Clients Frequently Asked Questions

CCMSetup.exe is the manual installation program for the Advanced Client. SMSMan.exe is the manual installation program for the Legacy Client.

Capinst is used for Logon Script-initiated Client Installation. It requires a server locator point to determine which site the client is assigned to. Capinst.exe then starts CCMSetup.exe or SMSMan.exe, as appropriate.

CCMSetup is recommended because it:

• Manages a local copy of the correct client.msi for future repairs of the client.
• Implements multi-language client installation for support of the International Client Packs (ICPs).
• Offers "Checkpoint Restart" download behavior.
• Includes an installation feedback mechanism in case of client installation/upgrade failure. CCMSetup sends a status message before the client is installed.
• Persists at installing the client. Client.msi makes one attempt and then fails, but CCMSetup keeps trying until it can download and install the Advanced Client.
• Repairs a previously installed client if run on an existing client installed with CCMSetup. In other words, performing Client Push Installation on installed clients will trigger a repair or upgrade of all installed Advanced Clients in the client push boundaries.

Client.msi is a Windows Installer package containing the Advanced Client software. It can be used to distribute the Advanced Client through Group Policy, but it should not be run manually on the client. Clients installed using Client.msi will experience difficulties with upgrade and repair operations if the version of the MSI file used to install the client is not available when the client is repaired or patched. (Unlike Ccmsetup, Client.msi does not manage a local copy of the correct Client.msi for future repairs of the client.) If you installed the client using Group Policy, using use Advanced Client and Management Point Cleaner (CCMClean.exe) to remove the client is not recommended or supported. Group Policy installation creates registry keys that are not removed by use Advanced Client and Management Point Cleaner and these residual registry keys might complicate future reinstallation of the Advanced Client through Group Policy. If you configure Group Policy to install the Advanced Client, configure the policy to Uninstall this application when it falls out of the scope of management. If you need to remove the advanced client from a computer, change the permissions on the policy so it does not apply to that computer. Removing the Advanced Client software through the software settings in the GPO removes all related registry keys and allows for future reinstallation through Group Policy.

Note Due to a Group Policy limitation, Group Policy cannot be used to apply Hotfixes to Advanced Client components.

For more information about managing Group Policy, see the Help and Support Center. For more information about CCMSetup, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

Determining the version and type of the SMS client software that is installed on a computer is often important during troubleshooting and for other purposes, such as verifying the success of client deployment. The following section shows how you can check the client version and type from the SMS Administrator console or on the client computer.

If you need to determine the client version by using a script or any other programmatic method, you can locate the client version in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\ SMS Client Base Components\Installation Properties|Installed Version

On the Advanced Client, this client's version registry key value is set to 99.9.9999.9999. This value ensures that the Advanced Client software is never overwritten by the Legacy Client software. To determine the client's software version, you can check Windows Management Instrumentation (WMI). The client's software version is stored in the ClientVersion property of the SMS_Client class in the root\CCM namespace.

At a client, you can determine the client type by the SMS client installation directory. If a %Windir%\MS\SMS directory exists, then the client is a Legacy Client. If a %Windir%\System32\CCM\Clicomp directory exists, then the client is an Advanced Client. Also, Systems Management in Control Panel on the Advanced Client has an Actions tab, which the Legacy Client does not have.

Common client versions for SMS 2003 are listed below.

No. Advanced Clients can run in Windows NT 4.0 domains. Active Directory is required for advanced security mode. Active Directory schema extensions are required for global roaming. Active Directory with schema extensions is also required if you want clients to automatically detect the server locator points and management points without generating WINS traffic.

For more information about Advanced Clients, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

When using CCMSETUP to install the Advanced Client, you can use the CCMDEBUGLOGGING switch to enable debug logging. The default for the CCMLOGLEVEL switch is 1. Changing that setting to 0 when using CCMSETUP enables verbose logging.

To enable debug logging after installation, create the following registry key: HKLM\SOFTWARE\Microsoft\CCM\Logging\debuglogging

To enable verbose logging after installation, change the following value to 0:

HKLM\Software\Microsoft\CCM\Logging\@Global\Loglevel

You might need to change the registry permissions on this key to change these values.

For more information about enabling Windows Installer logging, see article 223300, "How to Enable Windows Installer Logging," in the Microsoft Knowledge Base.

By default, the Advanced Client for 32-Bit clients is installed in the %Windir%\System32\CCM folder. You can change this default by running Ccmsetup.exe with the CCMINSTALLDIR installation property. Regardless of where the Advanced Client software is installed, the Ccmcore.dll file is always installed in the %Windir%\System32 folder. This is done so the SMS Advanced Client programs in Control Panel function properly.

A new Advanced Client that is not configured as a management point will store the client logs at %windir%\System32\CCM\Logs. A new Advanced Client that is configured as a management point will store the client log files in SMS_CCM\Logs. SMS 2003 Legacy Clients still store the client log files at %windir%\MS\SMS\Logs.

The SMS 2003 Advanced Client installation location differs on computers running supported 64-bit operating systems. In this case, Advanced Client installation files are always copied to %Windir%\CCMSetup before installation. SMS 2003 64-bit Advanced Client software is always installed to %Windir%\Syswow64\CCM. You cannot modify this installation location.

For more information about using the advanced client installer, see "Appendix I: Installing and Configuring SMS Clients" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

The SMS Advanced Client software is not automatically removed under any circumstances. Only a user with administrative credentials on the computer can remove the Advanced Client software. You can manually remove it in two ways. You can use Advanced Client and Management Point Cleaner (CCMClean.exe) from the SMS 2003 Toolkit, which is available for download on the SMS Web site.

You can also run

msiexec /x \\<management point>\smsclient\i386\client.msi.

Secondary sites do support Advanced Clients. However, Advanced Clients cannot be assigned to the secondary site. They are always assigned to the parent primary site, but can reside in the boundaries of the secondary site, taking advantage of any proxy management points and distribution points at the secondary site.

For more information about planning site boundaries and roaming boundaries, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Management points must communicate with an SMS site database. Secondary sites do not have their own SMS site database; they use the site database at their parent primary site. The Policy system for Advanced Clients is based off the primary site and the clients can get policy only when assigned to the primary sites.

For more information about planning site boundaries and roaming boundaries, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

Roaming is the ability to move a computer running the SMS Advanced Client from one IP subnet or Active Directory site to another. Roaming always involves an IP address change on the client. In SMS 2.0, clients moving to other sites might have been uninstalled and reinstalled into a new site, or they might have retrieved packages and contacted client access points across slow WAN links. Roaming was developed to help control how mobile computers use the network when communicating with SMS distribution points and management points.

For a Flash demonstration illustrating the concepts and processes of Advanced Client Roaming, see the "Systems Management Server 2003 Product Documentation" page on the SMS Web site.

For more information about roaming and roaming boundaries, see the "Configuration and Operation of Advanced Client Roaming" whitepaper on the Microsoft Download site.

When configuring roaming boundaries, the SMS administrator specifies whether a roaming boundary is a local roaming boundary or a remote roaming boundary. The terms local and remote are designed to be used by the SMS administrator as a way to label well-connected and not well-connected network segments, respectively. If the SMS administrator defines the roaming boundaries in this way, then the following definitions apply:

Local roaming boundary A roaming boundary in which the site distribution points are locally available to the Advanced Client and software packages are available to that client over a well-connected link. Advertisements sent to Advanced Clients specify whether the Advanced Client downloads the package source files from the locally available distribution point before running the program.

Remote roaming boundary A roaming boundary in which the site distribution points are not locally available to the Advanced Client. Advertisements sent to Advanced Clients specify whether the client downloads the software program from a remote distribution before running it, runs the package from a remote distribution point, or does nothing and waits until a distribution point becomes available locally.

As a best practice, specify local roaming boundaries for the well-connected segments of an SMS site (such as over a LAN). Specify remote roaming boundaries for the slow or unreliable network links in your SMS site (such as RAS, a wireless network, a 56 Kbps dial-up connection, or a branch office that is not configured as a separate site).

Remote and local roaming boundaries are considered equivalent for automatic site assignment.

For more information about roaming and roaming boundaries, see the"Configuration and Operation of Advanced Client Roaming"whitepaper on the Microsoft Download site.

If Active Directory is not available, or if the Active Directory schema for SMS is not extended, Advanced Clients can roam only to the lower level sites of their assigned site. This is called regional roaming. In regional roaming, the Advanced Client can roam to lower level sites and still receive software packages from distribution points.

Global roaming allows the Advanced Client to roam to higher level sites, sibling sites, and sites in other branches of the SMS hierarchy, and still receive software packages from distribution points. Global roaming requires Active Directory and the SMS Active Directory schema extensions. Global roaming cannot be performed across Active Directory forests.

For more information about roaming and roaming boundaries, see the "Configuration and Operation of Advanced Client Roaming" whitepaper on the Microsoft Download site.

Simulate a simple client request to IIS on the management point. First, on the Start menu, Click Run and type http://<management point name>/sms_mp/.sms_aut?mplist. If you see a blank screen instead of an error message, the request is successful. Next, on the Start menu, Click Run and type

http://<management point name>/sms_mp/.sms_aut?mpcert. If the request is successful, you will see a long list of numbers and letters. Finally, run the MPGetPolicy tool from the SMS Toolkit1, available on the Microsoft Download site. If all of these tests fail, verify that your management point has been installed correctly. For more information about verifying the successful installation of a management point, see "Site Systems Frequently Asked Questions" on Microsoft TechNet.

Verify that the client is assigned to the site. By default, the wizard only pushes to clients assigned to the site.

Verify that you have created the appropriate accounts and they have access to all chosen client computers. Client Push Installation requires that you grant administrator rights and permissions to either the SMS Service Account (if the site is running in standard security mode) or Client Push Installation Accounts that you create in the Client Push Installation Properties dialog box in the SMS Administrator console.

To troubleshoot Client Push Installation problems during Advanced Client installation, review the Ccm.log file on the SMS site server, which is located in the SMS\Logs folder. On the client, review the Ccmsetup.log and Client.msi.log file, which is located in %Windir%\System32\Ccmsetup.

Also, to enable Client Push Installation for client computers running Windows XP SP 2, enable File and Print Sharing in the Windows Firewall (formerly known as Internet Connection Firewall, or ICF) configuration on the Windows XP client.

Site-wide Client Push Installation cannot install the SMS client on computers that are running Windows NT 4.0, and are discovered only by Active Directory discovery methods. Instead, you can create a collection and deploy the client to the collection instead of the whole site.

For more information about using site-wide client push installation on Windows NT 4.0 computers, see the SMS 2003 Installation Release Notes. For information about how to configure Windows Firewall on Windows XP SP 2, search for "Windows Firewall" in Help and Support Center.

Yes. It is called capinst.log and is located in the logged in the user’s temp directory (I.e. D:\documents and settings\User1\Local Settings\temp).

Note The Local Settings folder is marked as hidden by default.

No. The management point is not stored on the client in a registry setting that can be manipulated to cause it to be assigned to a management point. Clients use a dynamic process to locate their management point. This is an important feature of the Advanced Client that allows computers to roam to other sites.

Management point lookup occurs periodically, such as when the SMS Agent Host service starts. If you need to force the client to relocate the management point. you can:

• Stop and restart the SMS Agent Host service on the client. Restarting the computer will also cause this service to stop and restart.
• Disconnect the computer from the network and reconnect it. You can physically disconnect and reconnect the cable, disable and re-enable the network adaptor, or release and renew a DHCP-assigned IP address.
• Use Control Panel to force discovery of the local SMS site. Double-Click the Systems Management icon in Control Panel. On the Advanced tab in the Properties dialog box, Click Discover to automatically find the local SMS site and management points.

If you have extended the Active Directory schema, then the client will use an LDAP query to determine the management point. If the schema has not been extended, the client will perform a WINS record lookup.

This is a known issue. If the upgrade was set to restart the Legacy Client after installation, the client generates status message 10022, which indicates the operation was successful, but a restart of the system is required for the operation to be complete. This message overrides the 10800 message that indicates a successful installation of the Advanced Client.

There are three reports that are currently affected by this condition:

• Status of an Advanced Client distribution
• Advertisement status messages for a client being upgraded to the Advanced Client
• All system resources for a specific Advanced Client distribution in a specific state

These reports will show that the program completed successfully, but there is a restart pending. Assuming these clients have completed a restart, you can consider them fully installed. You can also add the client version to the detail in the report and use the version number to determine which clients have successfully installed the Advanced Client.

Note You may find a larger-than-expected number of computers reported as Succeeded in Advertisement status messages for a client being upgraded to the Advanced Client. If an Advanced Client successfully upgrades once, it will not rerun the upgrade program. If the Advanced Client package is advertised to more than one collection and the same client is a member of both collections, then that client will send the Program will not rerun status message. This status message moves the client from the Advanced Client installed count to the Succeeded count. If it is not possible to avoid the collection overlap, use client version reports to determine whether upgrades were successful.

Yes. At this time there are two known compatibility issues that require hotfixes and five application compatibility issues caused by the secure configuration of the Windows Firewall (also known as Internet Connection Firewall, or ICF).

Hotfixes

Accessing SMS items in Control Panel Because of restrictions imposed on DCOM with Windows XP SP2, users will not be able to access Run Advertised Programs or Program Download Monitor in Control Panel when using SMS 2003 (no service pack.) Also, the Actions tab of the Systems Management in Control Panel is not accessible. A hotfix is available to correct this problem. The hotfix is included in SMS 2003 SP1. For more information about this hotfix, see article 832862 in the Microsoft Knowledge Base. To successfully deploy this hotfix to the clients using SMS software distribution, you must verify that the countdown feature is disabled on the Advertised Programs Client agent.

Downloading packages by using BITS Windows XP SP2 interferes with the Advanced Client’s ability to download packages by using BITS when using SMS 2003 (no service pack.) Downloading policy by using BITS is not affected. This issue is fixed by applying a hotfix to the BITS-enabled distribution points. For more information about this hotfix, see article 832860 in the Microsoft Knowledge Base. The hotfix is included in SMS 2003 SP1.

Application compatibility issues and workarounds

When you install Windows XP SP 2, the Windows Firewall is enabled by default. The default Windows Firewall settings will interfere with operations of several SMS functions.

To modify the programs and services permitted by Windows Firewall:

1. On the computer running Windows XP, in Control Panel open Windows Firewall.
2. On the Exceptions tab, select either the default service specified later in this section, or Click Add Program or Add Port to create custom programs or ports.
3. If necessary, Click Change scope to define the set computers for which this port is open.

Remote Control SMS clients running Windows XP SP 2 cannot be remotely managed by using SMS Remote Tools. The recommended best practice is to use Remote Assistance on client computers that support it, such as Windows XP. To enable SMS Remote Tools, add the following port for each necessary remote tool:

For more information about ports used by SMS remote control, see article 256884 in the Microsoft Knowledge Base. Remote Assistance is unavailable when initiated from the SMS Administrator console Remote assistance sessions initiated from the SMS Administrator console to a computer running Windows XP SP 2 will fail, although remote assistance sessions requested by the Windows XP client will succeed. To enable Remote Assistance to be initiated from the SMS Administrator console, add both the custom program helpsvc.exe and the custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the Windows XP client. Also, Windows Firewall must be configured to permit Remote Assistance and Remote Desktop. If a user initiates a request for Remote Assistance from that computer, Windows Firewall will automatically be configured to permit Remote Assistance and Remote Desktop.

Windows Event Viewer, System Monitor and Windows Diagnostics from the SMS Administrator console The SMS Administrator console cannot access Windows Event Viewer or System Monitor on computers running Windows XP SP2. To enable remote access to these features, enable File and Print Sharing in the Windows Firewall configuration on the Windows XP client. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.

Client Push Installation Client Push Installation fails on client computers running Windows XP SP 2. To enable Client Push Installation, enable File and Print Sharing in the Windows Firewall configuration on the Windows XP client.

Queries If you run the SMS Administrator console on a Windows XP SP2, queries will fail the first time they run. After failing to run the first time, the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall prior to running a query.

SMS Administrator console Windows Firewall has three settings: On, On with no exceptions, and Off. When you select the Don’t allow exceptions check box,, the SMS Administrator console cannot connect to any SMS site database from the Windows XP client. This is by design. If Windows Firewall is set to On (recommended), the SMS Administrator console cannot display all of the items in the console tree until you add the program unsecapp.exe and the port TCP 135 to the list of programs and services on the Exceptions tab of Windows Firewall.

Advanced users can configure Windows Firewall by using the netsh.exe command line tool. For more information about this tool, search for "Configuring Windows Firewall from the command line" in Help and Support Center. Network administrators can also use Group Policy to configure Windows Firewall settings. For a complete list of Group Policy options, see "Deploying Internet Connection Firewall Settings for Microsoft Windows XP with Service Pack 2" at the Microsoft Download Center.

Some customers have reported this issue, but at this time, Microsoft has not been able to reproduce this condition. If you run the SMS Administrator console only from computers that belong to the same domain as the SMS Provider, permitting unsecapp.exe and port TCP 135 to pass through the Windows Firewall should be sufficient. However, some customers have reported that even after permitting these two exceptions, the SMS Administrator console still cannot connect to an SMS site database from the Windows XP SP 2 client, even when both computers are in the same domain. As a last resort, adding anonymous remote access rights in DCOM resolves the issue but increases your security risk.

If you grant anonymous remote access rights, you disable a layer of protection for the system. An attacker no longer needs to circumvent user authentication to discover and exploit potential vulnerabilities in the system. To avoid potential attacks related to granting anonymous remote access rights, you can use Remote Desktop to connect to the computer running the SMS Provider and run the SMS Administrator console remotely.

To allow anonymous remote access in DCOM:

1. From the Start menu, Click Run and type Dcomcnfg.exe.
2. In Component Services, Click Console Root, Click Component Services, Click Computers, and then Click My Computer. On the Action menu, Click Properties.
3. In the My Computer Properties dialog box, on the COM Security tab, in the Access Permissions section, Click Edit Limits.
4. In the Access Permission dialog box, select the check box to allow Remote Access for Anonymous Logon.
5. Restart the computer.