Configuring Settings for Client Management in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Use the following sections in this topic to help you configure client management settings in System Center 2012 Configuration Manager.

  • Configure Client Settings for Configuration Manager

  • Configure Settings for Client Approval and Conflicting Client Records

  • Configure a Fallback Site for Automatic Site Assignment

  • Configure Client Communication Port Numbers

  • Configure Custom Websites

  • Configure Wake on LAN

  • Configure Maintenance Windows

Configure Client Settings for Configuration Manager

Note

The information in this section also appears in How to Configure Client Settings in Configuration Manager.

You manage all client settings in System Center 2012 Configuration Manager from the Client Settings node in the Administration workspace of the Configuration Manager console. Modify the default settings when you want to configure settings for all users and devices in the hierarchy. If you want to apply different settings to just some users or devices, create custom settings and assign these to collections.

Use one of the following procedures to configure client settings:

How to Configure the Default Client Settings

Use the following procedure to configure the default client settings for all clients in the hierarchy.

To configure the default client settings

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings, and then select Default Client Settings.

  3. On the Home tab, click Properties.

  4. View and configure the client settings for each group of settings in the navigation pane. For more information about each setting, see About Client Settings in Configuration Manager.

  5. Click OK to close the Default Client Settings dialog box.

How to Create and Deploy Custom Client Settings

Use the following procedure to configure and deploy custom settings for a selected collection of users or devices. When you deploy these custom settings, they override the default client settings.

Note

Before you begin this procedure, ensure that you have a collection that contains the users or devices that require these custom client settings.

To configure and assign custom client settings

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. On the Home tab, in the Create group, click Create Custom Client Settings, and then click one of the following options depending on whether you want to create custom client settings for devices or for users:

    - **Create Custom Client Device Settings**
    
    - **Create Custom Client User Settings**
    
  4. In the Create Custom Client Device Settings or Create Custom Client User Settings dialog box, specify a unique name for the custom settings, and an optional description.

  5. Select one or more of the available check boxes that display a group of settings.

  6. Click the first group of settings in the navigation pane, and then view and configure the available custom settings. Repeat this process for any remaining groups of settings. For information about each client setting, see About Client Settings in Configuration Manager.

  7. Click OK to close the Create Custom Client Device Settings or Create Custom Client User Settings dialog box.

  8. Select the custom client setting that you have just created. On the Home tab, in the Client Settings group, click Deploy.

  9. In the Select Collection dialog box, select the collection that contains the devices or users to be configured with the custom settings, and then click OK. You can verify the assigned collection if you click the Assignments tab in the details pane.

  10. View the order of the custom client setting that you have just created. When you have multiple custom client settings, they are applied according to their order number. If there are any conflicts, the setting that has the lowest order number overrides the other settings. To change the order number, in the Home tab, in the Client Settings group, click Move Item Up or Move Item Down.
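
The order rule in step 10 can be checked offline before a deployment. The following is an added example, not code from Configuration Manager: it models which setting object supplies each value for a device, with the lowest order number winning and unconfigured settings falling back to the default client settings. The collection names, setting-object names and values are constructed sample data.

```python
"""Resultant client settings for one device (added example, constructed data)."""

DEFAULT_NAME = "Default Client Settings"

# Constructed sample data; the values are illustrative, not product defaults.
DEFAULT_SETTINGS = {
    "Power Management": {"Enable wake-up proxy": "No"},
    "Client Policy": {"Client policy polling interval (minutes)": 60},
}

# Each custom setting object carries only the groups selected when it was created.
CUSTOM_SETTINGS = [
    {"name": "Workstation baseline", "order": 2,
     "collections": {"All Workstations"},
     "groups": {
         "Power Management": {"Enable wake-up proxy": "No"},
         "Client Policy": {"Client policy polling interval (minutes)": 30},
     }},
    {"name": "Wake-up proxy pilot", "order": 1,
     "collections": {"Wake-up Proxy Pilot"},
     "groups": {"Power Management": {"Enable wake-up proxy": "Yes"}}},
]


def resultant_settings(member_of, default=DEFAULT_SETTINGS, custom=CUSTOM_SETTINGS):
    """Return {(group, setting): (value, source)} for a device.

    member_of is the set of collection names the device belongs to.
    """
    result = {
        (group, setting): (value, DEFAULT_NAME)
        for group, settings in default.items()
        for setting, value in settings.items()
    }
    applicable = [c for c in custom if c["collections"] & set(member_of)]
    # Write the highest order number first so that the lowest order number
    # is written last and wins any conflict.
    for cs in sorted(applicable, key=lambda c: c["order"], reverse=True):
        for group, settings in cs["groups"].items():
            for setting, value in settings.items():
                result[(group, setting)] = (value, cs["name"])
    return result


def report(member_of):
    """Format the resultant settings as sorted, readable lines."""
    rows = sorted(resultant_settings(member_of).items())
    return [
        f"{group} / {setting} = {value}  (from {source})"
        for (group, setting), (value, source) in rows
    ]


if __name__ == "__main__":
    devices = {  # constructed device names and memberships
        "PC-PILOT-01": {"All Workstations", "Wake-up Proxy Pilot"},
        "PC-0042": {"All Workstations"},
        "SRV-01": set(),
    }
    for device, collections in devices.items():
        print(device)
        for line in report(collections):
            print("  " + line)
```

For the pilot computer, wake-up proxy comes from the order 1 object while the polling interval still comes from the order 2 object, because the pilot object does not configure that group.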

Configure Settings for Client Approval and Conflicting Client Records

Specify settings for client approval and conflicting client records to help Configuration Manager securely identify clients. These settings apply to the hierarchy for all clients.

  • Configure settings for Client approval method for when clients do not use a PKI certificate for client authentication. By default, Configuration Manager automatically approves computers in a trusted domain, and uses the computer account of the device and Kerberos authentication to verify that the device is trusted. With this setting, you must manually review each client that is displayed as Not Approved in the Configuration Manager console to ensure it is a trusted device, and then approve it to be managed by Configuration Manager. This scenario applies to computers that are in untrusted forests and in workgroups. It also applies if the Kerberos authentication failed for any reason.

    Although Configuration Manager has a configuration option to automatically approve all clients, do not use this configuration unless Configuration Manager is running in a secured test environment. You can also select a configuration option to always manually approve clients.

    Note

    Although some management functions might work for clients that are not approved, Configuration Manager does not support the management of these devices.

  • Configure settings for Conflicting client records for when Configuration Manager detects duplicate hardware IDs and cannot resolve the conflict. Configuration Manager uses the hardware ID to attempt to identify clients that might be duplicates and alert you to the conflicting records. For example, if you reinstall a computer, the hardware ID would be the same but the GUID used by Configuration Manager might be changed. When Configuration Manager can resolve a conflict by using Windows authentication of the computer account or a PKI certificate from a trusted source, the conflict is automatically resolved for you. However, when Configuration Manager cannot resolve the conflict, it uses a hierarchy setting that either automatically merges the records when it detects duplicate hardware IDs (the default setting), or allows you to decide when to merge, block, or create new client records. If you decide to manually manage duplicate records, you must manually resolve the conflicting records by using the Configuration Manager console.

To configure hierarchy settings for client approval and conflicting client records

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and then click Sites.

  3. On the Home tab, in the Sites group, click Hierarchy Settings, and then click the Client Approval and Conflicting Records tab.

  4. Configure options that you require for all clients in the hierarchy, and then click OK to close the properties dialog box.

To manually approve clients, see Managing Clients from the Devices Node.

To resolve conflicting records, see Manage Conflicting Records for Configuration Manager Clients.

Configure a Fallback Site for Automatic Site Assignment

You can specify a hierarchy-wide fallback site for automatic site assignment.

The fallback site is assigned to a new client that is configured to automatically discover its site when that client is on a network boundary that is not associated with any boundary group configured for site assignment.

To configure a fallback site for automatic site assignment

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration and select Sites.

  3. On the Home tab, in the Sites group, click Hierarchy Settings.

  4. On the General tab, select the checkbox for Use a fallback site, and then select a site from the Fallback site drop-down list.

  5. Click OK to save the configuration.

Configure Client Communication Port Numbers

The information in this section also appears in How to Configure Client Communication Port Numbers in Configuration Manager.

You can change the request port numbers that System Center 2012 Configuration Manager clients use to communicate with site systems that use HTTP and HTTPS for communication. Beginning with Configuration Manager SP1, you can also specify a client notification port if you do not want to use HTTP or HTTPS. Although HTTP or HTTPS is more likely to be already configured for firewalls, client notification that uses HTTP or HTTPS requires more CPU usage and memory on the management point computer than if you use a custom port number. For all versions of Configuration Manager, you can also specify the site port number to use if you wake up clients by using traditional wake-up packets.

When you specify HTTP and HTTPS request ports, you can specify both a default port number and an alternative port number. Clients automatically try the alternative port after communication fails with the default port. You can specify settings for HTTP and HTTPS data communication.

The default values for client request ports are 80 for HTTP traffic and 443 for HTTPS traffic. Change them only if you do not want to use these default values. A typical scenario for using custom ports is when you use a custom website in IIS rather than the default website. If you change the default port numbers for the default website in IIS and other applications also use the default website, they are likely to fail.

Important

Do not change the port numbers in Configuration Manager without understanding the consequences. Examples:

  • If you change the port numbers for the client request services as a site configuration and existing clients are not reconfigured to use the new port numbers, these clients will become unmanaged.

  • Before you configure a nondefault port number, make sure that firewalls and all intervening network devices can support this configuration and reconfigure them as necessary. If you will manage clients on the Internet and change the default HTTPS port number of 443, routers and firewalls on the Internet might block this communication.

To make sure that clients do not become unmanaged after you change the request port numbers, clients must be configured to use the new request port numbers. When you change the request ports on a primary site, any attached secondary sites automatically inherit the same port configuration. Use the procedure in this topic to configure the request ports on the primary site.

Note

For System Center 2012 Configuration Manager SP1 and later:

For information about how to configure the request ports for clients on computers that run Linux and UNIX, see Configure Request Ports for the Client for Linux and UNIX.

When the Configuration Manager site is published to Active Directory Domain Services, new and existing clients that can access this information will automatically be configured with their site port settings and you do not need to take further action. Clients that cannot access this information published to Active Directory Domain Services include workgroup clients, clients from another Active Directory forest, clients that are configured for Internet-only, and clients that are currently on the Internet. If you change the default port numbers after these clients have been installed, reinstall them and install any new clients by using one of the following methods:

To reconfigure the port numbers for existing clients, you can also use the script PORTSWITCH.VBS that is provided with the installation media in the SMSSETUP\Tools\PortConfiguration folder.

Important

For existing and new clients that are currently on the Internet, you must configure the non-default port numbers by using the CCMSetup.exe client.msi properties of CCMHTTPPORT and CCMHTTPSPORT.

After changing the request ports on the site, new clients that are installed by using the site-wide client push installation method will be automatically configured with the current port numbers for the site.

To configure the client communication port numbers for a site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Sites, and select the primary site to configure.

  3. In the Home tab, click Properties, and then click the Ports tab.

  4. Select any of the items and click the Properties icon to display the Port Detail dialog box.

  5. In the Port Detail dialog box, specify the port number and description for the item, and then click OK.

  6. Select Use custom web site if you will use the custom website name of SMSWeb for site systems that run IIS.

  7. Click OK to close the properties dialog box for the site.

Repeat this procedure for all primary sites in the hierarchy.

Configure Custom Websites

Before you configure Configuration Manager to use a custom website, review the planning information in Planning for Custom Websites with Configuration Manager.

Most Configuration Manager site system roles automatically configure to use a custom website. However, the following site system roles require you to manually configure the custom website:

  • Application Catalog web service point

  • Application Catalog website point

  • Enrollment point

  • Enrollment proxy point

For these site system roles, you must specify the custom website during the site system role installation. If any of these site system roles are already installed when you enable custom websites for the site, uninstall these site system roles, and then reinstall them. When you reinstall these site system roles, specify the custom website name of SMSWEB, and configure the port numbers.

Use the following procedures to enable custom websites at a Configuration Manager site and then verify that they were successfully created. For information about configuring ports for client communication, see Configure Client Communication Port Numbers.

How to Configure a Configuration Manager Site to Use a Custom Website

When you enable the site option to use a custom website, all client communications for that primary site and its secondary sites are directed to use a custom website named SMSWEB on each site system server instead of the IIS default website.

Note

Before you use this procedure, make sure that you have manually created the custom website named SMSWEB in IIS. When you enable the Configuration Manager option to use custom websites, Configuration Manager does not create the website in IIS. If the custom website is not already created, this procedure will fail. For more information, see How to Create the Custom Website in Internet Information Services (IIS).

To configure a Configuration Manager site to use a custom website

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, and click Sites.

  3. Select the site that will use custom websites.

  4. On the Home tab, in the Properties group, click Properties.

  5. In the Properties dialog box for the site, select the Ports tab.

  6. Select the checkbox for Use custom web site and then click OK to close the custom website warning.

  7. Click OK to save the configuration.

To verify the custom website

  • If the Active Directory schema has been extended for Configuration Manager and the site is publishing site information, you can review the sitecomp.log to verify that the site component manager successfully updated the site information published to Active Directory Domain Services.

  • Review the custom website in the Internet Information Services Manager console. Verify that the custom website is running and that the virtual directories for the site system roles have been created.

  • If the site system roles were already installed, review the site system role setup logs to verify that they successfully uninstalled and reinstalled with the new settings. For example, if you are configuring a custom website for a site system server that hosts the management point role, review the mpsetup.log.

Configure Wake on LAN

Specify Wake on LAN settings when you want to bring computers out of a sleep state to install required software, such as software updates, applications, task sequences, and programs.

Beginning with System Center 2012 Configuration Manager SP1, you can supplement Wake on LAN by using the wake-up proxy client settings. However, to use wake-up proxy, you must first enable Wake on LAN for the site and specify Use wake-up packets only and the Unicast option for the Wake on LAN transmission method. This wake-up solution also supports ad-hoc connections, such as a remote desktop connection.

Use the first procedure to configure a primary site for Wake on LAN. Then, to use wake-up proxy with System Center 2012 Configuration Manager SP1 or later, use the second procedure to configure the wake-up proxy client settings. This second procedure configures the default client settings for the wake-up proxy settings to apply to all computers in the hierarchy. If you want these settings to apply to only selected computers, create a custom device setting and assign it to a collection that contains the computers that you want to configure for wake-up proxy. For more information about how to create custom client settings, see How to Configure Client Settings in Configuration Manager.

A computer that receives the wake-up proxy client settings will likely pause its network connection for 1-3 seconds. This occurs because the client must reset the network interface card to enable the wake-up proxy driver on it.

Warning

To avoid unexpected disruption to your network services, first evaluate wake-up proxy on an isolated and representative network infrastructure. Then use custom client settings to expand your test to a selected group of computers on several subnets. For more information about how wake-up proxy works, see the Planning How to Wake Up Clients section in the Planning for Communications in Configuration Manager topic.

To configure Wake on LAN for a site

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, expand Site Configuration, click Sites, and then click the primary site to configure.

  3. On the Home tab, in the Properties group, click Properties, and then click the Wake on LAN tab.

  4. Configure options that you require for this site, and then click OK to close the properties dialog box for the site.

    To support wake-up proxy in Configuration Manager SP1 or later, make sure that you select Use wake-up packets only and Unicast.

    Note

    For more information about the options, see the Planning How to Wake Up Clients section in Planning for Client Communication in Configuration Manager.

Repeat this procedure for all primary sites in the hierarchy.

To configure wake-up proxy client settings

  1. In the Configuration Manager console, click Administration.

  2. In the Administration workspace, click Client Settings.

  3. Click Default Client Settings.

  4. On the Home tab, in the Properties group, click Properties.

  5. Select Power Management and then configure the following option:

    - **Enable wake-up proxy**: **Yes**
    
  6. Review and if necessary, configure the other wake-up proxy settings. For more information about these settings, see the Power Management section in the About Client Settings in Configuration Manager topic.

    Important

    Although there is a client setting to configure Windows Firewall for the wake-up proxy ports, System Center 2012 Configuration Manager SP1 does not configure Windows Firewall to allow the inbound ICMP ping commands that are required for wake-up proxy. Unless you are running System Center 2012 R2 Configuration Manager or later, you must manually configure Windows Firewall or your alternative host-based firewall to allow this communication.

    For more information about how to configure Windows Firewall for the inbound ICMP ping commands that are required for wake-up proxy, see the Wake-Up Proxy section in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic.

  7. Click OK to close the dialog box, and then click OK to close the Default Client Settings dialog box.

You can use the following Wake On LAN reports to monitor the installation and configuration of wake-up proxy:

  • Wake-Up Proxy Deployment State Summary

  • Wake-Up Proxy Deployment State Details

Tip

To test whether wake-up proxy is working, test a connection to a sleeping computer. For example, connect to a shared folder on that computer, or try connecting to the computer by using Remote Desktop. If you use DirectAccess, check that the IPv6 prefixes work by trying the same tests for a sleeping computer that is currently on the Internet.

Configure Maintenance Windows

Note

The information in this section also appears in How to Manage Collections in Configuration Manager.

Maintenance windows in Configuration Manager provide a means by which administrative users can define a time period when members of a device collection can be updated by various Configuration Manager operations. You can use maintenance windows to help ensure that client configuration changes occur during periods that will not affect the productivity of the organization.

The following Configuration Manager operations support maintenance windows.

  • Software deployments

  • Software update deployments

  • Compliance settings deployment

  • Operating system deployments

  • Task sequence deployments

Maintenance windows are configured for a collection with a start date, a start and finish time, and a recurrence pattern. Each maintenance window must have a duration of less than 24 hours. Computer restarts caused by a deployment are, by default, not allowed outside of a maintenance window, but you can override this in the settings for each deployment. Maintenance windows affect only when the deployment program runs; applications configured to download and run locally can download content outside of the maintenance window.

When a client computer is a member of a device collection that has a maintenance window configured, a deployment program will only run if the maximum allowed run time does not exceed the duration configured for the maintenance window. If the program fails to run, an alert will be generated and the deployment will be rerun during the next scheduled maintenance window that has time available.

Using Multiple Maintenance Windows

When a client computer is a member of multiple device collections that have configured maintenance windows, the following rules apply:

  • If the maintenance windows do not overlap, they are treated as two independent maintenance windows.

  • If the maintenance windows overlap, they are treated as a single maintenance window encompassing the time period covered by both maintenance windows. For example, if two maintenance windows, each an hour in duration, overlap by 30 minutes, the effective duration of the maintenance window would be 90 minutes.

When a user initiates an application installation from Software Center, the application will be installed immediately, regardless of any configured maintenance windows.

If an application deployment with a purpose of Required reaches its installation deadline during the nonbusiness hours configured by a user in Software Center and a maintenance window is not available, the installation will wait until the next time a maintenance window is available.
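
The overlap rules and the maximum run time check described above decide whether a deployment, such as a software update, ever gets a chance to run. The following is an added example, not Configuration Manager code: it merges the windows a device inherits from several collections and finds the first effective window that can hold a given maximum run time. It assumes that the time still remaining in a window is what must cover the run time and that windows which only touch stay separate; the dates and collection labels are constructed.

```python
"""Effective maintenance windows for one device (added example, constructed data)."""
from datetime import datetime, timedelta

DAY = datetime(2015, 5, 14)  # constructed date for the sample windows


def at(hour, minute=0):
    """Helper for building sample times on the constructed day."""
    return DAY + timedelta(hours=hour, minutes=minute)


# Constructed sample: windows inherited from three device collections.
WINDOWS = [
    (at(1, 0), at(2, 0)),    # collection A
    (at(1, 30), at(2, 30)),  # collection B, overlaps A by 30 minutes
    (at(22, 0), at(23, 0)),  # collection C, independent
]


def effective_windows(windows):
    """Merge overlapping (start, end) windows; keep the others independent."""
    merged = []
    for start, end in sorted(windows):
        if not timedelta(0) < end - start < timedelta(hours=24):
            raise ValueError("a window must last more than 0 and less than 24 hours")
        # Assumption: windows that only touch (end == start) are not merged.
        if merged and start < merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def next_run_slot(windows, now, max_run_time):
    """Return (begin, end) of the first effective window with enough time left.

    Returns None when no listed window can hold max_run_time, which is the
    case that leaves a deployment waiting for a later window.
    """
    for start, end in effective_windows(windows):
        begin = max(start, now)
        if begin < end and end - begin >= max_run_time:
            return begin, end
    return None


def never_fits(windows, max_run_time):
    """True when max_run_time exceeds every effective window, even from its start."""
    return all(end - start < max_run_time
               for start, end in effective_windows(windows))


if __name__ == "__main__":
    for start, end in effective_windows(WINDOWS):
        print(f"effective window {start:%H:%M}-{end:%H:%M} ({end - start})")
    for minutes in (45, 75, 120):
        slot = next_run_slot(WINDOWS, at(0), timedelta(minutes=minutes))
        print(f"max run time {minutes} min ->", slot or "no window fits")
```

A 75-minute program fits only because collections A and B merge into one 90-minute window; a 120-minute program fits no window in this sample, so `never_fits` is a useful pre-deployment check for update deployments.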

How to Configure Maintenance Windows in Configuration Manager

Use the following procedure to configure maintenance windows.

To configure maintenance windows in Configuration Manager

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, click Device Collections.

  3. In the Device Collections list, select the collection for which you want to configure a maintenance window.

  4. In the Home tab, in the Properties group, click Properties.

  5. In the Maintenance Windows tab of the <collection name> Properties dialog box, click the New icon.

    Note

    You cannot create maintenance windows for the All Systems collection.

  6. In the <new> Schedule dialog box, specify a name, a schedule and a recurrence pattern for the maintenance window.

  7. Click OK to close the <new> Schedule dialog box and create the new maintenance window.

  8. Close the <collection name> Properties dialog box.