Share via


Frequently Asked Questions for Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Review the following sections for some frequently asked questions about System Center 2012 Configuration Manager:

  • The Configuration Manager Console and Collections

  • Sites and Hierarchies

  • Migration

  • Security and Role-Based Administration

  • Client Deployment and Operations

  • Mobile Devices

  • Remote Control

  • Software Deployment

  • Endpoint Protection

The Configuration Manager Console and Collections

The following frequently asked questions relate to the Configuration Manager console and collections.

Does the Configuration Manager console support a 64-bit operating system?

Yes. The Configuration Manager console is a 32-bit program that can run on a 32-bit version of Windows and on a 64-bit version of Windows.

What is a limiting collection and why would I use it?

In System Center 2012 Configuration Manager, all collections must be limited to the membership of another collection. When you create a collection, you must specify a limiting collection. A collection is always a subset of its limiting collection. For more information, see How to Create Collections in Configuration Manager.

Can I include or exclude the members of another collection from my collection?

Yes. System Center 2012 Configuration Manager includes two new collection rules, the Include Collections rule and the Exclude Collections rule that allow you to include or exclude the membership of specified collections. For more information, see How to Create Collections in Configuration Manager.

Are incremental updates supported for all collection types?

No. Collections configured by using query rules that use certain classes do not support incremental updates. For a list of these classes, see How to Create Collections in Configuration Manager.

What is the All Unknown Computers collection?

The All Unknown Computers collection contains two objects that represent records in the Configuration Manager database so that you can deploy operating systems to computers that are not managed by Configuration Manager, and so are unknown to Configuration Manager. These computers can include the following:

  • A computer where the Configuration Manager client is not installed

  • A computer that is not imported into Configuration Manager

  • A computer that is not discovered by Configuration Manager

For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager.

Why does Install Client from the ribbon install the client to the whole collection when I’ve selected a single computer but installs to the selected computer only if I right-click the computer and then select Install Client?

If you choose Install Client from the ribbon when the Collection ribbon tab is selected, the client installs to all computers in the collection rather than to just the selected computer. To install the client to just the selected computer, click the Home tab on the ribbon before you click Install Client from the ribbon, or use the right-click option.

How can I create a collection that contains only Mac computers, or only Linux servers?

For System Center 2012 Configuration Manager SP1 and later:

Because an ID for each device type (for example Windows computers, Mac computers, or Linux computers) is stored in the Configuration Manager database, you can create a collection that contains a query rule to return only devices with a specified ID. For an example query to use, see the Example WQL Queries section in the How to Create Queries in Configuration Manager topic. For information about how to create collections, see How to Create Collections in Configuration Manager.

How can I create a collection of Windows 8 computers that are Always On Always Connected capable?

For System Center 2012 Configuration Manager SP1 and later:

Create a collection with a query-based rule. Query the attribute class System Resource and the attribute Connected Standby Capable = TRUE to return computers that are Always On Always Connected capable.

Why does the Configuration Manager console use HTTP to the Internet and what would stop working if this is blocked by my firewall?

The Configuration Manager console uses HTTP to the Internet in two scenarios:

  • When you use the geographical view from the Site Hierarchy node in the Monitoring workspace, which uses Internet Explorer to access Bing Maps.

  • When you use the Configuration Manager help file and click a link to view or search for information on TechNet.

If you do not require these functions, your firewall can block HTTP connections from the console without additional loss of functionality to Configuration Manager.

For more information about the geographical view, see the About the Site Hierarchy Node section in the Monitor Configuration Manager Sites and Hierarchy topic.

How can I increase the number of search results in the Configuration Manager console?

By default, the Configuration Manager console limits search results to 1,000 items. You can change this value by using the Search tab. In the Options group. click Search Settings and then change the Search Results value in the Search Settings dialog box.

By default, the Configuration Manager console limits searches to the current folder. You can change this behavior by first clicking in the Search box in the results pane. Then, in the Search tab, in the Scope group. click All Subfolders. In the results pane, the search is extended to AND Path <Current Node + Subfolders>. Add criteria if required, and type your search text to search the current folder and its subfolders.

Sites and Hierarchies

The following frequently asked questions relate to sites and hierarchies in Configuration Manager.

Are there new Active Directory schema extensions for System Center 2012 Configuration Manager?

No. The Active Directory schema extensions for System Center 2012 Configuration Manager are unchanged from those used by Configuration Manager 2007. If you extended the schema for Configuration Manager 2007, you do not need to extend the schema again for System Center 2012 Configuration Manager or System Center 2012 Configuration Manager SP1.

Where is the documentation for Setup?

Can I upgrade a prerelease version of System Center 2012 Configuration Manager to the released version?

No. Unless you were in a prerelease program that was supported by Microsoft (such as the Technology Adoption Program or the Community Evaluation Program) there is no supported upgrade path for prerelease versions of System Center 2012 Configuration Manager. For more information, see the Release Notes for System Center 2012 Configuration Manager.

Can I manage SMS 2003 clients with System Center 2012 Configuration Manageror migrate SMS 2003 sites and clients to System Center 2012 Configuration Manager?

No. SMS 2003 sites and SMS 2003 clients are not supported by System Center 2012 Configuration Manager. You have two choices to move these sites and clients to System Center 2012 Configuration Manager:

  • Upgrade SMS 2003 sites and clients to Configuration Manager 2007 SP2, and then migrate them to System Center 2012 Configuration Manager.

  • Uninstall SMS 2003 sites and clients and then install System Center 2012 Configuration Manager sites and clients.

For more information about supported upgrade paths, see the Supported Upgrade Paths for Configuration Manager section in the Supported Configurations for Configuration Manager topic.

For more information about migrating Configuration Manager 2007 to System Center 2012 Configuration Manager, see the Migrating Hierarchies in System Center 2012 Configuration Manager guide.

Can I upgrade an evaluation version of System Center 2012 Configuration Manager?

Yes. If the evaluation version is not a prerelease version of System Center 2012 Configuration Manager, you can upgrade it to the full version.

For more information, see the Upgrade an Evaluation Installation to a Full Installation section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

Have the site types changed from Configuration Manager 2007?

System Center 2012 Configuration Manager introduces changes to both primary and secondary sites while the central administration site is new site type. The central administration site replaces the primary site referred to as a central site as the top-level site of a multi-primary site hierarchy. This site does not directly manage clients but does coordinate a shared database across your hierarchy, and it is designed to provide centralized reporting and configurations for your entire hierarchy.

Can I join a pre-existing site to another site in System Center 2012 Configuration Manager?

In System Center 2012 Configuration Manager with no service pack, you cannot change the parent relationship of an active site. You can only add a site as a child of another site at the time you install the new site. Because the database is shared between all sites, joining a site that has already created default objects or that has custom configurations can result in conflicts with similar objects that already exist in the hierarchy.

However, in System Center 2012 Configuration Manager SP1, you can expand a stand-alone primary site into a hierarchy that includes a new central administration site. For more information, see the Planning to Expand a Stand-Alone Primary Site section in the Planning for Sites and Hierarchies in Configuration Manager topic.

Why can’t I install a primary site as a child of another primary site as I did in Configuration Manager 2007?

With System Center 2012 Configuration Manager, primary sites have changed to support only secondary sites as child sites, and the new central administration site as a parent site. Unlike Configuration Manager 2007, primary sites no longer provide a security or configuration boundary. Because of this, you should only need to install additional primary sites to increase the maximum number of clients your hierarchy can support, or to provide a local point of contact for administration.

Why does Configuration Manager require SQL Server for my secondary site?

In System Center 2012 Configuration Manager, secondary sites require either SQL Server, or SQL Server Express to support database replication with their parent primary site. When you install a secondary site, Setup automatically installs SQL Server Express if a local instance of SQL Server is not already installed.

What is database replication?

Database replication uses SQL Server to quickly transfer data for settings and configurations to other sites in the Configuration Manager hierarchy. Changes that are made at one site merge with the information stored in the database at other sites. Content for deployments, and other file-based data, still replicate by file-based replication between sites. Database replication configures automatically when you join a new site to an existing hierarchy.

How can I monitor and troubleshoot replication in Configuration Manager?

See the Monitor Infrastructure for Configuration Manager section in the Monitor Configuration Manager Sites and Hierarchy topic. This section includes information about database replication and how to use the Replication Link Analyzer.

What is Active Directory forest discovery?

Active Directory Forest discovery is a new discovery method in System Center 2012 Configuration Manager that allows you to discover network locations from multiple Active Directory forests. This discovery method can also create boundaries in Configuration Manager for the discovered network locations and you can publish site data to another Active Directory forest to help support clients, sites, and site system servers in those locations.

Can I provide clients with unique client agent configurations without installing additional sites?

Yes. System Center 2012 Configuration Manager applies a hierarchy-wide set of default client settings (formerly called client agent settings) that you can then modify on clients by using custom client settings that you assign to collections. This creates a flexible method of delivering customized client settings to any client in your hierarchy, regardless of the site it is assigned to, or where it is located on your network. For more information, see How to Configure Client Settings in Configuration Manager.

Can a site or hierarchy span multiple Active Directory forests?

Configuration Manager supports site-to-site (intersite) communication when a two-way forest trust exists between the forests. Within a site, Configuration Manager supports placement of site system roles on computers in an untrusted forest. Configuration Manager also supports clients that are in a different forest from their site’s site server when the site system role that they connect to is in the same forest as the client. For more information, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

To support computers in an untrusted forest, do I have to create a new primary site and configure a two-way forest trust?

No. Because System Center 2012 Configuration Manager supports installing most site system roles in untrusted forests, there is no requirement to have a separate site for this scenario, unless you have exceeded the maximum number of supported clients for a site. For more information about communications across forests, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic. For more information about the number of computers that are supported, see the Site and Site System Role Scalability section in the Supported Configurations for Configuration Manager topic

Tip

The Application Catalog web service role and the enrollment point must be installed in the same forest as the site server. In this case, you can install the Application Catalog website point and the enrollment proxy point in the other forest, and these site system roles communicate with the site by using the Application Catalog web service role and the enrollment point, respectively. After these site system roles are installed in the other forest, they communicate with their counterpart role by using certificates (self-signed or PKI). For more information about how this communication is secured, see the “Cryptographic Controls for Server Communication” section in the Technical Reference for Cryptographic Controls Used in Configuration Manager topic.

How do clients find management points and has this changed since Configuration Manager 2007?

System Center 2012 Configuration Manager clients can find available management points by using the management point that you specify during client deployment, Active Directory Domain Services, DNS, and WINS. Clients can connect to more than one management point in a site, always preferring communication that uses HTTPS, when this is possible because the client and management point uses PKI certificates.

There are some changes here since Configuration Manager 2007, which accommodate the change that clients can now communicate with more than one management point in site, and that you can have a mix of HTTPS and HTTP site system roles in the same site.

For more information, see the Service Location and how clients determine their assigned management point section in the Planning for Communications in Configuration Manager topic.

How do I configure my sites for native-mode?

System Center 2012 Configuration Manager has replaced the native mode site configuration in Configuration Manager 2007 with individual site system role configurations that accept client communication over HTTPS or HTTP. Because you can have site system roles that support HTTPS and HTTP in the same site, you have more flexibility in how you introduce PKI to secure the intranet client endpoints within the hierarchy. Clients over the Internet and mobile devices must use HTTPS connections.

For more information, see the Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management section in the Planning for Security in Configuration Manager topic.

Where are the supported scenarios and network diagrams for Internet-based client management that you had for Configuration Manager 2007?

Unlike Configuration Manager 2007, there are no design restrictions to support clients on the Internet, providing you meet the requirements in the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. Because of the following improvements, you can more easily support clients on the Internet to fit your existing infrastructure:

  • The whole site does not have to be using HTTPS client connections

  • Support for installing most site system roles in another forest

  • Support for multiple management points in a site

If you use multiple management points and dedicate one or more for client connections from the Internet, you might want to consider using database replicas for management points. For more information, see Configure Database Replicas for Management Points.

Do I have to configure my site for Internet-based client management before I can use cloud-based distribution points in Configuration Manager SP1?

No. Although both configurations use the Internet, they are independent from each other. Clients on the intranet can use cloud-based distribution points and these clients do not require a PKI client certificate. However, you still require PKI certificates if you want to use cloud-based distribution points; one for the Windows Azure management certificate that you install on the site system server that hosts the cloud-based distribution points, and one for the cloud-based distribution point service certificate that you import when you configure the cloud-based distribution point.

For more information about the PKI certificate requirements for Internet-based client management and for cloud-based distribution points, see PKI Certificate Requirements for Configuration Manager.

For more information about cloud-based distribution points, see the Planning for Cloud-Based Distribution Points section in the Planning for Content Management in Configuration Manager topic.

Why isn’t the site system role that I want available in the Add Site System Roles Wizard?

Configuration Manager supports some site system roles only at specific sites in a hierarchy, and some site system roles have other limitations as to where and when you can install them. When Configuration Manager does not support the installation of a site system role, it is not listed in the wizard. For example, the Endpoint Protection point cannot be installed in a secondary site, or in a primary site if you have a central administration site. So if you have a central administration site, you will not see the Endpoint Protection point listed if you run the Add Site System Roles Wizard on a primary site.

Other examples include you cannot add a second management point to a secondary site, and you cannot add a management point or distribution point to a central administration site.

In addition, in Configuration Manager SP1, you do not see the Microsoft Intune connector listed as an available site system role until you have created the Microsoft Intune subscription. For more information about how to create the subscription, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

For more information about which site system roles can be installed where, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic.

Where do I configure the Network Access Account?

Use the following procedure to configure the Network Access Account:

How to configure the Network Access Account for a site

  1. In the Administration workspace, expand Site Configuration, click Sites, and then select the site.

  2. On the Settings group, click Configure Site Components, and then click Software Distribution.

  3. Click the Network Access Account tab, configure the account, and then click OK.

What High Availability does Configuration Manager have?

Configuration Manager offers a number of high availability solutions. For information, see Planning for High Availability with Configuration Manager.

Migration

The following frequently asked questions relate to migrating Configuration Manager 2007 to System Center 2012 Configuration Manager.

What versions of Configuration Manager, or Systems Management Server are supported for migration?

The version of System Center 2012 Configuration Manager that you use to run migration determines the versions of Configuration Manager 2007 or System Center 2012 Configuration Manager that are supported for migration:

  • When you use System Center 2012 Configuration Manager with no service pack, Configuration Manager 2007 sites with SP2 are supported for migration.

  • When you use System Center 2012 Configuration Manager with SP1, Configuration Manager 2007 sites with SP2 and System Center 2012 Configuration Manager sites with SP1 are supported for migration.

Configuration Manager hierarchies that have data you want to migrate are called source hierarchies. The Configuration Manager hierarchy you re migrating data into, is called the destination hierarchy.

For more information about prerequisites for Migration, see Prerequisites for Migration in System Center 2012 Configuration Manager.

Can I use Configuration Manager SP1 to migrate my existing System Center 2012 Configuration Manager hierarchy with no service pack to a new Configuration Manager SP1 hierarchy?

No. The new functionality in Configuration Manager SP1 supports migration from an existing Configuration Manager SP1 hierarchy to another Configuration Manager SP1 hierarchy, in addition to supporting migration from Configuration Manager 2007 SP2 to Configuration Manager SP1.

For more information about the new migration functionality, see Introduction to Migration in System Center 2012 Configuration Manager.

Why can’t I upgrade my existing Configuration Manager 2007 sites to System Center 2012 Configuration Manager sites?

Several important changes introduced with System Center 2012 Configuration Manager prevent an in-place upgrade; however, System Center 2012 Configuration Manager does support migration from Configuration Manager 2007 with a side-by-side deployment. For example, System Center 2012 Configuration Manager is native 64 bit application with a database that is optimized for Unicode and that is shared between all sites. Additionally, site types and site relationships have changed. These changes, and others, mean that many existing hierarchy structures cannot be upgraded. For more information, see Migrating Hierarchies in System Center 2012 Configuration Manager.

Do I have to migrate my entire Configuration Manager 2007 hierarchy or System Center 2012 Configuration Manager hierarchy at one time?

Typically, you will migrate data from a Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy (the source hierarchy) over a period of time that you define. During the period of migration, you can continue to use your source hierarchy to manage clients that have not migrated to your new System Center 2012 Configuration Manager hierarchy (the destination hierarchy). Additionally if you update an object in the source hierarchy after you have migrated that object to your destination hierarchy, you can re-migrate that object again up until you decide to complete your migration.

After I migrate software and packages from a Configuration Manager 2007 hierarchy, do I have to use the new application model?

When you migrate a Configuration Manager 2007 package to System Center 2012 Configuration Manager, it remains a package after migration. If you want to deploy the software and packages that migrate from your Configuration Manager 2007 hierarchy by using the new application model, you can use Microsoft System Center Configuration Manager Package Conversion Manager to convert them into System Center 2012 Configuration Manager applications. For more information, see Configuration Manager Package Conversion Manager.

Why can’t I migrate inventory history or compliance data for my clients?

This type of information is easily recreated by an active client when it sends data to its new site in the destination hierarchy. Typically, it is only the current information from each client that provides useful information. To retain access to historical inventory information you can keep a Configuration Manager 2007 or System Center 2012 Configuration Manager source site active until the historical data is no longer required.

Why must I assign a site in my new hierarchy as a content owner for migrated content?

When you assign a site in the destination hierarchy to own the content, you are selecting the site that maintains that content in the destination hierarchy. Because the site that owns the content is responsible for monitoring the source files for changes, plan to specify a site that is near to the source file location on the network.

When you migrate content between a source and destination hierarchy, you are really migrating the metadata about that content. The content itself might remain hosted on a shared distribution point during migration, or on a distribution point that you will upgrade or reassign to the destination hierarchy.

What are shared distribution points and why can’t I use them after migration has finished?

Shared distribution points are distribution points at sites in the source hierarchy that can be used by clients in the destination herarchy during the migration period. A distribution point can be shared only when the source hierarchy that contains the distribution point remains the active source hierarchy and distribution point sharing is enabled for the source site that contains the distribution point. Sharing distribution points ends when you complete migration from the source hierarchy.

How can I avoid redistributing content that I migrate to a System Center 2012 Configuration Manager hierarchy?

System Center 2012 Configuration Manager can upgrade supported distribution points from Configuration Manager 2007 source hierarchies, and reassign supported distribution points from System Center 2012 Configuration Manager source hierarchies. When you upgrade or reassign a shared distribution point, the distribution point site system role and the distribution point computer are removed from the source hierarchy, and installed as a distribution point at a site you select in the destination hierarchy. This process allows you to maintain your existing distribution points with minimal effort or disruption to your network. For more information, see Planning a Content Deployment Migration Strategy in System Center 2012 Configuration Manager.

You can also use the prestage option for System Center 2012 Configuration Manager distribution points to reduce the transfer of large files across low-bandwidth network connections. For more information, see the Prestaging Content section in the Introduction to Content Management in Configuration Manager topic.

Can I perform an in-place upgrade of a Configuration Manager 2007 distribution point (including a branch distribution point) to a System Center 2012 Configuration Manager distribution point?

You can perform an in-place upgrade of a Configuration Manager 2007 distribution point that preserves all content during the upgrade. This includes an upgrade of a distribution point on a server share, a branch distributing point, or standard distribution point.

Can I perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point?

You can perform an in-place upgrade of a Configuration Manager 2007 secondary site to a System Center 2012 Configuration Manager distribution point. During the upgrade, all migrated content is preserved.

What happens to the content when I upgrade a Configuration Manager 2007 secondary site or distribution point to a System Center 2012 Configuration Manager distribution point?

During the upgrade to a System Center 2012 Configuration Manager distribution point, all migrated content is copied and then converted to the single instance store. When you migrate to a hierarchy that runs System Center 2012 Configuration Manager with no service pack, the original Configuration Manager 2007 content remains on the server until it is manually removed. However, when you migrate to a hierarchy that runs System Center 2012 Configuration Manager SP1, the original Configuration Manager 2007 content is removed after the copy of the content is converted.

Can I combine more than one Configuration Manager 2007 or System Center 2012 Configuration Manager hierarchy in a single System Center 2012 Configuration Manager hierarchy?

You can migrate data from more than one source hierarchy, and the source hierarchies do not need to be the same version as each other. This means you can migrate from one or more Configuration Manager 2007 hierarches, one or more System Center 2012 Configuration Manager hierarchies, and from one or more hierarchies that each run a different version of Configuration Manager. However, you can only migrate from one hierarchy at a time.

You can migrate the hierarchies in any order. However, you cannot migrate data from multiple hierarchies that use the same site code. If you try to migrate data from a site that uses the same site code as a migrated site, or that uses the same site code as a site in your destination hierarchy, this corrupts the data in the System Center 2012 Configuration Manager database.

What Configuration Manager 2007 hierarchy can I use as a source hierarchy?

System Center 2012 Configuration Manager supports migrating a Configuration Manager 2007 environment that is at a minimum of Service Pack 2. For more information, see Prerequisites for Migration in System Center 2012 Configuration Manager.

What objects can I migrate?

The list of objects you can migrate depends on the version of your source hierarchy. You can migrate most objects from Configuration Manager 2007 to System Center 2012 Configuration Manager, including the following:

  • Advertisements

  • Boundaries

  • Collections

  • Configuration baselines and configuration items

  • Operating system deployment boot images, driver packages, drivers, images, and packages

  • Software distribution packages

  • Software metering rules

  • Software update deployment packages and templates

  • Software update deployments

  • Software update lists

  • Task sequences

  • Virtual application packages

When you migrate between System Center 2012 Configuration Manager hierarchies, the list is similar, and includes objects that are only available in System Center 2012 Configuration Manager, such as Applications.

For more information, see Objects That You Can Migrate

Can I migrate maintenance windows?

Yes. When a collection migrates, Configuration Manager also migrates collection settings, which includes maintenance windows and collection variables. However, collection settings for AMT provisioning do not migrate.

Will advertisements rerun after they are migrated?

No. Clients that you upgrade from Configuration Manager 2007 will not rerun advertisements that you migrate. System Center 2012 Configuration Manager retains the Configuration Manager 2007 Package ID for packages you migrate and clients that upgrade retain their advertisement history.

Security and Role-Based Administration

The following frequently asked questions relate to security and role-based administration in Configuration Manager.

Where is the documentation for role-based administration?

Because role-based administration is integrated into the configuration of the hierarchy and management functions, there is no separate documentation section for role-based administration. Instead, information is integrated throughout the documentation library. For example, information about planning and configuring role-based administration is in the Planning for Security in Configuration Manager topic and the Configuring Security for Configuration Manager topic in the Site Administration for System Center 2012 Configuration Manager guide and the Security and Privacy for System Center 2012 Configuration Manager guide.

The Configuration Manager console lists the description of each role-based security role that is installed with Configuration Manager, and the minimum permissions and suitable security roles for each management function is included as a prerequisite in the relevant topic. For example, Prerequisites for Application Management in Configuration Manager in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide list the minimum security permissions to manage and to deploy applications, and the security roles that meet these requirements.

What is the minimum I have to configure if I don’t want to use role-based administration while I’m testing System Center 2012 Configuration Manager?

If you install System Center 2012 Configuration Manager, there is no additional configuration because the Active Directory user account used to install Configuration Manager is automatically assigned to the Full Administrator security role, assigned to All Scopes, and has access to the All Systems and All Users and User Groups collections. However, if you want to provide full administrative permissions for other Active Directory users to access System Center 2012 Configuration Manager, create new administrative users in Configuration Manager using their Windows accounts and then assign them to the Full Administrator security role.

How can I partition security with System Center 2012 Configuration Manager?

Unlike Configuration Manager 2007, sites no longer provide a security boundary. Instead, use role-based administration security roles to configure the permissions different administrative users have, and security scopes and collections to define the set of objects they can view and manage. These settings can be configured at a central administration site or any primary site and are enforced at all sites throughout the hierarchy.

Should I use security groups or user accounts to specify administrative users?

As a best practice, specify a security group rather than user accounts when you configure administrative users for role-based administration.

Can I deny access to objects and collections by using role-based administration?

Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.

How do I find which object types can be assigned to security roles?

Run the report Security for a specific or multiple Configuration Manager objects to find the object types that can be assigned to security roles. Additionally you can view the list of objects for a security role by viewing the security roles Properties and selecting the Permissions tab.

Can I use security scopes to restrict which distribution points are shown in the Distribution Status node in the Monitoring workspace?

No, although you can configure role-based administration and security scopes so that administrative users can distribute content to selected distribution points only, Configuration Manager always displays all distribution points in the Monitoring workspace.

Client Deployment and Operations

The following frequently asked questions relate to deploying and managing clients on computers and mobile devices in Configuration Manager.

Does System Center 2012 Configuration Manager support the same client installation methods as Configuration Manager 2007?

Yes. System Center 2012 Configuration Manager supports the same client installation methods that Configuration Manager 2007 supports: client push, software update-based, group policy, manual, logon script, and image-based. For more information, see How to Install Clients on Windows-Based Computers in Configuration Manager.

What’s the minimum permission an administrative user requires for the Client Push Installation Wizard?

To install a Configuration Manager client by using the Client Push Installation Wizard, the administrative user must have at least the Modify resource permission.

What’s the difference between upgrading clients by using the supplied package definition file and a package and program, and using automatic client upgrade that also uses a package and program?

When you create a package and program to upgrade Configuration Manager clients, this installation method is designed to upgrade existing System Center 2012 Configuration Manager clients. You can control which distribution points hosts the package and the client computers that install the package. This installation method supports only System Center 2012 Configuration Manager clients and cannot upgrade Configuration Manager 2007 clients.

In comparison, the automatic client upgrade method automatically creates the client upgrade package and program and this installation method can be used with Configuration Manager 2007 clients as well as System Center 2012 Configuration Manager clients. The package is automatically distributed to all distribution points in the hierarchy and the deployment is sent to all clients in the hierarchy for evaluation. This installation method supports System Center 2012 Configuration Manager clients and Configuration Manager 2007 clients that are assigned to a System Center 2012 Configuration Manager site. Because you cannot restrict which distribution points are sent the upgrade package or which clients are sent the deployment, use automatic client upgrade with caution and do not use it as your main method to deploy the client software.

For more information, see How to Upgrade Configuration Manager Clients by Using a Package and Program and How to Automatically Upgrade the Configuration Manager Client for the Hierarchy in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Do references to “devices” in System Center 2012 Configuration Manager mean mobile devices?

The term “device” in System Center 2012 Configuration Manager applies to a computer or a mobile device such as a Windows Mobile Phone.

How does System Center 2012 Configuration Manager support clients in a VDI environment?

For information about supporting clients for a virtual desktop infrastructure (VDI), see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic.

Why might there be differences between a client’s assigned, installed, and resident site values when I look at the client properties in the Configuration Manager console?

A client’s assigned site is the primary site that creates the client policy to manage the device. Clients are always assigned to primary sites, even if they roam into another primary site or reside within the boundaries of a secondary site. The client’s installed site refers to the site that sent the client the client installation files to run CCMSetup.exe. For example, if you used the Client Push Installation Wizard, you can specify Install the client software from a specified site and select any site in the hierarchy. The resident site refers to the site that owns the boundaries that the client currently resides in. For example, this might be a secondary site of the client’s primary site. Or, it might be another primary site if the client is roaming and temporarily connected to a network that belongs to another site in the hierarchy.

Is it true that System Center 2012 Configuration Manager has a new client health solution?

Yes, client status is new in System Center 2012 Configuration Manager and allows you to monitor the activity of clients and check and remediate various problems that can occur.

How do I find out what client health checks Configuration Manager makes and can I add my own?

Review the checks that client health makes in the section Monitoring the Status of Client Computers in Configuration Manager in the topic Introduction to Client Deployment in Configuration Manager. You can use compliance settings in Configuration Manager to check for additional items that you consider required for the health of your clients. For example, you might check for specific registry key entries, files, and permissions.

What improvements have you made for Internet-based client management?

Configuration Manager contains many improvements since Configuration Manager 2007 to help you manage clients when they are on the Internet:

  • Configuration Manager supports a gradual transition to using PKI certificates, and not all clients and site systems have to use PKI certificates before you can manage clients on the Internet. For more information, see Planning a Transition Strategy for PKI Certificates and Internet-Based Client Management.

  • The certificate selection process that Configuration Manager uses is improved by using a certificate issuers list. For more information, see Planning for the PKI Trusted Root Certificates and the Certificate Issuers List.

  • Although deploying an operating system is still not supported over the Internet, you can deploy generic task sequences for clients that are on the Internet.

  • If the Internet-based management point can authenticate the user, user polices are now supported when clients are on the Internet. This functionality supports user-centric management and user device affinity for when you deploy applications to users.

  • Configuration Manager Internet-based clients on the Internet first try to download any required software updates from Microsoft Update, rather than from an Internet-based distribution point in their assigned site. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.

What is the difference between Internet-based client management and DirectAccess?

DirectAccess is a Windows solution for managing domain computers when they move from the intranet to the Internet. This solution requires the minimum operating systems of Windows Server 2008 R2 and Windows 7 on clients. Internet-based client management is specific to Configuration Manager, and it allows you to manage computers and mobile devices when they are on the Internet. The Configuration Manager clients can be on workgroup computers and never connect to the intranet, and they can also be mobile devices. The Configuration Manager solution works for all operating system versions that are supported by Configuration Manager.

Unless you are using Windows Server 2012 with only Windows 8 clients for DirectAccess, both solutions require PKI certificates on clients and servers. However, DirectAccess requires a Microsoft enterprise certification authority, whereas Configuration Manager can use any PKI certificate that meets the requirements documented in PKI Certificate Requirements for Configuration Manager.

Not all Configuration Manager features are supported for Internet-based client management. For more information, see the Planning for Internet-Based Client Management section in the Planning for Communications in Configuration Manager topic. In comparison, because a client that connects over DirectAccess behaves as if it is on the intranet, all features, with the exception of deploying an operating system, are supported by Configuration Manager.

Warning

Some Configuration Manager communications are server-initiated, such as client push installation and remote control. For these connections to succeed over DirectAccess, the initiating computer on the intranet and all intervening network devices must support IPv6.

For support information about how Configuration Manager supports DirectAccess, see the Support for DirectAccess section in the Supported Configurations for Configuration Manager topic.

Tip

Do not configure a Configuration Manager client for both intranet and Internet-based client management and DirectAccess. If DirectAccess allows access to intranet management points when computers are on the Internet, the client will never connect to the Internet-based site system roles.

Can I install the Configuration Manager client on my Windows Embedded devices that have very small disks?

Probably. You can reduce the disk space required to install the Configuration Manager client by using customized settings, such as excluding installation files that the client does not require and specifying the client cache to be smaller than the default size. For more information, see the Computer Client Hardware Requirements section in the Supported Configurations for Configuration Manager topic.

Where can I find information about managing vPro computers?

You can manage Intel vPro computers by using out of band management in System Center 2012 Configuration Manager. For more information, see Out of Band Management in Configuration Manager in the Assets and Compliance in System Center 2012 Configuration Manager guide.

I want to move my Intel AMT-based computers that I provisioned with Configuration Manager 2007 to System Center 2012 Configuration Manager. Can I use the same Active Directory security group, OU, and web server certificate template?

AMT-based computers that were provisioned with Configuration Manager 2007 must have their provisioning data removed before you migrate them to System Center 2012 Configuration Manager, and then provisioned again by System Center 2012 Configuration Manager. Because of functional changes between the versions, the security group, OU, and web server certificate template have different requirements:

  • If you used a security group in Configuration Manager 2007 for 802.1X authentication, you can continue to use this group if it is a universal security group. If it is not a universal group, you must convert it or create a new universal security group for System Center 2012 Configuration Manager. The security permissions of Read Members and Write Members for the site server computer account remain the same.

  • The OU can be used without modification. However, System Center 2012 Configuration Manager no longer requires Full Control to this object and all child objects. You can reduce these permissions to Create Computer Objects and Delete Computer Objects on this object only.

  • The web server certificate template from Configuration Manager 2007 cannot be used in System Center 2012 Configuration Manager without modification. This certificate template no longer uses Supply in the request and the site server computer account no longer requires Read and Enroll permissions.

For more information about the security group and OU, see Step 1 in How to Provision and Configure AMT-Based Computers in Configuration Manager.

For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager and the example deployment, Deploying the Certificates for AMT.

Is there a limit to the number of certificate templates that I can use with certificate profiles?

Yes, you are limited to three certificate templates per hierarchy and each of these certificate templates are restricted to the three key usages that the Network Device Enrollment Service supports: signing, encryption, and both signing and encryption. So, for example, you couldn’t use two certificate templates that supported both signing and encryption.

Although different servers running the Network Device Enrollment Service can be configured to use different certificate templates, Configuration Manager cannot support this configuration because you cannot assign clients to specific servers. If you have multiple certificate registration point site system servers in the hierarchy that communicate with multiple servers running the Network Device Enrollment Service, Configuration Manager non-deterministically assigns clients to the available servers to automatically load balance the requests.

For more information about the certificate templates that Configuration Manager uses to deploy certificate profiles, see the SCEP certificate information procedure in Step 3: Provide Information About the Certificate Profile from the How to Create Certificate Profiles in Configuration Manager topic.

Do I really need Windows Server 2012 R2 to deploy certificate profiles?

Yes, although you do not need Windows Server 2012 R2 for the certificate registration point, you do need this operating system version (or later) to install the Configuration Manager Policy Module on the server that runs the Network Device Enrollment Service.

Before this version of the operating system, the Network Device Enrollment Service was designed for secured intranet environments only, to accept interactive computer certificate requests for network equipment such as routers. Changes in Windows Server 2012 R2 now accommodate user certificates as well as computer certificates, and the new support for a policy module makes this solution scalable for an enterprise environment. In addition, the increased security now supports running this service in a perimeter network (also known as a DMZ), which is important for devices that you manage on the Internet, such as iOS and Android devices.

For more information about the changes to the Network Device Enrollment Service in Windows Server 2012 R2, see What's New in Certificate Services in Windows Server 2012 R2.

How can I tell which collections of computers have a power plan applied?

There is no report in System Center 2012 Configuration Manager that displays which collections of computers have a power plan applied. However, in the Device Collections list, you can select the Power Configurations column to display whether a collection has a power plan applied.

Does wake-up proxy have its own service?

Yes. Wake-up proxy in Configuration Manager SP1 has its own client service named ConfigMgr Wake-up Proxy that runs separately from the SMS Agent Host (CCMExec.exe). This service is installed when a client is configured for wake-up proxy and then new client checks make sure that this wake-up proxy service is running and that the startup type is automatic.

Does disabling the wake-up proxy client setting remove or just stop the wake-up proxy service on clients?

If you have enabled the wake-up proxy client setting on Configuration Manager SP1 clients, and then disable it, the ConfigMgr Wake-up Proxy service is removed from clients.

Why does my first connection attempt for Remote Desktop always fail to a sleeping a computer when I use wake-up proxy?

A manager computer for the sleeping computer’s subnet responds to the first connection attempt and wakes up the sleeping computer, which then contacts the network switch. After the computer is awake and the network switch is updated, subsequent connection attempts will successfully connect to the destination computer. Most TCP connections automatically retry and you will not see that the first connection (and possibly additional connections) time out. For Remote Desktop connections, however, you are more likely to see an initial failed connection and must manually retry. For computers that must come out of hibernation, you will probably experience a longer delay than for computers that are in other sleep states.

Why don’t clients run scheduled activities such as inventory, software updates, and application evaluation and installations at the time I schedule them?

To better support virtual desktop infrastructure (VDI) environments and large-scale client deployments, System Center 2012 Configuration Manager has a randomization delay for scheduled activities. This means that for scheduled activities, clients are unlikely to run the action at the exact time that you configure. In Configuration Manager SP1 only, you can use client settings to enable or disable the randomization delay for required software updates and required applications. By default, this setting is disabled.

For more information, see the Considerations for Managing the Configuration Manager Client in a Virtual Desktop Infrastructure (VDI) section in the Introduction to Client Deployment in Configuration Manager topic.

Where is the documentation for the Configuration Manager client for Mac Computers?

For System Center 2012 Configuration Manager SP1 and later:

Because the management of computers that run the Mac OS X operating system is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Mac computers. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on Mac computers is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to Mac computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Some of the main topics that contain information about the Configuration Manager client for Mac computers include the following:

Topic

More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Mac Computers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Mac computers, which includes the following:

  • Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic to check whether Configuration Manager can support your version of the Mac OS X operating system.

PKI Certificate Requirements for Configuration Manager

Contains certificate requirements for managing Mac computers in Configuration Manager.

How to Install Clients on Mac Computers in Configuration Manager

Contains information about how to install the Configuration Manager client on Mac computers.

How to Create and Deploy Applications for Mac Computers in Configuration Manager

Contains information to help you deploy software to Mac computers.

How to Create Mac Computer Configuration Items in Configuration Manager

Contains information about how to use compliance settings for Mac computers.

Where is the documentation for the Configuration Manager client for Linux and UNIX?

For System Center 2012 Configuration Manager SP1 and later:

Because the management of computers that run Linux and UNIX is similar to managing Windows-based computers in System Center 2012 Configuration Manager, there is no separate documentation section for Linux and UNIX. Instead, information is integrated throughout the documentation library. For example, information about how to install the client on computers that run Linux or UNIX is in the Deploying Clients for System Center 2012 Configuration Manager guide, and information about how to deploy software to computers that run Linux and UNIX computers is in the Deploying Software and Operating Systems in System Center 2012 Configuration Manager guide.

Some of the main topics that contain information about the Configuration Manager client for Linux and UNIX include the following:

Topic

More information

Introduction to Client Deployment in Configuration Manager

See the Deploying the Configuration Manager Client to Linux and UNIX Servers section in the Introduction to Client Deployment in Configuration Manager topic for information about the Configuration Manager client for Linux and UNIX, which includes:

  • Configuration Manager functionality that the client supports

Supported Configurations for Configuration Manager

See the Client Requirements for Linux and UNIX Servers section Supported Configurations for Configuration Manager topic to check whether Configuration Manager can support your version of Linux or UNIX.

PKI Certificate Requirements for Configuration Manager

Contains certificate requirements for the Configuration Manager client for Linux and UNIX.

Planning for Client Deployment for Linux and UNIX Servers

Contains information about deploying the Configuration Manager client to Linux and UNIX servers.

How to Install Clients on Linux and UNIX Computers in Configuration Manager

Contains information about installing the Configuration Manager client on Linux and UNIX servers.

Planning for Communications in Configuration Manager

For information about planning for communications from Linux and UNIX computers to Configuration Manager site system servers, see the Planning for Client Communication in Configuration Manager section of the Planning for Communications in Configuration Manager topic.

How to Manage Linux and UNIX Clients in Configuration Manager

Contains information about using the following functionality in Configuration Manager to manage clients that run Linux and UNIX:

  • Collections

  • Machine policy

  • Maintenance Windows

  • Client settings

Hardware Inventory for Linux and UNIX in Configuration Manager

Contains information about using hardware inventory with clients that run Linux and UNIX, including the following:

  • Configuring inventory

  • Extending hardware inventory

  • Viewing inventory

Deploying Software to Linux and UNIX Servers in Configuration Manager

Contains information about how to deploying software to Linux and UNIX clients.

How to Monitor Linux and UNIX Clients in Configuration Manager

Contains information about how to monitoring clients that run Linux and UNIX.

Mobile Devices

The following frequently asked questions relate specifically to mobile devices in Configuration Manager.

Where is the documentation for mobile devices?

A good place to begin is with Manage Mobile Devices with Configuration Manager and Microsoft Intune.

Some of the main topics that contain information about mobile devices include the following:

Topic

More information

Supported Configurations for Configuration Manager

See the Mobile Device Requirements section to check whether Configuration Manager can support your mobile device environment.

PKI Certificate Requirements for Configuration Manager

Contains certificate requirements if you install the Configuration Manager client on mobile devices. No certificates are required by Configuration Manager if you manage mobile devices that connect to Exchange Server.

Planning for Site Systems in Configuration Manager

Contains information about where to install the site system roles that are required to manage mobile devices.

Help protect your data with remote wipe, remote lock, or passcode reset using Configuration Manager

Contains information on how to wipe company content from mobile devices.

General settings for Mobile Devices in Configuration Manager

Contains information on compliance settings for mobile devices.

How to Create and Deploy Applications for Mobile Devices in Configuration Manager

Contains information on deploying apps to mobile devices.

How to Configure Hardware Inventory for Mobile Devices Enrolled by Microsoft Intune and Configuration Manager

Contains information on mobile device hardware inventory.

Introduction to Software Inventory in Configuration Manager

Contains information on gathering software inventory for personal or company-owned mobile devices.

Introduction to Wi-Fi Profiles in Configuration Manager

Contains information on deploying wireless network settings to mobile devices in your organization.

Introduction to Certificate Profiles in Configuration Manager

Contains information on provisioning authentication certificates for mobile devices so that users can seamlessly access company resources.

Introduction to VPN Profiles in Configuration Manager

Contains information on how to deploy VPN settings to users in your organization.

Technical Reference for Log Files in Configuration Manager

See the Mobile Devices section for the list of log files that are created when you manage mobile devices in Configuration Manager.

If you have mobile device legacy clients in your System Center 2012 Configuration Manager hierarchy, the installation and configuration for these mobile devices is the same as in Configuration Manager 2007. For more information, see Mobile Device Management in Configuration Manager in the Configuration Manager 2007 documentation library.

If I wipe a mobile device that is enrolled by Configuration Manager and discovered by the Exchange Server connector, will it be wiped twice?

No. In this dual management scenario, Configuration Manager sends the wipe command in the client policy and by using the Exchange Server connector, and then monitors the wipe status for the mobile device. As soon as Configuration Manager receives a wipe confirmation from the mobile device, it cancels the second and pending wipe command so that the mobile device is not wiped twice.

Can I configure the Exchange Server connector for read-only mode?

Yes, if you only want to find mobile devices and retrieve inventory data from them as a read-only mode of operation, you can do this by granting a subset of the cmdlets that the account uses to connect to the Exchange Client Access server. The required cmdlets for a read-only mode of operation are as follows:

  • Get-ActiveSyncDevice

  • Get-ActiveSyncDeviceStatistics

  • Get-ActiveSyncOrganizationSettings

  • Get-ActiveSyncMailboxPolicy

  • Get-ExchangeServer

  • Get-Recipient

  • Set-ADServerSettings

Warning

When the Exchange Server connector operates with these limited permissions, you cannot create access rules, or wipe mobile devices, and mobile devices will not be configured with the settings that you define. In addition, Configuration Manager will generate alerts and status messages to notify you that it could not complete operations that are related to the Exchange Server connector.

Do I need a work or school account to use the Microsoft Intune connector?

Yes. You must specify a work or school account before you can install the Microsoft Intune connector in Configuration Manager SP1.

Do I need special certificates before I can make applications available to users who have mobile devices that run Windows RT, Windows Phone 8, iOS, and Android?

Yes. You require specific application certificates before users can install applications on Windows RT, Windows Phone 8, and iOS. You do not require certificates to make applications available to mobile devices that run Android.

For more information about these certificates, see Manage Mobile Devices with Configuration Manager and Microsoft Intune.

Do I need a my own PKI to enroll mobile devices by using Microsoft Intune?

No. Although the Microsoft Intune connector uses PKI certificates, Microsoft Intune automatically requests and installs these certificates for you.

For more information about these certificates, see PKI Certificate Requirements for Configuration Manager.

Does enrolling mobile devices by using the Microsoft Intune connector install the Configuration Manager client on them?

No. Windows RT and Windows Phone 8 includes a management client that Configuration Manager uses, and Configuration Manager manages mobile devices that run iOS by directly calling APIs.

Do I need the Microsoft Intune connector to manage Android devices?

No. Without the Microsoft Intune connector, you can manage these devices by collecting hardware inventory, configure settings such as passwords and roaming, and remotely wipe the device. However, if you want to make company apps available to Android devices, you must install the Microsoft Intune connector.

Can users go to the Application Catalog to install apps on their mobile devices?

No. Mobile devices that are enrolled by Configuration Manager support only required apps, so users cannot choose company apps to install. Users who have mobile devices that are enrolled by Microsoft Intune install company apps from the company portal. However, if these apps require approval, users must first request approval from the Application Catalog.

Remote Control

The following frequently asked questions relate to remote control in Configuration Manager.

Is remote control enabled by default?

By default, remote control is disabled on client computers. Enable remote control as a default client setting for the hierarchy, or by using custom client settings that you apply to selected collections.

What ports does remote control use?

TCP 2701 is the only port that System Center 2012 Configuration Manager uses for remote control. When you enable remote control as a client setting, you can select one of three firewall profiles that automatically configure this port on Configuration Manager clients: Domain, Private, or Public.

What is the difference between a Permitted Viewers List and granting a user the role-based administration security role of Remote Tools Operator?

The Permitted Viewers List grants an administrative user the Remote Control permission for a computer, and the role-based administration security role of Remote Tools Operator grants an administrative user the ability to connect a Configuration Manager console to a site so that audit messages are sent when they manage computers by using remote control.

Can I send a CTRL+ALT+DEL command to a computer during a remote control session?

Yes. In the Configuration Manager remote control window, click Action, and then click Send Ctrl+Alt+Del.

How can I find out how the Help Desk is using remote control?

You can find this out by using the remote control reports: Remote Control – All computers remote controlled by a specific user and Remote Control – All remote control information. For more information, see How to Audit Remote Control Usage in Configuration Manager.

What happened to the Remote Control program in Control Panel on Configuration Manager clients?

The remote control settings for System Center 2012 Configuration Manager clients are now in Software Center, on the Options tab.

Software Deployment

The following frequently asked questions relate to content management, software updates, applications, packages and programs, scripts, and operating system deployment with supporting task sequences and device drivers in Configuration Manager.

When distribution points are enabled for bandwidth control, does the site server compress the content that it distributes to them in the same way as site-to-site data is compressed?

No, site servers do not compress the content that it distributes to distribution points that are enabled for bandwidth control. Whereas site-to-site transfers potentially resend files that might already be present, only to be discarded by the destination site server, a site server sends only the files that a distribution point requires. With a lower volume of data to transfer, the disadvantages of high CPU processing to compress and decompress the data usually outweigh the advantages of compressing the data.

What is an “application” and why would I use it?

System Center 2012 Configuration Manager applications contain the administrative details and Application Catalog information necessary to deploy a software package or software update to a computer or mobile device.

What is a “deployment type” and why would I use one?

A deployment type is contained within an application and specifies the installation files and method that Configuration Manager will use to install the software. The deployment type contains rules and settings that control if and how the software is installed on client computers.

What is the “deployment purpose” and why would I use this?

The deployment purpose defines what the deployment should do and represents the administrator’s intent. For example, an administrative user might require the installation of software on client computers or might just make the software available for users to install themselves. A global condition can be set to check regularly that required applications are installed and to reinstall them if they have been removed.

What is a global condition and how is it different from a deployment requirement?

Global conditions are conditions used by requirement rules. Requirement rules set a value for a deployment type for a global condition. For example, “operating system =” is a global condition; a requirement rule is “operating system = Win7.”

How do I make an application deployment optional rather than mandatory?

To make a deployment optional, configure the deployment purpose as Available in the applications deployment type. Available applications display in the Application Catalog where users can install them.

Can users request applications?

Yes. Users can browse a list of available software in the Application Catalog. Users can then request an application which, if approved, will be installed on their computer. To make a deployment optional, configure the deployment purpose as Available in the applications deployment type.

Why would I use a package and program to deploy software rather than an application deployment?

Some scenarios, such as the deployment of a script that runs on a client computer but that does not install software, are more suited to using a package and program rather than an application.

Can I deploy Office so that it installs locally on a user’s main workstation but is available to that user as a virtual application from any computer?

Yes. You can configure multiple deployment types for an application. Rules that specify which deployment type is run allows you to specify how the application is made available to the user.

Does Configuration Manager help identify which computers a user uses to support the user device affinity feature?

Yes. Configuration Manager collects usage statistics from client devices that can be used to automatically define user device affinities or to help you manually create affinities.

Can I change a simulated application deployment to a standard application deployment?

No. you must create a new deployment that can include extra options that include scheduling and user experience.

If the same application is deployed to a user and a device, which one takes priority?

In this case, the following rules apply:

  • If both deployments have a purpose of Available, the user deployment will be installed.

  • If both deployments have a purpose of Required, the deployment with the earliest deadline will be installed.

  • If one deployment has a purpose of Available and the other deployment has a purpose of Required, the deployment with the purpose of Required will be installed.

Note

A deployment to a user that is scheduled to be installed out of business hours is treated as a required deployment.

Can I migrate my existing packages and programs from Configuration Manager 2007 to a System Center 2012 Configuration Manager hierarchy?

Yes. You can see migrated packages and programs in the Packages node in the Software Library workspace. You can also use the Import Package from Definition Wizard to import Configuration Manager 2007 package definition files into your site.

Does the term “software” include scripts and drivers?

Yes. In System Center 2012 Configuration Manager, the term software includes software updates, applications, scripts, task sequences, device drivers, configuration items, and configuration baselines.

What does “state-based deployment” mean in reference to System Center 2012 Configuration Manager?

Depending on the deployment purpose you have specified in the deployment type of an application, System Center 2012 Configuration Manager periodically checks that the state of the application is the same as its purpose. For example, if an application’s deployment type is specified as Required, Configuration Manager reinstalls the application if it has been removed. Only one deployment type can be created per application and collection pair.

Do I have to begin using System Center 2012 Configuration Manager applications immediately after migrating from Configuration Manager 2007?

No, you can continue to deploy packages and programs that have been migrated from your Configuration Manager 2007 site. However, packages and programs cannot use some of the new features of System Center 2012 Configuration Manager such as requirement rules, dependencies and supersedence.

If an application that has been deployed to a user is installed on multiple devices, how is the deployment summarized for the user?

Deployments to users or devices are summarized based on the worst result. For example, if a deployment is successful on one device and the application requirements were not met on another device then the deployment for the user is summarized as Requirements Not Met. If none of the user’s devices has received the application, the deployment is summarized as Unknown.

Is there a quick guide to installing the Application Catalog?

If you don’t require HTTPS connections (for example, users will not connect from the Internet), you can use the following the quick guide instructions:

  1. Make sure that you have all the prerequisites for the Application Catalog site roles. For more information, see Prerequisites for Application Management in Configuration Manager.

  2. Install the following Application Catalog site system roles and select the default options:

    • Application Catalog web service point

    • Application Catalog website point

  3. Configure the following Computer Agent device client settings by editing the default client settings, or by creating and assigning custom client settings:

    • Default Application Catalog website point: Automatically detect

    • Add default Application Catalog website to Internet Explorer trusted site zone: True 

    • Install Permissions: All users

For full instructions, see Configuring the Application Catalog and Software Center in Configuration Manager.

How often are application deployments summarized?

Although you can configure the application deployment summarization interval, by default, the following values apply:

  • Deployments that were modified in the last 30 days – 1 hour

  • Deployments that were modified in the last 31 to 90 days – 1 day

  • Deployments that were modified over 90 days ago – 1 week

You can modify the application deployment summarization intervals from the Status Summarizers dialog box. Click Status Summarizers from the Sites node in the Administration workspace to open this dialog box.

How does the processing of requirements differ between a deployment with the action of Install and a deployment with the action of Uninstall?

In most cases, a deployment with an action of Uninstall will always uninstall a deployment type if it is detected unless the client type is different. For example, if you deploy a mobile device application with an action of Uninstall to a desktop computer, the deployment will fail with a status of Requirements not met as it is impossible to enforce this uninstall.

What happens if a simulated deployment and a standard deployment for the same application are deployed to a computer?

Although you cannot deploy a simulated and a standard deployment of an application to the same collection, you can target a computer with both if you deploy them to different collections and the computer is a member of both collections. In this scenario, for both deployments, the computer reports the results of the standard deployment. This explains how you might see deployment states for a simulated deployment that you would usually only see for a standard deployment, such as In Progress and Error.

Why do I see an error message about insufficient permissions from a Windows Embedded device when I try to install software from Software Center?

You can install applications only when the write filter on the Windows Embedded device is disabled. If you try to install an application on a Windows Embedded device that has write filters enabled, you see an error message that you have insufficient permissions to install the application and the installation fails.

Should I use collections or application requirements to control software deployments?

In Configuration Manager 2007, you had to use collections to identify which devices should install software, such as applications, task sequences, and software updates. In System Center 2012 Configuration Manager, you must continue to use collections for task sequences, but for applications, you can now use requirement rules as a method to control which devices install the software. For example, you could deploy an application to the All Desktop and Server Clients collection, but include a requirement rule that specifies that the application should be installed only on computers that run Windows 8. Software updates already have this requirements capability built in, so you do not need to configure this yourself.

Although defining the requirements within the application deployment usually requires more work initially, it has longer term benefits because it reduces the administrative overhead of maintaining, using, and searching many collections. Additionally, requirements are evaluated by the client at deployment time, whereas query-based collections are evaluated periodically and often depend on the results of hardware inventory collection that might run only once a week. Another consideration when you have many collections with complex query rules is that the collection evaluation can result in noticeable CPU processing on the site server.

In summary, we recommend that for most application deployments, you use requirement rules instead of collections. Continue to use collections for task sequences, package and programs, testing purposes, and one-off application deployments.

Can I use update lists in System Center 2012 Configuration Manager?

No. Software update groups are new in System Center 2012 Configuration Manager and replace update lists that were used in Configuration Manager 2007.

What is an “update group” and why would I use one?

Software update groups provide a more effective method for you to organize software updates in your environment. You can manually add software updates to a software update group or software updates can be automatically added to a new or existing software update group by using an automatic deployment rule. You can also deploy a software update group manually or automatically by using an automatic deployment rule. After you deploy a software update group, you can add new software updates to the group and they will automatically be deployed.

Does System Center 2012 Configuration Manager have automatic approval rules like Windows Server Update Services (WSUS)?

Yes. You can create automatic deployment rules to automatically approve and deploy software updates that meet specified search criteria.

What changes have been made in System Center 2012 Configuration Manager to manage superseded software updates?

In Configuration Manager 2007, superseded software updates are automatically expired during full software updates synchronization. In System Center 2012 Configuration Manager, you can choose to automatically expire superseded software updates during software updates synchronization just as it is in Configuration Manager 2007. Or, you can specify a number of months before a superseded software update is expired. This allows you to deploy a superseded software update for the period of time while you validate and approve the superseding software update in your environment.

How are superseded and expired software updates removed in System Center 2012 Configuration Manager?

System Center 2012 Configuration Manager might automatically remove expired and superseded software updates. Consider the following scenarios:

  • Expired software updates that are not associated with a deployment are automatically removed up every 7 days by a site maintenance task.

  • Expired software updates that are associated with a deployment are not automatically removed by the site maintenance task.

  • Superseded software updates that you have configured not to expire for a specified period of time are not removed or deleted by the site maintenance task.

You can remove expired software updates from all software update groups and software update deployments so that they are automatically removed. To do this, search for expired software updates, select the returned results, choose edit membership, and remove the expired software updates from any software update group for which they are members.

What do the software update group icons represent in Configuration Manager?

The software update group icons are different in the following scenarios:

  • When a software update group contains at least one expired software update, the icon for that software update group contains a black X.

  • When a software update group contains no expired software updates, but at least one superseded software update, the icon for that software update group contains a yellow star.

  • When a software update group has no expired or superseded software updates, the icon for that software update group contains a green arrow.

When you view the status of an application deployment in the Deployments node of the Monitoring workspace, how is the displayed Compliance % calculated?

The compliance percentage (Compliance %) is calculated by taking the number of users or devices with a deployment state of Success added to the number of devices with a deployment state of Requirements Not Met and then dividing this total by the number of users or devices that the deployment was sent to.

While monitoring the deployment of an application, the numbers displayed in the Completion Statistics do not match the numbers displayed in the View Status pane. What reasons might cause this?

The following reasons might cause the numbers shown in Completions Statistics and the View Status pane to differ:

  • The completion statistics are summarized and the View Status pane displays live data – Select the deployment in the Deployments node of the Monitoring workspace and then, in the Home tab, in the Deployment group, click Run Summarization. Refresh the display in the Configuration Manager console and after summarization completes, the updated completion statistics will display in the Configuration Manager console.

  • An application contains multiple deployment types. The completion statistics display one status for the application; the View Status pane displays status for each deployment type in the application.

  • The client encountered an error. It was able to report status for the application, but not for the deployment types contained in the application. You can use the report Application Infrastructure Errors to troubleshoot this scenario.

When I view the report named Distribution Point Usage Summary, why do I see a value for more clients than I expect to see in the column named Client Accessed (Unique)?

When a pull-distribution point downloads content from a source distribution point, that access is counted as a client access for the purpose of this report.

Why does the value for Bytes Sent (MB), in the Distribution Point Usage Summary report, not always reflect the actual volume of data I deploy?

The report does not track the value of bytes sent over multicast.

Can I deploy operating systems by using a DVD or a flash drive?

Yes. You can use media such as a CD, DVD set, or a USB flash drive to capture an operating system image and to deploy an operating system. Deployment media includes bootable media, prestaged media, and stand-alone media. For more information, see Planning for Media Operating System Deployments in Configuration Manager.

When I upgrade an operating system, can I retain the user’s information so that they have all their files, data, and preferences when they log on to the new operating system?

Yes. When you deploy an operating system you can add steps to your task sequence that capture and restore the user state. The captured data can be stored on a state migration point or on the computer where the operating system is deployed. For more information, see How to Manage the User State in Configuration Manager.

Can I deploy operating systems to computers that are not managed by Configuration Manager?

Yes. These types of computers are referred to as unknown computers. For more information about how to deploy operating systems to unknown computers, see How to Manage Unknown Computer Deployments in Configuration Manager.

When I deploy an operating system to multiple computers, can I optimize how the operating system image is sent to the destination computers?

Yes. Use multicast to simultaneously send data to multiple Configuration Manager clients rather than sending a copy of the data to each client over a separate connection. For more information, see Planning a Multicast Strategy in Configuration Manager.

Endpoint Protection

The following frequently asked questions relate to Endpoint Protection in Configuration Manager.

What’s new for Endpoint Protection in System Center 2012 Configuration Manager?

Endpoint Protection is fully integrated with System Center 2012 Configuration Manager and no longer requires a separate installation. In addition, there are a number of new features and enhancements in Endpoint Protection. For more information, see the Endpoint Protection section in the What's New in System Center 2012 Configuration Manager topic.

Can I deploy definitions by using Configuration Manager distribution points?

Yes, you can deploy Endpoint Protection definitions by using Configuration Manager software updates. For more information, see the How to Configure Endpoint Protection in Configuration Manager topic.

Are malware notifications faster in System Center 2012 Endpoint Protection than in Forefront Endpoint Protection 2010?

Yes, System Center 2012 Endpoint Protection uses Configuration Manager alerts to more quickly notify you when malware is detected on client computers.

Which antimalware solutions can Endpoint Protection uninstall?

For a list of the antimalware solutions that Configuration Manager can automatically uninstall when you install the Endpoint Protection client, see the Endpoint Protection section in the About Client Settings in Configuration Manager topic. For more information about how to configure Endpoint Protection to uninstall these antimalware solutions, see How to Configure Endpoint Protection in Configuration Manager.