Local Policy vs. Group Policy in System Center Essentials 2010

Applies To: System Center Essentials 2010

For System Center Essentials 2010 to correctly interoperate with other components running on Windows operating systems, some changes must be made to the Essentials management server, all managed computers, and any remote computer running an Essentials component, such as a remote console or remote database. How these changes are made is determined by whether you can log on to these computers using either Domain Administrator or Group Policy Administrator credentials.

Group Policy

If you can log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials 2010, you can select the Domain Group Policy option, and any computers running Essentials components or agents are configured automatically.

Selecting the Group Policy option directs Essentials 2010 to make the following changes to the domain:

  • An Active Directory security group is created.

  • The Essentials management server is added to the Active Directory security group.

  • Two Group Policy objects (GPOs) are created.

    • One GPO is targeted at all computers in the domain and contains both the Secure Sockets Layer (SSL) and Windows Server Update Services (WSUS) certificates and Windows Firewall exception settings.

    • The other GPO is specifically targeted at Essentials-managed computers. This GPO is applied to the Active Directory security group created by Essentials 2010 and contains settings related to the Windows Update agent, Agentless Exception Monitoring (AEM), and Remote Assistance.

In addition, selecting the Group Policy option directs Essentials 2010 to make the changes described in the following table.

On the Essentials management server:

  • Essentials 2010 checks whether the SSL certificate has been configured on the WSUS Web site and creates and configures a new certificate if it is not present.

  • Essentials 2010 checks whether the WSUS certificate is already configured on the Essentials management server and creates and configures a new certificate if it is not present.

  • For AEM, a file share is created, and an access control list (ACL) is created to give write access to the Domain and to Domain Users.

  • For AEM, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and on the Essentials management server.

On managed computers:

  • None (managed computers receive all the required settings through Group Policy).

Note

When a computer is added to the Active Directory security group, a task is performed automatically that refreshes the computer's group membership.

Local Policy

If you cannot log on with Domain Administrator or Group Policy Administrator credentials when configuring Essentials 2010, use the Local Policy option. Because no GPO is created in this case, the settings that Group Policy would otherwise deliver must be applied by hand: if Windows Firewall or another vendor's firewall product is used on computers in your environment, you must create firewall exceptions on the Essentials management server and on managed computers. Also, you must import two certificates on any computer on which you installed a remote Essentials console if that computer is not also managed by the Essentials management server. For more information, see How to Install System Center Essentials 2010 Console on a Remote Computer.

Selecting the Local Policy option directs Essentials 2010 to make the changes described in the following table.

On the Essentials management server:

  • Essentials 2010 checks whether the SSL certificate has been configured on the WSUS Web site and creates and configures a new certificate if it is not present.

  • Essentials 2010 checks whether the WSUS certificate is already configured on the Essentials management server and creates and configures a new certificate if it is not present.

  • For AEM, a file share is created, and an ACL is created to give write access to the Domain and to Domain Users.

  • For AEM, the HttpListener port for AEM (port 51906) is configured with the same SSL certificate that is used for the WSUS Web site. Further, SSL and WindowsAuth are enabled for the port.

  • Proxy information is set on both the WSUS server and on the Essentials management server.

  • The following certificates are exported to the <EssentialsFolder>\Certificates folder:

    • WSUSCodeSigning.cer

    • WSUSSSL.cer

  • The SCE_ConfigureAgentCertPolicy rule in the System Center Essentials Management Pack is enabled.

  • The Essentials management server name and AEM file share property values are set for the LocalPolicyConfig rule.

On managed computers:

  • When the agent is installed, the SCE_ConfigureAgentCertPolicy rule in the System Center Essentials Management Pack runs and configures the computer.
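The two manual steps the Local Policy option leaves to the administrator are importing the exported certificates on a remote console computer that is not managed by Essentials, and creating the firewall exceptions. The following PowerShell script is an added example written for this page; it is not part of the Essentials product or its documentation. The certificate file names (WSUSCodeSigning.cer, WSUSSSL.cer), the <EssentialsFolder>\Certificates location and the AEM port 51906 come from the tables above. Everything else is an assumption: the default install path, the choice of certificate stores (a code-signing certificate is placed in Trusted Publishers and Trusted Root so locally published updates verify, the SSL certificate in Trusted Root), the firewall rule name, and the use of netsh advfirewall, which requires Windows Vista/Server 2008 or later. The page lists no ports other than 51906, so no others are added here.

```powershell
# Added example, not Essentials 2010 product code. Run elevated.
# Assumed: default install folder; store placement; rule name; netsh advfirewall
# (Vista/2008+). Port 51906 and the .cer file names come from the documentation.
param(
    [string]$EssentialsFolder = 'C:\Program Files\System Center Essentials',  # assumed default
    [int]$AemPort = 51906
)

function Import-CerToStore {
    param([string]$Path, [string]$StoreName)
    # .NET X509Store works on PowerShell 2.0 hosts of the Essentials 2010 era;
    # the Import-Certificate cmdlet only exists on Windows 8 / Server 2012 and later.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
    $store.Close()
    return $cert.Thumbprint   # returned so the caller can verify the import
}

function Import-EssentialsCertificates {
    param([string]$CertDir)
    # Store placement is an assumption, not stated on the page.
    $plan = @(
        @{ File = 'WSUSCodeSigning.cer'; Stores = @('TrustedPublisher', 'Root') },
        @{ File = 'WSUSSSL.cer';         Stores = @('Root') }
    )
    $result = @{}
    foreach ($entry in $plan) {
        $path = Join-Path $CertDir $entry.File
        if (-not (Test-Path $path)) {
            Write-Warning "Not found: $path (copy it from <EssentialsFolder>\Certificates on the management server)"
            continue
        }
        foreach ($storeName in $entry.Stores) {
            $tp = Import-CerToStore -Path $path -StoreName $storeName
            Write-Host ("{0} -> LocalMachine\{1} (thumbprint {2})" -f $entry.File, $storeName, $tp)
            $result[$entry.File] = $tp
        }
    }
    return $result
}

function Add-AemFirewallException {
    param([int]$Port)
    # Rule name is assumed. Inbound TCP only; the AEM HttpListener is an inbound service.
    $name = 'System Center Essentials AEM HttpListener'
    $existing = netsh advfirewall firewall show rule name="$name" 2>$null
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Rule Name')) {
        Write-Host "Firewall rule '$name' already present"
        return
    }
    netsh advfirewall firewall add rule name="$name" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    Write-Host "Added inbound TCP $Port exception '$name'"
}

function Test-AemSslBinding {
    param([int]$Port, [string]$ExpectedThumbprint)
    # Management-server check: the page says port 51906 is bound to the WSUS SSL
    # certificate. HTTP.sys bindings are listed by netsh; compare the hash to
    # the thumbprint of WSUSSSL.cer (netsh prints lowercase hex).
    $out = netsh http show sslcert ipport=0.0.0.0:$Port
    $hashLine = $out | Where-Object { $_ -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' }
    if (-not $hashLine) { Write-Warning "No SSL certificate bound to 0.0.0.0:$Port"; return $false }
    $bound = ($Matches[1]).ToUpperInvariant()
    $ok = ($bound -eq $ExpectedThumbprint.ToUpperInvariant())
    Write-Host ("SSL binding on {0}: {1} (expected {2}) -> {3}" -f $Port, $bound, $ExpectedThumbprint, $ok)
    return $ok
}

$certDir  = Join-Path $EssentialsFolder 'Certificates'
$imported = Import-EssentialsCertificates -CertDir $certDir
Add-AemFirewallException -Port $AemPort
if ($imported.ContainsKey('WSUSSSL.cer')) {
    # Meaningful only when run on the management server itself; on a remote
    # console computer there is no listener on 51906 and the check reports a warning.
    Test-AemSslBinding -Port $AemPort -ExpectedThumbprint $imported['WSUSSSL.cer'] | Out-Null
}
```

On a remote console computer, copy the two .cer files from the management server's <EssentialsFolder>\Certificates folder first; the script imports them into the LocalMachine stores, which is what matters for WSUS content and code-signing verification regardless of which user runs the console. The binding check is the practitioner's confirmation of the table's claim that port 51906 shares the WSUS SSL certificate; a mismatch after a certificate renewal is a common reason AEM uploads fail under Local Policy, since managed computers were configured with the earlier exported certificate.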