificate type: Select whether the certificate will be deployed to a device or a user. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Subject name format: From the list, select how Configuration Manager automatically creates the subject name in the certificate request. If the certificate is for a user, you can also include the user's email address in the subject name. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Subject alternative name: Specify how Configuration Manager automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you can include the user principal name (UPN) in the subject alternative name. Tip If the client certificate will be used to authenticate to a Network Policy Server, you must set the subject alternative name to the UPN. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Important
2572

iOS devices support limited subject name formats and subject alternative names in SCEP certificates. If you specify a format that is not supported, certificates will not be enrolled on iOS devices. When you configure a SCEP certificate profile to be deployed to iOS devices, use the Common name for the Subject name format, and DNS name, Email address or UPN for the Subject alternative name. Certificate validity period: If you have run the certutil - setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you can specify the amount of remaining time before the certificate expires. For more information about this command, see Step 1: Install and Configure the Network Device Enrollment Service and Dependencies in the Configuring Certificate Profiles in Configuration Manager topic. You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CAs certificate. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Key usage: Specify key usage options for the certificate. You can choose from the following options: Key encipherment: Allow key exchange only when the key is encrypted. Digital signature: Allow key exchange only when a digital signature helps protect the key.

If you selected a certificate template by using Browse, you might not be able to change these settings unless you select a different certificate template.
The certificate template you selected must be configured with one or both of the two key usage options above. If it is not, you will see the message Key usage in CSR and challenge do not match in the certificate registration point log file, Crp.log. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Key size (bits): Select the size of the key in bits. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Extended key usage: Click Select to add values for the certificates intended purpose. In most cases, the certificate will require Client Authentication so that the user or device can authenticate to a server. However, you can add any other key
2573

usages as required. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested. Hash algorithm: Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support. Note SHA-1 supports only SHA-1. SHA-2 supports SHA-256, SHA-384, and SHA512. SHA-3 supports only SHA-3. Root CA certificate: Click Select to choose a root CA certificate profile that you have previously configured and deployed to the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate that you are configuring in this certificate profile. Important If you specify a root CA certificate that is not deployed to the user or device, Configuration Manager will not initiate the certificate request that you are configuring in this certificate profile. Note If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.

Step 4: Configure Supported Platforms for the Certificate Profile

Use the following procedure to specify the operating systems where you will install the certificate profile. To specify supported platforms for the certificate profile On the Supported Platforms page of the Create Certificate Profile Wizard, select the operating systems where you want to install the certificate profile. Or, click Select all to install the certificate profile to all available operating systems.

Step 5: Complete the Wizard

On the Summary page of the wizard, review the actions that will be taken, and then complete the wizard. The new certificate profile appears in the Certificate Profiles node in the Assets and Compliance workspace and is ready to be deployed to users or devices. For more information, see How to Deploy Certificate Profiles in Configuration Manager.

2574

See Also
Operations and Maintenance for Certificate Profiles in Configuration Manager

How to Deploy Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. To deploy certificates to users or devices in System Center 2012 Configuration Manager, you must deploy certificate profiles to one or more collections of users or devices. You can deploy trusted certification authority (CA) certificates, and user or device certificates. Before you deploy a user or device certificate, check whether the device has installed the trusted root CA certificate for those certificates. If the device does not have the trusted root certificate, perhaps because it is not a domain member or is from an untrusted forest, you must deploy the root CA certificate to the device in addition to deploying the user or device certificate. Use the Deploy Certificate Profile dialog box to configure the deployment of certificate profiles. This configuration includes defining the collection to which the certificate profile will be deployed and specifying how often the certificate profile is evaluated for compliance. Note If you deploy multiple company resource access profiles to the same user or device, the following behavior occurs: If a conflicting setting contains an optional value, it will not be sent to the device. If a conflicting setting contains a mandatory value, the default value will be sent to the device. If there is no default value, the entire company resource access profile will fail. Note Before you can deploy certificate profiles, you must first configure the infrastructure and create certificate profiles. For more information, see the following topics: Configuring Certificate Profiles in Configuration Manager How to Create Certificate Profiles in Configuration Manager To deploy a certificate profile 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click Certificate Profiles. 3. In the Certificate Profiles list, select the certificate profile that you want to deploy. 4. On the Home tab, in the Deployment group, click Deploy.
2575

5. In the Deploy Certificate Profile dialog box, specify the following information: Collection: Click Browse to select the user or device collection where you want to deploy the certificate profile. Generate an alert: Enable this option to configure an alert that is generated if the certificate profile compliance is less than a specified percentage by a specified date and time. You can also specify whether you want an alert to be sent to Microsoft System Center Operations Manager. Random delay (hours): (For certificate profiles that contain Simple Certificate Enrollment Protocol settings only) Specifies a delay window to avoid excessive processing on the Network Device Enrollment Service. The default value is 64 hours. Specify the compliance evaluation schedule for this certificate profile : Specifies the schedule by which the deployed certificate profile is evaluated on client computers. This can be either a simple schedule or a custom schedule. Note The profile is evaluated on client computers when the users log on. 6. Click OK to close the Deploy Certificate Profile dialog box and to create the deployment. For more information about how to monitor the deployment, see How to Monitor Certificate Profiles in Configuration Manager.

See Also
Operations and Maintenance for Certificate Profiles in Configuration Manager

How to Monitor Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. After you deploy System Center 2012 Configuration Manager certificate profiles to users in your hierarchy, you can use the following procedures to monitor the compliance status of the certificate profile: How to View Compliance Results in the Configuration Manager Console How to View Compliance Results by Using Reports

2576

How to View Compliance Results in the Configuration Manager Console

Use this procedure to view details about the compliance of deployed certificate profiles in the Configuration Manager console. To view compliance results in the Configuration Manager console 1. In the Configuration Manager console, click Monitoring. 2. In the Monitoring workspace, click Deployments. 3. In the Deployments list, select the certificate profile deployment for which you want to review compliance information. 4. You can review summary information about the compliance of the certificate profile on the main page. To view more detailed information, select the certificate profile, and then on the Home tab, in the Deployment group, click View Status to open the Deployment Status page. The Deployment Status page contains the following tabs: Compliant: Displays the compliance of the certificate profile based on the number of assets that are affected. You can double-click a rule to create a temporary node under the Users node in the Assets and Compliance workspace. This node contains all users that are compliant with the certificate profile. The Asset Details pane also displays the users that are compliant with this profile. Double-click a user in the list to display additional information. Important A certificate profile is not evaluated if it is not applicable on a client device. However, it is returned as compliant. Error: Displays a list of all errors for the selected certificate profile deployment based on the number of assets that are affected. You can double-click a rule to create a temporary node under the Users node of the Assets and Compliance workspace. This node contains all users that generated errors with this profile. When you select a user, the Asset Details pane displays the users that are affected by the selected issue. Double-click a user in the list to display additional information about the issue. Non-Compliant: Displays a list of all noncompliant rules within the certificate profile based on the number of assets that are affected. You can double-click a rule to create a temporary node under the Users node of the Assets and Compliance workspace. This node contains all users that are not compliant with this profile. When you select a user, the Asset Details pane displays the users that are affected by the selected issue. Double-click a user in the list to display further information about the issue. Unknown: Displays a list of all users that did not report compliance for the selected certificate profile deployment together with the current client status of the devices.

5. On the Deployment Status page, you can review detailed information about the compliance of the deployed certificate profile. A temporary node is created under the
2577

Deployments node that helps you find this information again quickly. The enrollment status of the certificate is displayed as a number. Use the following table to understand what each number means:
Enrollment status Description

0x00000001 0x00000002

The enrollment succeeded, and the certificate has been issued. The request has been submitted and the enrollment is pending, or the request has been issued out of band. Enrollment must be deferred. An error occurred. The enrollment status is unknown. The status information has been skipped. This can occur if a certification authority is not valid or has not been selected for monitoring. Enrollment has been denied.

0x00000004 0x00000010 0x00000020 0x00000040

0x00000100

How to View Compliance Results by Using Reports

Compliance settings in Configuration Manager include built-in reports that you can use to monitor information about certificate profiles. These reports have the report category of Compliance and Settings Management. Important You must use a wildcard (%) character when you use the parameters Device filter and User filter in the reports for compliance settings. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager.

See Also
Operations and Maintenance for Wi-Fi Profiles in Configuration Manager

2578

Security and Privacy for Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Note This topic appears in the Assets and Compliance in System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide. This topic contains security and privacy information for certificate profiles in System Center 2012 Configuration Manager.

Security Best Practices for Certificate Profiles

Use the following security best practices when you manage certificate profiles for users and devices.
Security best practice More information

Identify and follow any security best practices for the Network Device Enrollment Service, which includes configuring the Network Device Enrollment Service website in Internet Information Services (IIS) to require SSL and ignore client certificates. When you configure SCEP certificate profiles, choose the most secure options that devices and your infrastructure can support. Manually specify user device affinity instead of allowing users to identify their primary device. In addition, do not enable usage-based configuration.

See Network Device Enrollment Service Guidance in the Active Directory Certificate Services library on TechNet.

Identify, implement, and follow any security best practices that have been recommended for your devices and infrastructure. If you click the Allow certificate enrollment only on the users primary device option in a SCEP certificate profile, do not consider the information that is collected from users or from the device to be authoritative. If you deploy SCEP certificate profiles with this configuration and a trusted administrative user does not specify user device affinity, unauthorized users might receive elevated privileges and be granted certificates for authentication.

2579

Security best practice

More information

Note If you do enable usage-based configuration, this information is collected by using state messages that are not secured by Configuration Manager. To help mitigate this threat, use SMB signing or IPsec between client computers and the management point. Do not add Read and Enroll permissions for users to the certificate templates, or configure the certificate registration point to skip the certificate template check. Although Configuration Manager supports the additional check if you add the security permissions of Read and Enroll for users, and you can configure the certificate registration point to skip this check if authentication is not possible, neither configuration is a security best practice. For more information, see Planning for Certificate Template Permissions for Certificate Profiles in Configuration Manager.

Privacy Information for Certificate Profiles

You can use certificate profiles to deploy root certification authority (CA) and client certificates, and then evaluate whether those devices become compliant after the profiles are applied. The management point sends compliance information to the site server, and Configuration Manager stores that information in the site database. Compliance information includes certificate properties such as subject name and thumbprint. The information is encrypted when devices send it to the management point, but it is not stored in encrypted format in the site database. The database retains the information until the site maintenance task Delete Aged Configuration Management Data deletes it after the default interval of 90 days. You can configure the deletion interval. Compliance information is not sent to Microsoft. Certificate profiles use information that Configuration Manager collects by using discovery. For more information about privacy information for discovery, see the Privacy Information for Discovery section in Security and Privacy for Site Administration in Configuration Manager. Note Certificates that are issued to users or devices might allow access to confidential information. By default, devices do not evaluate certificate profiles. In addition, you must configure the certificate profiles, and then deploy them to users or devices.
2580

Before you configure certificate profiles, consider your privacy requirements.

See Also
Certificate Profiles in Configuration Manager

Technical Reference for Certificate Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the following topics in this section to view technical reference information for certificate profiles in System Center 2012 Configuration Manager.

In This Section
How to Configure the Policy Module to Use a New Client Certificate in Configuration Manager How to Install Certificates on Android Devices in Configuration Manager

See Also
Certificate Profiles in Configuration Manager

How to Configure the Policy Module to Use a New Client Certificate in Configuration Manager
Servers that are running the Configuration Manager Policy Module with the Network Device Enrollment Service role service use a client certificate to authenticate the Policy Module to the certificate registration point site system server in System Center 2012 Configuration Manager. Typically, a client authentication certificate is valid for one year. Before the certificate expires, renew it, update the registry for the new certificate, and then restart the web server that runs the Network Device Enrollment Service. Note If the certificate has already expired, ERROR("Failed to send http request <thumbprint>. Error 12037", appears in the NDESPlugin.log file on the server that runs
2581

the Network Device Enrollment Service. In the error message, <thumbprint> is replaced with the certificate thumbprint of the expired certificate. To renew the certificate: If you manually requested this client certificate, manually request a new certificate. If you need help deploying this certificate, you can use the instructions for Deploying the Client Certificate for Distribution Points in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic, with one exception: Do not select the Allow private key to be exported check box on the Request Handling tab of the certificate template properties. If you automatically deployed this client certificate by using Group Policy enrollment, the default configuration is to automatically request a new certificate before the original certificate expires.

After the new certificate is deployed on the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, use the following procedure to configure the server to use the new certificate. To configure the Policy Module to use the new client certificate 1. On the server that runs the Network Device Enrollment Service and the Configuration Manager Policy Module, open the registry editor and replace the old certificate thumbprint with the new certificate thumbprint by using the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDES Policy\NDESCertThumbprint. Tip To identify the thumbprint for the new certificate, locate the certificate in the Computer store by using the Certificates snap-in. Then, right-click the certificate, click Properties, click View Certificate, click the Details tab, and then scroll and select Thumbprint. You will then see and be able to copy the string of hexadecimal characters that is the certificate thumbprint for this certificate. 2. Restart the services for the web server by using one of the following methods: a. From Internet Information Services (IIS) Manager: Browse to the web server node in the tree. In the Actions pane, click Restart. b. From the command line: Type iisreset /restart and press Enter. For more information, see Start or Stop the Web Server (IIS 8) in the Windows Server library on TechNet. You can confirm that the Policy Module is using the new certificate by checking for the following entry in the NDESPlugin.log file on the server that runs the Network Device Enrollment Service: INFO("NDES thumbprint is <thumbprint>.", wszBuffer);

See Also
Technical Reference for Certificate Profiles in Configuration Manager
2582

How to Install Certificates on Android Devices in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. When certificates are installed on Android devices, the end-user must perform a number of actions in order to accept and install the certificate. It is important to educate your end-users about the actions they might need to take, because if the user does not take the correct action, then the certificate will not be installed correctly. The following procedure details the actions that much be taken on Android devices by the enduser to accept and install certificates. To install a certificate on an Android device 1. The user receives a notification, titled Company Portal, on the Android device. Click the notification to begin. 2. In the Extract from: <certificate name> box, the user is asked to enter a password to extract the certificate. The user must click OK, without entering a password. 3. In the Certificate name box, the certificate name is displayed and the user must click OK to continue. Important The user must not edit the certificate name in this box or else the certificate will not function correctly. 4. In the Choose certificate box, the user must click Allow, to allow the company portal to use the certificate. Note The user must not click the Install button which allows you to select another certificate from a storage device.

See Also
Technical Reference for Certificate Profiles in Configuration Manager

VPN Profiles in Configuration Manager

Note

2583

The information in this topic applies only to System Center 2012 R2 Configuration Manager. VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

In This Section
Use the following topics to help you plan for, configure, operate, and maintain VPN profiles in Configuration Manager. Introduction to VPN Profiles in Configuration Manager Planning for VPN Profiles in Configuration Manager Operations and Maintenance for VPN Profiles in Configuration Manager Security and Privacy for VPN Profiles in Configuration Manager Technical Reference for VPN Profiles in Configuration Manager

See Also
Company Resource Access in Configuration Manager

Introduction to VPN Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use VPN profiles in System Center 2012 Configuration Manager to deploy VPN settings to users in your organization. By deploying these settings, you minimize the end-user effort required to connect to resources on the company network. For example, you want to provision all devices that run the iOS operating system with the settings required to connect to a file share on the corporate network. You can create a VPN profile containing the settings necessary to connect to the corporate network and then deploy this profile to all users that have devices that run iOS in your hierarchy. Users of iOS devices see the VPN connection in the list of available networks and can connect to this network with the minimum of effort. You can configure the following device types with VPN profiles: Devices that run Windows 8.1 32-bit Devices that run Windows 8.1 64-bit Devices that run Windows RT or Windows RT 8.1
2584

IPhone devices that run iOS 5, iOS 6 and iOS 7 IPad devices that run iOS 5, iOS 6 and iOS 7

When you create a VPN profile, you can include a wide range of security settings, including certificates for server validation and client authentication that have been provisioned by using Configuration Manager certificate profiles. For more information about certificate profiles, see Certificate Profiles in Configuration Manager. If you select the option Use an automatic VPN connection (if configured) in the Create Deployment Type Wizard, you can configure an application to open an automatic VPN connection whenever the application is started. This option is only available when you configure a deployment type for a Windows app package. For more information, see How to Create Applications in Configuration Manager.

Whats New in System Center 2012 R2 Configuration Manager

Note The information in this section also appears in the Getting Started with System Center 2012 Configuration Manager guide. VPN profiles are new in System Center 2012 R2 Configuration Manager. VPN profiles provide the following capabilities and have some dependent configurations: Deployment of VPN profiles that provision devices with the settings and certificates that they need to access corporate networks. Supported devices include those that run iOS, Windows 8.1, Windows RT, and Windows RT 8.1.

See Also
VPN Profiles in Configuration Manager

Planning for VPN Profiles in Configuration Manager

Use the following topics in this section to help you plan to use VPN profiles in System Center 2012 R2 Configuration Manager.

In This Section
Prerequisites for VPN Profiles in Configuration Manager

2585

See Also
VPN Profiles in Configuration Manager

Prerequisites for VPN Profiles in Configuration Manager

VPN profiles in System Center 2012 Configuration Manager have dependencies only within the product.

Configuration Manager Dependencies

Dependency More information

Specific security permissions must be granted to manage VPN profiles

You must have the following security permissions to manage company resource access settings, such as certificate profiles, WiFi profiles, and VPN profiles: To view and manage alerts and reports for VPN profiles: Create, Delete, Modify, Modify Report, Read, and Run Report permissions for the Alerts object. To create and manage certificate profiles: Author Policy, Modify Report, Read and Run Report permissions for the Certificate Profile object. To manage Wi-Fi, certificate, and VPN profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource permissions for the Collection object. To manage all configuration policies: Create, Delete, Modify, Read and Set Security Scope permissions for the Configuration Policy object. To run queries that are related to VPN profiles: Read permission for the Query object. To view VPN profiles information in the Configuration Manager console: Read permission for the Site object.
2586

Dependency

More information

To view status messages for VPN profiles: Read permission for the Status Messages object. To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read and Run Report permissions for the Trusted CA Certificate Profile object. To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report permissions for the VPN Profile object. To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report permissions for the Wi-Fi Profile object.

The Company Resource Access Manager security role includes these permissions that are required to manage VPN profiles in Configuration Manager. For more information, see the Configure Role-Based Administration section in the Configuring Security for Configuration Manager topic.

See Also
Planning for VPN Profiles in Configuration Manager

Operations and Maintenance for VPN Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Use the information in this section to learn more about operations and maintenance for VPN profiles in System Center 2012 Configuration Manager.

2587

In This Section
How to Create VPN Profiles in Configuration Manager How to Deploy VPN Profiles in Configuration Manager How to Monitor VPN Profiles in Configuration Manager

See Also
VPN Profiles in Configuration Manager

How to Create VPN Profiles in Configuration Manager

Note The information in this topic applies only to System Center 2012 R2 Configuration Manager. Create VPN profiles in System Center 2012 Configuration Manager to deploy VPN settings to users in your company. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

Steps to Create a VPN Profile

Use the following required steps to create a VPN profile by using the Create VPN Profile Wizard.
Step Details More information

Step 1: Start the Create VPN Profile Wizard.

Start the wizard in the Assets and Compliance workspace in the Compliance Settings node. Enter a name and description for the VPN profile. You can also import an existing VPN profile from a file. Configure the connection type and VPN servers for the VPN profile. Configure the authentication method and certificates that

See the Step 1: Start the Create VPN Profile Wizard section in this topic. See the Step 2: Provide General Information about the VPN Profile section in this topic. See the Step 3: Provide Connection Information for the VPN Profile section in this topic. See the Step 4: Configure the Authentication Method for the
2588

Step 2: Provide general information about the VPN profile. Step 3: Provide connection information for the VPN profile.

Step 4: Configure the authentication method for the

Step

Details

More information

VPN profile. Step 5: Configure proxy settings for the VPN profile. Step 6: Configure an automatic VPN connection for the VPN profile.

the VPN profile uses.

VPN Profile section in this topic.

Configure proxy settings if they See the Step 5: Configure are required for the VPN Proxy Settings for the VPN connection. Profile section in this topic. Configure automatic VPN connections. An automatic VPN connection can be established when a user accesses a corporate network resource. Configure supported platforms. Supported platforms are the operating systems on which the VPN profile is to be installed. Complete the wizard to create the new VPN profile. See the Step 6: Configure an Automatic VPN Connection for the VPN Profile section in this topic.

Step 7: Configure supported platforms for the VPN profile.

See the Step 7: Configure Supported Platforms for the VPN Profile section in this topic. See the Step 8: Complete the Wizard section in this topic.

Step 8: Complete the wizard.

Supplemental Procedures to Create a New VPN Profile

Use the following information when the steps in the preceding table require supplemental procedures.

Step 1: Start the Create VPN Profile Wizard

Use this procedure to start the Create VPN Profile Wizard. To start the Create VPN Profile Wizard 1. In the Configuration Manager console, click Assets and Compliance. 2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click VPN Profiles. 3. On the Home tab, in the Create group, click Create VPN Profile.

Step 2: Provide General Information about the VPN Profile

Use this procedure to provide general information about the VPN profile.
2589

To provide general information about the VPN profile 1. On the General page of the Create VPN Profile Wizard, specify the following information: Name - Enter a unique name for the VPN profile. You can use a maximum of 256 characters. Important Do not use the characters \/:*?<>|, or the space character in the VPN profile name, because these characters are not supported by the Windows Server VPN profile. Description - Enter a description that gives an overview of the VPN profile and other relevant information that helps identify it in the Configuration Manager console. You can use a maximum of 256 characters. Import an existing VPN profile item from a file Select this option to display the Import VPN Profile page. On this page, you can import VPN profile information for the Windows 8.1 and Windows RT operating systems that has previously been exported to an XML file.

Step 3: Provide Connection Information for the VPN Profile

Use this procedure to specify connection information for the VPN profile. To provide connection information for the VPN profile 1. On the Connection page of the Create VPN Profile Wizard, specify the following information: Connection type: From the drop-down list, select the connection type for the VPN connection. You can choose from the connection types in the following table that shows the platforms that each connection type supports.
Connection type iOS Windows 8.1 Windows RT Windows RT 8.1

Cisco AnyConnect Juniper Pulse F5 Edge Client Dell SonicWALL Mobile Connect Check Point Mobile VPN

Yes Yes Yes Yes Yes

No Yes Yes Yes Yes

No No No No No

No Yes Yes Yes Yes

2590

Microsoft SSL (SSTP) Microsoft Automatic IKEv2 PPTP L2TP

No No No Yes Yes

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Yes Yes Yes Yes Yes

Note Computers that run the x86 or x64 versions of Windows 8.1 support automatic VPN connections. However, you cannot use the option Use an automatic VPN connection (if configured), in the Create Application Wizard to associate the application with a VPN profile. In this case, you can configure a VPN profile to establish an automatic connection from the Create VPN Profile Wizard or import an XML VPN profile. Server list: Click Add to add a new VPN server to use for the VPN connection. Depending on the connection type, you can add one or more VPN servers and also specify which server is to be the default server. Note Devices that run iOS do not support using multiple VPN servers. If you configure multiple VPN servers and then deploy the VPN profile to an iOS device, only the default server is used. The further options in the following table might be displayed, which depends on the connection type that you selected. See the VPN server documentation for more information about these options.
Option More information

Realm

Used by the Juniper Pulse