Clients Frequently Asked Questions

 



Deploying clients

Q. Why do we need the Legacy Client? Why not deploy just the Advanced Client?
A. The Advanced Client only runs on Windows 2000 and later. If you still have Windows 98 or Windows NT 4.0 client computers, you must run the Legacy Client. The Advanced Client is the recommended client for all clients running Windows 2000 and later.

For more information about client upgrades, see "Appendix H: Upgrading to SMS 2003" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Will computers running Windows 2000 and later automatically upgrade to the Advanced Client? (Updated May 31, 2006)
A. No. All SMS 2.0 clients running Windows 98 and Windows NT 4.0 SP 6a will upgrade to the SMS 2003 Legacy Client on their next CCIM cycle after the client access point is updated with SMS 2003 binaries. You can use the cliupgrade tool to prevent SMS 2.0 clients from upgrading and allow staging of upgrades in addition to direct upgrade to the SMS 2003 Advanced Client.

For more information about upgrading SMS client software, see "Appendix H: Upgrading to SMS 2003" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Is it possible to image the SMS client in SMS 2003?
A. Yes. For details, see "Appendix I: Installing and Configuring SMS Clients" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet. You can also search on "creating a computer master image with the SMS Advanced Client installed" in the SMS 2003 Operations Release Notes.

Q. Do clients need to have file and print sharing turned on for client push installation to work? (Updated April 30, 2004)
A. Yes. The Server service must be running, because you connect to the Admin$ share on the client. This is the same as in SMS 2.0.

Also, to enable Client Push Installation for client computers running Windows XP SP 2, enable File and Print Sharing in the Windows Firewall (formerly known as Internet Connection Firewall, or ICF) configuration on the Windows XP client. You might need to change the scope of the exception to define the set of computers for which this port is open.

For more information about deploying SMS clients, see "Appendix C: Client Deployment Planning" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet. For information about how to configure Windows Firewall on Windows XP SP 2, search for "Windows Firewall" in Help and Support Center.

Q. What is the difference between CCMSETUP.EXE, SMSMAN.EXE, CAPINST.EXE, and CLIENT.MSI? (updated August 31, 2004)
A.

CCMSetup.exe is the manual installation program for the Advanced Client. SMSMan.exe is the manual installation program for the Legacy Client.

Capinst is used for Logon Script-initiated Client Installation. It requires a server locator point to determine which site the client is assigned to. Capinst.exe then starts CCMSetup.exe or SMSMan.exe, as appropriate.

CCMSetup is recommended because it:

  • Manages a local copy of the correct client.msi for future repairs of the client.
  • Implements multi-language client installation for support of the International Client Packs (ICPs).
  • Offers "Checkpoint Restart" download behavior.
  • Includes an installation feedback mechanism in case of client installation/upgrade failure. CCMSetup sends a status message before the client is installed.
  • Persists at installing the client. Client.msi makes one attempt and then fails, but CCMSetup keeps trying until it can download and install the Advanced Client.
  • Repairs a previously installed client if run on an existing client installed with CCMSetup. In other words, performing Client Push Installation on installed clients will trigger a repair or upgrade of all installed Advanced Clients in the client push boundaries.

Client.msi is a Windows Installer package containing the Advanced Client software. It can be used to distribute the Advanced Client through Group Policy, but it should not be run manually on the client. Clients installed using Client.msi will experience difficulties with upgrade and repair operations if the version of the MSI file used to install the client is not available when the client is repaired or patched. (Unlike CCMSetup, Client.msi does not manage a local copy of the correct Client.msi for future repairs of the client.) If you installed the client using Group Policy, using Advanced Client and Management Point Cleaner (CCMClean.exe) to remove the client is not recommended or supported. Group Policy installation creates registry keys that are not removed by Advanced Client and Management Point Cleaner, and these residual registry keys might complicate future reinstallation of the Advanced Client through Group Policy. If you configure Group Policy to install the Advanced Client, configure the policy to Uninstall this application when it falls out of the scope of management. If you need to remove the Advanced Client from a computer, change the permissions on the policy so it does not apply to that computer. Removing the Advanced Client software through the software settings in the GPO removes all related registry keys and allows for future reinstallation through Group Policy.

Note Due to a Group Policy limitation, Group Policy cannot be used to apply Hotfixes to Advanced Client components.

For more information about managing Group Policy, see the Help and Support Center. For more information about CCMSetup, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

Q. Will my clients automatically upgrade to SP1? (Added September 30, 2004)
A. No. Advanced Clients do not automatically update when a newer version of the Advanced Client software is available at the SMS site. You must manually upgrade existing Advanced Clients. Windows 2000 SP2 is the earliest supported version of a Windows operating system for SMS 2003 SP1 Advanced Clients. SMS 2.0 and Legacy Client computers running the Microsoft Windows® 2000, Microsoft Windows XP, and Microsoft Windows Server® 2003 operating systems do not upgrade to SMS 2003 SP1 clients. For best practices for upgrading to SMS 2003 SP1 client software, see Scenarios and Procedures for Microsoft Systems Management Server on Microsoft TechNet.

Q. How do I determine the current client versions I have installed? (Added May 31, 2006)
A.

Determining the version and type of the SMS client software that is installed on a computer is often important during troubleshooting and for other purposes, such as verifying the success of client deployment. The following section shows how you can check the client version and type from the SMS Administrator console or on the client computer.

From the SMS Administrator Console

In the SMS Administrator console, you can determine the client version and type by viewing the properties of computers in collections and queries. The ClientType property is 0 if the client is a Legacy Client and 1 if the client is an Advanced Client. These are properties of the SMS_R_System class and the v_SMS_R_System view. You can use this information when creating queries and reports.

From the Client Computer

You can determine the client version by opening Control Panel, opening Systems Management, and then clicking the Components tab.

If you need to determine the client version by using a script or any other programmatic method, you can locate the client version in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Client Components\SMS Client Base Components\Installation Properties|Installed Version

On the Advanced Client, this client's version registry key value is set to 99.9.9999.9999. This value ensures that the Advanced Client software is never overwritten by the Legacy Client software. To determine the client's software version, you can check Windows Management Instrumentation (WMI). The client's software version is stored in the ClientVersion property of the SMS_Client class in the root\CCM namespace.

At a client, you can determine the client type by the SMS client installation directory. If a %Windir%\MS\SMS directory exists, then the client is a Legacy Client. If a %Windir%\System32\CCM\Clicomp directory exists, then the client is an Advanced Client. Also, Systems Management in Control Panel on the Advanced Client has an Actions tab, which the Legacy Client does not have.

Common client versions for SMS 2003 are listed below.

Build                                      Client Version
Systems Management Server 2003 (No SP)     2.50.2726.0018
Systems Management Server 2003 (SP 1)      2.50.3174.1018
Systems Management Server 2003 (SP 2)      2.50.4160.2000
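The client-side checks described in this answer can be combined into one script. The following is an added example, not part of the original FAQ or any Microsoft tool: it assumes Windows PowerShell 2.0 or later run locally on a 32-bit client in the default install location, and the function name Get-SmsClientInfo is hypothetical.

```powershell
# Added example: report the SMS 2003 client type and version of the local computer,
# using only the directories, registry value, WMI class and build table named in this FAQ.

$AdvancedClientSentinel = '99.9.9999.9999'   # placeholder the Advanced Client writes to the registry
$KnownBuilds = @{                            # "Common client versions" table from this FAQ
    '2.50.2726.0018' = 'Systems Management Server 2003 (No SP)'
    '2.50.3174.1018' = 'Systems Management Server 2003 (SP 1)'
    '2.50.4160.2000' = 'Systems Management Server 2003 (SP 2)'
}

function Get-SmsClientInfo {
    # 1. Client type, from the installation directories.
    $hasLegacy   = Test-Path (Join-Path $env:windir 'MS\SMS')
    $hasAdvanced = Test-Path (Join-Path $env:windir 'System32\CCM\Clicomp')
    if     ($hasAdvanced -and $hasLegacy) { $type = 'Advanced (Legacy directory also present)' }
    elseif ($hasAdvanced)                 { $type = 'Advanced' }
    elseif ($hasLegacy)                   { $type = 'Legacy' }
    else                                  { $type = 'None found' }

    # 2. Registry value. On an Advanced Client this holds the sentinel, not the real version.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\SMS Client Base Components\Installation Properties'
    $regVersion = $null
    if (Test-Path $regPath) {
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        if ($props) { $regVersion = $props.'Installed Version' }
    }

    # 3. For an Advanced Client, the real version is SMS_Client.ClientVersion in root\CCM.
    $wmiVersion = $null
    if ($hasAdvanced -or $regVersion -eq $AdvancedClientSentinel) {
        try {
            $wmiVersion = (Get-WmiObject -Namespace 'root\CCM' -Class 'SMS_Client' -ErrorAction Stop).ClientVersion
        } catch {
            Write-Warning "Could not read SMS_Client in root\CCM: $($_.Exception.Message)"
        }
    }

    # 4. Prefer WMI; never report the sentinel as a version.
    $version = $null
    if ($wmiVersion) { $version = $wmiVersion }
    elseif ($regVersion -and $regVersion -ne $AdvancedClientSentinel) { $version = $regVersion }

    $build = 'Unknown'
    if ($version -and $KnownBuilds.ContainsKey($version)) { $build = $KnownBuilds[$version] }
    elseif ($version) { $build = 'Not in the FAQ table' }

    New-Object PSObject -Property @{
        ClientType               = $type
        Version                  = $version
        Build                    = $build
        RegistryInstalledVersion = $regVersion
    } | Select-Object ClientType, Version, Build, RegistryInstalledVersion
}

Get-SmsClientInfo | Format-List
```

A result with RegistryInstalledVersion equal to 99.9.9999.9999 and an empty Version means the Advanced Client is installed but its WMI namespace could not be read, which is worth investigating before trusting inventory reports for that computer.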



Advanced Clients

Q. Does the Advanced Client require Active Directory and Active Directory schema extensions?
A.

No. Advanced Clients can run in Windows NT 4.0 domains. Active Directory is required for advanced security mode. Active Directory schema extensions are required for global roaming. Active Directory with schema extensions is also required if you want clients to automatically detect the server locator points and management points without generating WINS traffic.

For more information about Advanced Clients, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Is there any type of 30-day client verify process for the Advanced Client? (Updated March 31, 2004)
A. No. The administrator must create an advertisement with a new or updated version of the Advanced Client files. SMS never checks or updates the Advanced Client version automatically like a Legacy Client does. Because the client is installed by using .msi, it can perform self-repair, like any other .msi application can. If a hotfix is applied to an Advanced Client component, you must apply the .MSP patch file to all Advanced Clients. You can do this by using SMS Software Distribution.

Q. How do I enable DEBUG/VERBOSE logging on the Advanced Client? (Updated January 21, 2004)
A.

When using CCMSETUP to install the Advanced Client, you can use the CCMDEBUGLOGGING switch to enable debug logging. The default for the CCMLOGLEVEL switch is 1. Changing that setting to 0 when using CCMSETUP enables verbose logging.

To enable debug logging after installation, create the following registry key: HKLM\SOFTWARE\Microsoft\CCM\Logging\debuglogging

To enable verbose logging after installation, change the following value to 0:

HKLM\Software\Microsoft\CCM\Logging\@Global\Loglevel

You might need to change the registry permissions on this key to change these values.

For more information about enabling Windows Installer logging, see article 223300, "How to Enable Windows Installer Logging," in the Microsoft Knowledge Base.

Q. In which directory are the SMS Advanced Client files stored? (Updated September 30, 2004)
A.

By default, the Advanced Client for 32-Bit clients is installed in the %Windir%\System32\CCM folder. You can change this default by running Ccmsetup.exe with the CCMINSTALLDIR installation property. Regardless of where the Advanced Client software is installed, the Ccmcore.dll file is always installed in the %Windir%\System32 folder. This is done so the SMS Advanced Client programs in Control Panel function properly.

A new Advanced Client that is not configured as a management point will store the client logs at %windir%\System32\CCM\Logs. A new Advanced Client that is configured as a management point will store the client log files in SMS_CCM\Logs. SMS 2003 Legacy Clients still store the client log files at %windir%\MS\SMS\Logs.

The SMS 2003 Advanced Client installation location differs on computers running supported 64-bit operating systems. In this case, Advanced Client installation files are always copied to %Windir%\CCMSetup before installation. SMS 2003 64-bit Advanced Client software is always installed to %Windir%\Syswow64\CCM. You cannot modify this installation location.

For more information about using the advanced client installer, see "Appendix I: Installing and Configuring SMS Clients" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. If client push is enabled and a proxy management point is configured at a secondary site will the client installation process for Advanced Clients be completely local to the secondary site? (Added May 31, 2006)
A. No. If the CCR was created at the primary site, the client.msi is initiated from the primary site's management point. If the CCR was created at the secondary site, then the proxy management point will be used.

Q. How can we change the port used by the Advanced Client? (Updated September 30, 2004)
A. SMS 2003 (no service pack) does not support changing the port. In SMS 2003 SP1 you can specify the TCP ports used by Advanced Clients on the Ports tab in the properties of your SMS site. For more information, see "Securing SMS Communications" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Security on Microsoft TechNet.

Q. How do I remove the Advanced Client? (Updated December 20, 2004)
A.

The SMS Advanced Client software is not automatically removed under any circumstances. Only a user with administrative credentials on the computer can remove the Advanced Client software. You can manually remove it in two ways. You can use Advanced Client and Management Point Cleaner (CCMClean.exe) from the SMS 2003 Toolkit, which is available for download on the SMS Web site.

You can also run the following command:

msiexec /x \\<management point>\smsclient\i386\client.msi

64-Bit Advanced Clients

Q. I installed the SMS Advanced Client on a 64-bit computer. Where are my SMS Control Panel icons? (Added May 15, 2005)
A. On the Control Panel on a 64-bit Advanced Client, click View x86 Control Panel Icons to see the SMS icons.

Q. I installed the SMS Advanced Client on a 64-bit computer. Why don’t I have a CCM directory for my client? (Added May 15, 2005)
A. On a 64-bit computer, the Advanced Client is installed in <systemroot>\windows\syswow64\ccm.

Q. Are there any issues I should be aware of before installing the SMS Advanced Client on a 64-bit computer? (Added May 15, 2005)
A. Yes, there are Hotfixes available. At this time, you can see article IDs 886197 and 886902 for information about currently released Hotfixes. If additional Hotfixes are released, you can find out about them by searching the Microsoft Knowledge Base. Also see SMS 2003 Supported Configurations for SP1 for more information about 64-bit support.

Clients at Secondary Sites

Q. Is it true that secondary sites don't support Advanced Clients?
A.

Secondary sites do support Advanced Clients. However, Advanced Clients cannot be assigned to the secondary site. They are always assigned to the parent primary site, but can reside in the boundaries of the secondary site, taking advantage of any proxy management points and distribution points at the secondary site.

For more information about planning site boundaries and roaming boundaries, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment on Microsoft TechNet.

Q. Why can't we assign SMS 2003 Advanced Clients to SMS Secondary Sites?
A.

Management points must communicate with an SMS site database. Secondary sites do not have their own SMS site database; they use the site database at their parent primary site. The Policy system for Advanced Clients is based off the primary site and the clients can get policy only when assigned to the primary sites.

For more information about planning site boundaries and roaming boundaries, see "Appendix E: Designing Your SMS Sites and Hierarchy" in Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

Q. I cannot install the SMS Client on my secondary site server by using Client Push Installation. What’s wrong? (Updated December 20, 2004)
A. The secondary site server often has an existing connection to the primary site server. This interferes with the security context needed to install the SMS client. For more information, see the section "Configuring Client Push Installation to a Secondary Site Server Computer from a Primary Site Server" in the most recent version of Scenarios and Procedures for Microsoft Systems Management Server 2003: Planning and Deployment.

Roaming

Q. What is roaming? (Updated July 30, 2004)
A.

Roaming is the ability to move a computer running the SMS Advanced Client from one IP subnet or Active Directory site to another. Roaming always involves an IP address change on the client. In SMS 2.0, clients moving to other sites might have been uninstalled and reinstalled into a new site, or they might have retrieved packages and contacted client access points across slow WAN links. Roaming was developed to help control how mobile computers use the network when communicating with SMS distribution points and management points.

For a Flash demonstration illustrating the concepts and processes of Advanced Client Roaming, see the "Systems Management Server 2003 Product Documentation" page on the SMS Web site.

For more information about roaming and roaming boundaries, see the "Configuration and Operation of Advanced Client Roaming" whitepaper on the Microsoft Download site.

Q. What is the difference between local roaming boundaries and remote roaming boundaries? (Updated July 30, 2004)
A.

When configuring roaming boundaries, the SMS administrator specifies whether a roaming boundary is a local roaming boundary or a remote roaming boundary. The terms local and remote are designed to be used by the SMS administrator as a way to label well-connected and not well-connected network segments, respectively. If the SMS administrator defines the roaming boundaries in this way, then the following definitions apply:

Local roaming boundary A roaming boundary in which the site distribution points are locally available to the Advanced Client and software packages are available to that client over a well-connected link. Advertisements sent to Advanced Clients specify whether the Advanced Client downloads the package source files from the locally available distribution point before running the program.

Remote roaming boundary A roaming boundary in which the site distribution points are not locally available to the Advanced Client. Advertisements sent to Advanced Clients specify whether the client downloads the software program from a remote distribution before running it, runs the package from a remote distribution point, or does nothing and waits until a distribution point becomes available locally.

As a best practice, specify local roaming boundaries for the well-connected segments of an SMS site (such as over a LAN). Specify remote roaming boundaries for the slow or unreliable network links in your SMS site (such as RAS, a wireless network, a 56 Kbps dial-up connection, or a branch office that is not configured as a separate site).

Remote and local roaming boundaries are considered equivalent for automatic site assignment.

For more information about roaming and roaming boundaries, see the "Configuration and Operation of Advanced Client Roaming" whitepaper on the Microsoft Download site.

Q. What is the difference between global and regional roaming? (Updated July 30, 2004)
A.

If Active Directory is not available, or if the Active Directory schema for SMS is not extended, Advanced Clients can roam only to the lower level sites of their assigned site. This is called regional roaming. In regional roaming, the Advanced Client can roam to lower level sites and still receive software packages from distribution points.

Global roaming allows the Advanced Client to roam to higher level sites, sibling sites, and sites in other branches of the SMS hierarchy, and still receive software packages from distribution points. Global roaming requires Active Directory and the SMS Active Directory schema extensions. Global roaming cannot be performed across Active Directory forests.

For more information about roaming and roaming boundaries, see the "Configuration and Operation of Advanced Client Roaming" whitepaper on the Microsoft Download site.

Troubleshooting clients

Q. I manually ran client.msi to install an Advanced Client on several computers, but one client isn't getting any policy. Why not?
A. Ensure that you entered the correct site code during installation. The client might finish the install successfully with correct control panel items but will not communicate with any existing SMS site to get policy if it does not have the correct site code specified. Check the ClientLocation.log to determine if the client is assigned. Check the Locationservices.log to verify that the client is able to find the site management point. If you do not see any errors in those log files, look for policy request and download in the DataTransferservice.log.

Q. None of my clients are receiving any policies. What should I check? (Added February 27, 2004)
A.

Simulate a simple client request to IIS on the management point. First, on the Start menu, click Run and type http://<management point name>/sms_mp/.sms_aut?mplist. If you see a blank screen instead of an error message, the request is successful. Next, on the Start menu, click Run and type http://<management point name>/sms_mp/.sms_aut?mpcert. If the request is successful, you will see a long list of numbers and letters. Finally, run the MPGetPolicy tool from the SMS Toolkit 1, available on the Microsoft Download site. If all of these tests fail, verify that your management point has been installed correctly. For more information about verifying the successful installation of a management point, see "Site Systems Frequently Asked Questions" on Microsoft TechNet.
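The two browser requests above can be scripted so the same check is repeatable from any client. This is an added example, not part of the original FAQ or the SMS Toolkit: it assumes Windows PowerShell 2.0 or later, the function name Test-SmsManagementPoint and the host name MP01 in the usage comment are hypothetical, and it does not replace the MPGetPolicy step.

```powershell
# Added example: request mplist and mpcert from a management point and judge the
# responses by the criteria this FAQ gives (no error for mplist; a long run of
# numbers and letters for mpcert).

function Test-SmsManagementPoint {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9.-]+$')]   # host name or IPv4 address only, nothing that alters the URL
        [string] $ManagementPoint
    )

    $web = New-Object System.Net.WebClient
    $report = @()
    foreach ($query in 'mplist', 'mpcert') {
        $url    = "http://$ManagementPoint/sms_mp/.sms_aut?$query"
        $passed = $false
        $detail = ''
        try {
            # DownloadString throws on connection failures and HTTP error responses.
            $body = $web.DownloadString($url)
            if ($query -eq 'mpcert') {
                $text   = $body.Trim()
                $passed = $text -match '^[0-9A-Za-z]+$'
                if ($passed) { $detail = "certificate text returned ($($text.Length) characters)" }
                else         { $detail = 'response is not a plain run of numbers and letters' }
            } else {
                $passed = $true
                $detail = "request succeeded ($($body.Length) characters returned)"
            }
        } catch {
            $detail = $_.Exception.Message
        }
        $report += New-Object PSObject -Property @{ Url = $url; Passed = $passed; Detail = $detail }
    }
    $web.Dispose()
    $report | Select-Object Url, Passed, Detail
}

# Usage (MP01 is a placeholder for your management point name):
# Test-SmsManagementPoint -ManagementPoint 'MP01' | Format-Table -AutoSize
```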

Q. Why does the Client Push Installation Wizard not install a client? (Updated March 31, 2004)
A.

Verify that the client is assigned to the site. By default, the wizard only pushes to clients assigned to the site.

Verify that you have created the appropriate accounts and they have access to all chosen client computers. Client Push Installation requires that you grant administrator rights and permissions to either the SMS Service Account (if the site is running in standard security mode) or Client Push Installation Accounts that you create in the Client Push Installation Properties dialog box in the SMS Administrator console.

To troubleshoot Client Push Installation problems during Advanced Client installation, review the Ccm.log file on the SMS site server, which is located in the SMS\Logs folder. On the client, review the Ccmsetup.log and Client.msi.log files, which are located in %Windir%\System32\Ccmsetup.

Also, to enable Client Push Installation for client computers running Windows XP SP 2, enable File and Print Sharing in the Windows Firewall (formerly known as Internet Connection Firewall, or ICF) configuration on the Windows XP client.

Site-wide Client Push Installation cannot install the SMS client on computers that are running Windows NT 4.0, and are discovered only by Active Directory discovery methods. Instead, you can create a collection and deploy the client to the collection instead of the whole site.

For more information about using site-wide client push installation on Windows NT 4.0 computers, see the SMS 2003 Installation Release Notes. For information about how to configure Windows Firewall on Windows XP SP 2, search for "Windows Firewall" in Help and Support Center.

Q. I ran Capinst but I don't see any SMS client files. Is there a log telling me what happened?
A.

Yes. It is called capinst.log and is located in the logged-on user’s temp directory (for example, D:\documents and settings\User1\Local Settings\temp).

Note The Local Settings folder is marked as hidden by default.

Q. Why does my Advanced Client not show as being installed in the All Systems collection, but it is installed?
A. First, verify that the SMS Agent Host service is installed and running. If it is, the Advanced Client really is installed. If it doesn’t show up in the All Systems collection, it might be either that the client is not assigned to a site or that the client cannot find the default management point in its assigned site. You can use the Advanced tab of the Systems Management program in Control Panel to verify that the client is assigned to a site. If not, you can configure the site code the client should be assigned to. If it is assigned to a site, view the LocationServices.log on the client (Windows\System32\CCM\Logs) to see if the client was able to retrieve the default management point for the assigned site. It may be that the management point installation failed due to lack of IIS or BITS services being installed prior to the management point role being assigned to the computer.

Q. Is there a way I can force my Advanced Client to see a management point? (added December 12, 2003)
A.

No. The management point is not stored on the client in a registry setting that can be manipulated to cause it to be assigned to a management point. Clients use a dynamic process to locate their management point. This is an important feature of the Advanced Client that allows computers to roam to other sites.

Management point lookup occurs periodically, such as when the SMS Agent Host service starts. If you need to force the client to relocate the management point, you can:

  • Stop and restart the SMS Agent Host service on the client. Restarting the computer will also cause this service to stop and restart.
  • Disconnect the computer from the network and reconnect it. You can physically disconnect and reconnect the cable, disable and re-enable the network adaptor, or release and renew a DHCP-assigned IP address.
  • Use Control Panel to force discovery of the local SMS site. Double-click the Systems Management icon in Control Panel. On the Advanced tab in the Properties dialog box, click Discover to automatically find the local SMS site and management points.

If you have extended the Active Directory schema, then the client will use an LDAP query to determine the management point. If the schema has not been extended, the client will perform a WINS record lookup.

Q. I upgraded my Legacy Clients to Advanced Clients. I received client status message 10022 and restarted the clients, but they still don’t indicate that the Advanced Client was installed (status message 10800). What’s wrong? (Updated June 30, 2004)
A.

This is a known issue. If the upgrade was set to restart the Legacy Client after installation, the client generates status message 10022, which indicates the operation was successful, but a restart of the system is required for the operation to be complete. This message overrides the 10800 message that indicates a successful installation of the Advanced Client.

There are three reports that are currently affected by this condition:

  • Status of an Advanced Client distribution
  • Advertisement status messages for a client being upgraded to the Advanced Client
  • All system resources for a specific Advanced Client distribution in a specific state

These reports will show that the program completed successfully, but there is a restart pending. Assuming these clients have completed a restart, you can consider them fully installed. You can also add the client version to the detail in the report and use the version number to determine which clients have successfully installed the Advanced Client.

Note You may find a larger-than-expected number of computers reported as Succeeded in Advertisement status messages for a client being upgraded to the Advanced Client. If an Advanced Client successfully upgrades once, it will not rerun the upgrade program. If the Advanced Client package is advertised to more than one collection and the same client is a member of both collections, then that client will send the Program will not rerun status message. This status message moves the client from the Advanced Client installed count to the Succeeded count. If it is not possible to avoid the collection overlap, use client version reports to determine whether upgrades were successful.

Windows XP SP2

Q. I would like to install Windows XP SP 2. Are there any application compatibility issues with SMS 2003? (Updated September 30, 2004)
A.

Yes. At this time there are two known compatibility issues that require hotfixes and five application compatibility issues caused by the secure configuration of the Windows Firewall (also known as Internet Connection Firewall, or ICF).

Hotfixes

Accessing SMS items in Control Panel Because of restrictions imposed on DCOM with Windows XP SP2, users will not be able to access Run Advertised Programs or Program Download Monitor in Control Panel when using SMS 2003 (no service pack.) Also, the Actions tab of the Systems Management in Control Panel is not accessible. A hotfix is available to correct this problem. The hotfix is included in SMS 2003 SP1. For more information about this hotfix, see article 832862 in the Microsoft Knowledge Base. To successfully deploy this hotfix to the clients using SMS software distribution, you must verify that the countdown feature is disabled on the Advertised Programs Client agent.

Downloading packages by using BITS Windows XP SP2 interferes with the Advanced Client’s ability to download packages by using BITS when using SMS 2003 (no service pack.) Downloading policy by using BITS is not affected. This issue is fixed by applying a hotfix to the BITS-enabled distribution points. For more information about this hotfix, see article 832860 in the Microsoft Knowledge Base. The hotfix is included in SMS 2003 SP1.

Application compatibility issues and workarounds

When you install Windows XP SP 2, the Windows Firewall is enabled by default. The default Windows Firewall settings will interfere with operations of several SMS functions.

To modify the programs and services permitted by Windows Firewall:

  1. On the computer running Windows XP, in Control Panel open Windows Firewall.
  2. On the Exceptions tab, select either the default service specified later in this section, or click Add Program or Add Port to create custom programs or ports.
  3. If necessary, click Change scope to define the set of computers for which this port is open.



Remote Control SMS clients running Windows XP SP 2 cannot be remotely managed by using SMS Remote Tools. The recommended best practice is to use Remote Assistance on client computers that support it, such as Windows XP. To enable SMS Remote Tools, add the following port for each necessary remote tool:

Port             Function
TCP port 2701    Allows general contact, reboot, and ping
TCP port 2702    Remote Control
TCP port 2703    Chat
TCP port 2704    File Transfer

For more information about ports used by SMS remote control, see article 256884 in the Microsoft Knowledge Base.

Remote Assistance is unavailable when initiated from the SMS Administrator console Remote Assistance sessions initiated from the SMS Administrator console to a computer running Windows XP SP 2 will fail, although Remote Assistance sessions requested by the Windows XP client will succeed. To enable Remote Assistance to be initiated from the SMS Administrator console, add both the custom program helpsvc.exe and the custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the Windows XP client. Also, Windows Firewall must be configured to permit Remote Assistance and Remote Desktop. If a user initiates a request for Remote Assistance from that computer, Windows Firewall will automatically be configured to permit Remote Assistance and Remote Desktop.

Windows Event Viewer, System Monitor and Windows Diagnostics from the SMS Administrator console

The SMS Administrator console cannot access Windows Event Viewer or System Monitor on computers running Windows XP SP2. To enable remote access to these features, enable File and Print Sharing in the Windows Firewall configuration on the Windows XP client. There is no workaround at this time to access Windows Diagnostics from the SMS Administrator console.

Client Push Installation

Client Push Installation fails on client computers running Windows XP SP 2. To enable Client Push Installation, enable File and Print Sharing in the Windows Firewall configuration on the Windows XP client.

Queries

If you run the SMS Administrator console on a computer running Windows XP SP2, queries will fail the first time they run. After the first failure, the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall prior to running a query.

SMS Administrator console

Windows Firewall has three settings: On, On with no exceptions, and Off. When you select the Don’t allow exceptions check box, the SMS Administrator console cannot connect to any SMS site database from the Windows XP client. This is by design. If Windows Firewall is set to On (recommended), the SMS Administrator console cannot display all of the items in the console tree until you add the program unsecapp.exe and the port TCP 135 to the list of programs and services on the Exceptions tab of Windows Firewall.

Advanced users can configure Windows Firewall by using the netsh.exe command line tool. For more information about this tool, search for "Configuring Windows Firewall from the command line" in Help and Support Center. Network administrators can also use Group Policy to configure Windows Firewall settings. For a complete list of Group Policy options, see "Deploying Internet Connection Firewall Settings for Microsoft Windows XP with Service Pack 2" at the Microsoft Download Center.
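
The client-side exceptions described in this section can be scripted with the Windows XP SP 2 "netsh firewall" context, with each exception scoped to named management hosts instead of left open to any computer. This is an added example, not a Microsoft-supplied script; the MGMT address list is a placeholder and the helpsvc.exe path is the usual Windows XP location, both assumptions.

```batch
@echo off
rem Added example: Windows Firewall exceptions for an SMS 2003 client running
rem Windows XP SP 2, created with "netsh firewall" and limited by scope.
rem ASSUMPTIONS (not from the page):
rem   MGMT   - placeholder addresses of the SMS site server / console hosts
rem   HELPSVC - usual Windows XP location of helpsvc.exe
rem Delete the blocks for features you do not use.
setlocal
set MGMT=192.0.2.10,192.0.2.11
set HELPSVC=%windir%\PCHealth\HelpCtr\Binaries\helpsvc.exe

rem --- SMS Remote Tools: TCP 2701 (general contact, reboot, ping),
rem     2702 (Remote Control), 2703 (Chat), 2704 (File Transfer)
for %%P in (2701 2702 2703 2704) do (
    netsh firewall add portopening protocol=TCP port=%%P name="SMS Remote Tools %%P" mode=ENABLE scope=CUSTOM addresses=%MGMT%
)

rem --- Remote Assistance initiated from the SMS Administrator console:
rem     custom program helpsvc.exe plus custom port TCP 135
netsh firewall add allowedprogram program="%HELPSVC%" name="Help and Support (helpsvc.exe)" mode=ENABLE scope=CUSTOM addresses=%MGMT%
netsh firewall add portopening protocol=TCP port=135 name="TCP 135 for SMS console" mode=ENABLE scope=CUSTOM addresses=%MGMT%

rem --- Client Push Installation, remote Event Viewer and System Monitor:
rem     File and Print Sharing, reachable only from the management hosts
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%MGMT%

rem --- Review the result: every exception should list only the MGMT
rem     addresses as its scope, never "*" (any computer)
netsh firewall show portopening
netsh firewall show allowedprogram
netsh firewall show service
endlocal
```

Run it from an administrator command prompt on the client. The unsecapp.exe and statview.exe exceptions belong on the computer that runs the SMS Administrator console, not on managed clients, so they are left out here.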

Q. I permitted unsecapp.exe and TCP port 135 through my firewall, but my SMS Administrator console running on Windows XP SP 2 still cannot connect to the SMS site database. What should I do next? (Added January 31, 2005)
A. Some customers have reported this issue, but at this time, Microsoft has not been able to reproduce this condition. If you run the SMS Administrator console only from computers that belong to the same domain as the SMS Provider, permitting unsecapp.exe and port TCP 135 to pass through the Windows Firewall should be sufficient. However, some customers have reported that even after permitting these two exceptions, the SMS Administrator console still cannot connect to an SMS site database from the Windows XP SP 2 client, even when both computers are in the same domain. As a last resort, adding anonymous remote access rights in DCOM resolves the issue but increases your security risk.

If you grant anonymous remote access rights, you disable a layer of protection for the system. An attacker no longer needs to circumvent user authentication to discover and exploit potential vulnerabilities in the system. To avoid potential attacks related to granting anonymous remote access rights, you can use Remote Desktop to connect to the computer running the SMS Provider and run the SMS Administrator console remotely.

To allow anonymous remote access in DCOM:

  1. From the Start menu, click Run and type Dcomcnfg.exe.
  2. In Component Services, click Console Root, click Component Services, click Computers, and then click My Computer. On the Action menu, click Properties.
  3. In the My Computer Properties dialog box, on the COM Security tab, in the Access Permissions section, click Edit Limits.
  4. In the Access Permission dialog box, select the check box to allow Remote Access for Anonymous Logon.
  5. Restart the computer.






For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ to smsdocs@microsoft.com.


