Review the following sections for some frequently asked
questions about System Center 2012
Configuration Manager:
The following frequently asked questions relate to the
Configuration Manager console and collections.
Does the Configuration Manager console
support a 64-bit operating system?
Yes. The Configuration Manager console is a 32-bit
program that can run on a 32-bit version of Windows and on a 64-bit
version of Windows.
What is a limiting collection and why
would I use it?
In System Center 2012
Configuration Manager, all collections must be limited to the
membership of another collection. When you create a collection, you
must specify a limiting collection. A collection is always a subset
of its limiting collection. For more information, see How to Create
Collections in Configuration Manager.
Can I include or exclude the members of
another collection from my collection?
Yes. System Center 2012
Configuration Manager includes two new collection rules, the
Include Collections rule and the Exclude Collections
rule that allow you to include or exclude the membership of
specified collections. For more information, see How to Create
Collections in Configuration Manager.
Are incremental updates supported for all
collection types?
What is the All Unknown Computers
collection?
The All Unknown Computers collection contains
two objects that represent records in the Configuration Manager
database so that you can deploy operating systems to computers that
are not managed by Configuration Manager, and so are unknown to
Configuration Manager. These computers can include the
following:
- A computer where the Configuration Manager
client is not installed
- A computer that is not imported into
Configuration Manager
- A computer that is not discovered by
Configuration Manager
For more information about how to deploy operating
systems to unknown computers, see How to Manage Unknown
Computer Deployments in Configuration Manager.
Why does Install Client from the ribbon
install the client to the whole collection when I’ve selected a
single computer but installs to the selected computer only if I
right-click the computer and then select Install Client?
If you choose Install Client from the ribbon
when the Collection ribbon tab is selected, the client
installs to all computers in the collection rather than to just the
selected computer. To install the client to just the selected
computer, click the Home tab on the ribbon before you click
Install Client from the ribbon, or use the right-click
option.
How can I create a collection that
contains only Mac computers, or only Linux servers?
How can I create a collection of Windows
8 computers that are Always On Always Connected capable?
For Configuration Manager SP1 only:
Create a collection with a query-based rule. Query the
attribute class System Resource and the attribute
Connected Standby Capable = Yes to return computers
that are Always On Always Connected capable.
Why does the Configuration Manager
console use HTTP to the Internet and what would stop working if
this is blocked by my firewall?
The Configuration Manager console uses HTTP to the
Internet in two scenarios:
- When you use the geographical view from the
Site Hierarchy node in the Monitoring workspace,
which uses Internet Explorer to access Bing Maps.
- When you use the Configuration Manager help
file and click a link to view or search for information on
TechNet.
If you do not require these functions, your firewall
can block HTTP connections from the console without additional loss
of functionality to Configuration Manager.
For more information about the geographical view, see
the About the
Site Hierarchy Node section in the Monitor Configuration
Manager Sites and Hierarchy topic.
The following frequently asked questions relate to
sites and hierarchies in Configuration Manager.
Are there new Active Directory schema
extensions for System Center 2012 Configuration
Manager?
No. The Active Directory schema extensions for
System Center 2012 Configuration Manager are
unchanged from those used by Configuration Manager 2007. If you
extended the schema for Configuration Manager 2007, you do not need
to extend the schema again for System Center 2012
Configuration Manager or System Center 2012
Configuration Manager SP1.
Where is the documentation for
Setup?
Can I upgrade a prerelease version of
System Center 2012 Configuration Manager to the
released version?
No. Unless you were in a prerelease program that was
supported by Microsoft (such as the Technology Adoption Program or
the Community Evaluation Program) there is no supported upgrade
path for prerelease versions of System Center 2012
Configuration Manager. For more information, see the Release Notes for System Center 2012
Configuration Manager.
Can I manage SMS 2003 clients with System
Center 2012 Configuration Manageror migrate SMS 2003 sites and
clients to System Center 2012 Configuration Manager?
No. SMS 2003 sites and SMS 2003 clients are
not supported by System Center 2012
Configuration Manager. You have two choices to move these
sites and clients to System Center 2012
Configuration Manager:
- Upgrade SMS 2003 sites and clients to
Configuration Manager 2007 SP2, and then migrate them to
System Center 2012 Configuration Manager.
- Uninstall SMS 2003 sites and clients and
then install System Center 2012
Configuration Manager sites and clients.
For more information about supported upgrade paths, see
the
Supported Upgrade Paths section in the Supported Configurations
for Configuration Manager topic.
For more information about migrating Configuration
Manager 2007 to System Center 2012
Configuration Manager, see the Migrating Hierarchies in
System Center 2012 Configuration Manager guide.
Can I upgrade an evaluation version of
System Center 2012 Configuration Manager?
Have the site types changed from
Configuration Manager 2007?
System Center 2012 Configuration Manager
introduces changes to both primary and secondary sites while the
central administration site is new site type. The central
administration site replaces the primary site referred to as a
central site as the top-level site of a multi-primary site
hierarchy. This site does not directly manage clients but does
coordinate a shared database across your hierarchy, and it is
designed to provide centralized reporting and configurations for
your entire hierarchy.
Can I join a pre-existing site to another
site in System Center 2012
Configuration Manager?
In System Center 2012
Configuration Manager with no service pack, you cannot change
the parent relationship of an active site. You can only add a site
as a child of another site at the time you install the new site.
Because the database is shared between all sites, joining a site
that has already created default objects or that has custom
configurations can result in conflicts with similar objects that
already exist in the hierarchy.
However, in System Center 2012
Configuration Manager SP1, you can expand a stand-alone
primary site into a hierarchy that includes a new central
administration site. For more information, see the Planning
to Expand a Stand-Alone Primary Site section in the Planning for Sites and
Hierarchies in Configuration Manager topic.
Why can’t I install a primary site as a
child of another primary site as I did in Configuration Manager
2007?
With System Center 2012
Configuration Manager, primary sites have changed to support
only secondary sites as child sites, and the new central
administration site as a parent site. Unlike Configuration Manager
2007, primary sites no longer provide a security or configuration
boundary. Because of this, you should only need to install
additional primary sites to increase the maximum number of clients
your hierarchy can support, or to provide a local point of contact
for administration.
Why does Configuration Manager require
SQL Server for my secondary site?
In System Center 2012
Configuration Manager, secondary sites require either
SQL Server, or SQL Server Express to support
database replication with their parent primary site. When you
install a secondary site, Setup automatically installs
SQL Server Express if a local instance of SQL Server
is not already installed.
What is database replication?
Database replication uses SQL Server to quickly
transfer data for settings and configurations to other sites in the
Configuration Manager hierarchy. Changes that are made at one site
merge with the information stored in the database at other sites.
Content for deployments, and other file-based data, still replicate
by file-based replication between sites. Database replication
configures automatically when you join a new site to an existing
hierarchy.
How can I monitor and troubleshoot
replication in Configuration Manager?
What is Active Directory forest
discovery?
Active Directory Forest discovery is a new discovery
method in System Center 2012 Configuration Manager
that allows you to discover network locations from multiple Active
Directory forests. This discovery method can also create boundaries
in Configuration Manager for the discovered network locations and
you can publish site data to another Active Directory forest to
help support clients, sites, and site system servers in those
locations.
Can I provide clients with unique client
agent configurations without installing additional sites?
Yes. System Center 2012
Configuration Manager applies a hierarchy-wide set of default
client settings (formerly called client agent settings) that you
can then modify on clients by using custom client settings that you
assign to collections. This creates a flexible method of delivering
customized client settings to any client in your hierarchy,
regardless of the site it is assigned to, or where it is located on
your network. For more information, see How to Configure Client
Settings in Configuration Manager.
Can a site or hierarchy span multiple
Active Directory forests?
Configuration Manager supports site-to-site (intersite)
communication when a two-way forest trust exists between the
forests. Within a site, Configuration Manager supports placement of
site system roles on computers in an untrusted forest.
Configuration Manager also supports clients that are in a different
forest from their site’s site server when the site system role that
they connect to is in the same forest as the client. For more
information, see the Planning
for Communications Across Forests in Configuration Manager
section in the Planning for
Communications in Configuration Manager topic.
To
support computers in an untrusted forest, do I have to create a new
primary site and configure a two-way forest trust?
No. Because System Center 2012
Configuration Manager supports installing most site system
roles in untrusted forests, there is no requirement to have a
separate site for this scenario, unless you have exceeded the
maximum number of supported clients for a site. For more
information about communications across forests, see the Planning
for Communications Across Forests in Configuration Manager
section in the Planning for
Communications in Configuration Manager topic. For more
information about the number of computers that are supported, see
the Site
and Site System Role Scalability section in the Supported Configurations
for Configuration Manager topic
Tip |
The Application Catalog web service role and the enrollment
point must be installed in the same forest as the site server. In
this case, you can install the Application Catalog website point
and the enrollment proxy point in the other forest, and these site
system roles communicate with the site by using the Application
Catalog web service role and the enrollment point, respectively.
After these site system roles are installed in the other forest,
they communicate with their counterpart role by using certificates
(self-signed or PKI). For more information about how this
communication is secured, see the “Cryptographic Controls for
Server Communication” section in the Technical Reference for
Cryptographic Controls Used in Configuration Manager
topic. |
How do clients find management points and
has this changed since Configuration Manager 2007?
System Center 2012 Configuration Manager
clients can find available management points by using the
management point that you specify during client deployment, Active
Directory Domain Services, DNS, and WINS. Clients can connect to
more than one management point in a site, always preferring
communication that uses HTTPS, when this is possible because the
client and management point uses PKI certificates.
There are some changes here since Configuration Manager
2007, which accommodate the change that clients can now communicate
with more than one management point in site, and that you can have
a mix of HTTPS and HTTP site system roles in the same site.
For more information, see the
Planning for Service Location by Clients section in the
Planning for
Communications in Configuration Manager topic.
How do I configure my sites for
native-mode?
System Center 2012 Configuration Manager
has replaced the native mode site configuration in Configuration
Manager 2007 with individual site system role configurations that
accept client communication over HTTPS or HTTP. Because you can
have site system roles that support HTTPS and HTTP in the same
site, you have more flexibility in how you introduce PKI to secure
the intranet client endpoints within the hierarchy. Clients over
the Internet and mobile devices must use HTTPS connections.
For more information, see the
Planning a Transition Strategy for PKI Certificates and
Internet-Based Client Management section in the Planning for Security in
Configuration Manager topic.
Where are the supported scenarios and
network diagrams for Internet-based client management that you had
for Configuration Manager 2007?
Unlike Configuration Manager 2007, there are no design
restrictions to support clients on the Internet, providing you meet
the requirements in the
Planning for Internet-Based Client Management section in the
Planning for
Communications in Configuration Manager topic. Because of the
following improvements, you can more easily support clients on the
Internet to fit your existing infrastructure:
- The whole site does not have to be using
HTTPS client connections
- Support for installing most site system roles
in another forest
- Support for multiple management points in a
site
If you use multiple management points and dedicate one
or more for client connections from the Internet, you might want to
consider using database replicas for management points. For more
information, see Configure Database
Replicas for Management Points.
Do
I have to configure my site for Internet-based client management
before I can use cloud-based distribution points in
Configuration Manager SP1?
No. Although both configurations use the Internet, they
are independent from each other. Clients on the intranet can use
cloud-based distribution points and these clients do not require a
PKI client certificate. However, you still require PKI certificates
if you want to use cloud-based distribution points; one for the
Windows Azure management certificate that you install on the site
system server that hosts the cloud-based distribution points, and
one for the cloud-based distribution point service certificate that
you import when you configure the cloud-based distribution
point.
For more information about the PKI certificate
requirements for Internet-based client management and for
cloud-based distribution points, see PKI Certificate
Requirements for Configuration Manager.
For more information about cloud-based distribution
points, see the Planning
for Cloud-Based Distribution Points section in the Planning for Content
Management in Configuration Manager topic.
Why isn’t the site system role that I
want available in the Add Site System Roles Wizard?
Configuration Manager supports some site system roles
only at specific sites in a hierarchy, and some site system roles
have other limitations as to where and when you can install them.
When Configuration Manager does not support the installation of a
site system role, it is not listed in the wizard. For example, the
Endpoint Protection point cannot be installed in a secondary site,
or in a primary site if you have a central administration site. So
if you have a central administration site, you will not see the
Endpoint Protection point listed if you run the Add Site System
Roles Wizard on a primary site.
Other examples include you cannot add a second
management point to a secondary site, and you cannot add a
management point or distribution point to a central administration
site.
In addition, in Configuration Manager SP1, you do
not see the Windows Intune connector listed as an available
site system role until you have created the Windows Intune
subscription. For more information about how to create the
subscription, see How to Manage Mobile
Devices by Using the Windows Intune Connector in Configuration
Manager.
For more information about which site system roles can
be installed where, see the
Planning Where to Install Sites System Roles in the Hierarchy
section in the Planning for Site
Systems in Configuration Manager topic.
Where do I configure the Network Access
Account?
Use the following procedure to configure the Network
Access Account:
How to configure the Network
Access Account for a site
-
In the Administration workspace, expand Site
Configuration, click Sites, and then select the
site.
-
On the Settings group, click Configure Site
Components, and then click Software Distribution.
-
Click the Network Access Account tab, configure
the account, and then click OK.
What High Availability does Configuration
Manager have?
The following frequently asked questions relate to
migrating Configuration Manager 2007 to
System Center 2012 Configuration Manager.
What versions of Configuration Manager,
or Systems Management Server are supported for migration?
The version of System Center 2012
Configuration Manager that you use to run migration determines
the versions of Configuration Manager 2007 or
System Center 2012 Configuration Manager that are
supported for migration:
- When you use System Center 2012
Configuration Manager with no service pack, Configuration
Manager 2007 sites with SP2 are supported for migration.
- When you use System Center 2012
Configuration Manager with SP1, Configuration Manager 2007
sites with SP2 and System Center 2012
Configuration Manager sites with SP1 are supported for
migration.
Configuration Manager hierarchies that have data you
want to migrate are called source hierarchies. The Configuration
Manager hierarchy you re migrating data into, is called the
destination hierarchy.
For more information about prerequisites for Migration,
see Prerequisites for
Migration in System Center 2012 Configuration Manager.
Can I use Configuration Manager SP1
to migrate my existing System Center 2012 Configuration Manager
hierarchy with no service pack to a new Configuration Manager SP1
hierarchy?
No. The new functionality in Configuration
Manager SP1 supports migration from an existing Configuration
Manager SP1 hierarchy to another Configuration
Manager SP1 hierarchy, in addition to supporting migration
from Configuration Manager 2007 SP2 to Configuration
Manager SP1.
For more information about the new migration
functionality, see Introduction to
Migration in System Center 2012 Configuration Manager.
Why can’t I upgrade my existing
Configuration Manager 2007 sites to System Center 2012
Configuration Manager sites?
Several important changes introduced with
System Center 2012 Configuration Manager prevent an
in-place upgrade; however, System Center 2012
Configuration Manager does support migration from
Configuration Manager 2007 with a side-by-side deployment. For
example, System Center 2012 Configuration Manager is
native 64 bit application with a database that is optimized for
Unicode and that is shared between all sites. Additionally, site
types and site relationships have changed. These changes, and
others, mean that many existing hierarchy structures cannot be
upgraded. For more information, see Migrating Hierarchies in
System Center 2012 Configuration Manager.
Do
I have to migrate my entire Configuration Manager 2007
hierarchy or System Center 2012 Configuration Manager hierarchy at
one time?
Typically, you will migrate data from a Configuration
Manager 2007 or System Center 2012
Configuration Manager hierarchy (the source hierarchy) over a
period of time that you define. During the period of migration, you
can continue to use your source hierarchy to manage clients that
have not migrated to your new System Center 2012
Configuration Manager hierarchy (the destination hierarchy).
Additionally if you update an object in the source hierarchy after
you have migrated that object to your destination hierarchy, you
can re-migrate that object again up until you decide to complete
your migration.
After I migrate software and packages
from a Configuration Manager 2007 hierarchy, do I have to use the
new application model?
When you migrate a Configuration Manager 2007 package
to System Center 2012 Configuration Manager, it
remains a package after migration. If you want to deploy the
software and packages that migrate from your Configuration Manager
2007 hierarchy by using the new application model, you can use
Microsoft System Center Configuration Manager Package Conversion
Manager to convert them into System Center 2012
Configuration Manager applications. For more information, see
Configuration Manager Package
Conversion Manager.
Why can’t I migrate inventory history or
compliance data for my clients?
This type of information is easily recreated by an
active client when it sends data to its new site in the destination
hierarchy. Typically, it is only the current information from each
client that provides useful information. To retain access to
historical inventory information you can keep a Configuration
Manager 2007 or System Center 2012
Configuration Manager source site active until the historical
data is no longer required.
Why must I assign a site in my new
hierarchy as a content owner for migrated content?
When you assign a site in the destination hierarchy to
own the content, you are selecting the site that maintains that
content in the destination hierarchy. Because the site that owns
the content is responsible for monitoring the source files for
changes, plan to specify a site that is near to the source file
location on the network.
When you migrate content between a source and
destination hierarchy, you are really migrating the metadata about
that content. The content itself might remain hosted on a shared
distribution point during migration, or on a distribution point
that you will upgrade or reassign to the destination hierarchy.
What are shared distribution points and
why can’t I use them after migration has finished?
Shared distribution points are distribution points at
sites in the source hierarchy that can be used by clients in the
destination herarchy during the migration period. A distribution
point can be shared only when the source hierarchy that contains
the distribution point remains the active source hierarchy and
distribution point sharing is enabled for the source site that
contains the distribution point. Sharing distribution points ends
when you complete migration from the source hierarchy.
How can I avoid redistributing content
that I migrate to a System Center 2012
Configuration Manager hierarchy?
System Center 2012 Configuration Manager
can upgrade supported distribution points from Configuration
Manager 2007 source hierarchies, and reassign supported
distribution points from System Center 2012
Configuration Manager source hierarchies. When you upgrade or
reassign a shared distribution point, the distribution point site
system role and the distribution point computer are removed from
the source hierarchy, and installed as a distribution point at a
site you select in the destination hierarchy. This process allows
you to maintain your existing distribution points with minimal
effort or disruption to your network. For more information, see
Planning a
Content Deployment Migration Strategy in System Center 2012
Configuration Manager.
You can also use the prestage option for
System Center 2012 Configuration Manager
distribution points to reduce the transfer of large files across
low-bandwidth network connections. For more information, see the
Prestaging
Content section in the Introduction to Content
Management in Configuration Manager topic.
Can I perform an in-place upgrade of a
Configuration Manager 2007 distribution point (including a branch
distribution point) to a System Center 2012
Configuration Manager distribution point?
You can perform an in-place upgrade of a Configuration
Manager 2007 distribution point that preserves all content during
the upgrade. This includes an upgrade of a distribution point on a
server share, a branch distributing point, or standard distribution
point.
Can I perform an in-place upgrade of a
Configuration Manager 2007 secondary site to a
System Center 2012 Configuration Manager
distribution point?
You can perform an in-place upgrade of a Configuration
Manager 2007 secondary site to a System Center 2012
Configuration Manager distribution point. During the upgrade,
all migrated content is preserved.
What happens to the content when I
upgrade a Configuration Manager 2007 secondary site or distribution
point to a System Center 2012 Configuration Manager
distribution point?
During the upgrade to a System Center 2012
Configuration Manager distribution point, all migrated content
is copied and then converted to the single instance store. When you
migrate to a hierarchy that runs System Center 2012
Configuration Manager with no service pack, the original
Configuration Manager 2007 content remains on the server until it
is manually removed. However, when you migrate to a hierarchy that
runs System Center 2012
Configuration Manager SP1, the original Configuration
Manager 2007 content is removed after the copy of the content is
converted.
Can I combine more than one Configuration
Manager 2007 or System Center 2012 Configuration Manager
hierarchy in a single System Center 2012 Configuration Manager
hierarchy?
You can migrate data from more than one source
hierarchy, and the source hierarchies do not need to be the same
version as each other. This means you can migrate from one or more
Configuration Manager 2007 hierarches, one or more
System Center 2012 Configuration Manager
hierarchies, and from one or more hierarchies that each run a
different version of Configuration Manager. However, you can only
migrate from one hierarchy at a time.
You can migrate the hierarchies in any order. However,
you cannot migrate data from multiple hierarchies that use the same
site code. If you try to migrate data from a site that uses the
same site code as a migrated site, or that uses the same site code
as a site in your destination hierarchy, this corrupts the data in
the System Center 2012 Configuration Manager
database.
What Configuration Manager 2007
hierarchy can I use as a source hierarchy?
What objects can I migrate?
The list of objects you can migrate depends on the
version of your source hierarchy. You can migrate most objects from
Configuration Manager 2007 to System Center 2012
Configuration Manager, including the following:
- Advertisements
- Boundaries
- Collections
- Configuration baselines and configuration
items
- Operating system deployment boot images,
driver packages, drivers, images, and packages
- Software distribution packages
- Software metering rules
- Software update deployment packages and
templates
- Software update deployments
- Software update lists
- Task sequences
- Virtual application packages
When you migrate between System Center 2012
Configuration Manager hierarchies, the list is similar, and
includes objects that are only available in
System Center 2012 Configuration Manager, such as
Applications.
For more information, see
Objects That Can Migrate by Migration Job Type
Can I migrate maintenance windows?
Yes. When a collection migrates, Configuration Manager
also migrates collection settings, which includes maintenance
windows and collection variables. However, collection settings for
AMT provisioning do not migrate.
Will advertisements rerun after they are
migrated?
No. Clients that you upgrade from Configuration Manager
2007 will not rerun advertisements that you migrate.
System Center 2012 Configuration Manager retains the
Configuration Manager 2007 Package ID for packages you migrate and
clients that upgrade retain their advertisement history.
The following frequently asked questions relate to
security and role-based administration in Configuration
Manager.
Where is the documentation for role-based
administration?
What is the minimum I have to configure
if I don’t want to use role-based administration while I’m testing
System Center 2012 Configuration Manager?
If you install System Center 2012
Configuration Manager, there is no additional configuration
because the Active Directory user account used to install
Configuration Manager is automatically assigned to the Full
Administrator security role, assigned to All Scopes, and
has access to the All Systems and All Users and User
Groups collections. However, if you want to provide full
administrative permissions for other Active Directory users to
access System Center 2012 Configuration Manager,
create new administrative users in Configuration Manager using
their Windows accounts and then assign them to the Full
Administrator security role.
How can I partition security with System
Center 2012 Configuration Manager?
Unlike Configuration Manager 2007, sites no longer
provide a security boundary. Instead, use role-based administration
security roles to configure the permissions different
administrative users have, and security scopes and collections to
define the set of objects they can view and manage. These settings
can be configured at a central administration site or any primary
site and are enforced at all sites throughout the hierarchy.
Should I use security groups or user
accounts to specify administrative users?
As a best practice, specify a security group rather
than user accounts when you configure administrative users for
role-based administration.
Can I deny access to objects and
collections by using role-based administration?
Role-based administration does not support an explicit
deny action on security roles, security scopes, or collections
assigned to an administrative user. Instead, configure security
roles, security scopes, and collections to grant permissions to
administrative users. If users do not have permissions to objects
by use of these role-based administration elements, they might have
only partial access to some objects, for example they might be able
to view, but not modify specific objects. However, you can use
collection membership to exclude collections from a collection that
is assigned to an administrative user.
How do I find which object types can be
assigned to security roles?
Run the report Security for a specific or multiple
Configuration Manager objects to find the object types that can
be assigned to security roles. Additionally you can view the list
of objects for a security role by viewing the security roles
Properties and selecting the Permissions tab.
Can I use security scopes to restrict
which distribution points are shown in the Distribution Status node
in the Monitoring workspace?
No, although you can configure role-based
administration and security scopes so that administrative users can
distribute content to selected distribution points only,
Configuration Manager always displays all distribution points in
the Monitoring workspace.
The following frequently asked questions relate to
deploying and managing clients on computers and mobile devices in
Configuration Manager.
Does System Center 2012 Configuration
Manager support the same client installation methods as
Configuration Manager 2007?
What’s the minimum permission an
administrative user requires for the Client Push Installation
Wizard?
To install a Configuration Manager client by using the
Client Push Installation Wizard, the administrative user must have
at least the Modify resource permission.
What’s the difference between upgrading
clients by using the supplied package definition file and a package
and program, and using automatic client upgrade that also uses a
package and program?
When you create a package and program to upgrade
Configuration Manager clients, this installation method is designed
to upgrade existing System Center 2012
Configuration Manager clients. You can control which
distribution points hosts the package and the client computers that
install the package. This installation method supports only
System Center 2012 Configuration Manager clients and
cannot upgrade Configuration Manager 2007 clients.
In comparison, the automatic client upgrade method
automatically creates the client upgrade package and program and
this installation method can be used with Configuration Manager
2007 clients as well as System Center 2012
Configuration Manager clients. The package is automatically
distributed to all distribution points in the hierarchy and the
deployment is sent to all clients in the hierarchy for evaluation.
This installation method supports System Center 2012
Configuration Manager clients and Configuration Manager 2007
clients that are assigned to a System Center 2012
Configuration Manager site. Because you cannot restrict which
distribution points are sent the upgrade package or which clients
are sent the deployment, use automatic client upgrade with caution
and do not use it as your main method to deploy the client
software.
For more information, see How to
Upgrade Configuration Manager Clients by Using a Package and
Program and How to
Automatically Upgrade the Configuration Manager Client for the
Hierarchy in the How to Install Clients
on Windows-Based Computers in Configuration Manager topic.
Do
references to “devices” in System Center 2012
Configuration Manager mean mobile devices?
The term “device” in System Center 2012
Configuration Manager applies to a computer or a mobile device
such as a Windows Mobile Phone.
How does System Center 2012 Configuration
Manager support clients in a VDI environment?
Why might there be differences between a
client’s assigned, installed, and resident site values when I look
at the client properties in the Configuration Manager
console?
A client’s assigned site is the primary site that
creates the client policy to manage the device. Clients are always
assigned to primary sites, even if they roam into another primary
site or reside within the boundaries of a secondary site. The
client’s installed site refers to the site that sent the client the
client installation files to run CCMSetup.exe. For example, if you
used the Client Push Installation Wizard, you can specify
Install the client software from a specified site and select
any site in the hierarchy. The resident site refers to the site
that owns the boundaries that the client currently resides in. For
example, this might be a secondary site of the client’s primary
site. Or, it might be another primary site if the client is roaming
and temporarily connected to a network that belongs to another site
in the hierarchy.
Is
it true that System Center 2012 Configuration Manager has a new
client health solution?
Yes, client status is new in
System Center 2012 Configuration Manager and allows
you to monitor the activity of clients and check and remediate
various problems that can occur.
How do I find out what client health
checks Configuration Manager makes and can I add my own?
What improvements have you made for
Internet-based client management?
Configuration Manager contains many improvements since
Configuration Manager 2007 to help you manage clients when they are
on the Internet:
- Configuration Manager supports a gradual
transition to using PKI certificates, and not all clients and site
systems have to use PKI certificates before you can manage clients
on the Internet. For more information, see
Planning a Transition Strategy for PKI Certificates and
Internet-Based Client Management.
- The certificate selection process that
Configuration Manager uses is improved by using a certificate
issuers list. For more information, see Planning
for the PKI Trusted Root Certificates and the Certificate Issuers
List.
- Although deploying an operating system is
still not supported over the Internet, you can deploy generic task
sequences for clients that are on the Internet.
- If the Internet-based management point can
authenticate the user, user polices are now supported when clients
are on the Internet. This functionality supports user-centric
management and user device affinity for when you deploy
applications to users.
- Configuration Manager Internet-based clients
on the Internet first try to download any required software updates
from Microsoft Update, rather than from an Internet-based
distribution point in their assigned site. Only if this fails, will
they then try to download the required software updates from an
Internet-based distribution point.
What is the difference between
Internet-based client management and DirectAccess?
DirectAccess is a Windows solution for managing domain
computers when they move from the intranet to the Internet. This
solution requires the minimum operating systems of Windows
Server 2008 R2 and Windows 7 on clients. Internet-based
client management is specific to Configuration Manager, and it
allows you to manage computers and mobile devices when they are on
the Internet. The Configuration Manager clients can be on workgroup
computers and never connect to the intranet, and they can also be
mobile devices. The Configuration Manager solution works for all
operating system versions that are supported by Configuration
Manager.
Both solutions require PKI certificates on clients and
servers. However, DirectAccess requires a Microsoft enterprise
certification authority, whereas Configuration Manager can use any
PKI certificate that meets the requirements documented in PKI Certificate
Requirements for Configuration Manager.
Not all Configuration Manager features are supported
for Internet-based client management. For more information, see the
Planning for Internet-Based Client Management section in the
Planning for
Communications in Configuration Manager topic. In comparison,
because a client that connects over DirectAccess behaves as if it
is on the intranet, all features, with the exception of deploying
an operating system, are supported by Configuration Manager.
Warning |
Some Configuration Manager communications are server-initiated,
such as client push installation and remote control. For these
connections to succeed over DirectAccess, the initiating computer
on the intranet and all intervening network devices must support
IPv6. |
For support information about how Configuration Manager
supports DirectAccess, see the
DirectAccess Feature Support section in the Supported Configurations
for Configuration Manager topic.
Can I install the Configuration Manager
client on my Windows Embedded devices that have very small
disks?
Where can I find information about
managing vPro computers?
I
want to move my Intel AMT-based computers that I provisioned with
Configuration Manager 2007 to System Center 2012 Configuration
Manager. Can I use the same Active Directory security group,
OU, and web server certificate template?
AMT-based computers that were provisioned with
Configuration Manager 2007 must have their provisioning data
removed before you migrate them to System Center 2012
Configuration Manager, and then provisioned again by
System Center 2012 Configuration Manager. Because of
functional changes between the versions, the security group, OU,
and web server certificate template have different
requirements:
- If you used a security group in Configuration
Manager 2007 for 802.1X authentication, you can continue to use
this group if it is a universal security group. If it is not a
universal group, you must convert it or create a new universal
security group for System Center 2012
Configuration Manager. The security permissions of Read
Members and Write Members for the site server computer account
remain the same.
- The OU can be used without modification.
However, System Center 2012 Configuration Manager no
longer requires Full Control to this object and all child objects.
You can reduce these permissions to Create Computer Objects and
Delete Computer Objects on this object only.
- The web server certificate template from
Configuration Manager 2007 cannot be used in
System Center 2012 Configuration Manager without
modification. This certificate template no longer uses Supply in
the request and the site server computer account no longer
requires Read and Enroll permissions.
For more information about the security group and OU,
see Step 1 in How to Provision and
Configure AMT-Based Computers in Configuration Manager.
For more information about the certificate
requirements, see PKI Certificate
Requirements for Configuration Manager and the example
deployment, Deploying
the Certificates for AMT.
How can I tell which collections of
computers have a power plan applied?
There is no report in System Center 2012
Configuration Manager that displays which collections of
computers have a power plan applied. However, in the Device
Collections list, you can select the Power
Configurations column to display whether a collection has a
power plan applied.
Does wake-up proxy have its own
service?
Yes. Wake-up proxy in Configuration Manager SP1
has its own client service named ConfigMgr Wake-up Proxy that runs
separately from the SMS Agent Host (CCMExec.exe). This service is
installed when a client is configured for wake-up proxy and then
new client checks make sure that this wake-up proxy service is
running and that the startup type is automatic.
Does disabling the wake-up proxy client
setting remove or just stop the wake-up proxy service on
clients?
If you have enabled the wake-up proxy client setting on
Configuration Manager SP1 clients, and then disable it, the
ConfigMgr Wake-up Proxy service is removed from clients.
Why does my first connection attempt for
Remote Desktop always fail to a sleeping a computer when I use
wake-up proxy?
A manager computer for the sleeping computer’s subnet
responds to the first connection attempt and wakes up the sleeping
computer, which then contacts the network switch. After the
computer is awake and the network switch is updated, subsequent
connection attempts will successfully connect to the destination
computer. Most TCP connections automatically retry and you will not
see that the first connection (and possibly additional connections)
time out. For Remote Desktop connections, however, you are more
likely to see an initial failed connection and must manually retry.
For computers that must come out of hibernation, you will probably
experience a longer delay than for computers that are in other
sleep states.
Why don’t clients run scheduled
activities such as inventory, software updates, and application
evaluation and installations at the time I schedule them?
Where is the documentation for the
Configuration Manager client for Mac Computers?
For Configuration Manager SP1 only:
Because the management of computers that run the Mac OS
X operating system is similar to managing Windows-based computers
in System Center 2012 Configuration Manager, there
is no separate documentation section for Mac computers. Instead,
information is integrated throughout the documentation library. For
example, information about how to install the client on Mac
computers is in the Deploying Clients for
System Center 2012 Configuration Manager guide, and information
about how to deploy software to Mac computers is in the Deploying Software and
Operating Systems in System Center 2012 Configuration Manager
guide.
Some of the main topics that contain information about
the Configuration Manager client for Mac computers include the
following:
Where is the documentation for the
Configuration Manager client for Linux and UNIX?
For Configuration Manager SP1 only:
Because the management of computers that run Linux and
UNIX is similar to managing Windows-based computers in
System Center 2012 Configuration Manager, there is
no separate documentation section for Linux and UNIX. Instead,
information is integrated throughout the documentation library. For
example, information about how to install the client on computers
that run Linux or UNIX is in the Deploying Clients for
System Center 2012 Configuration Manager guide, and information
about how to deploy software to computers that run Linux and UNIX
computers is in the Deploying Software and
Operating Systems in System Center 2012 Configuration Manager
guide.
Some of the main topics that contain information about
the Configuration Manager client for Linux and UNIX include the
following:
The following frequently asked questions relate
specifically to mobile devices in Configuration Manager.
Where is the documentation for mobile
devices?
How do I re-enroll mobile devices by
using Configuration Manager?
When the certificate on the mobile device is due for
renewal, users are automatically prompted to accept the new
certificate. When they confirm the prompt, Configuration Manager
automatically re-enrolls their mobile device.
What action must I take if I no longer
want a mobile device enrolled by Configuration Manager?
You must wipe the mobile device if you no longer want
it to be enrolled by System Center 2012
Configuration Manager. When you wipe a mobile device, this
action deletes all data that is stored on the mobile device and on
any attached memory cards. In addition, the certificate that was
issued during enrollment is revoked with the following reason:
Cease of Operation.
If
I wipe a mobile device that is enrolled by Configuration Manager
and discovered by the Exchange Server connector, will it be wiped
twice?
No. In this dual management scenario, Configuration
Manager sends the wipe command in the client policy and by using
the Exchange Server connector, and then monitors the wipe status
for the mobile device. As soon as Configuration Manager receives a
wipe confirmation from the mobile device, it cancels the second and
pending wipe command so that the mobile device is not wiped
twice.
Can I configure the Exchange Server
connector for read-only mode?
Yes, if you only want to find mobile devices and
retrieve inventory data from them as a read-only mode of operation,
you can do this by granting a subset of the cmdlets that the
account uses to connect to the Exchange Client Access server. The
required cmdlets for a read-only mode of operation are as
follows:
- Get-ActiveSyncDevice
- Get-ActiveSyncDeviceStatistics
- Get-ActiveSyncOrganizationSettings
- Get-ActiveSyncMailboxPolicy
- Get-ExchangeServer
- Get-Recipient
- Set-ADServerSettings
Warning |
When the Exchange Server connector operates with these limited
permissions, you cannot create access rules, or wipe mobile
devices, and mobile devices will not be configured with the
settings that you define. In addition, Configuration Manager will
generate alerts and status messages to notify you that it could not
complete operations that are related to the Exchange Server
connector. |
Do
I need a Windows Intune organizational account to use the Windows
Intune connector?
Yes. You must specify a Windows Intune organizational
account before you can install the Windows Intune connector in
Configuration Manager SP1.
Do
I need special certificates before I can make applications
available to users who have mobile devices that run
Windows RT, Windows Phone 8, iOS, and Android?
Do
I need a my own PKI to enroll mobile devices by using
Windows Intune?
Does enrolling mobile devices by using
the Windows Intune connector install the
Configuration Manager client on them?
No. Windows RT and Windows Phone 8 includes a
management client that Configuration Manager uses, and
Configuration Manager manages mobile devices that run iOS by
directly calling APIs.
Do
I need the Windows Intune connector to manage Android devices?
No. Without the Windows Intune connector, you can
manage these devices by collecting hardware inventory, configure
settings such as passwords and roaming, and remotely wipe the
device. However, if you want to make company apps available to
Android devices, you must install the Windows Intune connector.
Can users go to the Application Catalog
to install apps on their mobile devices?
No. Mobile devices that are enrolled by Configuration
Manager support only required apps, so users cannot choose company
apps to install. Users who have mobile devices that are enrolled by
Windows Intune install company apps from the company portal.
However, if these apps require approval, users must first request
approval from the Application Catalog.
The following frequently asked questions relate to
remote control in Configuration Manager.
Is
remote control enabled by default?
By default, remote control is disabled on client
computers. Enable remote control as a default client setting for
the hierarchy, or by using custom client settings that you apply to
selected collections.
What ports does remote control use?
TCP 2701 is the only port that
System Center 2012 Configuration Manager uses for
remote control. When you enable remote control as a client setting,
you can select one of three firewall profiles that automatically
configure this port on Configuration Manager clients:
Domain, Private, or Public.
What is the difference between a
Permitted Viewers List and granting a user the role-based
administration security role of Remote Tools Operator?
The Permitted Viewers List grants an administrative
user the Remote Control permission for a computer, and the
role-based administration security role of Remote Tools Operator
grants an administrative user the ability to connect a
Configuration Manager console to a site so that audit messages are
sent when they manage computers by using remote control.
Can I send a CTRL+ALT+DEL command to a
computer during a remote control session?
Yes. In the Configuration Manager remote control
window, click Action, and then click Send
Ctrl+Alt+Del.
How can I find out how the Help Desk is
using remote control?
What happened to the Remote Control
program in Control Panel on Configuration Manager clients?
The remote control settings for
System Center 2012 Configuration Manager clients are
now in Software Center, on the Options tab.
The following frequently asked questions relate to
content management, software updates, applications, packages and
programs, scripts, and operating system deployment with supporting
task sequences and device drivers in Configuration Manager.
When distribution points are enabled for
bandwidth control, does the site server compress the content that
it distributes to them in the same way as site-to-site data is
compressed?
No, site servers do not compress the content that it
distributes to distribution points that are enabled for bandwidth
control. Whereas site-to-site transfers potentially resend files
that might already be present, only to be discarded by the
destination site server, a site server sends only the files that a
distribution point requires. With a lower volume of data to
transfer, the disadvantages of high CPU processing to compress and
decompress the data usually outweigh the advantages of compressing
the data.
What is an “application” and why would I
use it?
System Center 2012 Configuration Manager
applications contain the administrative details and
Application Catalog information necessary to deploy a software
package or software update to a computer or mobile device.
What is a “deployment type” and why would
I use one?
A deployment type is contained within an application
and specifies the installation files and method that Configuration
Manager will use to install the software. The deployment type
contains rules and settings that control if and how the software is
installed on client computers.
What is the “deployment purpose” and why
would I use this?
The deployment purpose defines what the deployment
should do and represents the administrator’s intent. For example,
an administrative user might require the installation of software
on client computers or might just make the software available for
users to install themselves. A global condition can be set to check
regularly that required applications are installed and to reinstall
them if they have been removed.
What is a global condition and how is it
different from a deployment requirement?
Global conditions are conditions used by requirement
rules. Requirement rules set a value for a deployment type for a
global condition. For example, “operating system =” is a global
condition; a requirement rule is “operating system = Win7.”
How do I make an application deployment
optional rather than mandatory?
To make a deployment optional, configure the deployment
purpose as Available in the applications deployment type.
Available applications display in the Application Catalog where
users can install them.
Can users request applications?
Yes. Users can browse a list of available software in
the Application Catalog. Users can then request an application
which, if approved, will be installed on their computer. To make a
deployment optional, configure the deployment purpose as
Available in the applications deployment type.
Why would I use a package and program to
deploy software rather than an application deployment?
Some scenarios, such as the deployment of a script that
runs on a client computer but that does not install software, are
more suited to using a package and program rather than an
application.
Can I deploy Office so that it installs
locally on a user’s main workstation but is available to that user
as a virtual application from any computer?
Yes. You can configure multiple deployment types for an
application. Rules that specify which deployment type is run allows
you to specify how the application is made available to the
user.
Does Configuration Manager help
identify which computers a user uses to support the user device
affinity feature?
Yes. Configuration Manager collects usage statistics
from client devices that can be used to automatically define user
device affinities or to help you manually create affinities.
Can I change a simulated application
deployment to a standard application deployment?
No. you must create a new deployment that can include
extra options that include scheduling and user experience.
If
the same application is deployed to a user and a device, which one
takes priority?
In this case, the following rules apply:
- If both deployments have a purpose of
Available, the user deployment will be installed.
- If both deployments have a purpose of
Required, the deployment with the earliest deadline will be
installed.
- If one deployment has a purpose of
Available and the other deployment has a purpose of
Required, the deployment with the purpose of Required
will be installed.
Note |
A deployment to a user that is scheduled to be installed out of
business hours is treated as a required deployment. |
Can I migrate my existing packages and
programs from Configuration Manager 2007 to a
System Center 2012 Configuration Manager
hierarchy?
Yes. You can see migrated packages and programs in the
Packages node in the Software Library workspace. You
can also use the Import Package from Definition Wizard to import
Configuration Manager 2007 package definition files into
your site.
Does the term “software” include scripts
and drivers?
Yes. In System Center 2012
Configuration Manager, the term software includes software
updates, applications, scripts, task sequences, device drivers,
configuration items, and configuration baselines.
What does “state-based deployment” mean
in reference to System Center 2012 Configuration Manager?
Depending on the deployment purpose you have specified
in the deployment type of an application,
System Center 2012 Configuration Manager
periodically checks that the state of the application is the same
as its purpose. For example, if an application’s deployment type is
specified as Required, Configuration Manager reinstalls the
application if it has been removed. Only one deployment type can be
created per application and collection pair.
Do
I have to begin using System Center 2012 Configuration Manager
applications immediately after migrating from Configuration Manager
2007?
No, you can continue to deploy packages and programs
that have been migrated from your Configuration Manager 2007 site.
However, packages and programs cannot use some of the new features
of System Center 2012 Configuration Manager such as
requirement rules, dependencies and supersedence.
If
an application that has been deployed to a user is installed on
multiple devices, how is the deployment summarized for the
user?
Deployments to users or devices are summarized based on
the worst result. For example, if a deployment is successful on one
device and the application requirements were not met on another
device then the deployment for the user is summarized as
Requirements Not Met. If none of the user’s devices has
received the application, the deployment is summarized as
Unknown.
Is
there a quick guide to installing the Application Catalog?
If you don’t require HTTPS connections (for example,
users will not connect from the Internet), you can use the
following the quick guide instructions:
- Make sure that you have all the prerequisites for the
Application Catalog site roles. For more information, see Prerequisites for
Application Management in Configuration Manager.
- Install the following Application Catalog site system roles and
select the default options:
- Application Catalog web service point
- Application Catalog website point
- Configure the following Computer Agent device client
settings by editing the default client settings, or by creating and
assigning custom client settings:
- Default Application Catalog website
point: Automatically detect
- Add default Application Catalog website to
Internet Explorer trusted site zone: True
- Install Permissions: All
users
For full instructions, see Configuring the
Application Catalog and Software Center in Configuration
Manager.
Can I deploy applications by using task
sequences?
You can use a task sequence to deploy applications.
However, when you configure an application deployment rather than
use a task sequence, you benefit from the following:
- You have a richer monitoring and compliance
experience.
- You can supersede a previous version of the
application and can uninstall or upgrade the previous version.
- You can deploy applications to users.
For more information about how to deploy applications,
see Introduction
to Application Management in Configuration Manager.
How often are application deployments
summarized?
Although you can configure the application deployment
summarization interval, by default, the following values apply:
- Deployments that were modified in the last 30
days – 1 hour
- Deployments that were modified in the last 31
to 90 days – 1 day
- Deployments that were modified over 90 days
ago – 1 week
You can modify the application deployment summarization
intervals from the Status Summarizers dialog box. Click
Status Summarizers from the Sites node in the
Administration workspace to open this dialog box.
How does the processing of requirements
differ between a deployment with the action of Install and a
deployment with the action of Uninstall?
In most cases, a deployment with an action of
Uninstall will always uninstall a deployment type if it is
detected unless the client type is different. For example, if you
deploy a mobile device application with an action of
Uninstall to a desktop computer, the deployment will fail
with a status of Requirements not met as it is impossible to
enforce this uninstall.
What happens if a simulated deployment
and a standard deployment for the same application are deployed to
a computer?
Although you cannot deploy a simulated and a standard
deployment of an application to the same collection, you can target
a computer with both if you deploy them to different collections
and the computer is a member of both collections. In this scenario,
for both deployments, the computer reports the results of the
standard deployment. This explains how you might see deployment
states for a simulated deployment that you would usually only see
for a standard deployment, such as In Progress and
Error.
Why do I see an error message about
insufficient permissions from a Windows Embedded device when I try
to install software from Software Center?
You can install applications only when the write filter
on the Windows Embedded device is disabled. If you try to install
an application on a Windows Embedded device that has write filters
enabled, you see an error message that you have insufficient
permissions to install the application and the installation
fails.
Can I use update lists in System Center
2012 Configuration Manager?
No. Software update groups are new in
System Center 2012 Configuration Manager and replace
update lists that were used in Configuration Manager 2007.
What is an “update group” and why would I
use one?
Software update groups provide a more effective method
for you to organize software updates in your environment. You can
manually add software updates to a software update group or
software updates can be automatically added to a new or existing
software update group by using an automatic deployment rule. You
can also deploy a software update group manually or automatically
by using an automatic deployment rule. After you deploy a software
update group, you can add new software updates to the group and
they will automatically be deployed.
Does System Center 2012 Configuration
Manager have automatic approval rules like Windows Server Update
Services (WSUS)?
Yes. You can create automatic deployment rules to
automatically approve and deploy software updates that meet
specified search criteria.
What changes have been made in
System Center 2012 Configuration Manager to manage
superseded software updates?
In Configuration Manager 2007, superseded software
updates are automatically expired during full software updates
synchronization. In System Center 2012
Configuration Manager, you can choose to automatically expire
superseded software updates during software updates synchronization
just as it is in Configuration Manager 2007. Or, you can specify a
number of months before a superseded software update is expired.
This allows you to deploy a superseded software update for the
period of time while you validate and approve the superseding
software update in your environment.
How are superseded and expired software
updates removed in System Center 2012
Configuration Manager?
System Center 2012 Configuration Manager
might automatically remove expired and superseded software updates.
Consider the following scenarios:
- Expired software updates that are not
associated with a deployment are automatically removed up every
7 days by a site maintenance task.
- Expired software updates that are associated
with a deployment are not automatically removed by the site
maintenance task.
- Superseded software updates that you have
configured not to expire for a specified period of time are not
removed or deleted by the site maintenance task.
You can remove expired software updates from all
software update groups and software update deployments so that they
are automatically removed. To do this, search for expired software
updates, select the returned results, choose edit membership, and
remove the expired software updates from any software update group
for which they are members.
What do the software update group icons
represent in Configuration Manager?
The software update group icons are different in the
following scenarios:
- When a software update group contains at
least one expired software update, the icon for that software
update group contains a black X.
- When a software update group contains no
expired software updates, but at least one superseded software
update, the icon for that software update group contains a yellow
star.
- When a software update group has no expired
or superseded software updates, the icon for that software update
group contains a green arrow.
When you view the status of an
application deployment in the Deployments node of the Monitoring
workspace, how is the displayed Compliance % calculated?
The compliance percentage (Compliance %) is
calculated by taking the number of users or devices with a
deployment state of Success added to the number of devices
with a deployment state of Requirements Not Met and then
dividing this total by the number of users or devices that the
deployment was sent to.
While monitoring the deployment of an
application, the numbers displayed in the Completion Statistics do
not match the numbers displayed in the View Status pane. What
reasons might cause this?
The following reasons might cause the numbers shown in
Completions Statistics and the View Status pane to differ:
- The completion statistics are summarized and
the View Status pane displays live data – Select the
deployment in the Deployments node of the Monitoring
workspace and then, in the Home tab, in the
Deployment group, click Run Summarization. Refresh
the display in the Configuration Manager console and after
summarization completes, the updated completion statistics will
display in the Configuration Manager console.
- An application contains multiple deployment
types. The completion statistics display one status for the
application; the View Status pane displays status for each
deployment type in the application.
- The client encountered an error. It was able
to report status for the application, but not for the deployment
types contained in the application. You can use the report
Application Infrastructure Errors to troubleshoot this
scenario.
Can I deploy operating systems by using a
DVD or a flash drive?
When I upgrade an operating system, can I
retain the user’s information so that they have all their files,
data, and preferences when they log on to the new operating
system?
Yes. When you deploy an operating system you can add
steps to your task sequence that capture and restore the user
state. The captured data can be stored on a state migration point
or on the computer where the operating system is deployed. For more
information, see How to Manage the User
State in Configuration Manager.
Can I deploy operating systems to
computers that are not managed by Configuration Manager?
When I deploy an operating system to
multiple computers, can I optimize how the operating system image
is sent to the destination computers?