How to Change Group Policy Settings for Agentless Exception Monitoring in Essentials

Applies To: System Center Essentials 2010

The SCECertPolicyConfigUtil utility (SCECertPolicyConfigUtil.exe) changes Group Policy settings and Agentless Exception Monitoring (AEM) settings from the command line.

To install the SCECertPolicyConfig utility

  1. In the HelperObjects\i386 folder of the Essentials 2010 installation media, start SCECertPolicyConfig.msi.

  2. To verify the installation, on the computer, open the folder %Program Files%\System Center Essentials and confirm the presence of the file SCECertPolicyConfigUtil.exe.

Example

The following table describes the command-line switches you can use with SCECertPolicyConfigUtil.exe to change policy settings.

| Switch | Required | Description |
| --- | --- | --- |
| /PolicyType <local/domain> | Required, unless using /Uninstall | <local/domain> controls whether client computers are configured with local or domain Group Policy settings. |
| /ManagementGroup <Essentials management server netbios name>_MG | Required | The name of the Essentials 2010 management group. This will always be <Essentials management server name>_MG. |
| /SCEServer <Essentials management server FQDN> | Required, unless using /Uninstall | The FQDN of the Essentials management server. This is used when configuring Windows Update settings. |
| /AEMFileShare <file share name> | Required if ConfigureAEM=True | The UNC path for the share that is used for error reporting. |
| /AEMPort <port> | Required if ConfigureAEM=True | The port that is used for error reporting. |
| /ConfigureRemoteControl <true/false> | Optional | True enables Remote Assistance in the domain or local Group Policy. The default if this switch is omitted is False. |
| /ConfigureFirewallPolicy <true/false> | Optional | True enables Windows Firewall exceptions in the domain or local Group Policy. The default if this switch is omitted is False. |
| /ConfigureAEM <true/false> | Optional | If True, Error Reporting settings are configured in the domain or local Group Policy. The default if this switch is omitted is False. |
| /Uninstall | Optional | Removes all AEM settings for the specified Essentials management server in the domain or local Group Policy. |

The Windows Firewall exceptions for client computers are configured in the computer’s policy settings under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. When the SCECertPolicyConfigUtil.exe program or the Configure System Center Essentials Wizard is used to configure the policy, they enable the following settings:

| Name | Configuration | Description |
| --- | --- | --- |
| Windows Firewall: Allow file and printer sharing exception | Allow unsolicited incoming messages from: <Essentials management server IP address> | Opens UDP ports 137 and 138, and TCP ports 139 and 445. This allows for client push installation from the Essentials management server. |
| Windows Firewall: Allow remote administration exception | Allow unsolicited incoming messages from: <Essentials management server IP address> | Opens TCP ports 135 and 445. This allows for Remote Assistance requests from the Essentials management server. |

SCECertPolicyConfigUtil.exe /PolicyType <local/domain> /ManagementGroup <management group name> /SCEServer <server FQDN> /AEMFileShare <file share name> /AEMPort <port> /ConfigureRemoteControl <true/false> /ConfigureAEM <true/false> /ConfigureFirewallPolicy <true/false> /Uninstall

The following command removes local or domain Group Policy settings. For example, you can use this command to switch from using one to the other. After running the command, in the Essentials console, run the Configure System Center Essentials Wizard again.

SCECertPolicyConfigUtil.exe /Uninstall /ManagementGroup <Essentials management server netbios name>_MG
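
The requirement rules in the switch table can be checked before the utility is run. The following PowerShell function is an added example, not part of the original article or of Essentials; the function name New-SceCertPolicyArgument and all sample values are hypothetical. It builds the argument list and warns about the inbound ports that the firewall option opens.

```powershell
# Added example: validates switch combinations per the switch table and
# returns the argument list. Function name and sample values are hypothetical.
function New-SceCertPolicyArgument {
    param(
        [Parameter(Mandatory = $true)][string]$ManagementGroup,
        [string]$PolicyType,
        [string]$SCEServer,
        [string]$AEMFileShare,
        [int]$AEMPort,
        [bool]$ConfigureRemoteControl = $false,
        [bool]$ConfigureFirewallPolicy = $false,
        [bool]$ConfigureAEM = $false,
        [switch]$Uninstall
    )
    # The management group name is always <server name>_MG.
    if ($ManagementGroup -notmatch '_MG$') { throw '/ManagementGroup must end in _MG.' }
    # /Uninstall needs only the management group.
    if ($Uninstall) { return @('/Uninstall', '/ManagementGroup', $ManagementGroup) }
    if (@('local', 'domain') -notcontains $PolicyType) {
        throw '/PolicyType must be local or domain unless /Uninstall is used.'
    }
    if (-not $SCEServer) { throw '/SCEServer (FQDN) is required unless /Uninstall is used.' }
    $argList = @('/PolicyType', $PolicyType, '/ManagementGroup', $ManagementGroup,
                 '/SCEServer', $SCEServer)
    if ($ConfigureAEM) {
        # Both AEM switches become required once ConfigureAEM is True.
        if ($AEMFileShare -notmatch '^\\\\[^\\]+\\[^\\]+') {
            throw '/AEMFileShare must be a UNC path when ConfigureAEM is True.'
        }
        if ($AEMPort -lt 1 -or $AEMPort -gt 65535) {
            throw '/AEMPort must be 1-65535 when ConfigureAEM is True.'
        }
        $argList += '/AEMFileShare', $AEMFileShare, '/AEMPort', "$AEMPort"
    }
    if ($ConfigureFirewallPolicy) {
        Write-Warning 'Opens UDP 137/138 and TCP 135/139/445 inbound from the management server IP.'
    }
    if ($ConfigureRemoteControl) { Write-Warning 'Remote Assistance will be enabled by policy.' }
    $argList += '/ConfigureRemoteControl', $ConfigureRemoteControl.ToString().ToLower()
    $argList += '/ConfigureFirewallPolicy', $ConfigureFirewallPolicy.ToString().ToLower()
    $argList += '/ConfigureAEM', $ConfigureAEM.ToString().ToLower()
    return $argList
}
# Constructed sample values; review the printed line before running the utility.
$sample = New-SceCertPolicyArgument -PolicyType domain -ManagementGroup 'SCE01_MG' `
    -SCEServer 'sce01.example.test' -ConfigureAEM $true `
    -AEMFileShare '\\sce01\AEM' -AEMPort 51906 -ConfigureFirewallPolicy $true
'SCECertPolicyConfigUtil.exe ' + ($sample -join ' ')
```

The function only prints the command line; it does not run the utility or change any policy.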