Configuration Manager 2007 Release Notes

Aplica-se a: System Center Configuration Manager 2007

To search these Release Notes, press CTRL+F.

Read these Release Notes thoroughly before you install Microsoft System Center Configuration Manager 2007.

These Release Notes contain information that you need to successfully install Microsoft System Center Configuration Manager 2007. This document contains information that is not available in the product documentation. This document also contains Release Notes for Configuration Manager 2007 Inventory Tool for Microsoft Updates.

If there is a discrepancy between these Release Notes and other Configuration Manager 2007 documentation, the latest change should be considered authoritative. These release notes supersede the content included on this product DVD and the content on Microsoft TechNet dated August 2007.

Issues from previous versions have either been resolved or are documented in the Configuration Manager Documentation Library. Disregard Release Notes from previous versions.

In This Document:

About the Product Documentation

Comprehensive information about Configuration Manager 2007 is available in the Configuration Manager Documentation Library. The Library includes both introductory topics such as overviews of features and concepts, as well as in-depth technical discussions and technical reference information.

There are several ways to access the Library:

  • If you have not installed Configuration Manager 2007 yet, you can locate the file SMSv4.chm under the product DVD in SMSSETUP\HELP. You can also copy the SMSv4.chm file to your local hard drive and open it without installing the Configuration Manager 2007 console.

  • If you have installed Configuration Manager 2007, you can access the Library in the Configuration Manager 2007 console by pressing F1, by clicking Help buttons, clicking Help on the Action menus, or by clicking some hyperlinks. After Configuration Manager 2007 is installed, the file SMSv4.chm is installed in %windir%\Help.

  • The entire Configuration Manager Documentation Library is available on Microsoft TechNet in the System Center Configuration Manager TechCenter (

    To see a list of significant changes made to the Web version of the content, see the topic "What's New in the Configuration Manager Documentation Library."

Before You Install Configuration Manager 2007

Before you install Configuration Manager 2007, read the planning and deployment content. This content is available in Help and on Microsoft TechNet at

Protect Against Security Vulnerabilities and Viruses

To help protect against security vulnerabilities and viruses, it is important to install the latest available security updates for any new software being installed. For more information, see the Microsoft Security Web site at

Providing Feedback

If you would like to provide feedback, make a suggestion, or report an issue with Configuration Manager 2007, you can go to the Microsoft Connect site. You can right-click any node in the Configuration Manager 2007 console and click Give Feedback, or you can go directly to the Connect site at

  • Help the Configuration Manager documentation team ship the kind of product information you need most by giving us your feedback and comments. Send your documentation feedback to

System Requirements

The "Configuration Manager Supported Configurations" topic contains the information about hardware and software requirements and unsupported configurations and is available in Help and on Microsoft TechNet

Prerequisite Checking

When you install Configuration Manager 2007, Setup includes a prerequisite checker, which you can start from the autorun screen, splash.hta. The prerequisite checker identifies prerequisites that must be installed before Setup can complete. Run the prerequisite checker and then download and install any missing prerequisites prior to running Setup.

There are two prerequisites that are not detected by the prerequisite checker and are not listed in other prerequisite documentation. You must manually apply the following hotfixes prior to running Setup: and

For more information about prerequisites for installing Configuration Manager 2007, see "Prerequisites for Installing Configuration Manager" in the Configuration Manager Documentation Library on the DVD or on Microsoft TechNet

Automatic Downloading of Client Deployment Prerequisites

When you run Setup, you must tell Configuration Manager 2007 how to obtain the prerequisite components that must be installed on client computers prior to running the client Setup (CCMSetup). During site server Setup, Configuration Manager 2007 copies these files from the location you specify to a location on the site server. When a management point is installed, Configuration Manager 2007 copies the files from the location on the site server to the management point, so that CCMSetup can download and install them automatically on the client. For more information about the prerequisites, see the topic "Prerequisites for Configuration Manager Client Deployment" in the Configuration Manager Documentation Library.

If your site server has a connection to the Internet, Configuration Manager 2007 can check for updated versions of prerequisite files, download them to a location of your choice, and install them prior to installing Configuration Manager 2007. If your site server does not have a connection to the Internet, run Setup /download <path> on a computer with Internet connectivity, you must download the newest versions to a path accessible by the site server, and specify the alternate path when prompted. After you have downloaded the files, subsequent installations of Configuration Manager 2007 can copy the prerequisites from the same path.

Create the alternate path on an NTFS partition and restrict access to the path. During download, the account running Setup must have Write access to the path and during installation, the account running setup must have Read access.

If you are installing a secondary site and you install the source files from a location at the secondary site server computer, you must create a subfolder called \Redist under the SMSSetup directory at the secondary site and then copy to that location all of the prerequisite files that you previously downloaded. If you are installing a secondary site but select the option to copy the installation source files over the network from the parent site server, no additional action is required for the secondary site to obtain the prerequisite files.

If you are doing an unattended upgrade, you must first download the files using Setup /download <path> and then on the command line, provide the product ID key and the download path.

If you are doing an unattended installation using an .ini file, there are two settings required in the .ini file that control the prerequisite download behavior. In the [Options] section, specify the settings described in the following table.


Key Name Required Values Installation Type Description



0 or 1 (1 = already downloaded. 0 = need to download)

Primary site

Secondary site

Whether Configuration Manager 2007 should download the prerequisite components or use a path where prerequisites have already been downloaded




Primary site

Secondary site

If PrerequisiteComp = 1, this is the path where Configuration Manager 2007 should find the prerequisite files. If PrerequisiteComp = 0, this is the path where Configuration Manager 2007 should download the prerequisite files.

For more information about using unattended setup, see "Unattended Setup Overview" in the Configuration Manager Documentation Library.

Changes to Supported Configurations

The following information, that you need to know about changes to supported configurations, does not appear in the Configuration Manager Documentation Library on the product DVD:

  • The free disk space requirement for client hardware requirements was previously listed as 100 MB minimum. In the updated version, the free disk space requirement is as follows:

    • 350 MB minimum for a new installation

    • 265 MB minimum to upgrade an existing client (by default, the temporary program download folder on clients is preconfigured at client installation to automatically increase to 5 GB if necessary and if 5 GB or more is available.)

  • Installing the Configuration Manager 2007 console on computers running any site system role except the site server is not supported.

  • The following configuration items included in Configuration Manager 2007 will not function properly on Microsoft Windows Mobile 6 platform devices because of changes in the configuration service providers shipped in Windows Mobile 6:

    • Dial Up Network does not work.

    • WiFi Settings does not support Connects to (DestID) set to The Internet with This is a device-to-device (ad-hoc) connection selected if Authentication type is Shared and Encryption type is Disabled.

    • WiFi Settings cannot be set to Encryption type equals WEP if the Authentication type is set to WPA PSK.

    • Some configuration service providers shipping with Windows Mobile 6 do not have corresponding configuration items in Configuration Manager 2007 and so are not supported using Settings Manager. This includes settings such as enabling or disabling bluetooth, IRDa, and camera, in addition to the encryption settings enabled by Windows Mobile 6.

The online version of the supported configurations topic will be updated periodically at


The procedure to upgrade from Systems Management Server (SMS) 2003 is available in "Configuration Manager Upgrade Checklist" in Help and on Microsoft TechNet. The SMS 2003 site must be running at least SMS 2003 SP2.

Upgrading from pre-release versions of Configuration Manager 2007 is not supported.

The following section contains additional information not included in the Configuration Manager Upgrade Checklist:

  • If you are doing an unattended upgrade, you must first download the prerequisite files using Setup /download <path> and then on the command line, provide both the product ID key and the download path for the prerequisite files.

For the most recent information about changes to the upgrade checklist, see the version on Microsoft TechNet

Known Issues with System Center Configuration Manager 2007

The following sections provide the most up-to-date information about issues with Configuration Manager 2007. These issues do not appear in the product documentation and in some cases may contradict existing product documentation. Whenever possible, these issues will be addressed in later releases.

Cannot display the Configuration Manager 2007 Documentation link on the Start page

If you run splash.hta from a UNC path on a computer running Microsoft Windows Server 2003 SP1, the content for Configuration Manager 2007 Documentation might not be displayed. This is because Windows Server 2003 SP1 includes changes to the InfoTech protocol. For more information, see

WORKAROUND    Copy the file \smssetup\help\smswrapper.chm to your local hard drive and run the file locally.

If you capture all user profiles with standard options, you must restore local computer user profiles

In Task Sequence Editor, if you add a step for Capture User State and select Capture all user profiles with standard options, but do not select the option to Restore local computer user profiles in the in the Restore User State step, the task sequence will fail because Configuration Manager 2007 cannot migrate the new accounts without assigning them passwords. Also, if you use the New Task Sequence Wizard and create a task sequence to Install an exiting image package, the resulting task sequence defaults to Capture all user profiles with standard options, but does not select the option to Restore local computer user profiles.

WORKAROUND    Select Restore local computer user profiles and provide a password for the account to be migrated. In a manual task sequence, this setting is found under the Restore User State step. In a task sequence created by the New Task Sequence Wizard, this setting is found under the step Restore User Files and Settings.

If you have no local user accounts, this does not apply.

Extend Active Directory schema for Configuration Manager 2007 if Internet-based clients will be managed on both the Internet and the intranet.

If Internet-based clients will be managed on both the Internet and the intranet, extend the Active Directory Domain Services (AD DS) schema for Configuration Manager 2007. Managing Internet-based clients in this scenario without schema extensions is not supported.


Hash value errors when creating task sequences

If you are not an administrator on the computer where you are running the Configuration Manager 2007 console, you will get the error "The hash value is not correct" when trying to create task sequence media.

WORKAROUND    Use an account that is an administrator on the Configuration Manager 2007 console computer when creating task sequence media.

Boot image changes are not updated during scheduled updates

If you modify the Windows PE tab in boot image properties, such as adding drivers or enabling command support, the changes are not updated during scheduled updates.

WORKAROUND    When you make a change to the Windows PE tab, either click Yes in the Distribution Point Update Required dialog box to update distribution points immediately, or manually update the distribution points by right-clicking the boot image and clicking Update Distribution Points.

In large enterprise environments, CAL reports can take several minutes to generate

Because of data volume and database architecture, Client Access License (CAL) reports might take several minutes to run. For example, run times between five and ten minutes are not unusual, depending on server load and the amount of data.


Default collections will change Device Management Feature Pack collection criteria

When you upgrade an SMS 2003 site with the Device Management Feature Pack to Configuration Manager 2007, or you upgrade the parent of an SMS 2003 site with the Device Management Feature Pack, the default collections for All Windows Mobile Devices, and All Windows Mobile Pocket PC 2003 Devices are upgraded to use the new membership selection queries included with Configuration Manager 2007. When this happens, all of the SMS 2003 Device Management Feature Pack clients are dropped from the collections, because of a change in the query.

WORKAROUND    Before upgrading, in all SMS 2003 sites with Device Management Feature Pack installed on them, create new collections with different names that use same query as the default Device Management Feature Pack collections. Verify that all SMS 2003 mobile device clients are members of the collections before upgrading to Configuration Manager 2007. If you have a child site with the Device Management Feature Pack that will not upgrade to Configuration Manager 2007, you should also modify your advertisements to use the newly created collections. After the mobile device client is upgraded to Configuration Manager 2007, the mobile devices appear in the Configuration Manager 2007 default collections.

The Configuration Manager backup task might fail if the site database is hosted on a clustered SQL Server

The backup service must connect to the registry on all of the nodes of the cluster using the site server computer$ account. If you do not have a service principal name (SPN) configured and have Kerberos authentication enabled on the cluster instance, the backup task will fail.

WORKAROUND    Configure an SPN for the Microsoft SQL Server site database server and enable Kerberos authentication on the cluster instance. For more information, see the topic "How to Configure an SPN for SQL Server Site Database Servers" in the Web version of the Configuration Manager Documentation Library. If you need the SPN procedure in a language other than English, you can follow the similar procedure in and use the automatic translation service. For more information about applying Kerberos authentication in a clustered environment, see the Windows Server TechCenter.

Downloading large software update files might fail

If you run the Configuration Manager 2007 console on computers running Windows Server 2003 or Microsoft Windows XP, downloading large software updates might fail because of a known issue with operating systems earlier than the Windows Vista operating system. For example, when you use the Download Updates Wizard, Deploy Software Updates Wizard, or Updates List Wizard to download a large service pack, you might see the error "invalid certificate signature" on the confirmation page of the wizard.

WORKAROUND    Do one of the following:

  • Close the Download Updates Wizard, restart the Configuration Manager 2007 console, and attempt to download the large update again.

  • Run the Configuration Manager 2007 console on a computer running Windows Vista.

State message backlogs can create reporting delays

While it is normal to have some backlog as Configuration Manager 2007 processes state messages, a large and persistent backlog can prevent Configuration Manager 2007 from reporting critical information. Several features rely on state message information, such as software updates, desired configuration management, Asset Intelligence, and client deployment. Backlogs of state messages can develop for several reasons. The following activities generate significant numbers of state messages.

  • Client deployment

  • Initial software update scans after client installation

  • Software update scans during the regular security update release on the second Tuesday of the month

  • Asset Intelligence Client Access License (CAL) data collection

  • Client resynchronization

WORKAROUND    To reduce the changes of developing a large backlog:

  • Do not deploy clients using the Configuration Manager 2007 software updates feature at the same time you are deploying large numbers of security updates, for example on or around the second Tuesday of the month.

  • Limit the number of clients deployed at any one time. For example, use the Client Push Installation Wizard instead of enabling site-wide client push.

  • Do not configure the Asset Intelligence CALCollectionFrequencyDays more frequently than the default (one time per week), and set the CALCollectionType to only the minimum data required. For more information, see "About enabling Asset Intelligence Data Collection" in the Configuration Manager Documentation Library.

  • If using the desired configuration management feature, limit the number of configuration baselines per client and the number of configuration items per configuration baseline.

If you develop a significant backlog, it can be difficult for Configuration Manager 2007 to recover. Monitor the files in the inbox\incoming or use the Configuration Manager 2007 Management Pack for Operations Manager 2007 to monitor the SMS Inboxes counter. If you have child sites sending up state messages, you can monitor\incoming for backlogs.

If you determine that you have a significant backlog and it does not resolve itself over time, take action to reduce the number of state messages generated. For example, disable the Software Updates Client Agent or the Desired Configuration Management Client Agent until the backlog subsides, or disable Asset Intelligence CAL data collection, or temporarily stop client deployment.

Asset Intelligence cannot report the license channel correctly on applications that use ProductID to identify versions

When viewing Asset Intelligence reports License 01A, 01B, 01C, or 01D, the license channel information might not report correctly for some older applications, depending on how the application stores product ID information in the registry. For example, an enterprise that uses select Volume License Key editions might appear to have retail versions. This problem typically affects older products that use the ProductID instead of the DigitalProductID registry value.

WORKAROUND    There is no way to incorporate the correct information into the Configuration Manager 2007 Asset Intelligence reports. If you want to verify the versions, however, you can look at the Product ID in the registry of clients you suspect are reporting incorrect sales channel information. The ProductID registry entry for a software product is located in the system registry hive under the Registration subkey for the product. The ProductId registry entry for an operating system is located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

When you locate the value ProductID, in the data, note the group of numbers after the first dash and match it to the following table of common channel IDs. For example, if the ProductID is 73931-640-2474146-57484, locate 640 in the following table.


ID Description






SELECT (Network installation) [Volume License Key]






SELECT [Volume License Key]









365 - 367








471 - 499

Home Use Program (HUP)



630 - 636


640 - 650

OPEN [Volume License Key]


SELECT [Volume License Key]


SELECT [Volume License Key]

700 - 705

Visual Studio .NET

700 - 712

Office XP or Open License

721 - 744

Home Use Program



726 - 736


Changes to the Configuration Manager Documentation Library

Please note the following corrections and clarifications to the Configuration Manager Documentation Library included on this DVD.

Incorrectly documented value for default policy polling interval

The default value for the policy polling interval in the Computer Client Agent Properties: General tab was incorrectly specified as 5 minutes. The correct default value is 60 minutes.

Active Directory Group Policy configuration for software update point-based client installation and software updates

To install clients using the software update point-based client installation method, you must use the software update point in the client's assigned site. Additionally, the Active Directory Group Policy setting for the option Specify intranet Microsoft update service location must use the server name format as configured in Configuration Manager (short name or FQDN) and the port number. For example, if the site system with the software update point installed is configured to use an FQDN, the entry might look like this: For more information, see the updated version of "How to Install Clients Using Software Update Point Based Installation" on TechNet. (

Incorrectly documented setting for Active Directory publishing

The original version of the Library incorrectly states that publishing site information to Active Directory Domain Services is not enabled by default. The topic "How to Publish Configuration Manager Site Information to Active Directory Domain Services" has been updated with the following information:

"During Configuration Manager primary site setup, the Active Directory schema is queried to determine if it has been extended for Configuration Manager. If the schema has been extended for Configuration Manager, the site will be automatically configured to publish site information and will publish site information to Active Directory Domain Services at the completion of setup. If the Active Directory schema has not been extended for Configuration Manager, the site will not be configured to publish site data to Active Directory Domain Services."

The report License 06A was removed from the Asset Intelligence reports

Ignore references to the report License 06A - Processor Counts for Per-Processor Licensed Products in the topics "About Client Access License Reports" and "Asset Intelligence License Management Reports."

Corrections to mobile device client certificate requirements for native mode

The Configuration Manager 2007 enroller.exe program uses the Authenticated Session certificate template when enrolling a user authentication certificate. This template must be loaded on the certification authority (CA) or enroller.exe will fail to enroll a certificate even if another qualified certificate template is available. The user authentication certificate enrolled by enroller.exe will be stored in the personal store on the mobile device. Additional certificate requirements:

  • The Enhanced Key Usage value must contain Client Authentication (

  • The maximum supported key length for the certificate is 2048 bits

  • Certificates must be in Distinguished Encoding Rules (DER) encoded binary X.509 format. Base64 encoded X.509 format is not supported for mobile device management.

Incorrectly documented command line for manual key exchange

In the topic "How to Manually Exchange Public Keys Between Sites," in "To manually transfer the child site public key to the parent site", step 3 should read as follows.

"The Preinst /keyforparent command places the public key of the child site in the <site code>.CT4 file located at the root of the system drive."

Incorrectly documented SMB port

In the topic "Ports used by Configuration Manager," several SMB ports were incorrectly listed as 389. The correct SMB port is 445.

Additional Changes

Many other topics were added or updated on the Web. To see the full list of significant changes made to the Web version of the content, see the topic "What's New in the Configuration Manager Documentation Library" on Microsoft TechNet in the System Center Configuration Manager TechCenter (

Release Notes for Configuration Manager 2007 Inventory Tool for Microsoft Updates

Before You Install

For the very latest information on the Configuration Manager 2007 Inventory Tool for Microsoft Updates, see the Configuration Manager 2007 product home page at When you are ready to install and configure the Inventory Tool for Microsoft, read the Deployment Guide for Microsoft Configuration Manager 2007 Inventory Tool for Microsoft Updates.

Windows Update Catalog Entries

The Microsoft Update catalog supports security updates, critical updates, update rollups, and service packs for the following Microsoft products:

  • Microsoft Windows XP Embedded support

  • Windows 64-bit edition support

  • Microsoft Office XP and later

  • Microsoft Exchange Server 2000 and later

  • Microsoft Windows 2000 Service Pack 4 and later

  • All Windows components (such as Microsoft XML Parser (MSXML), Microsoft Data Access Components (MDAC), Microsoft Virtual Machine, etc.)

  • Microsoft SQL Server 2000 Service Pack 4 and later

  • Additional products, as published to Microsoft Update

Before you apply Microsoft Office updates, you must have installed Microsoft Office XP with Service Pack 3 or higher.

Automatic Updates Service Dependency

The Windows Update Agent used with the Configuration Manager 2007 Inventory Tool for Microsoft Updates has a dependency on the Automatic Updates service. Do not disable this service or prevent it from running. The Startup Type for this service should be Automatic or Manual. If you want to prevent users from installing updates from the Windows Update Web site, you can use the following Group Policy settings:

  • Disable Configure Automatic Updates under Computer Configuration\Administrative Templates\Windows Components\Windows Update.

  • Enable Remove links and access to Windows Update under User Configuration\Administrative Templates\Start Menu and Start Bar.

  • Enable Hide the "Add programs from Microsoft" option under User Configuration\Administrative Templates\Control Panel\Add or Remove Programs.

Do not enable Remove access to use all Windows Update features under User Configuration\Administrative Templates\Windows Components\Windows Update.

Software Update Installation Triggers a Scan of the Client Computer Using the Local, Cached Version of the Scan Tool and Catalog and Not Necessarily the Latest Version on the Distribution Points

When you deploy software updates prior to running a scan, especially in the case of a newly released catalog of updates, the update installation agent of the Advanced Client will perform a scan prior to deploying updates. However, the scan will be performed with the most recent, cached version of the scan tool and catalog in VPCache folder and not for an updated scan tool or catalog on the distribution points (as in the case of a recent synchronization of the latest catalog).

WORKAROUND    To work around this issue, a full scan from the advertised scan tool program must take place on a client computer to ensure that the latest scan tool and catalog is in the client cache prior to software update deployments. Otherwise, the latest software updates might not be installed because they are not applicable according to the last cached version of the scan tool and Microsoft Update catalog.

Windows Update Agent Setup Might Not Register Microsoft XML Parser 3.0

Windows Update Agent Setup might not register Microsoft XML Parser (MSXML) 3.0, resulting in scan failure. Scan failure is logged in WindowsUpdate.log in the Windows folder with an entry similar to the following:

Parse of package.xml failed with 0x80004002.

WORKAROUND    Perform one of the following actions:

  1. Manually register MSXML 3.0 by running the following command:

    regsvr32.exe %windir%\system32\msxml3.dll

  2. Install MSXML 3.0 Service Pack 4, available from the Microsoft Download Center Web site (

Antivirus Products Might Cause High CPU Usage

After you install the Configuration Manager 2007 Inventory Tool for Microsoft Updates, some antivirus products might cause 100 percent CPU usage for a sustained period of time while decompressing and scanning the file used by the inventory tool.

WORKAROUND    If the CPU usage is unacceptably high, you can reconfigure your antivirus scanner. The following workarounds are presented in the recommended order, from lowest risk to highest risk. Choose the option that best fits your risk profile and the configuration options for your antivirus scanner.

  • Option 1: Exclude scanning for the and files. Because these files contain several other files, excluding these file names might not be sufficient to significantly reduce the high CPU use unless you can also specify to exclude their contents.

  • Option 2: Add a detection exclusion for .cab files. If a virus is present in a .cab file, it should be detected when the file is uncompressed.

  • Option 3: Disable the option to scan inside archives, which prevents scanning compressed archives. If a virus is present in a .cab file, it should be detected when the file is uncompressed.

  • Option 4: Disable the option to scan the folders where the file is copied, which are in the following locations on the client:

    1. %windir%\SoftwareDistribution\Scanfile and all its subfolders.

    2. The SMS client cache folder, in %windir%\system32\CCM\Cache by default.

    3. The Package ID folder for the inventory tool in %windir%\system32\VPCache.

Release Notes Copyright Information

Information in this document, including URL and other Internet Web site references, is subject to change without notice, and is provided for informational purposes only. The entire risk of the use or results of the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows Server, Windows Vista, Active Directory, and ActiveSync are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email