[This is prerelease documentation and is subject to change in future releases. Blank topics are included as placeholders.]

The SCECertPolicyConfigUtil utility (SCECertPolicyConfigUtil.exe) changes Group Policy settings and Agentless Exception Monitoring (AEM) settings from the command line.

To install the SCECertPolicyConfig utility

  1. In the HelperObjects\i386 folder of the Essentials 2007 installation media, start SCECertPolicyConfig.msi.

  2. To verify the installation, on the computer, open the folder Program Files\System Center Operations Manager 2007 and confirm the presence of the file SCECertPolicyConfigUtil.exe.

Example

The following table describes the command-line switches you can use with SCECertPolicyConfigUtil.exe to change policy settings.

Switch Required Description

/PolicyType <local/domain>

Required, unless using /Uninstall

<local/domain> controls whether client computers are configured with local or domain Group Policy settings.

/Management Group <Essentials management server netbios name>_MG

Required

The name of the Essentials 2007 management group. This will always be <Essentials management server name>_MG.

/SCEServer <Essentials management server FQDN>

Required, unless using /Uninstall

The FQDN of the Essentials server. This FQDN is used when configuring Windows Update settings.

/AEMFileShare <file share name>

Required if ConfigureAEM=True

The UNC path for the share that is used for error reporting.

/AEMport <port>

Required if ConfigureAEM=True

The port that is used for error reporting.

/ConfigureRemoteControl <true/false>

Optional

True enables Remote Assistance in the domain or local Group Policy. The default if this switch is omitted is False.

/ConfigureFirewallPolicy <true/false>

Optional

True enables Windows Firewall exceptions in the domain or local Group Policy. The default if this switch is omitted is False.

/ConfigureAEM <true/false>

Optional

If True, Error Reporting settings are configured in the domain or local Group Policy. The default if this switch is omitted is False.

/Uninstall

Optional

Removes the domain policy objects from Active Directory or removes the configuration from the local policy objects on managed computers – either operation result in computers not configured appropriately to be managed by Essentials 2007.

The Windows Firewall exceptions for client computers are configured in the computer’s policy settings under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. When the SCECertPolicyConfigUtil.exe program or the Feature Configuration Wizard is used to configure the policy, they enable the following settings:

Name Configuration Description

Windows Firewall: Allow file and printer sharing exception

Allow unsolicited incoming messages from:

<Essentials management server IP address>

Opens UDP ports 137 and 138, and TCP ports 139 and 445. This allows for client push installation from the Essentials 2007 management server.

Windows Firewall: Allow remote administration exception

Allow unsolicited incoming messages from:

<Essentials management server IP address>

Opens TCP ports 135 and 445. This allows for Remote Assistance requests from the Essentials 2007 management server.

  Copy Code
SCECertPolicyConfigUtil.exe /PolicyType <local domain> /ManagementGroup <management group name> /SCEServer <server FQDN> /AEMFileShare <file share name> /AEMPort <port> /ConfigureRemoteControl <true/false> /ConfigureAEM <true/false> /ConfigureFirewallPolicy <true/false> /Uninstall

The following command will remove local or domain Group Policy settings. For example, you can this command to switch from using one to the other. After running the command, in the Essentials 2007 console, run the Feature Configuration Wizard again.

  Copy Code
SCECertPolicyConfigUtil.exe /Uninstall /ManagementGroup <Essentials management server netbios name>_MG

Copyright © 2009 by Microsoft Corporation. All rights reserved.