Exam Ref 70-696 Managing Enterprise Devices and Apps

Orin Thomas (server administrator, speaker, and writer of more than 30 books for Microsoft Press)

MCSE Certification / Microsoft Cloud
www.allitebooks.com
From the Library of Ida Schander
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2014 by Orin Thomas
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any
means without the written permission of the publisher.
Library of Congress Control Number: 2014951937
ISBN: 978-0-7356-9559-7

Printed and bound in the United States of America.

First Printing

Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without
any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or
distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by
this book.

Acquisitions Editor: Alison Hirsch
Developmental Editor: Alison Hirsch
Editorial Production: nSight, Inc.
Technical Reviewer: Randall Galloway; Technical Review services provided by Content Master, a member of
CM Group, Ltd.
Copyeditor: Kerin Forsyth
Indexer: Lucie Haskins
Cover: Twist Creative • Seattle

Contents at a glance

Introduction xiii

CHAPTER 1 Deploy and manage virtual applications 1


CHAPTER 2 Deploy and manage desktop and mobile applications 39
CHAPTER 3 Plan and implement software updates 123
CHAPTER 4 Manage compliance and endpoint protection settings 175
CHAPTER 5 Manage Configuration Manager clients 221
CHAPTER 6 Manage inventory using Configuration Manager 269
CHAPTER 7 Provision and manage mobile devices 315

Index 345

Contents

Introduction xiii
Microsoft certifications xiii
Free ebooks from Microsoft Press xiv
Errata, updates, & book support xiv
We want to hear from you xiv
Stay in touch xiv

Chapter 1 Deploy and manage virtual applications 1


Objective 1.1: Prepare virtual applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Application virtualization concepts 2
Sequencing an application 3
Preparing the Sequencer environment 6
App-V Connection Groups 7
Objective summary 11
Objective review 11

Objective 1.2: Manage application virtualization environments . . . . . . . . 12


App-V infrastructure 12
App-V deployment models 13
Deploying sequenced applications 16
App-V Group Policy 20
Objective summary 22
Objective review 23

Objective 1.3: Deploy and manage RemoteApp . . . . . . . . . . . . . . . . . . . . . . 24


Application presentation strategies 24

What do you think of this book? We want to hear from you!


Microsoft is interested in hearing your feedback so we can continually improve our
books and learning resources for you. To participate in a brief online survey, please visit:

www.microsoft.com/learning/booksurvey/
Preparing RemoteApp applications 26
Publishing and configuring RemoteApps 27
Managing connections to RemoteApp applications 28
Group Policy settings 29
Objective summary 32
Objective review 32

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Objective 1.1 34
Objective 1.2 35
Objective 1.3 36

Chapter 2 Deploy and manage desktop and mobile applications 39


Objective 2.1: Plan an application distribution strategy . . . . . . . . . . . . . . . 39
Application management by using Coniguration Manager 40
Applications and packages 42
Application management features 43
Application management server roles 45
Software Center 47
Application Catalog 48
Software distribution to mobile devices 49
Objective summary 49
Objective review 50

Objective 2.2: Deploy applications using Microsoft System Center 2012 Configuration Manager . . . . . 51
Creating applications 52
Application deployment 55
Detection methods 59
Dependencies 60
Global conditions 61
Requirements 62
User device affinity 65
Deploy software wizard 67
Simulated deployment 73
Objective summary 73

Objective review 74

Objective 2.3: Deploy applications using Microsoft Intune . . . . . . . . . . . . . 75


Intune operating system support 76
Deploy software to the company portal 78
Deploy software for automatic installation 78
Intune update policies 79
Objective summary 81
Objective review 81

Objective 2.4: Plan for application upgrades . . . . . . . . . . . . . . . . . . . . . . . . . 82


Application supersedence 83
Application revision history 84
Retiring applications 85
Uninstalling applications 86
Objective summary 86
Objective review 87

Objective 2.5: Monitor applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87


Monitoring application deployment 88
Asset Intelligence 89
Software metering 93
Objective summary 97
Objective review 97

Objective 2.6: Manage content distribution. . . . . . . . . . . . . . . . . . . . . . . . . . 98


Content management 99
Distribution points 100
Network bandwidth considerations 103
Content library 105
Prerequisites for content management 105
Distribution point monitoring 108
Content distribution 109
Prestaging content 111
Objective summary 113
Objective review 114

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Objective 2.1 115

Objective 2.2 116
Objective 2.3 117
Objective 2.4 118
Objective 2.5 119
Objective 2.6 120

Chapter 3 Plan and implement software updates 123


Objective 3.1: Plan and deploy third-party updates. . . . . . . . . . . . . . . . . . 123
System Center Updates Publisher 124
SCUP options 125
Managing updates 129
Objective summary 134
Objective review 135

Objective 3.2: Deploy software updates by using Configuration Manager and WSUS . . . . . 135
Software updates in Configuration Manager 136
Configuration Manager software update point 137
Software update client settings 140
Managing updates 145
Monitoring and troubleshooting software updates 148
Automatic deployment rules 153
Objective summary 156
Objective review 157

Objective 3.3: Deploy software updates by using Microsoft Intune . . . . 158


Microsoft Intune update policies 158
Updating categories and classifications 161
Approving updates 162
Automatic approval rules 164
Third-party updates 167
Objective summary 168
Objective review 169

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Objective 3.1 170
Objective 3.2 171
Objective 3.3 172
Chapter 4 Manage compliance and endpoint protection settings 175
Objective 4.1: Build a configuration item . . . . . 175
Overview of compliance settings 176
Configuration items 176
Creating configuration items 178
Create a child configuration item 180
Configuration item settings 182
Mobile device settings 183
Remediation 185
Objective summary 187
Objective review 187

Objective 4.2: Create and monitor a baseline . . . . . . . . . . . . . . . . . . . . . . . 189


Configuration baselines 189
Creating configuration baselines 191
Deploying configuration baselines 192
Configuration packs 193
Viewing compliance information 194
Objective summary 197
Objective review 197

Objective 4.3: Configure Endpoint Protection . . . . . 198


System Center Endpoint Protection 199
Implement Endpoint Protection 200
Antimalware policies 204
Windows Firewall policies 207
Policy management 209
Monitoring Endpoint Protection status 210
Configuring alerts 211
Objective summary 213
Objective review 213

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Objective 4.1 215
Objective 4.2 216
Objective 4.3 217

Chapter 5 Manage Configuration Manager clients 221
Objective 5.1: Deploy and manage the client agent . . . . . 221
The Configuration Manager client 222
Client installation 230
Extending the schema 234
Site systems used in client deployment 235
Client assignment 237
Client settings 238
Objective summary 240
Objective review 241

Objective 5.2: Manage collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242


Collections 242
Collection rules 244
Maintenance windows 245
Power management 247
Monitoring collections 254
Objective summary 256
Objective review 256

Objective 5.3: Configure and monitor client status . . . . . 257


Verifying client installation 257
Client status 259
Client health evaluation and remediation 260
Client health reports 261
Client health alerts 262
Objective summary 263
Objective review 263

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Objective 5.1 265
Objective 5.2 266
Objective 5.3 267

Chapter 6 Manage inventory using Configuration Manager 269


Objective 6.1: Manage hardware and software inventory. . . . . . . . . . . . . 269
Inventory collection 270

Hardware inventory collection 272
Extending hardware inventory 274
Software inventory collection 276
File collection 279
Managing inventory collection 280
Objective summary 284
Objective review 285

Objective 6.2: Manage software metering . . . . . . . . . . . . . . . . . . . . . . . . . . 286


Software metering 286
Software-metering rules 288
Manage software-metering tasks 290
Objective summary 292
Objective review 292

Objective 6.3: Create reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293


Queries 294
Configuration Manager reporting 296
Managing reports 299
Asset Intelligence 302
Objective summary 309
Objective review 309

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Objective 6.1 311
Objective 6.2 312
Objective 6.3 313



Chapter 7 Provision and manage mobile devices 315
Objective 7.1: Integrate Configuration Manager with the Microsoft Exchange ActiveSync Connector . . . . . 315
Exchange Server connector 316
Connector configuration 321
Objective summary 323
Objective review 324

Objective 7.2: Manage devices with Microsoft Intune . . . . . . . . . . . . . . . . 325


Microsoft Intune 325
Application deployment with Microsoft Intune 326
Integrating Microsoft Intune with Coniguration Manager 326
Device enrollment 328
Objective summary 331
Objective review 331

Objective 7.3: Manage connection profiles by using Configuration Manager . . . . . 332
Remote connection profiles 332
VPN profiles 334
Certificate profiles 335
Email profiles 336
Wi-Fi profiles 337
Objective summary 338
Objective review 339

Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
Objective 7.1 340
Objective 7.2 341
Objective 7.3 342

Index 345



Introduction
The Microsoft 70-696 Managing Enterprise Devices and Apps certification exam deals with advanced topics including virtual application management, RemoteApp, third-party software updates, and configuration and compliance management. Some of the exam comprises topics that even experienced Configuration Manager administrators encounter on an infrequent basis.

Candidates for this exam are Information Technology (IT) professionals who want to validate their advanced System Center 2012 R2 and Microsoft Intune device and application management skills and knowledge. To pass this exam, candidates require a strong understanding of how to configure and manage virtual, mobile, and desktop applications. They also need to know how to manage software updates, compliance settings, inventory, and endpoint protection configuration using System Center 2012 R2 Configuration Manager and Microsoft Intune. To pass, candidates require a thorough theoretical understanding as well as meaningful practical experience implementing the technologies involved.

This book covers every exam objective, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions themselves, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book with which you do not feel completely comfortable, use the links in the text to find more information and take the time to research and study the topic. Great information is available on TechNet, Channel 9, product team blogs, and online forums.

Microsoft certifications
Microsoft certifications distinguish you by proving your command of a broad set of skills and experience with current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies both on-premises and in the cloud. Certification brings a variety of benefits to the individual and to employers and organizations.

MORE INFO ALL MICROSOFT CERTIFICATIONS

For information about Microsoft certifications, including a full list of available certifications, go to http://www.microsoft.com/learning/en/us/certification/cert-default.aspx.


Free ebooks from Microsoft Press
From technical overviews to in-depth information on special topics, the free ebooks from
Microsoft Press cover a wide range of topics. These ebooks are available in PDF, EPUB, and
Mobi for Kindle formats, ready for you to download at:

http://aka.ms/mspressfree

Check back often to see what is new!

Errata, updates, & book support


We’ve made every effort to ensure the accuracy of this book. If you discover an error, please
submit it to us via [email protected]. You can also reach the Microsoft Press Book
Support team for other assistance via the same email address. Please note that product sup-
port for Microsoft software and hardware is not offered through the previous addresses. For
help with Microsoft software or hardware, go to http://support.microsoft.com.

We want to hear from you


At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable
asset. Please tell us what you think of this book at:

http://aka.ms/tellpress

The survey is short, and we read every one of your comments and ideas. Thanks in
advance for your input!

Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.


CHAPTER 1 Deploy and manage virtual applications

Virtualized applications provide administrators with more options than traditional applications. Rather than always requiring deployment through local installation, you can stream virtualized applications to clients. Virtualized applications don’t make modifications to a client’s registry or file system, so they can be removed as cleanly as they are installed. In this chapter, you learn about how to virtualize traditional applications, how to manage a virtualized application environment, and how to use RemoteApp to provide users with local access to applications running on remote servers.

Objectives in this chapter:


■ Objective 1.1: Prepare virtual applications.
■ Objective 1.2: Manage application virtualization environments.
■ Objective 1.3: Deploy and manage RemoteApp.

Objective 1.1: Prepare virtual applications


Microsoft Application Virtualization (App-V) is a technology that enables you to virtualize
applications so that they run in an environment that shields them from directly interacting
with the operating system. Then you can run applications concurrently that are incompat-
ible with each other. You use a special tool known as a sequencer to virtualize applications.

This section covers the following topics:


■ Application virtualization concepts
■ Sequencing an application
■ Preparing the Sequencer environment
■ App-V Connection Groups



Application virtualization concepts
Users can use application virtualization to run applications locally even though those applica-
tions are not installed directly on the client computers. This works because App-V client soft-
ware is installed directly on the client computers and simulates a specially prepared operating
system environment. Virtualized applications run within that specially prepared simulated
environment.
Virtualized applications do not interact directly with the client operating system but
instead interact with the App-V client. The App-V client functions as a proxy through which
the application uses operating system resources.
App-V provides the following benefits over traditionally deployed, locally installed applications. With App-V, you can:
■ Run multiple versions of applications without conflict You can use App-V to run different versions of applications concurrently on the same client computer. For example, it is possible to run Microsoft Word 2007, Word 2010, and Word 2013 concurrently if they are all set up as App-V applications; otherwise, you cannot run these applications side by side on the same client computer. It also is possible to use App-V in conjunction with Remote Desktop Services (RDS). This enables users to run applications side by side on Remote Desktop Session Host servers.
■ Minimize application conflict Sometimes two or more applications conflict with each other because of dynamic-link library (DLL) or application programming interface (API) conflicts. However, when you install these applications as App-V applications, there is no conflict because each App-V application runs in its own isolated environment.
■ Simplify application removal App-V applications are not installed locally, so they can be removed completely. Clean removal is not always possible with applications that are installed directly on Windows-based clients, even if an application has been designed to remove all files and settings when it is uninstalled. Virtualized applications are easily removed after the user signs out from the computer and can be purged automatically from the App-V client cache.
■ Simplify application upgrades Instead of upgrading a locally installed application on all computers in your organization with a hotfix, service pack, or new version, the modular nature of virtualized applications enables you to replace one version of an application with an updated version with less effort.
■ Minimize license compliance risks App-V has license group functionality, so you can ensure that only a specific number of users can run an application at any point in time.
■ Scale infrastructure Depending on the infrastructure model you use, you can add publishing servers to an App-V deployment as necessary to ensure that service levels are maintained as demand grows.
■ Take advantage of client hardware resources Even though App-V applications are not installed locally, they can use the local computer’s processor and RAM resources. In environments where client computers have inadequate hardware resources, this can lead to a better experience for the user than running applications on a Remote Desktop Session Host server would.
■ Enable users to use roaming applications If applications are streamed rather than locally installed, users can sign in to any computer that has an App-V client installed and quickly access their application. You can also configure App-V to work with Microsoft User Experience Virtualization to allow users to have application settings for App-V applications roam across client computers.
■ Give users quick access to their applications Because the application is streamed, access is faster than if the application is fully deployed from the server after the user is signed in. Depending on how you configure App-V, only some parts of the application prepared with App-V might be downloaded to the client computer. This means the user can start using an application without waiting for the entire application to be streamed from the server. App-V application components can be stored in a nonvolatile cache, so an App-V application can run when a computer is offline and cannot access the server from which it originally streamed the application.
■ Increase security for sensitive applications You can also configure the App-V client through Group Policy to ensure that applications can be run only when the computer is online. You can use Group Policy to provide sensitive applications to users in environments where employees are using their personal devices while ensuring that these sensitive applications are not available when the user leaves the organization premises.

MORE INFO APP-V 5.0 OVERVIEW

You can learn more about App-V 5.0 at http://technet.microsoft.com/en-us/windows/jj835807.aspx.

Sequencing an application
Sequencing enables you to create a special version of a normal application that can run in the virtual environment the App-V client provides. In the sequencing process, the Application Virtualization Sequencer records all the modifications the application makes to files and settings during installation.
For example, when you install an application, the installer writes program files to a particular directory, writes entries to the registry, and creates or modifies initialization (.ini) files and environment variables. The sequencing process records all the information necessary to run the program within the environment the App-V client provides.



The sequencing process involves the following general steps:
1. The Sequencer triggers the application’s standard installation process. It then records the following:
■ Files that have been installed
■ Registry settings that have been modified
■ Environment variables that have been configured
■ Dynamic-link libraries (DLLs) that have been registered
■ Any other changes that have occurred to the system
2. The Sequencer creates a virtual environment and loads the application into this environment, including any data and modifications that occurred during the standard installation process.
3. The application starts so that any post-installation configuration tasks can be performed. If this step is not performed during sequencing, users will have to perform these post-installation tasks manually after deployment, storing any configuration settings locally on the client. During this process, the Sequencer determines which program components are required to start the application.
In more detail, to sequence an application you use the Application Virtualization
Sequencing Wizard to install the application by performing the following general steps:
1. Open the Sequencer on the client.
2. Create a new virtual application package.
3. Verify that the operating system environment has no issues that might interrupt the
sequencing process.
4. Choose the application type.
5. Choose the application installer location.
6. Provide a virtual application package name and a primary virtual application directory.
The Sequencer will trigger the installation.
7. Answer questions that the installation routine presents.
These can include questions about license agreements, installation location, and other
application installation options.
8. Run any additional iles the installation might require.
9. Complete the installation.
10. Perform any post-installation coniguration tasks.
11. Review the installation report.
12. Configure the streaming options.
13. Select the target operating system.
14. Create the package.
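The wizard steps above map onto the App-V 5.0 Sequencer PowerShell module, which lets you script the same sequencing run and repeat it exactly. The following is an added example, not code from the book; the installer path, the /S silent-install switch, the package name and the output location are assumptions for an imaginary Contoso application:

```powershell
# Added example: script the sequencing steps above with the App-V 5.0 Sequencer cmdlets.
# Run in an elevated Windows PowerShell session on the clean sequencing machine.
# All paths, the package name and the '/S' silent switch are assumptions for a made-up app.
Import-Module AppVSequencer

$installer   = 'C:\Installers\ContosoApp\setup.exe'   # assumed installer location (step 5)
$packageName = 'ContosoApp_1.0'                       # assumed package name (step 6)
$primaryDir  = 'C:\ContosoApp'                        # assumed primary virtual application directory (step 6)
$outputPath  = 'C:\Packages\ContosoApp_1.0'           # assumed output folder for the .appv package

if (-not (Test-Path -Path $installer)) {
    throw "Installer not found: $installer"
}
New-Item -ItemType Directory -Path $outputPath -Force | Out-Null

# The cmdlet cannot answer installer prompts (step 7), so the installer must run silently.
# -FullLoad streams the whole package to the client at first launch instead of only the
# feature block needed to start the application (step 12, streaming options).
$sequencerParams = @{
    Name                               = $packageName
    PrimaryVirtualApplicationDirectory = $primaryDir
    Installer                          = $installer
    InstallerOptions                   = '/S'        # assumed silent switch for this installer
    OutputPath                         = $outputPath
    FullLoad                           = $true
}
New-AppvSequencerPackage @sequencerParams

# Step 11 (review the output): the .appv package plus the deployment and user configuration
# XML files the Sequencer emits. Fail loudly if no package was produced.
$package = Get-ChildItem -Path $outputPath -Filter '*.appv' -Recurse | Select-Object -First 1
if (-not $package) {
    throw "Sequencing produced no .appv package in $outputPath"
}
Get-ChildItem -Path $outputPath -Recurse |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

# Test the result on a separate App-V 5.0 client, never on the sequencing machine, so the
# Sequencer image stays clean for the next package (assumed share path):
#   Add-AppvClientPackage -Path '\\server\share\ContosoApp_1.0.appv' | Publish-AppvClientPackage -Global
```

Splatting the parameters through a hash table is deliberate: it lets you comment each setting, which PowerShell's backtick line continuation does not allow. Because the scripted run cannot react to dialog boxes or a reboot prompt, use the wizard for installers that insist on interaction or a restart.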



The Sequencer supports applications that need the computer to restart during the installation process. In these cases, the Sequencer resumes after the client computer restarts and continues to sequence the application.
The App-V 5.0 Sequencer produces applications that you can use only with the App-V 5.0
client. The App-V 5.0 client cannot run applications sequenced for earlier versions of App-V.
You must convert those applications to the App-V 5.0 format before they can run on com-
puters running the App-V 5.0 client. You can run App-V 5.0–sequenced applications only on
computers running Windows 8.1, Windows 8, Windows 7, Windows Server 2012, Windows
Server 2012 R2, and Windows Server 2008 R2 with the Remote Desktop feature.

Custom installation
When you perform a custom application installation, you do not provide the Sequencer with the path to the application installer. Instead, you perform the application installation outside the Sequencer and have it record the changes that occur to files and settings. Custom installation is similar to a standard installation except that for a custom installation, you must manually trigger the installation rather than use the Sequencer to do this.

Sequencer options
Generally, the default Sequencer settings are appropriate for most application sequencing procedures. In some instances, though, you will want to change some or all of the settings. You can see the settings by clicking Options on the Tools menu of the Sequencer, which opens the Options dialog box. The advanced settings include the following:
■ Scratch Directory Temporary files are saved in this location.
■ Allow Microsoft Update To Run During Monitoring Microsoft Update runs during the monitoring process. This setting is disabled by default.
■ Append Package Version To Filename The version number is added to the file name. When an application is resequenced, the version is increased by 1.
■ Always Trust The Source Of Package Accelerators The Sequencer does not generate a prompt when a package accelerator is not signed by a trusted source.
■ Parse Items The Sequencer monitors these areas of the file system and settings when sequencing an application.
■ Exclusion Items The Sequencer does not monitor these areas of the file system and settings when sequencing an application.
The App-V Sequencer also supports the following:
■ Package accelerators Package accelerators automate the sequencing process. They are useful when you need to sequence a particular application frequently.
■ Add-ons or plug-ins You can use the Sequencer to create an add-on or plug-in to extend the functionality of an application. For example, you could create an add-on for a sequenced web browser or a graphic design program. When you install an add-on or plug-in, you install the application first and then add the component.



■ Middleware applications Use the middleware application type to sequence middle-
ware or framework software that another sequenced application package requires. For
example, a particular environment might be required to run a sequenced application.
You can sequence this as middleware.

MORE INFO SEQUENCING AN APPLICATION

You can learn more about sequencing an application at http://technet.microsoft.com/en-us/library/jj713438.aspx.

Preparing the Sequencer environment


The App-V Sequencer requires the following software:
■ Windows 7 (x86 and x64), Windows 8 (x86 or x64), or Windows 8.1 (x86 or x64)
■ Microsoft .NET Framework 3.5 SP1 and .NET Framework 4.5 (Full)
■ Windows PowerShell 3.0 (included with Windows 8.1 and Windows 8)
■ Microsoft KB2533623 (an update for Windows 7)
■ Microsoft Visual C++ 2008 Redistributable (x86 and x64; executable file install only)
Installing the Sequencer involves running an executable file (.exe) or installing from a Windows Installer package file (.msi). If you install from the .msi file, you do not need to install the Visual C++ 2008 Redistributable manually.
You should install the Sequencer on a client computer that runs the same operating sys-
tem as the clients that will run the sequenced applications. When you are selecting the client
on which to install the Sequencer, keep the following guidelines in mind:
■ If your end users are using an x64 version of Windows 7, you should sequence applications on a computer running the x64 version of Windows 7 with the App-V Sequencer installed.
■ If you have a mix of x86 and x64 clients, you can either sequence the x86 version of an application and deploy it to both architectures or sequence the x86 and x64 versions separately.
■ A computer running the Windows 8.1 or Windows 8 operating system will be able
to run an application sequenced on a computer running the Windows 7 operating
system.
■ Although an application sequenced on a computer running the Windows 8.1 or
Windows 8 operating system will likely run when deployed through App-V to a com-
puter running the Windows 7 operating system, Microsoft does not recommend this
strategy. Instead, you should sequence applications that you intend to run on comput-
ers running the Windows 7 operating system on a computer running the
Windows 7 operating system.

The client that runs the Sequencer should have no applications installed beyond the base
operating system and should be as close to the out-of-the-box experience (OOBE) as possible.
As a best practice, do not use an existing computer that has had applications installed and
then removed, because some applications might not uninstall fully and thus might affect the
sequencing process. This is an important part of ensuring that sequencing works correctly.
Sequencing involves capturing only those modifications made during application installation;
additional applications and certain services can interrupt the sequencing process, causing it
to fail.
In addition to these considerations, avoid using operating system images that include
clients from antimalware applications and products such as System Center 2012 Configuration
Manager or System Center 2012 Data Protection Manager.
Before performing a sequencing operation on a newly installed computer running the
Windows 8.1 operating system, you should disable the following services:
■ Windows Defender service
■ Windows Search service
Because you need to have the client in as close to an OOBE state as possible each time you
sequence an application, it is much more efficient to install the Sequencer on a client that is
running as a virtual machine. Then you can use a virtual machine snapshot to return the client
to an unmodified configuration after you sequence each application. Ensure that you transfer
the sequenced application to a network location before reverting the computer that performs
the sequencing role.
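As an added example that is not part of the book, the following Windows PowerShell script runs the pre-sequencing checks described above on the prospective Sequencer virtual machine: it reports the two services that should be stopped on Windows 8.1, flags management agents that should not be in the image, and lists installed programs outside an allow list. It assumes the Windows service names WinDefend (Windows Defender), WSearch (Windows Search) and CcmExec (Configuration Manager client), the standard Uninstall registry keys, and a constructed allow list; the service change is made only when you pass -Apply.

```powershell
<#
  Added example (not from the book): pre-flight check for a clean App-V Sequencer machine.
  Assumptions: service names WinDefend, WSearch and CcmExec; the Uninstall registry keys
  under HKLM; the allow list below is constructed for illustration.
  Run inside the sequencing VM, then take the host-side checkpoint before sequencing.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Programs that are expected on the sequencing machine (constructed allow list)
    [string[]]$AllowedPrograms = @(
        'Microsoft Application Virtualization (App-V) Sequencer',
        'Microsoft .NET Framework 4.5',
        'Microsoft Visual C++ 2008 Redistributable*'
    ),
    # Stop and disable the two services instead of only reporting them
    [switch]$Apply
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Windows Defender and Windows Search should be stopped on a Windows 8.1 sequencer
foreach ($svcName in 'WinDefend', 'WSearch') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -eq 'Stopped') { continue }
    $findings.Add("Service $svcName is $($svc.Status); stop it before sequencing.")
    if ($Apply -and $PSCmdlet.ShouldProcess($svcName, 'Stop and disable service')) {
        Stop-Service -Name $svcName -Force
        Set-Service -Name $svcName -StartupType Disabled
    }
}

# 2. Management agents (for example the Configuration Manager client) do not belong
#    in the sequencing image; their presence means the wrong base image was used.
if (Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue) {
    $findings.Add('Configuration Manager client (CcmExec) is installed; sequence on an image without it.')
}

# 3. Installed programs beyond the base OS and the allow list. Both the native and the
#    WOW6432Node Uninstall keys are read so x64 machines report 32-bit programs too.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object -ExpandProperty DisplayName -Unique

foreach ($name in $installed) {
    $allowed = $false
    foreach ($pattern in $AllowedPrograms) {
        if ($name -like $pattern) { $allowed = $true; break }
    }
    if (-not $allowed) {
        $findings.Add("Unexpected program installed: $name (leftovers can break the sequencing capture).")
    }
}

# 4. Report. An empty list means the machine is ready for the 'clean' checkpoint, which is
#    taken on the Hyper-V host, for example:
#    Checkpoint-VM -Name 'SEQ01' -SnapshotName 'Clean before sequencing'
if ($findings.Count -eq 0) {
    'Sequencer machine looks clean; take the checkpoint now.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once on the freshly built virtual machine, fix anything it reports, take the checkpoint, and run it again after each revert to confirm the snapshot really is the clean state before the next sequencing session.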

MORE INFO DEPLOYING THE SEQUENCER

You can learn more about deploying the App-V Sequencer at http://technet.microsoft.com
/en-us/library/jj713464.aspx.

App-V Connection Groups


Use App-V Connection Groups to group one or more App-V 5.0 packages. All the applications
in an App-V Connection Group can interact with one another as if you had installed them on
the same device while still isolating them from the rest of the system. System Center 2012
R2 Configuration Manager (or System Center 2012 Configuration Manager SP1) uses App-V
virtual environments to take advantage of the functionality of App-V Connection Groups. An
administrator defines the requirements for a virtual environment. When a client system meets
those requirements, an App-V Connection Group is created on the client.
To create a virtual environment, perform the following general steps:
1. In the Software Library workspace of the Configuration Manager console, expand the
Application Management node and click App-V Virtual Environments.
2. On the ribbon of the Configuration Manager console, click Create Virtual Environment.

3. In the Create Virtual Environment dialog box, provide a name for the virtual environ-
ment. Figure 1-1 shows this name set to the Adatum App-V virtual environment. Click
Add to add an App-V deployment type.

FIGURE 1-1 The Create Virtual Environment dialog box

4. In the Add Applications dialog box, provide a name for the group and click Add to add
applications.
5. In the Specify Application dialog box, shown in Figure 1-2, select the application you
want to add to the group. Click OK.

FIGURE 1-2 The Specify Application dialog box

6. In the Add Applications dialog box, add all the applications you want to use with the
Connection Group. Figure 1-3 shows ExcelViewer and WordViewer added to the same
virtual environment. Click OK.

FIGURE 1-3 The Add Applications dialog box

7. In the Create Virtual Environment dialog box, review the applications that have been
added to the virtual environment, as shown in Figure 1-4, and then click OK.

FIGURE 1-4 The Create Virtual Environment dialog box

When migrating existing connection groups from standalone App-V 5.0 virtual environ-
ments to virtual environments in which App-V 5.0 is integrated with System Center 2012
R2 Configuration Manager, you must create virtual environments that match the existing
connection groups on client computers. You do this so that Configuration Manager manages
the clients correctly, and the user’s environment within those connection groups remains the
same.
The general process for migrating from App-V Connection Groups to a Configuration
Manager virtual environment is as follows:
1. Create applications with Application Virtualization 5.0 deployment types for all existing
App-V 5.0 packages for the virtual environments that you want to migrate.
2. Deploy the new applications with the purpose of Required.
3. After you deploy the applications, create virtual environments that match the connec-
tion groups they are replacing. The virtual environments must have the same App-V
5.0 deployment types in the same order. If the virtual environments do not match the
App-V 5.0 Connection Groups, new connection groups will be created, and any user
customizations in the shared isolation environment will be lost.
You can create new virtual environments in System Center 2012 R2 Configuration
Manager. New virtual environments must contain at least one App-V deployment. When you
deploy an App-V deployment type, the virtual environments associated with the deployment
type also are deployed. This enables you to create App-V Connection Groups before all the
applications for the new virtual environment are available. To create new App-V virtual envi-
ronments in the Configuration Manager console, navigate to the Software Library workspace,
the Application Management folder, and then the App-V Virtual Environments node. You add
App-V deployment types to the virtual environments by using simple rules. An App-V deploy-
ment type can belong to more than one virtual environment.
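The migration steps above hinge on the virtual environment listing the same packages in the same order as the connection group it replaces. As an added example that is not from the book, this script inventories the connection groups already present on an App-V 5.0 client, shows their packages in order, and checks a planned virtual environment against one of them. It assumes the AppvClient PowerShell module, that each object from Get-AppvClientConnectionGroup carries its package GUIDs in a Packages property, and constructed names ('Office viewers', ExcelViewer, WordViewer) and a constructed share path.

```powershell
<#
  Added example (not from the book): record the App-V 5.0 connection groups that already
  exist on a client, with their packages in order, and check a planned virtual environment
  against one of them. Assumes the AppvClient PowerShell module and that each object from
  Get-AppvClientConnectionGroup carries its package GUIDs in a Packages property.
#>
Import-Module AppvClient

function Get-ConnectionGroupInventory {
    # Map package GUID -> package object so group members can be shown by name
    $byId = @{}
    foreach ($pkg in Get-AppvClientPackage -All) {
        $byId[$pkg.PackageId.ToString()] = $pkg
    }
    foreach ($group in Get-AppvClientConnectionGroup -All) {
        $position = 0
        $members = foreach ($id in $group.Packages) {
            $position++
            $pkg = $byId[$id.ToString()]
            [pscustomobject]@{
                Position  = $position   # order matters when the virtual environment is rebuilt
                Name      = if ($pkg) { $pkg.Name } else { "<package not on this client: $id>" }
                PackageId = $id
            }
        }
        [pscustomobject]@{
            ConnectionGroup = $group.Name
            GroupId         = $group.GroupId
            InUse           = $group.InUse
            Packages        = @($members)
        }
    }
}

function Test-VirtualEnvironmentOrder {
    # Compare one client connection group with the ordered list of App-V deployment types
    # you intend to put in the Configuration Manager virtual environment that replaces it.
    param(
        [Parameter(Mandatory = $true)][string]$ConnectionGroupName,
        [Parameter(Mandatory = $true)][string[]]$PlannedOrder
    )
    $group = Get-ConnectionGroupInventory | Where-Object { $_.ConnectionGroup -eq $ConnectionGroupName }
    if (-not $group) { throw "Connection group '$ConnectionGroupName' was not found on this client." }
    $actual = @($group.Packages | ForEach-Object { $_.Name })
    $same = ($actual.Count -eq $PlannedOrder.Count)
    for ($i = 0; $same -and $i -lt $actual.Count; $i++) {
        if ($actual[$i] -ne $PlannedOrder[$i]) { $same = $false }
    }
    if (-not $same) {
        $msg = "Planned order [{0}] does not match connection group order [{1}]; " +
               "Configuration Manager would create a new connection group and user customizations would be lost."
        Write-Warning ($msg -f ($PlannedOrder -join ', '), ($actual -join ', '))
    }
    return $same
}

# Usage: inventory every group, save it to the network location, then check the planned order.
$inventory = Get-ConnectionGroupInventory
$inventory | Export-Clixml -Path '\\fileserver\appv\connection-groups.xml'   # constructed path
$inventory | ForEach-Object {
    "Connection group '$($_.ConnectionGroup)' (in use: $($_.InUse))"
    $_.Packages | ForEach-Object { "  {0}. {1}" -f $_.Position, $_.Name }
}
Test-VirtualEnvironmentOrder -ConnectionGroupName 'Office viewers' -PlannedOrder 'ExcelViewer', 'WordViewer'
```

Capture the inventory on a representative client before the Required deployments in step 2 go out; the saved XML is the record you build each virtual environment from, and the order check is the one to repeat before deploying it.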

MORE INFO APP-V CONNECTION GROUPS

You can learn more about App-V Connection Groups at http://technet.microsoft.com/en-us/library/jj713417.aspx.

EXAM TIP
Remember what steps you need to take to allow virtualized applications to share data.

Thought experiment
Application sequencing at Contoso
You are preparing to sequence an important application at Contoso. This applica-
tion has two versions, an x86 version and an x64 version. You intend to deploy
the x86 version to computers running an x86 version of Windows 7. You intend to
deploy the x64 version to computers running an x64 version of Windows 8.1. With
this information in mind, answer the following questions:

1. How many times should you sequence the application?

2. Which services should you disable on the computer running Windows 8.1 x64
prior to sequencing the application?

Objective summary
■ A virtualized application is isolated from the host operating system and interacts indi-
rectly with it through the App-V client.
■ You should sequence an application on the same platform as you intend to run it.
■ Applications sequenced on x64 platforms cannot run on x86 platforms, but applica-
tions sequenced on x86 platforms can run on x64 platforms.
■ App-V Connection Groups allow virtualized applications to share data.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. You use the App-V Sequencer to sequence an x64 application on a computer running
Windows 8.1. Which of the following computers can run this application if the App-V
client software has been installed? (Choose the best answer.)
A. The x64 version of Windows 8.1
B. The x86 version of Windows 8.1
C. The x64 version of Windows 7
D. The x86 version of Windows 7
2. You want to allow two virtualized applications, App-A and App-B, to share data when
running on the same computer. Which of the following should you configure to allow
this to occur? (Choose two. Each answer forms a complete solution.)
A. App-V Connection Group
B. App-V virtual environment
C. Plug-ins
D. Middleware application

3. You need to sequence an application that is updated on a regular basis. Which of the
following should you use with the App-V Sequencer to automate this process?
A. Connection group
B. Middleware application
C. Add-on or plug-in
D. Package accelerator

Objective 1.2: Manage application virtualization environments
App-V can be run in several ways. You can run an App-V infrastructure with its own servers to
stream apps, or use a simpler structure by which to virtualize applications but deploy them
in a traditional manner. You can also integrate App-V with Configuration Manager. Depend-
ing on how you’ve configured your organization’s infrastructure, you can manage App-V apps
through Group Policy or through Configuration Manager.

This section covers the following topics:


■ App-V infrastructure
■ App-V deployment models
■ Deploying sequenced applications
■ App-V Group Policy

App-V infrastructure
An App-V 5.0 deployment includes several elements, some of which must be present in all
App-V 5.0 models and some of which are used only in specific App-V deployments.
These elements are as follows:
■ Management Server The Management Server hosts a Microsoft Silverlight–enabled
web application that App-V administrators use to manage the App-V infrastructure.
The Management Server must have a good connection to the Management Server
database. You can deploy the Management Server and Management Server database
on the same server or on different servers.
■ Publishing Server The Publishing Server is a web server that deploys applications to
App-V clients. In previous versions of App-V, the Publishing Server was known as the
streaming server. You deploy App-V applications to the Publishing Server in the App-V
full infrastructure model by using the App-V Management Server console. App-V 5.0
applications are streamed from the Publishing Server by using HTTP.

■ Management Server database The Management Server database stores App-V
configuration and settings data. The database is hosted on an SQL instance running
SQL Server 2008 SP2, SQL Server 2008 R2, or SQL Server 2012. You can install the
Management Server database separately from the Management Server, but if you do,
you need to deploy the database first and then specify its location when you deploy
the Management Server.
■ Reporting Server The Reporting Server records the following information:
application use, client information, package information, schema changes, and system
options. You configure the address of the Reporting Server by using App-V Group
Policy settings. Clients forward data to this address, which the Reporting Server then
forwards to the Reporting Server database.
■ Reporting Server database The Reporting Server database stores all the informa-
tion forwarded to the Reporting Server. The instance that hosts the Reporting Server
database must meet the same requirements as the instance that hosts the
Management Server database. You can host both databases on the same server. You
do not have to install SQL Server Reporting Services to deploy an App-V Reporting
Server.

App-V deployment models


App-V has three deployment models, each of which has separate infrastructure requirements.
These are the full infrastructure model, the standalone model, and the Configuration
Manager integrated model.

MORE INFO APP-V DEPLOYMENT MODELS

You can learn more about the full infrastructure model and the standalone model at
http://technet.microsoft.com/en-us/library/dn595131.aspx.

Full infrastructure model


The App-V full infrastructure model, also known as the Enterprise model, uses all App-V
server elements. It also requires the Sequencer to sequence applications and the App-V client
deployed on client computers.
The App-V full infrastructure model provides an organization with all the functions of the
Management Server, including authentication, instance limitation, and application metering.
These functions have the following properties:
■ Authentication You can use this to limit applications to specific authorized users.
For example, members of the Research department can run a specific application but
members of the Management department cannot run the application.
■ Instance limitation You can use a Management Server to limit the number of
execution instances of a specific application to ensure that your organization meets its

licensing obligations. Virtualized applications can be streamed to multiple computers,
making it more challenging to ensure that instances of the application for which the
organization is not licensed are not being run.
■ Application metering You can generate historical data, recording how often an
application is used and by which clients.
When you use the App-V full infrastructure model, you should ensure that Publishing
Servers have high-speed connections to the clients that use these applications. This ensures
that users who use streaming applications get access to them quickly. Users who access
applications from publishing servers located across wide area network (WAN) links have to
wait much longer for their applications to open than users who access publishing servers on
the local area network (LAN).
The App-V full infrastructure model is appropriate for organizations that:
■ Need support for streamed applications.
■ Need authentication, instance limitation, and metering.
■ Have not already deployed Configuration Manager.
If an organization does not need to support streamed applications and does not require
authentication, instance limitation, and metering functionality, it could use the standalone
deployment method, which needs less infrastructure investment.

Standalone deployment model


The standalone deployment model is the least infrastructure-intensive version of application
virtualization. It needs only a computer configured as an App-V Sequencer and clients with
the App-V client installed. The standalone deployment model does not need a Management
Server database, Publishing Server, or Management Server.
In the standalone deployment model, you use the App-V Sequencer to create sequenced
App-V applications as packages in MSI format. You then deploy those sequenced applica-
tions in the same way you would deploy other applications in MSI format―for example, by
using Group Policy, Microsoft Intune, System Center 2012 Configuration Manager SP1, or
third-party application deployment technologies. The primary difference between deploying
a traditional application in MSI format and deploying a sequenced, virtualized application in
MSI format is that with the virtualized applications, you have to ensure that the App-V client
is installed on the target device.
The standalone deployment model is appropriate for organizations that:
■ Want the benefit of virtualized applications but do not need metering or application
streaming.
■ Want to deploy virtualized applications to clients on the Internet through Intune.
■ Need to deploy only a small number of virtualized applications and so do not need to
deploy the App-V full infrastructure model or Configuration Manager.

Configuration Manager integrated model
The integrated model uses Configuration Manager to manage and measure the deployment
of App-V virtualized applications. This deployment model uses the following components:
■ App-V Sequencer You use this to create sequenced App-V applications in App-V 5.0
format. You can also use the Sequencer to sequence applications in MSI format, which
you can deploy using Configuration Manager.
■ App-V client You need to deploy the App-V client to devices that will access
virtualized applications.
■ Configuration Manager You manage and deploy virtualized applications to col-
lections of computers by using Configuration Manager. Virtualized applications are
streamed from Configuration Manager distribution points. To use all the features of
App-V 5.0, you must have deployed System Center 2012 Configuration Manager SP1
or System Center 2012 R2 Configuration Manager.
In this integrated model, virtualized applications are deployed as Configuration Manager
applications by using the special App-V 5.0 application type rather than from a Publishing
Server.
When you use the App-V application type with Configuration Manager, virtualized
applications can be streamed from distribution points in the same manner as when you use
a Publishing Server in the App-V full infrastructure model. The advantage of the integrated
model over the App-V full infrastructure model is that in the integrated model, virtualized
applications can stream off any existing Configuration Manager distribution point.
Configuration Manager distribution points can also take advantage of BranchCache and
Background Intelligent Transfer Service (BITS) functionality.
Another advantage of the integrated model is that its deployment process can automati-
cally determine whether the App-V client is present during application deployment and, if
not, deploy the client before deploying the virtualized application. For example, if you deploy
a virtualized application to a collection of 10 computers, and 5 of those computers do not
have the App-V client installed, Configuration Manager can be set to deploy the App-V client
automatically before deploying the virtualized application.
App-V applications can be listed as a deployment type in Coniguration Manager. You can
choose to deploy an application such as Microsoft Word to a computer and then build logic
into the deployment so that, in some cases, the application is installed locally in a traditional
manner, and in other cases, the application is installed as an App-V application. For example,
Microsoft Word is installed locally if the computer is designated as the user’s primary device,
but it is installed as an App-V application if the computer is not designated as the user’s
primary device. The App-V deployment type enables administrators to perform temporary
application deployment, which deploys the application to the client but does not make an
ongoing configuration change in the client.

Although you can also use sequenced applications in MSI format with Configuration
Manager, these applications will be deployed in their entirety to the target device and will not
be streamed to the device through the Configuration Manager distribution point.
The integrated model still requires use of Group Policy if you want to configure App-V
client cache settings. You can use this policy to control whether streamed applications will
persist in the client cache.

MORE INFO CONFIGURATION MANAGER INTEGRATED MODEL

You can learn more about the Configuration Manager integrated model at
http://technet.microsoft.com/en-us/library/jj822982.aspx.

Deploying sequenced applications


The first decision you need to make when deploying sequenced applications is which type
of delivery mechanism you will use. You can stream the applications, install the applications
locally, or use a mixture of streaming and local installation. Independent of the method you
use, you can run a sequenced application only if the App-V client is present on the client
device. When you are deciding which mechanism to use, keep in mind the following
information.

Streaming applications
When applications are streamed, the application is available to the user as soon as enough of
the application has transferred from the server to the client that the application can start. You
can configure streaming so that applications are available only when the client is online. You
might want to use this option with sensitive applications to which you want to control access.
You can also configure streaming so that applications are available when the client is offline.
In this situation, the application is stored in the client’s cache. Streaming sequenced applica-
tions use the .appv file format.

Local installation of applications


A local installation has the benefits of a virtualized application (such as minimizing compat-
ibility problems with other applications) while also keeping the application available when
the client is offline without relying on the application remaining in the client’s App-V cache.
Locally installed applications are delivered to the client by using local install, Group Policy,
Intune, System Center 2012 Configuration Manager SP1 or System Center 2012 R2 Configura-
tion Manager, or another application deployment solution.
When you deploy a sequenced application and locally install it, the entire sequenced
application is downloaded to the client before the application is run. The application is always
available for offline use—unlike with streamed applications, you cannot ensure that a user will
not have access to a sequenced application when that user’s computer is not connected to
the organizational network.

Locally installed sequenced applications use the .msi format rather than the .appv format.
Using the .msi format enables you to treat a sequenced application in the same way that you
would treat a traditional local installation. You can deploy a sequenced application by using
Intune and Group Policy, an approach that was not possible with earlier versions of App-V.
You cannot import sequenced applications to an App-V Publishing Server by using the .msi
format.
When you deploy a sequenced application in .msi format, you need to ensure that the
App-V client is present on the target client; if it is not, the application cannot run. You can
use Programs And Features on a client to remove a sequenced application deployed in .msi
format.
You can use the .msi format with sequenced applications when you create thick images for
operating system deployment.

Streaming and local installation of applications combined


You might use a mixture of streaming and local installation. For example, when some
applications don’t need to be on the client devices permanently but you want the users to
have access to them quickly, stream these applications; when other applications need to be
on the client devices permanently but need to be isolated from other applications, install
these applications locally as App-V applications.
After you decide which delivery mechanism you want to use, you need to select a deploy-
ment technology. You can use the following products to deploy sequenced applications:
■ System Center 2012 Configuration Manager SP1 and System Center 2012 R2
Configuration Manager Configuration Manager supports both streaming and local
installation. You can configure a single application to be streamed or locally installed,
depending on the conditions that exist on the client. You can configure
Configuration Manager to detect whether the App-V client is present on the device.
If App-V is not present, Configuration Manager will deploy it before deploying the
sequenced application. You can use Configuration Manager reporting functionality to
monitor application use.
■ App-V Publishing Server You can stream applications from App-V Publishing
Servers. Use Group Policy to provide clients with the location of publishing servers.
Administrators can use App-V Reporting Server functionality to meter application use.
If you want to allow application streaming and you are not using System Center 2012
Configuration Manager SP1, you must deploy an App-V Publishing Server.
■ Group Policy deployment Use Group Policy software deployment to deploy
sequenced applications in .msi format locally. You cannot use Group Policy to meter
application use.
■ Manual deployment Use the .msi file to install the sequenced application manually
on a computer. Use this method infrequently because it requires substantially more
time than an automated deployment method.

■ Logon scripts Use the Msiexec.exe command to install an .msi file.
■ Microsoft Intune Use Intune to deploy the .msi file to remote clients that infre-
quently connect to the organizational network.
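A logon script that installs a sequenced .msi has to deal with the caveat stated earlier: the package only runs if the App-V client is present. As an added example that is not from the book, the following script checks for the client before calling Msiexec.exe, installs silently with a verbose log, and confirms that the App-V client now knows the package. It assumes the App-V 5.0 client service is named AppVClient, the AppvClient PowerShell module, and constructed package and log paths.

```powershell
<#
  Added example (not from the book): logon-script installation of a sequenced application
  delivered as an .msi, with a check that the App-V client is present first.
  Assumptions: the App-V 5.0 client service is named AppVClient; the package path,
  package name and log path are constructed.
#>
$msiPath = '\\fileserver\appv\WordViewer.msi'          # constructed package location
$logPath = Join-Path $env:TEMP 'WordViewer-install.log'

# A sequenced .msi only registers the package with the App-V client; without the client
# the install may appear to succeed but the application cannot run.
$client = Get-Service -Name 'AppVClient' -ErrorAction SilentlyContinue
if ($null -eq $client) {
    Write-Warning 'App-V client is not installed on this computer; skipping the sequenced package.'
    exit 1
}
if ($client.Status -ne 'Running') { Start-Service -Name 'AppVClient' }

# /qn = no UI (logon scripts run unattended), /l*v = verbose log for troubleshooting
$msiArgs = "/i `"$msiPath`" /qn /norestart /l*v `"$logPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if (@(0, 3010) -notcontains $proc.ExitCode) {      # 3010 = success, reboot required
    Write-Warning "msiexec exited with $($proc.ExitCode); see $logPath"
    exit $proc.ExitCode
}

# Confirm the package is now known to the App-V client
Import-Module AppvClient
Get-AppvClientPackage -Name 'WordViewer' | Select-Object Name, Version, IsPublishedGlobally
```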

Streaming and the App-V application cache


Streamed applications are transferred from App-V Publishing Servers or Configuration
Manager distribution points to App-V clients over the HTTPS protocol. Streamed applications
start running on the client as soon as enough of the virtualized application has transferred to
the client to begin running. For example, rather than downloading an entire 1 GB application
before beginning to run, the application might start to run when only some of its files have
been transferred. The rest of the application streams to the client as necessary.
The App-V client stores streamed applications in the local App-V cache. As long as a
particular application is in the cache, it will be loaded from there the next time the user wants
to run it—the device will not need to reacquire the application from the publishing server or
distribution point. As long as an application is in the cache, that application can be used when
the device is not connected to the Publishing Server or distribution point.
You can configure the Shared Content Store (SCS) Mode Group Policy item so that
sequenced applications can run only when the device is connected to the Publishing Server or
distribution point. When you enable this policy, the streamed application will not be stored in
the App-V cache and must be reacquired each time the user wants to run it. This policy is only
available if the App-V templates are present in Group Policy.
Not all virtualized application deployment methods ensure that the sequenced application
can be streamed to the client. Applications can be streamed when you do the following:
■ Deploy the application by using the App-V full infrastructure model.
■ Deploy the application by using the App-V deployment type in Configuration
Manager.
If you are using the App-V full infrastructure model, you need to configure clients with the
address of the Publishing Server by using Group Policy. You can configure Group Policy with
the address of up to five publishing servers. You use the App-V Management Server web
application to import applications in App-V format and publish them to publishing servers.
You also use the App-V Management Server web application to configure permissions.
When using App-V sequenced applications with Configuration Manager, clients use
Configuration Manager distribution points as the source for streamed applications. These
clients use the Configuration Manager client to determine which applications they are eligible
to consume.
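The settings discussed in this section (SCS mode, the publishing server list, and whether cached packages persist) are set through Group Policy but can be read back on any client. As an added example that is not from the book, this script audits the effective App-V client configuration and reports whether each setting was enforced by Group Policy or set locally, so a drift from the intended policy is visible. It assumes the AppvClient module, that Get-AppvClientConfiguration returns rows with Name, Value and SetByGroupPolicy, the setting names SharedContentStoreMode, EnablePackageScripts and PackageInstallationRoot, and that Get-AppvPublishingServer objects expose Name, URL, GlobalRefreshEnabled and SetByGroupPolicy.

```powershell
<#
  Added example (not from the book): audit the App-V client settings that decide whether
  streamed applications persist in the cache and where they come from.
  Assumptions: AppvClient module; Get-AppvClientConfiguration rows with Name, Value and
  SetByGroupPolicy; setting names SharedContentStoreMode, EnablePackageScripts and
  PackageInstallationRoot; publishing server objects with Name, URL, GlobalRefreshEnabled
  and SetByGroupPolicy.
#>
Import-Module AppvClient

function Get-AppvStreamingAudit {
    $cfg = @{}
    foreach ($row in Get-AppvClientConfiguration) { $cfg[$row.Name] = $row }
    $servers = @(Get-AppvPublishingServer)
    $issues  = New-Object System.Collections.Generic.List[string]

    # SCS mode: 1 = packages are not kept in the cache and are reacquired on every launch,
    # so the application is unavailable when the device is offline. Expected to come from GPO.
    $scs = $cfg['SharedContentStoreMode']
    if ($scs -and [int]$scs.Value -eq 1 -and -not $scs.SetByGroupPolicy) {
        $issues.Add('SCS mode is enabled locally rather than by Group Policy; it is not centrally enforced.')
    }

    # Package scripts: scripts in the package manifest run on the client when this is enabled,
    # so every published package must come from a trusted source.
    $scripts = $cfg['EnablePackageScripts']
    if ($scripts -and [int]$scripts.Value -eq 1) {
        $issues.Add('Package scripts are enabled; confirm all publishing sources are trusted.')
    }

    # Publishing servers: the full infrastructure model needs at least one; Group Policy
    # carries at most five. Locally added servers are a sign of unmanaged configuration.
    if ($servers.Count -eq 0) {
        $issues.Add('No publishing server is configured; only Configuration Manager or local .msi installs can deliver applications.')
    }
    foreach ($s in $servers) {
        if ($s.URL -notmatch '^https://') {
            $issues.Add("Publishing server '$($s.Name)' uses $($s.URL); review whether HTTPS is required here.")
        }
        if (-not $s.SetByGroupPolicy) {
            $issues.Add("Publishing server '$($s.Name)' was added locally, not by Group Policy.")
        }
    }

    [pscustomobject]@{
        SharedContentStoreMode  = if ($scs) { [int]$scs.Value } else { $null }
        PackageInstallationRoot = $cfg['PackageInstallationRoot'].Value
        PackageScriptsEnabled   = if ($scripts) { [int]$scripts.Value -eq 1 } else { $null }
        PublishingServers       = $servers | Select-Object Name, URL, GlobalRefreshEnabled, SetByGroupPolicy
        Issues                  = $issues
    }
}

$audit = Get-AppvStreamingAudit
$audit | Format-List
# After a publishing change, force a refresh so the client re-reads its published list
if ($audit.PublishingServers) { Get-AppvPublishingServer | Sync-AppvPublishingServer }
```

On a client in the standalone model the server list is expected to be empty and the first issue is informational; in the full infrastructure model every server should show SetByGroupPolicy as true, and an entry that does not is the one to investigate.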

Configuring dependencies
An advantage of using Configuration Manager as opposed to other deployment methods is
that you can configure dependencies. When you configure a dependency, the client checks
whether the specified prerequisite software environment is present. In the case of sequenced

applications, you can configure Configuration Manager to check whether the App-V software
is present on the client. If the App-V software is present, the deployment proceeds as usual. If
the App-V software is not present, Configuration Manager will deploy it before deploying the
sequenced application.
To configure the App-V client as a dependency for an application, perform the following
steps:
1. In the Software Workspace of Configuration Manager, click Software Library.
2. In the Application Management folder, click Applications.
3. Right-click the virtualized application and then click Properties.
4. On the Deployment Types tab, click the deployment associated with App-V 5, as shown
in Figure 1-5, and then click Edit.

FIGURE 1-5 Deployment types

5. Click the Dependencies tab and then click Add.


6. In the Add Dependency dialog box, click Add.
7. In the Specify Required Application dialog box, click Microsoft Application
Virtualization (App-V) Client 5.0. You must have already added Microsoft Application
Virtualization (App-V) Client 5.0 to Configuration Manager before you can perform
this step.

8. On the Deployment Types page for the selected application, click Microsoft
Application Virtualization, as shown in Figure 1-6, and then click OK.

FIGURE 1-6 Specify Required Application dialog box

9. In the Add Dependency dialog box, type App-V Apps in the Dependency Group
Name box and then click OK.
10. In the Application Properties dialog box, click OK.
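The same dependency can be created without the console. As an added example that is not from the book, the following script builds the 'App-V Apps' dependency group from steps 1 through 10 with the Configuration Manager PowerShell cmdlets and marks the client for automatic installation. It assumes a site code of PS1, a console installation (SMS_ADMIN_UI_PATH), the constructed application names 'WordViewer' and 'Microsoft Application Virtualization (App-V) Client 5.0', that App-V 5 deployment types report a Technology of 'AppV5X', and that New-CMDeploymentTypeDependencyGroup and Add-CMDeploymentTypeDependency accept the parameters shown.

```powershell
<#
  Added example (not from the book): the dependency the ten console steps above create,
  built with the Configuration Manager PowerShell cmdlets.
  Assumptions: site code PS1; console installed (SMS_ADMIN_UI_PATH); application names
  'WordViewer' and 'Microsoft Application Virtualization (App-V) Client 5.0' (constructed);
  App-V 5 deployment types report Technology 'AppV5X'; the dependency-group cmdlets
  take the parameters used here.
#>
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'PS1:'

$appName   = 'WordViewer'
$clientApp = 'Microsoft Application Virtualization (App-V) Client 5.0'
$groupName = 'App-V Apps'

# Step 7's prerequisite: the App-V client must already exist as a Configuration Manager application.
$clientDt = Get-CMDeploymentType -ApplicationName $clientApp
if (-not $clientDt) { throw "Add '$clientApp' to Configuration Manager before creating the dependency." }

# Step 4: pick the App-V 5 deployment type of the virtualized application.
$appvDt = Get-CMDeploymentType -ApplicationName $appName | Where-Object { $_.Technology -eq 'AppV5X' }
if (-not $appvDt) { throw "'$appName' has no App-V 5 deployment type." }

# Steps 5 to 9: a dependency group named 'App-V Apps' containing the client deployment type.
# IsAutoInstall makes Configuration Manager deploy the client first on computers that lack it,
# which is what lets one deployment work on the 5 of 10 computers without the client.
$group = New-CMDeploymentTypeDependencyGroup -InputObject $appvDt -GroupName $groupName
$group | Add-CMDeploymentTypeDependency -DeploymentTypeDependency $clientDt -IsAutoInstall $true

# Step 10 equivalent: read the dependency groups back to verify the change was saved.
Get-CMDeploymentTypeDependencyGroup -InputObject $appvDt
```

Because the dependency lives on the App-V deployment type, every deployment of that application to any collection inherits it; you do not repeat the check per deployment.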

App-V Group Policy


When you use the App-V full infrastructure model, you use Group Policy to configure impor-
tant App-V settings, including the location of publishing servers and the behavior of the client
cache. You do not need to use Group Policy to configure App-V if you are using the stand-
alone deployment model.
To configure App-V Group Policy, add the App-V policy template to the Group Policy store
on your domain controller. These policies can be downloaded from the Microsoft website.
After you place the templates in the Group Policy store, you can find App-V policies in the
Computer Configuration\Policies\Administrative Templates\System\App-V node of a Group
Policy Object (GPO). App-V policies are spread across the following six nodes:
■ Client Coexistence Use the policy in this node to enable automatic migration to
App-V 5.0 of packages that were created by using a previous version of App-V.
■ Integration Use the policies in this node to specify the file paths in a user profile that
do not roam with the user profile when used with App-V. Also, use the policies in this
node to configure the location of symbolic links to the current version of the published
package.

■ Publishing Use the policies in this node to specify the location of the Publishing
Server.
■ Reporting Use the policy in this node to specify the location of the App-V Reporting
Server to client devices.
■ Scripting Use the policy in this node to configure whether scripts defined in the
package manifest configuration files should run.
■ Streaming Use the policies in this node to configure settings related to package
streaming.
Notable policies include the following:
■ Publishing Server 1 Settings This policy is located in the Publishing node. Use it to
specify the location of the first publishing server and the properties of that publishing
server. There are five publishing server settings policies, so you can configure up to five
publishing servers for each App-V client. In each of these policies, you can configure
the following publishing server settings:
■ Publishing Server Display Name This is the name of the publishing server
shown in the App-V client interface.
■ Publishing Server URL This is the URL of the publishing server.
■ Global Publishing Refresh Use this setting to enable global publishing refresh.
This performs a global refresh to update the list of available published applications.
■ Global Publishing Refresh On Logon Use this setting to enable a global pub-
lishing refresh at logon.
■ Global Publishing Refresh Interval When you enable global publishing refresh,
you need to specify a frequency. Use the interval setting to specify the refresh
interval for global publishing refresh.
■ Global Publishing Refresh Interval Unit When you have set the number of
units, you need to set the unit itself. You can select either Hour or Day.
■ User Publishing Refresh Use this setting to conigure user publishing refresh.
This refresh occurs on a user basis for the applications published to the user rather
than globally.
■ User Publishing Refresh On Logon Use this setting to conigure user publishing
refresh at logon.
■ User Publishing Refresh Interval Use this setting to specify the refresh interval
for user publishing refresh.
■ User Publishing Refresh Interval Unit Use this setting to specify the interval
unit, in either hours or days, for the user publishing refresh cycle.
■ Package Installation Root Use this policy to specify where all new App-V applica-
tions and updates will be installed on the client.
■ Shared Content Store (SCS) mode Use this policy to specify whether streamed package contents are saved to the local hard disk. This policy is useful when you want to grant access to streamed applications but do not want those applications to be available when the client is offline.
■ Specify what to load in background (that is, Autoload) This policy enables you
to specify which packages App-V acquires automatically on a client computer from a
publishing server. The options are Previously Used, None, and All. When enabled, the
Previously Used option is the default; previously used applications will be downloaded
automatically from the App-V Publishing Server in the background, which increases
the speed at which an application loads.
Depending on security concerns, organizations that use the App-V full infrastructure model and the integrated model might choose to prevent streamed package contents from being saved to the local hard disk by using the SCS Mode policy. For example, you would use this policy if an application needed to be used on a client in an unsecure location where the application should not be stored locally, or if the application should not be accessible when the device cannot connect to the publishing server.
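As an added example (not code from the book), the following Windows PowerShell script audits an App-V 5.0 client for the SCS mode, Autoload and publishing server settings described above and reports whether they are enforced by Group Policy rather than set locally. It assumes the App-V 5.0 client's AppvClient module is present and that Get-AppvClientConfiguration returns objects with Name, Value and SetByGroupPolicy properties; the function name is my own.

```powershell
# Added example (not from the book): audit an App-V 5.0 client for the
# settings this section discusses, using the client's AppvClient module.
# Assumes the App-V 5.0 client is installed on the machine being checked.
Import-Module AppvClient

function Test-AppvStreamingLockdown {
    # Get-AppvClientConfiguration returns one object per setting with
    # Name, Value and SetByGroupPolicy properties (assumed property names).
    $lookup = @{}
    foreach ($item in Get-AppvClientConfiguration) { $lookup[$item.Name] = $item }

    $scs      = $lookup['SharedContentStoreMode']
    $autoload = $lookup['AutoLoad']
    $root     = $lookup['PackageInstallationRoot']

    # SCS mode = 1 means streamed package content is not written to the
    # local disk; AutoLoad = 0 (None) means nothing is fetched in the
    # background, so a roaming device holds no cached package content.
    $scsEnabled   = ($scs.Value -eq 1)
    $scsByGpo     = [bool]$scs.SetByGroupPolicy
    $autoloadOff  = ($autoload.Value -eq 0)
    $autoloadByGpo = [bool]$autoload.SetByGroupPolicy

    # Offline protection only holds when both settings are enforced by
    # Group Policy; a local administrator can change a locally set value.
    $enforced = $scsEnabled -and $scsByGpo -and $autoloadOff -and $autoloadByGpo

    [pscustomobject]@{
        ScsModeEnabled            = $scsEnabled
        ScsSetByGroupPolicy       = $scsByGpo
        AutoLoadDisabled          = $autoloadOff
        AutoLoadSetByGroupPolicy  = $autoloadByGpo
        PackageInstallationRoot   = $root.Value
        OfflineProtectionEnforced = $enforced
        # Publishing servers the client knows about (up to five via policy).
        PublishingServers         = @(Get-AppvPublishingServer |
            Select-Object Name, URL, GlobalRefreshEnabled, UserRefreshEnabled)
    }
}

Test-AppvStreamingLockdown | Format-List
```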

EXAM TIP
Remember the different App-V models.

Thought experiment
App-V deployment planning at Contoso
You are planning the deployment of App-V at Contoso. Your primary interest is the ability to meter application usage and limit the number of concurrent instances of application execution. Contoso does not have a Configuration Manager deployment. With this information in mind, answer the following questions:

1. Which deployment model is suitable for Contoso?

2. Which protocol will clients use to access streamed applications?

Objective summary
■ You can deploy App-V by using the full infrastructure, standalone, or Configuration Manager integrated model.
■ App-V applications can run only on computers on which a compatible App-V client is installed.
■ App-V applications can stream from an App-V server or a Configuration Manager distribution point. This enables the applications to deploy more quickly.
■ When sequenced, App-V applications are available in .msi format. You can deploy App-V applications locally in the same manner as you would deploy any other application in .msi format.

■ When deploying App-V applications by using Configuration Manager, you can configure the App-V client as a dependency. This means that the App-V client will be deployed if it is not present on the target computer.
■ You can use Group Policy to manage App-V settings, but you must import the App-V–related Group Policy template.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You have deployed the Configuration Manager integrated model. You want to deploy App-V applications to some of the computers in your organization; however, the App-V client is not installed on every computer that is a Configuration Manager client. The App-V client should be deployed only to computers that need it to run applications. How can you ensure that computers that are subject to an App-V application deployment are able to run those applications?
A. Deploy the App-V client to all computers.
B. Configure the App-V client as a dependency for each App-V application.
C. Configure each App-V application as a dependency for the App-V client.
D. Configure each computer to subscribe to the RemoteApp feed.
2. You want to ensure that users with laptop computers have access to App-V applications only when they are on site. Which of the following strategies could you pursue to accomplish this goal? (Choose two. Each correct answer provides a complete solution.)
A. Use the App-V full infrastructure model.
B. Use the standalone deployment model.
C. Use the Configuration Manager integrated model.
D. Use RD Web Access.
3. Which of the following servers must you deploy to support the App-V full infrastructure model?
A. Management Server
B. Publishing Server
C. Configuration Manager site server
D. Remote Desktop Session Host server

Objective 1.3: Deploy and manage RemoteApp
Session virtualization is the process by which an application or desktop environment runs
remotely, but the display of that application or desktop environment occurs locally. The
advantage of this approach is that applications that might otherwise require resources the
local device might not have, such as an appropriate processor or enough RAM, can be used
locally with the processing, memory, and storage resources the back-end infrastructure
provides.

This section covers the following topics:


■ Application presentation strategies
■ Preparing RemoteApp applications
■ Group Policy settings

Application presentation strategies


Remote Desktop Session Host servers provide session virtualization and can exist in the form
of either a full desktop session or a remote application. The following sections describe these
two application presentation methods.

Remote desktops
Remote Desktop Session Host servers (formerly known as Terminal Servers) provide users
with access to a full remote desktop experience. In this scenario, users securely connect to the
remote session through their local Remote Desktop Connection (RDC) client. From the users’
perspective, their desktop environment appears the same, even though it actually is running
on a remote server. Users have access to applications in the same way as if those applications
were running locally, even though the applications are running on the Remote Desktop
Session Host. Each user establishes his or her own private session that does not affect any
other users that are connected to the same Remote Desktop Session Host.
To access a remote desktop, the user account (or domain global group) of the connecting
user must be added to the Remote Desktop Users group on the computer to which he or she
is connecting. By default, this group has no members.
Installing the Remote Desktop Session Host role on a server automatically enables Remote Desktop connections to the local computer. If you do not install the Remote Desktop Session Host role, you can still enable Remote Desktop access to any Windows-based operating system by modifying the system properties to allow remote connections. You can allow remote connections and select the users who can connect remotely by using System Properties in Control Panel.
Remote Desktop is well suited to single-task workers such as point-of-sale terminals or data entry workers. In such scenarios, it is important to provide a consistent desktop experience for all workers. Remote desktops also perform well over limited bandwidth, making this solution suitable for branch offices where IT support might be limited. Another common use for Remote Desktop is to enable users to access their corporate desktop. For example, users can work from home by connecting to their workstations, or users in bring your own device (BYOD) scenarios can connect to a standard operating system environment from their personal devices.

Remote applications
Users access Remote Application (RemoteApp) programs remotely through Remote Desktop
Services, but the programs appear as if they are running on the end user’s local computer.
These applications can appear on the Start menu like any locally installed application. Users
can interact with RemoteApp applications in the same manner that they interact with locally
installed applications. Running the application on the server avoids compatibility issues that
might prevent you from installing the application locally. RemoteApp is suited to applications
that you need to manage centrally or that require higher computing requirements than the
users’ desktops might have—for example, an application that requires large amounts of RAM
or one that requires intensive graphics processing. RemoteApp works with Windows clients
that include the Remote Desktop software and Windows RT clients on which the Remote
Desktop Connection app is installed.

Remote Desktop Web Access


Remote Desktop Web Access (RD Web Access) allows end users to access applications
through a special website. RD Web Access provides a secure way to:
■ Present remote applications.
■ Provide access to remote virtual desktops.
■ Connect to a remote computer.
Users can access a secure site, typically at https://ServerFQDN/RDWeb, and establish an SSL
session between the client and the RD Web Access server. After authentication, users see a list
of any applications or desktops that they have permission to use.
Users also see a link to connect to a remote desktop. This link presents a web-based version of the Remote Desktop Protocol (RDP) client where the users can configure devices, resources, and additional options. Users enter the name of the computer to which they want to connect and configure the options they require. Then they have to sign in to the computer to which they are connecting by using a valid user name and password.
For users who do not need a full desktop or users who are not on the corporate network, RD Web Access is an attractive solution because you need to provide users with only the URL of the RD Web Access server. Applications started from this interface are fully functional and save files back to the company network by default, although users can save files to the local computer if required. RD Web Access is suitable for:
■ Users outside the corporate network who need to run corporate applications—for example, users who work from home or use laptops in the field.

■ Users in remote offices where no VPN is in place.
■ Users who need to access corporate applications from a computer in a public location
such as a hotel or an airport.
■ Kiosk machines that are locked down so that they grant access to only a limited set of
applications through the Internet—for example, public access machines that grant any
user access to a certain corporate application.

Preparing RemoteApp applications

Before you can make an application available remotely, you must install it on each Remote Desktop Session Host server that will offer that application. Proper planning and installation of the application ensures that your users can access it in a multiuser environment. You can deploy applications that you want to make remotely available only after you have deployed the Remote Desktop Session Host role.
When you are planning a remote application deployment, consider the following factors:
■ Suitability for multiuser environments This consideration is the most important. Historically, most end user applications have functioned well in a multiuser environment; however, this is not always the case. You must check with the application vendor to see whether a multiuser configuration is supported. Some vendors can provide fixes that enable you to deploy an application in a multiuser environment. If they cannot, you might have to deploy the application to traditional desktops or find another application that can support a multiuser environment.
■ Application compatibility You have to investigate whether there are compatibility issues with existing applications on the Remote Desktop Session Host server. Ensure that you thoroughly test the proposed application before putting it into the production environment. You might need multiple Remote Desktop Session Hosts so that incompatible applications can be run separately from each other, and you might need multiple session collections to create silos of applications.
■ Application dependencies Install, on the same Remote Desktop Session Host server, related applications or applications that have dependencies on other local applications. For example, all the applications of an application suite should be installed on the same Remote Desktop Session Host unless otherwise prescribed by the vendor.
■ Capacity requirements There are no firm numbers that indicate how many clients a single Remote Desktop Session Host server can support. Resource requirements for remotely delivered applications depend on several factors, including the application requirements, the number of concurrent sessions, and how many applications (and other services) the Remote Desktop Session Host is running. Several tools can provide sizing guidance. Server administrators should monitor their server performance closely in Remote Desktop Session Hosts and listen to the feedback end users provide, adding server resources as required. Microsoft offers white papers to assist in capacity planning.
Installing an application on a Remote Desktop Session Host is not like installing an application on a traditional desktop. Remote Desktop Session Hosts operate in two modes, install mode and execute mode. The server must be placed into install mode to install multiuser applications properly. In install mode, Windows ensures that the appropriate registry entries and initialization (.ini) file settings are configured for the application to function in multiuser environments. After the application is successfully installed, the server must be returned to execute mode. You can change the mode of the server in two ways:
■ Use the command prompt To use the command prompt, from a command prompt, perform these steps:
A. Use the change user /install command to place the server into install mode.
B. Install the application.
C. Use the change user /execute command to return the server to execute mode so that users can access the application.
■ Use Control Panel The Programs section of Control Panel lists the Install Application On Remote Desktop applet. This applet starts a wizard that automatically puts the server into install mode and then prompts for the location of the application’s installation executable file. The administrator installs the application and completes the wizard. This returns the server to execute mode.

Publishing and configuring RemoteApps

The session collection interface in Remote Desktop Management Service (RDMS) provides a link for you to publish RemoteApp programs, or you can publish from the link on the Tasks drop-down menu. Clicking the Publish RemoteApps Programs link starts the Publish RemoteApp Programs Wizard. The wizard presents a list of all the default applications that are available for publishing. Other applications must be mapped by manually adding the path to the executable file that starts the program.
After the applications are published, you can configure them further by editing the application properties:
■ Choose whether to show the remote application in RD Web Access. By default, the setting is Yes.
■ Create web folders by typing the name of the folder you want to create.
■ Assign command-line parameters.
■ Restrict access to the remote application to specific users or groups. By default, all users who can access the collection have access to the application.
■ Set file type associations for the remote application. File type associations apply only to users who are connected by the RemoteApp and Desktop Connections feed. Users who are connected by RD Web Access cannot use file type associations.

You can also use the Remote Desktop Services PowerShell module to create, update, and delete RemoteApp applications. To publish a new remote application, use the New-RDRemoteApp cmdlet. For example, to publish the Windows PowerPoint Viewer application and have it display in RD Web Access, use the following command:
New-RDRemoteApp -Alias PPTViewer -DisplayName PPTViewer -FilePath "C:\Program Files (x86)\Microsoft Office\Office14\PPTVIEW.exe" -ShowInWebAccess $True -CollectionName RemoteApps -ConnectionBroker LON-SVR1.Adatum.com
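As an added example (not code from the book), the following script publishes a RemoteApp and then uses Set-RDRemoteApp to apply two of the properties described above: restricting the application to one group and disallowing user-supplied command-line parameters. The collection name, connection broker, application path and group name are placeholders of my own.

```powershell
# Added example (not from the book): publish a RemoteApp, then restrict
# who can see it and block caller-supplied command-line arguments.
# Assumes the RemoteDesktop module on a Windows Server 2012 R2 connection
# broker. Server, collection, path and group names are placeholders.
Import-Module RemoteDesktop

$broker     = 'LON-SVR1.Adatum.com'   # placeholder, as in the book's example
$collection = 'RemoteApps'            # placeholder collection name

# Publish the application. -ShowInWebAccess $true lists it in RD Web Access;
# the alias must be unique within the collection.
New-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
    -Alias 'LedgerApp' -DisplayName 'Ledger' `
    -FilePath 'C:\Program Files (x86)\Contoso\Ledger\Ledger.exe' `
    -ShowInWebAccess $true

# By default every user with access to the collection sees the app.
# Limit it to one domain group, and do not let callers pass their own
# command-line arguments (CommandLineSetting: Allow, DoNotAllow, Require).
Set-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
    -Alias 'LedgerApp' `
    -UserGroups 'ADATUM\Finance Users' `
    -CommandLineSetting DoNotAllow

# Read the published properties back to confirm the restriction took effect.
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
    -Alias 'LedgerApp' |
    Select-Object Alias, DisplayName, FilePath, ShowInWebAccess,
                  CommandLineSetting, UserGroups
```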

Managing connections to RemoteApp applications


After a collection is created and RemoteApp applications are added to the collection, a user
can connect to the collection and run RemoteApp applications by using the RDC, by signing
in to the RDWeb page, or by subscribing to the RemoteApp feed. If users subscribe to the
RemoteApp feed, the applications appear on the Start screen of their computer if it is running
Windows 8.1 or Windows 8 or on the Start menu of their Windows 7–based computer.

Connecting with RDC


Users can connect to a remote desktop by using the standard RDP client, Remote Desktop
Connection (RDC). The user needs to enter the name of the remote computer in the
Computer box and then click Connect. If the computer to which the user is trying to connect
allows remote access and if the user is in the Remote Desktop Users group for that computer,
the user can sign in to that computer. The user will be presented with a desktop just as if he
or she were signing in locally. A user connecting in this fashion has access to all the resources
of the remote computer just as if he or she were sitting at the local console.
The RDC client has a number of tabs with options that can be configured to control the user experience. These tabs are as follows:
■ General Provide the name of the computer to which you want to connect and the user name you are using to connect. You can also save this configuration in an RDP file or open an RDP file that might have been provided to you.
■ Display Configure the resolution and color depth of the remote session.
■ Local Resources Specify which local resources will be available to the client computer, such as printers, the Clipboard, local drives, and audio settings.
■ Programs Configure a specific program to start upon connection.
■ Experience Choose the level of visual quality to transmit to the client computer from the remote computer based on the available bandwidth of the connection.
■ Advanced Specify how authentication to the server will occur and configure the Remote Desktop Gateway (RD Gateway) settings.

Connecting with the RemoteApp and Desktop Connections feed
Computers running Windows 8, Windows 8.1, Windows RT, and Windows RT 8.1 can subscribe to the Remote Desktop web feed. With the subscription, applications published to the feed are automatically added to the Start screen on the subscribed device.
After the subscription is established, the Remote Desktop web feed is available from the Start screen or Start menu. Users can manually enter the URL to connect to the feed by using the RemoteApp And Desktop Connections applet in Control Panel, as shown in Figure 1-7, or an administrator can configure the default connection URL with Group Policy.

FIGURE 1-7 Access RemoteApp And Desktops dialog box

You can access the feed by using the following URL: https://<fqdn of rdweb server>/Rdweb/webfeed.aspx, or users can use their email addresses to subscribe to the feed. If you intend to allow use of an email address to subscribe to the feed, create a TXT record on the DNS server. The record must be named _msadc, and the text field must contain the URL for the Remote Desktop web feed.

Group Policy settings

In a large organization, it is not practical to configure each remote desktop connection separately. Many Group Policy settings are available to manage the remote desktop or remote application experience for users. After the application presentation method has been determined and the applications have been published, you can use Group Policy to control how the session hosts that house those applications will be accessed. Group Policy enables you to configure settings that can be applied to both users and computers. Many of the same settings appear in both user and computer configurations—for example, session time limits. Typically, if the same settings are configured for both users and computers, the computer setting will override the user setting.

Computer settings
Computer settings affect all users connecting to the remote computer. Computer settings, shown in Figure 1-8, include the following categories:
■ RD Licensing Control which Remote Desktop Session Host servers are issued Remote Desktop Services client access licenses
■ Remote Desktop Connection Client Control security aspects of the connection, such as allowing .rdp files or determining whether passwords can be saved
■ Remote Desktop Session Host Control many aspects of the Remote Desktop Session Host, such as device redirection, limiting the number of connections, user profiles, security, detection of network quality, and session limits

FIGURE 1-8 Remote Desktop Services policies showing computer settings

User settings
User settings are settings for particular groups of users connecting to remote computers. User
settings, shown in Figure 1-9, include the following categories:

FIGURE 1-9 Remote Desktop Services policies showing user settings

■ RD Gateway Set the gateway server address and authentication method.
■ Remote Desktop Connection Client Control .rdp files and the saving of passwords.
■ Remote Desktop Session Host Control many aspects of the user session, such as device redirection, user profiles, security, and session limits.
■ RemoteApp And Desktop Connections Specify the default connection URL. This setting is new for Windows Server 2012, and it’s particularly useful for distributing the Remote Desktop web feed URL. This Group Policy setting is shown in Figure 1-10.

FIGURE 1-10 Specify default connection URL

EXAM TIP
Remember how to configure a computer running Windows 8.1 or Windows 8 to subscribe to the RemoteApp feed.

Thought experiment
BYOD at Tailspin Toys
Interns at Tailspin Toys have been given Microsoft Surface 2 devices, which run the Windows RT 8.1 operating system. The Remote Desktop app has been installed on these devices. Interns are to use these devices to run x86 and x64 applications running on a server running Windows Server 2012 R2 with Remote Desktop Services installed.

1. What method could you use to enable an intern to access x86 and x64 RemoteApp applications quickly?

2. What steps would you take to ensure that RemoteApp applications automatically appeared on the Start screens of the Surface 2 devices the interns use?

Objective summary
■ Remote Desktop enables a user to access a desktop environment that is hosted on another computer, with that desktop displayed on the local device.
■ RemoteApp uses the same technology as Remote Desktop but displays an application that is running on a remote computer on a local device.
■ RD Web Access allows users to launch remote desktop sessions and RemoteApp sessions from a specially configured web page.
■ Group Policy settings enable you to configure how remote desktop and RemoteApp connections behave.
■ Computers running Windows 8.1 and Windows 8 can subscribe to a RemoteApp feed through Group Policy or through an item in Control Panel.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. What steps can you take to make RemoteApp applications automatically available to users who have computers running Windows 8.1 that are joined to the domain while expending the least amount of administrative effort?
A. Configure a subscription to the Remote Desktop web feed by using Group Policy.
B. Configure a subscription to the Remote Desktop web feed by using Control Panel.
C. Configure the address of the RD Web Access server as the home page in Windows Internet Explorer on each client.
D. Place shortcuts to each RemoteApp in a shared folder.

2. Which of the following Windows PowerShell cmdlets could you use to create a RemoteApp application?
A. Remove-RDRemoteApp
B. Get-RDRemoteApp
C. New-RDRemoteApp
D. Set-RDRemoteApp
3. You want to enable users to subscribe to the RemoteApp feed by using their organizational email address from the Control Panel setting on their computers running Windows 8.1. Which of the following steps must you take to prepare DNS to support this configuration?
A. Create a TXT record named _msadc with the URL for the Remote Desktop web feed in the text field.
B. Create an MX record with the FQDN for the RD Web Access server.
C. Create an NS record with the FQDN for the RD Web Access server.
D. Create a CNAME record with the FQDN of the RD Web Access server.

Answers

Objective 1.1
Thought experiment
1. You should sequence the application twice, once for the computers running
Windows 7 x86 and once for the computers running Windows 8.1 x64.
2. You should disable the Windows Defender and Windows Search services before
sequencing the application on a computer running Windows 8.1 x64.

Objective review
1. Correct answer: A
A. Correct: You should sequence an application on the platform on which you run it. An x64 application can only be sequenced on an x64 version of an operating system.
B. Incorrect: You cannot use an x86 version of Windows to sequence an x64 application.
C. Incorrect: You should sequence an application on the platform on which you run it. Even though this might work, it is not the best answer because it is not the platform on which it will be run.
D. Incorrect: You cannot use an x86 version of Windows to sequence an x64 application.
2. Correct answers: A and B
A. Correct: App-V Connection Groups allow virtualized applications to share data when running on the same computer.
B. Correct: Virtual environments function in a similar manner to App-V Connection Groups, but they use Configuration Manager rather than an App-V server.
C. Incorrect: Plug-ins extend the functionality of the application. They don’t allow virtualized applications to interact.
D. Incorrect: A middleware application type enables you to sequence middleware or framework software that another sequenced application package requires.
3. Correct answer: D
A. Incorrect: You use a connection group when you need applications to share data with each other.
B. Incorrect: The middleware application type enables you to sequence middleware or framework software that another sequenced application package requires.

C. Incorrect: You can use the Sequencer to create an add-on or plug-in to extend
the functionality of an application.
D. Correct: Package accelerators automate the sequencing process. They are useful
when you need to sequence a particular application frequently.

Objective 1.2
Thought experiment
1. Because you want to use application metering and instance limitation, the full infrastructure model is appropriate.
2. The HTTPS protocol delivers streamed applications to clients.

Objective review
1. Correct answer: B
A. Incorrect: You should deploy the client only to computers that need it.
B. Correct: Configuring the App-V client as a dependency will trigger a check to verify that the App-V client is installed before attempting to deploy the application. If the client is not present, it will be installed.
C. Incorrect: This sequence is reversed. The client should be a dependency for the application.
D. Incorrect: RemoteApp is not related to the App-V client application.
2. Correct answers: A and C
A. Correct: You can configure the App-V full infrastructure model so that App-V applications are streamed and not stored in the cache. This means that the application can run only if connectivity can be established.
B. Incorrect: This model involves local installation and allows offline use.
C. Correct: You can configure Configuration Manager so that only streaming versions of the app are deployed and configure the cache so that applications are not available offline.
D. Incorrect: Although it is possible to deploy App-V on a Remote Desktop Session Host server to host virtualized applications, this is not an optimal solution to this situation.
3. Correct answers: A and B
A. Correct: You need to deploy an App-V Management Server for the App-V full infrastructure model.
B. Correct: You need to deploy an App-V Publishing Server for the App-V full infrastructure model.

C. Incorrect: You don’t need to deploy a Configuration Manager site server for the App-V full infrastructure model.
D. Incorrect: You don’t need to deploy a Remote Desktop Session Host server for the App-V full infrastructure model.

Objective 1.3
Thought experiment
1. You could configure RD Web Access. Interns could access the RD Web Access website and use it to launch RemoteApp applications.
2. You would subscribe the Surface 2 devices to the Remote Desktop web feed. RemoteApp applications would automatically be published to the Surface 2 Start screens.

Objective review
1. Correct answer: A
A. Correct: Configuring a subscription to the Remote Desktop web feed by using Group Policy accomplishes the objective with minimum administrative effort.
B. Incorrect: Configuring a subscription to the Remote Desktop web feed by using Control Panel involves substantial administrative effort.
C. Incorrect: Configuring the address of the RD Web Access server as the home page in Windows Internet Explorer on each client involves substantial administrative effort.
D. Incorrect: Placing shortcuts to each RemoteApp in a shared folder involves substantial administrative effort.
2. Correct answer: C
A. Incorrect: The Remove-RDRemoteApp Windows PowerShell cmdlet enables you to remove an existing RemoteApp application.
B. Incorrect: The Get-RDRemoteApp Windows PowerShell cmdlet enables you to view the properties of a RemoteApp application.
C. Correct: The New-RDRemoteApp Windows PowerShell cmdlet enables you to create a RemoteApp application.
D. Incorrect: The Set-RDRemoteApp Windows PowerShell cmdlet enables you to modify an existing RemoteApp application.

3. Correct answer: A
A. Correct: You need to create a TXT record named _msadc with the URL for the
Remote Desktop web feed in the text field.
B. Incorrect: You need to create a TXT record named _msadc with the URL for the
Remote Desktop web feed in the text field.
C. Incorrect: You need to create a TXT record named _msadc with the URL for the
Remote Desktop web feed in the text field.
D. Incorrect: You need to create a TXT record named _msadc with the URL for the
Remote Desktop web feed in the text field.

CHAPTER 2

Deploy and manage desktop and mobile applications

The ability to manage desktop and mobile applications is one of the main reasons that
many organizations deploy System Center 2012 R2 Configuration Manager. Understanding
how you deploy and manage software to computers and mobile devices by using
Configuration Manager and the cloud-based Microsoft Intune is critical for someone
interested in passing the Managing Enterprise Devices and Apps Using System Center
Configuration Manager exam.

Objectives in this chapter:
■ Objective 2.1: Plan an application distribution strategy.
■ Objective 2.2: Deploy applications using Microsoft System Center 2012 Configuration
Manager.
■ Objective 2.3: Deploy applications using Microsoft Intune.
■ Objective 2.4: Plan for application upgrades.
■ Objective 2.5: Monitor applications.
■ Objective 2.6: Manage content distribution.

Objective 2.1: Plan an application distribution strategy
Configuration Manager provides organizations with a variety of features for
comprehensively managing the application life cycle. This includes the ability to manage
the process of initial application deployment, application maintenance and monitoring,
and application supersedence and removal.

This section covers the following topics:
■ Application management by using Configuration Manager
■ Applications and packages
■ Application management features
■ Application management server roles
■ Software Center
■ Application Catalog

Application management by using Configuration Manager
In System Center 2012 R2 Configuration Manager, you can deploy software by configuring
what are termed applications, or you can use the traditional method of configuring what
are termed packages and programs. Although they have separate names and function in
different ways, both these methods enable you to deploy software to client computers.
Applications contain built-in intelligence, such as the ability to deploy different types of
software based on the properties of the client device. Many administrators find packages
and programs a more efficient method for running simple commands or running custom
scripts on Configuration Manager clients.
When using packages and programs for software distribution, the process consists of the
following elements:
■ Packages Package objects represent the actual files the targeted client requires to
run a program that Configuration Manager deploys. For example, a package could
contain the installation files that Configuration Manager uses to install a software
application on the client computer. Alternatively, a package might not contain any
source files if Configuration Manager only uses it to run an executable that is present
on the computers of the members of the targeted collection. When you create a
package, you can specify many of its properties, such as the package’s name, the
location of source files that it contains, and whether it includes one or more programs.
For example, you can use the Microsoft PowerPoint Viewer files to create a package.
■ Programs A program is the command that indicates how to manage the package
files. You can create a program only after you create the package in which you
define the program. Programs include commands that the client runs during software
deployment. For example, a package that you use to install an application will include
a program that runs a command, such as Setup.exe, which installs the application. A
package must contain at least one program before you can deploy it to clients, but
you can create multiple programs for a package. For example, you could create one
program that installs an application silently and another program that installs the same
application by using an installation wizard. In addition, the program includes
information about how the command will run, such as whether user or administrative rights
are necessary to run the command, the basic requirements to run the program, and
whether another program must be run first.
■ Deployments Deployments, which are similar to advertisements in prior versions of
Configuration Manager, associate a program with a target collection. In addition,
deployments specify other options regarding how the source files for a program
should be accessed by clients and run. For example, you can configure a software
deployment to be available as an optional installation or as a required installation on
the client. A deployment also can specify an installation schedule and how a program
should run, depending on whether the client’s current boundary group has a fast or
slow connection to the distribution point. For example, you can specify that the
program will not run if the client’s boundary group has a slow connection to the selected
distribution point. Traditional software distribution uses the following process:
packages contain programs, and you use deployments to make the programs available to
the collections.
Software deployment also involves a number of other components and concepts:
■ Distribution points Distribution points are site systems that store the package files,
which clients access when running a deployed program. After you create a new
package that contains source files, you must distribute the package to at least one
distribution point before clients can access it and run any of its programs. Typically, you
should place the content on a distribution point that is closest to the clients to which you
want to deploy it.
■ Package definition files You do not always need to create all packages and
programs manually. Many software publishers provide package definition files for their
applications, which allow for automatic creation of packages and programs. Package
definition files specify a package’s properties, such as its name and version, and one or
more program definitions. Program definitions in package definition files include the
program command and can include other properties such as disk-space requirements
and supported client architectures and operating systems.
■ Access accounts If you need to restrict access to a package, you configure which
accounts or groups have permission to access it. By default, administrators have Full
permissions, which enable them to perform any action on a package; users have Read
permissions.
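The package, program and deployment elements listed above can also be created from Windows PowerShell. The following block is an added example, not code from the book or from Microsoft: it builds a package with no source files, adds a program that runs an executable already present in C:\Windows\System32 on every client, and deploys it once as a required deployment. The cmdlet names are those of the System Center 2012 R2 Configuration Manager PowerShell module; the exact parameter names (including the -StandardProgram switch and the -RerunBehavior values) are assumptions to confirm with Get-Help on the installed module, and the site code, package name, collection name and command line are constructed placeholders.

```powershell
# Added example (not from the book): package + program + one-time required
# deployment. Cmdlet/parameter names are assumptions to verify with Get-Help.

# Load the Configuration Manager module from the console installation and
# connect to the site drive. "PS1" is a placeholder site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$PackageName    = 'Force Group Policy refresh'          # hypothetical package
$ProgramName    = 'gpupdate (computer)'                 # hypothetical program
$CollectionName = 'All Windows 8.1 Workstations'        # hypothetical collection

# A package with no source files: the program only runs an executable that is
# already on the client, so there is no content to distribute.
New-CMPackage -Name $PackageName `
    -Description 'Runs once per client; no source files required.'

# The program is the command line that Configuration Manager runs on the client.
# It runs hidden, whether or not a user is signed in, and with administrative
# rights because a computer-targeted gpupdate needs them. Using the fully
# qualified path avoids depending on the client's PATH search order.
New-CMProgram -PackageName $PackageName `
    -StandardProgramName $ProgramName `
    -CommandLine 'C:\Windows\System32\gpupdate.exe /force /target:computer' `
    -RunType Hidden `
    -ProgramRunType WhetherOrNotUserIsLoggedOn `
    -RunMode RunWithAdministrativeRights

# The deployment associates the program with the target collection. Required
# makes it mandatory; NeverRerunDeployedProgram makes each client run it once.
Start-CMPackageDeployment -CollectionName $CollectionName `
    -PackageName $PackageName `
    -StandardProgramName $ProgramName `
    -StandardProgram `
    -DeployPurpose Required `
    -RerunBehavior NeverRerunDeployedProgram
```

Because the program runs with administrative rights on every member of the collection, scope the collection to exactly the devices that need the command, and keep the command line a fully qualified path to an executable that is already on the client so that the package carries nothing that has to be staged on a distribution point.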

Applications and packages
Table 2-1 describes the differences between applications and packages based on application
management features.

TABLE 2-1 Applications and packages

Basic software information
Application: Options include location of files used in the deployment and some
additional deployment settings.
Package: Options include location of files used in the deployment and some additional
deployment settings.

Extended software and support information
Application: The application model includes extended information.
Package: This feature is not part of the package model.

Software command options
Application: Deployment types specify:
■ The command to run.
■ The optional Uninstall command.
■ Detection methods.
■ User experience settings.
■ Advanced requirements.
■ Advanced dependency settings.
Package: Programs specify:
■ The command to run.
■ Basic requirements.
■ Basic environment settings.
■ Basic dependency settings.
■ Requirements are contained in query rules for the target collection.

Multiple deployment options
Application: A single application can contain multiple deployment types.
Package: A package can contain multiple programs.

Deployment by
Application: Application.
Package: Package and program.

Deployment option used
Application: The deployment type that Configuration Manager uses is based on
requirements, and it determines which to use at run time.
Package: Only one program is available per deployment; all clients in the targeted
collection run the same command.

Revision history
Application: Revisions are maintained, and you can revert the application to previous
versions.
Package: Revision history is not maintained.

Supersedence
Application: Supersedence enables you to define a replacement relationship between
applications.
Package: Packages do not include a similar feature.

Uninstall action
Application: You can deploy applications to install or uninstall an application.
Package: You always deploy packages by using the Install action.

State-based deployment
Application: By using detection methods, the Configuration Manager client can
determine the state of an application in relationship to its action and purpose and
then perform the appropriate actions if necessary.
Package: Packages do not include a similar feature.

There is some additional information that you can include in an application and not in a
package. This information includes:
■ General information, including administrative categories, date published, owners, and
support contacts.
■ Application Catalog information, including localization information, keywords, and
user categories that help users search in the Application Catalog and user documenta-
tion.
■ Relationship information between the application and other applications.
You will typically use applications to deploy software because of the advanced deployment
options and monitoring features that they provide. Put another way, applications are the
method you should use going forward, even though you might still need packages to support
the way you performed software deployment in the past. The exception to this generalization
is scripts. You are likely to use packages to deploy software when working with:
■ Scripts that do not install any software on the computer, such as a script to restart a
number of services in a specific order. These scripts typically do not have any detection
methods that can determine their state.
■ Scripts that will run only once. These scripts will be part of an operating system
deployment, and you do not need to monitor them continually.
There are other methods, such as Group Policy Preferences, that you can also use to run
scripts on computers, but packages remain the best way to run scripts on a computer if you
want to perform that task by using Configuration Manager.

EXAM TIP
Using a package is the best way to accomplish the goal of running a script by using
Configuration Manager.

Application management features
Application management uses the following Configuration Manager features:
■ Requirements
■ Global conditions
■ Detection methods
■ Supersedence
■ Deployment action and purpose
■ State-based deployment
■ User device affinity
■ Monitoring
These features are described in the following pages.

Requirements and global conditions
Global conditions enable you to set conditions you can use to create requirements in a
deployment type to determine whether the deployment type is suitable for a particular user
or client device—for example, whether the computer is the user’s primary device. Several
global conditions are already defined in Configuration Manager, and you can create more as
necessary.
A requirement is a global condition with an operator and a value that is associated with a
deployment type. Configuration Manager evaluates application requirements on a schedule
to determine whether the deployment type is applicable to the clients in a targeted
collection.

Detection methods
Detection methods enable you to define how Configuration Manager determines an
application’s installation state. Detection methods can query many aspects of the client
operating system, including the file system and registry. For example, a detection method to
determine whether an application is installed would involve checking for a specific registry
key and value.
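A detection method can also be supplied as a script rather than as a registry or file rule. The following PowerShell script is an added example, not from the book, of a custom script detection method that performs the registry check just described: it looks for the product’s entry under the Windows Uninstall keys and reports it installed only when the recorded version meets the version the deployment type installs. The contract it follows is Configuration Manager’s own: exit code 0 with text written to STDOUT means installed, exit code 0 with nothing on STDOUT means not installed, and a non-zero exit code is reported as a detection error. The product name, minimum version and the decision to read only HKLM are constructed sample values and assumptions.

```powershell
# Added example (not from the book): custom script detection method for an
# application deployment type.
# Contract: exit 0 + output on STDOUT = installed; exit 0 + no output =
# not installed; non-zero exit = detection error.

# Constructed sample values: replace with the product's real DisplayName and the
# version that this deployment type installs.
$ExpectedDisplayName = 'Contoso Expense Reporter'   # hypothetical product
$MinimumVersion      = [version]'4.2.0'

# Per-machine Uninstall keys for 64-bit and 32-bit (WOW6432Node) installs.
# HKLM only: a per-user (HKCU) entry should not make a system-context
# deployment look compliant.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

try {
    $entries = Get-ChildItem -Path $UninstallRoots -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -eq $ExpectedDisplayName }

    foreach ($entry in $entries) {
        # "-as [version]" yields $null for a malformed DisplayVersion instead of
        # throwing, so an odd registry value does not become a detection error.
        $installedVersion = $entry.DisplayVersion -as [version]

        # Report "installed" only when the version meets the minimum; otherwise
        # state-based evaluation would treat an out-of-date install as compliant
        # and never bring it up to the deployed version.
        if ($installedVersion -ne $null -and $installedVersion -ge $MinimumVersion) {
            Write-Output "Detected $ExpectedDisplayName $($entry.DisplayVersion)"
            exit 0
        }
    }

    # Nothing written to STDOUT: the application is reported as not installed.
    exit 0
}
catch {
    # Surface real failures (for example, a registry access error) as a
    # detection error rather than silently reporting "not installed".
    Write-Error $_
    exit 1
}
```

When testing the script outside Configuration Manager, run it as SYSTEM (for example, from a scheduled task) rather than as an administrator, because that is the context in which the client evaluates detection for device-targeted deployment types, and a script that works interactively but not as SYSTEM will report every client as not installed.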

Supersedence
Supersedence enables you to configure a relationship between a new application and an
existing application that you have deployed. After you configure supersedence, all future
deployments and Application Catalog requests receive the new application.

Deployment action and purpose
When you deploy an application in Configuration Manager, you choose a deployment action
and a deployment purpose that define what the deployment should do. Together, the
deployment action and the deployment purpose represent your intent for the application.
The available deployment actions are:
■ Install This action specifies that the deployment will install the application.
■ Uninstall This action specifies that the deployment will uninstall the application.
The possible deployment purposes are:
■ Available If you deploy the application to a user, the user sees the published
application in Application Catalog. If you deploy the application to a device, the user sees
it in Software Center.
■ Required If you deploy the application to either a user or a device, the application is
deployed automatically according to the schedule you have configured. However, you
can allow a user to install the application before the deadline by using Software Center.
When you specify the user-targeted deployment purpose as available, you can specify
whether users need to request approval from an administrator before they can install the
application. After an administrator provides approval, which can be done from the
Configuration Manager console, the application will install.

State-based deployment
The Configuration Manager client periodically reevaluates the state of deployed applications
to verify that the current state matches the deployment purpose. For example, if an
application has been deployed as required and the user has uninstalled it, Configuration
Manager will reinstall the required application. Similarly, if a required deployment uninstalls
an application and the user reinstalls it, Configuration Manager will uninstall the application
during the evaluation cycle.
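The deployment action and purpose described above, together with the detection method that state-based deployment relies on, can be seen end to end in the following PowerShell block. It is an added example, not code from the book or from Microsoft: it creates an application from an .msi, lets the deployment type read its install and uninstall commands and a Windows Installer product-code detection method from the file, distributes the content, and then deploys it with the Install action and the Required purpose. The cmdlet names are those of the System Center 2012 R2 Configuration Manager PowerShell module; the exact parameter names and enumeration values are assumptions to confirm with Get-Help on the installed module, and the site code, application name, UNC path, collection and distribution point names are constructed placeholders.

```powershell
# Added example (not from the book): application + MSI deployment type +
# required deployment. Cmdlet/parameter names are assumptions to verify with
# Get-Help on the installed Configuration Manager module.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                   # placeholder site code

$AppName        = 'Contoso Expense Reporter'                      # hypothetical
$MsiPath        = '\\FS01\Sources$\ContosoExpense\4.2\Setup.msi'  # hypothetical
$CollectionName = 'Finance Workstations'                           # hypothetical
$DpName         = 'DP01.contoso.com'                               # hypothetical

# 1. The application object carries the metadata administrators see in the
#    console and users see in the Application Catalog.
New-CMApplication -Name $AppName -Publisher 'Contoso' -SoftwareVersion '4.2.0' `
    -Description 'Expense reporting client'

# 2. The deployment type holds the command to run. Reading the .msi populates
#    the install/uninstall commands and a product-code detection method, which
#    the client later uses to decide whether a Required app must be reinstalled.
#    InstallForSystem runs the installer in the SYSTEM context, so the user
#    needs no local administrator rights.
Add-CMDeploymentType -ApplicationName $AppName -MsiInstaller `
    -InstallationFileLocation $MsiPath `
    -AutoIdentifyFromInstallationFile `
    -ForceForUnknownPublisher $true `
    -InstallationBehaviorType InstallForSystem

# 3. Content has to be on a distribution point before any client can run it.
Start-CMContentDistribution -ApplicationName $AppName -DistributionPointName $DpName

# 4. Action Install + purpose Required = mandatory by the deadline; clients can
#    still install early from Software Center. Purpose Available would only
#    offer the app (Software Center for device targets, Application Catalog
#    for user targets).
Start-CMApplicationDeployment -CollectionName $CollectionName -Name $AppName `
    -DeployAction Install `
    -DeployPurpose Required `
    -UserNotification DisplaySoftwareCenterOnly `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date).AddDays(7)
```

A deployment that uninstalls the same application differs only in the action (-DeployAction Uninstall), and because the deployment type carries the product-code detection method, the client can tell after each evaluation cycle whether the observed state still matches that intent.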

User device affinity
User device affinity enables a user to be associated with one or more specific devices. You
can use this feature to deploy applications to the user and ensure that the application is
installed on only those specific devices with which the user is associated. For example, you
can ensure that an application is installed on the user’s primary device rather than on any
other device he happens to sign on to. You can use user device affinity to predeploy software
on a user’s device even when the user is not logged on. You are most likely to use user device
affinity as a requirement when configuring a deployment type.

Monitoring
An important aspect of the application management process is to monitor deployments for
success or failure. Monitoring can involve several activities, including:
■ Examining status in the Monitoring workspace.
■ Reviewing application management reports.
■ Reviewing status messages.
■ Examining log files.

Application management server roles
Server roles that assist in application management include the Application Catalog web ser-
vice point, Application Catalog website point, and the reporting services point.

Application Catalog
Application Catalog enables users to select and install applications automatically by placing
requests in a portal, which administrators can approve for installation, or, if specially
configured, allow installation to occur.

You can implement Application Catalog by using the following two site roles:
■ Application Catalog Web Service Point This role provides software information
from the software library. As an administrator, you configure this information for each
application that publishes in the catalog.
■ Application Catalog Website Point This role is the web interface for end users.
Users can use this portal to view the list of available applications and request and
install applications.
When planning for Application Catalog, you should keep in mind that:
■ Application Catalog is a hierarchy-wide role. Typically, in a hierarchy with multiple
primary sites, you install one instance of each role in each primary site, although
multiple instances are supported.
■ You cannot install Application Catalog in a secondary site or on a central
administration site, only in a primary site.
■ Application Catalog enables users to install deployed applications or request available
applications, which deploy after approval.
■ Application Catalog enables users to configure some preferences and wipe their
mobile devices that are being managed through Configuration Manager.
■ You can integrate Application Catalog with Microsoft SharePoint.

Reporting services
The reporting services point is a site system that you install on a server that is running
Microsoft SQL Server Reporting Services (SSRS), which provides advanced reporting
capabilities and authoring tools for building reports. Use this server role to generate reports
related to application management.
You can run reports from the Configuration Manager console or directly from the
reporting services point website. You can save reports in a variety of formats. In addition to
running reports manually, the reporting services point supports report subscriptions, which
are recurring requests to deliver reports at specific times or in response to events. In the
subscription, you can specify the application file format of the report.
When you are planning for the reporting services point, consider the following:
■ You must install the reporting services point on a computer that is running the same
version of SSRS as that of the site database.
■ Each SSRS instance can support one site only.
■ You can install multiple reporting services points in your hierarchy.
■ If you install a reporting services point in a primary site, the reports show the data
collected from that site. However, reports that you run on a reporting services point in
the central administration site return data collected from the entire hierarchy.

Software Center
Software Center is a tool used for installing and monitoring software deployments targeted
to devices. Software Center is installed as part of the Configuration Manager client. Figure 2-1
shows Software Center.

FIGURE 2-1 Software Center showing available software

Software Center provides users with some control over how and when software installs on
their devices. Users can perform the following actions by using Software Center:
■ Install software that has been deployed as Required to a user collection of which they
are members if the deployment deadline has not passed and they are allowed to do so.
■ Install software that has been deployed as Available to a device-based collection of
which the system is a member.
■ Monitor the status of deployed software. The statuses include Available, Install After,
Installing, Installed, or Failed.
■ Retry an installation that has failed.
■ Uninstall installed software if you configure an uninstall command on the application
and do not require the software.
■ Manage their personal settings. On the Options tab, users can configure the following
settings, provided the policies set in the applicable client settings allow them to do so:
■ Business Hours And Days Users can configure their business hours and days and
configure settings so their systems do not install software during business hours.
■ Computer Maintenance Users can configure a setting to allow the required
software to deploy only outside their business hours. In addition, they can configure
a setting to suspend Software Center activity while in the presentation mode.
■ Power Management Users can specify whether this computer will use the power
management policies that have been configured through Configuration Manager.
■ Remote Control Users can specify the level of remote control allowed or whether
administrators must ask permission before obtaining remote control or other
related settings.

Application Catalog
Application Catalog is an optional component you can install for both intranet-based clients
and Internet-based clients. It functions as a self-service catalog from which users can request
software for installation.
Application Catalog uses two roles: the Application Catalog Web Service Point and the
Application Catalog Website Point roles. The Web Service Point role communicates with
the site server to retrieve application information. The Website Point role is the interface for
Application Catalog, and this role depends on the Web Service role. When users connect to
Application Catalog, the Website Point role passes requests and other communications to the
Web Service Point role, which in turn passes those communications to the site server.
You can customize the look of the Application Catalog website by using the Application
Catalog website point Properties dialog box. A user can navigate to the Application Catalog
website directly. Alternatively, Software Center provides a link to Application Catalog when
you configure the Default Application Catalog website point in the applicable client settings.
Users can use the Application Catalog website point to:
■ Find available software.
■ Specify primary devices.
■ Manage available applications. On the Application Catalog tab, users can:
■ Search or browse Application Catalog for available software.
■ Install software available to a user-based collection of which they are members.
■ Request software that requires administrator approval.
■ Monitor the status of software requests on the My Application Requests tab.
■ Manage their primary devices. On the My Devices tab, users can:
■ Designate the current system as a primary device.
■ Manage their mobile devices. Users can view the status of their mobile devices and
wipe them remotely if necessary.

MORE INFO APPLICATION CATALOG AND SOFTWARE CENTER

You can learn more about Application Catalog and Software Center at
http://technet.microsoft.com/en-us/library/hh489603.aspx.

Software distribution to mobile devices
Integrate Configuration Manager with Microsoft Intune to deploy and manage devices that
are running Windows Phone 8, Windows RT, Apple iOS, and Android operating systems. You
integrate Configuration Manager with Intune by using the Intune connector, which acts as a
gateway between Configuration Manager and Intune. In this method, the mobile devices
connect to the cloud to receive configuration information and software. Only System Center
2012 R2 Configuration Manager and System Center 2012 Configuration Manager Service
Pack 1 (SP1) support this method.
Users can perform self-enrollment by using Company Portal, which is an app Microsoft
publishes and is available in the following locations:
■ The Apple App Store for iOS devices
■ The Google Play store for Android devices
■ The Windows Store for Windows devices

Thought experiment
Configuration Manager at Wingtip Toys
You are planning the use of Configuration Manager for software deployment at
Tailspin Toys. You want to run a command from the C:\Windows\System32 folder
on all of the 15,000 Configuration Manager clients in your organization but to do
so only once. You also want to ensure that the App-V version of an application is
deployed only on computers that are not a user’s primary device. With this
information in mind, answer the following questions:

1. What’s the best way to get Configuration Manager to run the command?

2. What’s the best way to ensure that the App-V version of the application is
deployed correctly?

Objective summary
■ In System Center 2012 R2 Configuration Manager, you can choose to deploy software
by configuring what are termed applications, or you can use the traditional method of
configuring what are termed packages and programs.
■ Applications contain built-in intelligence, such as the ability to deploy different types
of software based on the properties of the client device.
■ Package objects represent the actual files the targeted client requires to run a program
that Configuration Manager deploys.
■ A program is the command that indicates how to manage the package files.
■ Deployments associate a program with a target collection.
■ Distribution points are site systems that store the package files, which clients access
when running a deployed program.
■ Global conditions enable you to set conditions that you can use to create requirements
in a deployment type to determine whether the deployment type is suitable for a
particular user or client device.
■ Detection methods enable you to define how Configuration Manager determines an
application’s installation state.
■ Supersedence enables you to configure a relationship between a new application and
an existing application that you have deployed.
■ The available deployment actions are Install and Uninstall.
■ The possible deployment purposes are Available and Required.
■ User device affinity is the process of associating a user with one or more specific
devices.
■ Software Center is a tool used for installing and monitoring software deployments
targeted to devices.
■ Application Catalog functions as a self-service catalog from which users can request
software for installation.
■ Integrate Configuration Manager with Intune to deploy and manage devices that are
running Windows Phone 8, Windows RT, Apple iOS, and Android operating systems.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following Configuration Manager features is used to determine whether
an application has already been installed on a computer?
A. Detection method
B. Supersedence
C. User device affinity
D. Application Catalog
2. Which of the following Configuration Manager features enables end users to request
software they can, after approval, deploy to their computers?
A. User device affinity
B. Application Catalog
C. Supersedence
D. Detection method
3. Which of the following Configuration Manager features would you use if you wanted
to target a deployment so that a particular application was installed only on a user’s
primary computer?
A. Detection method
B. Supersedence
C. Application Catalog
D. User device affinity
4. Microsoft Word 2010 is deployed on all computers in your organization. You want this
version of Word to replace Microsoft Word 2013 automatically. Which of the following
Configuration Manager features would you employ to accomplish this goal?
A. User device affinity
B. Application Catalog
C. Supersedence
D. Detection method

Objective 2.2: Deploy applications using Microsoft System Center 2012 Configuration
Manager
This objective deals with deploying applications to clients by using Configuration Manager.
It covers how you can create applications; perform application deployment; and configure
detection methods, dependencies, global conditions, requirements, and user device affinity.

This section covers the following topics:
■ Application creation
■ Application deployment
■ Detection methods
■ Dependencies
■ Global conditions
■ Requirements
■ User device affinity
■ Deploy Software Wizard
■ Simulated deployments

Creating applications
You can create applications in Configuration Manager by using the Create Application
Wizard. Access this wizard by navigating to the Applications node in the Application
Management folder in the Software Library workspace and then clicking Create Application
in the shortcut menu or on the ribbon. When creating an application, you can set the wizard
to detect settings automatically from the installation files or use the wizard to create the
application manually.
When using the Create Application Wizard to create an application from an installation
file, the wizard reads the installation files from the standard deployment types and
automatically populates several fields for the application. The Create Application Wizard can
read the same installation files as the Create Deployment Type Wizard except that it does not
display a separate Script Installer option. When creating an application from a script, you
select Manually Specify The Application Information in the Create Application Wizard on the
Specify Settings For This Application page.

Automatic detection of settings
When you create applications, you select the type of application you will create on the Specify
Settings For This Application page of the Create Application Wizard—for example,
Windows-based, such as Windows Installer (*.msi file) or Microsoft Application Virtualization 5,
or mobile-based, such as the Windows Phone app package. After specifying the type, specify
the location of the installation file to be imported.
Depending on the imported file, some of the application information will be read from the
file. You can add to or modify the existing information. After completing the wizard, you can
customize the application with requirements and other information.

Modifying application settings
Table 2-2 lists application settings that you can modify after creating an .msi-based
application.

TABLE 2-2 Application settings

General Information tab
The settings that you can modify on this tab are:
■ Name You can modify the name of the application.
■ Administrator Comments You can modify any comments for administrators.
■ Publisher You can modify the name of the software manufacturer.
■ Software Version You can modify the software version.
■ Optional Reference This is an optional field.
■ Administrative Categories You can modify these categories that help
administrators locate content in the Configuration Manager console.

52 Chapter 2 Deploy and manage desktop and mobile applications

■ Date Published You can use this setting to specify a date on which the
application was published.
■ Allow This Application To Be Installed From The Install Application
Task Sequence Action Without Being Deployed You can select this
check box when you want to use the application in a task sequence such as
an operating system deployment task sequence.
■ Owners You can modify the owners of the application.
■ Support Contacts You can modify the support contacts for the
application.

Application Catalog The only setting that you can modify on this tab is Selected Language. The following
options are configurable for each language installed and apply to the language
selected. (The users can view all these options in Application Catalog.)
■ Localized Application Name This option displays the name the users
will see.
■ User Categories Use this option to specify categories that the user can
use to filter applications in Application Catalog.
■ User Documentation Use this option to specify a URL for accessing user
documentation.
■ Link Text Use this option to add a descriptor to the documentation link.
■ Privacy URL Use this option to specify a URL to access company-specific
privacy information.
■ Localized Description Use this option to specify a description for the
application.
■ Keywords Use this option to add keywords for users to use when searching
Application Catalog.
■ Icon Use this option to specify an application icon.
The language in Internet Explorer determines the language displayed when a client
connects to Application Catalog.

References You can use the Relationship Type drop-down list on this tab to view:
■ Applications That Depend On This Application.
■ Applications That Supersede This Application.
■ Virtual Environments That Contain This Application.

Objective 2.2: Deploy applications using Microsoft System Center 2012 Configuration Manager CHAPTER 2 53

Distribution Settings The settings that you can modify on this tab are:
■ Distribution Priority You can use this drop-down list to set the priority
for sending the package to other sites and distribution points in the same
site.
■ Distribute The Content For This Package To Preferred Distribution
Points If you select this check box, when a client requests this content
and it is not available on any of its preferred distribution points, the content
will be distributed automatically to the client’s preferred distribution points.
■ Prestaged Distribution Point Settings This section provides three
options for copying content to distribution points that are configured to
support prestaged content:
■ Automatically Download Content When Packages Are Assigned
To Distribution Points You can use this option for smaller applications,
such as Silverlight, that are only a few megabytes in size, where
bandwidth limitations will not affect their distribution.
■ Download Only Content Changes To The Distribution Point You
can use this option for applications that are quite large but receive
small updates. For example, Microsoft Office is an application with
an initial size of more than 700 megabytes (MB), and it receives small
software updates.
■ Manually Copy The Content In This Package To The Distribution
Point You can use this option for large packages, such as Office 2013,
or for situations in which bandwidth limitations are a concern. With this
option, the Configuration Manager distribution manager process will
never send the application to the remote distribution point.

Deployment Types This tab displays the currently configured deployment types and enables you to
manage the existing deployment types or add new deployment types.

Content Locations The Distribution Points or Distribution Point Groups dialog box displays the distri-
bution points and distribution point groups that have the application content.

Supersedence The Supersedence tab displays the applications that this application supersedes.
You can add, edit, or remove supersedence relationships by using this tab.

Security The Administrative Users section displays the user or groups that have administra-
tive rights to the application.


Application deployment
The software deployment process in Configuration Manager consists of determining the users
or devices to which you want to deploy the application and the way you want to present the
software. A deployment can install automatically (Required), appear in Software Center
(Available to devices), or be requested from Application Catalog (Available to users).
You can deploy applications to either user collections or device collections. To deploy an
application, select the application and then, on the shortcut menu or ribbon, click Deploy.
This launches the Deploy Software Wizard.
By default, the installation behavior on a Windows Installer (*.msi file) deployment type is
set according to the information in the .msi file. When the installation behavior on the User
Experience tab is Install For System If Resource Is Device; Otherwise Install For User, there are
some differences between deploying to a user and deploying to a device.
Table 2-3 describes these differences.

TABLE 2-3 Deployment type differences (installation behavior: Install For System If Resource Is Device; Otherwise Install For User)

Software deployed as Required that is at the deadline or beyond
■ Deploying to users: The software is installed automatically and silently.
■ Deploying to devices: The software is installed automatically and silently.

Software deployed as Required prior to the deadline
■ Deploying to users: The targeted user can start the installation from Software Center.
■ Deploying to devices: Any user of the device can start the installation from Software Center.

Software deployed as Available
■ Deploying to users: The user can request it from Application Catalog. This might require administrator approval.
■ Deploying to devices: Any user of the device can start the installation from Software Center.

Deploy software without requiring a user to log on
■ Deploying to users: This option installs the software only on a user’s primary device, if present.
■ Deploying to devices: You can use this option to install software on any device.

Who can use the software
■ Deploying to users: The user or users to whom the software was deployed can use it.
■ Deploying to devices: Everyone using the device can use the software.

Software types
The Application Management feature supports different kinds of software, including
Windows-based software and mobile device software. You can perform multiple actions
with software through System Center 2012 R2 Configuration Manager, including installing
standard installations, performing custom installations, installing virtualized applications, and
uninstalling software. Each installation method that you define is classified as a deployment
type.
Applications contain deployment types, which in turn contain information about the files,
commands, and programs used to install or uninstall software by using a particular method or
command.


When creating a new deployment type, the Create Deployment Type Wizard reads the
installation files from the standard deployment types and automatically populates several
fields based on the deployment type. System Center 2012 Configuration Manager and newer
versions work with many of the application packages available for installation on computers
and mobile devices. The installer files in each of these software packages include all the
information required to install the software. Figure 2-2 shows the list of supported automatic
installation method detection types.

FIGURE 2-2 Deployment type settings

The Create Deployment Type Wizard uses the following standard installation files to create
the application and initial deployment type:
■ Windows Installer (*.msi File) This deployment type creates an application from a
Windows Installer file.
■ Windows App Package This deployment type uses Windows Store apps (.appx files).
■ Windows App Package (In The Windows Store) This deployment type enables
you to deploy applications directly from the Windows Store. This requires the users to
have a valid account for the Windows Store.
■ Script Installer This deployment type creates custom applications. For example, you
use this deployment type for *.exe files or to deploy installation scripts.
■ Microsoft Application Virtualization 4 This deployment type creates an application
from a Microsoft Application Virtualization 4 manifest (.xml) file.
■ Microsoft Application Virtualization 5 This deployment type creates an application
from a Microsoft Application Virtualization 5 package (.appv) file.
■ Windows Phone App Package (*.xap File) This deployment type creates an
application by using a Windows Phone app package (.xap) file.
■ Windows Phone App Package (In The Windows Phone Store) This deployment
type creates an application deployment based on a link to the application in the
Windows Phone Store.
■ Windows Mobile Cabinet This deployment type creates an application from a
Windows Mobile Cabinet (.cab) file for supported Windows-based mobile devices.

■ App Package For iOS (*.ipa File) This deployment type creates an application from
an app package for Apple iOS (.ipa) file.
■ App Package For iOS From App Store This deployment type creates an application
by specifying a link to the app in the App Store.
■ App Package For Android (*.apk File) This deployment type creates an application
from an app package for an Android (.apk) file.
■ App Package For Android On Google Play This deployment type creates an
application by specifying a link to the app on Google Play.
■ Nokia SIS File This deployment type creates an application from files that are in
Symbian Installation System (sis or sisx) format for supported Nokia Symbian–based
mobile devices.
■ Mac OS X This deployment type creates an application from a Mac OS X Installer
(.cmmac) file that was created by using the CMAppUtil tool.
■ Web Application This deployment type creates a shortcut on a user’s device to the
web application.

Manual information entry


You can enter information manually into a deployment type or import a file that contains
information to the deployment type. A deployment type can include the following
information:
■ General information about the deployment type, including the name of the deployment
type, the technology the deployment type uses, and all the languages the
deployment type supports
■ Location of any content that the installation requires and the expected behavior when
communicating with a distribution point
■ Installation commands and uninstall commands
■ Detection method used to determine whether the application is installed on a client
device
■ User experience settings, including installation behavior and visibility
■ Requirements that must be met for the deployment type to install
■ Return codes used to determine whether a restart is required, the installation is complete,
or any other events you want to communicate to the user
■ Dependencies—additional deployment types from a separate application—that this
deployment type requires



Considerations when deploying to Mac computers
Deploying applications to supported Mac computers is similar to deploying applications to
computers that are running Windows operating systems. However, due to the differences in
the platforms, consider the following:
■ You must package Mac OS X applications by using the CMAppUtil tool on a Mac
computer. This renders them in a format that System Center 2012 R2 Configuration
Manager can read.
■ You can deploy Mac OS X applications only to devices, not to users.
■ Mac OS X applications support simulated deployments.
■ You cannot deploy Mac OS X applications as Available.
■ You cannot send wake-up packets to Mac OS X computers to start a deployment.
■ Mac OS X computers do not support Background Intelligent Transfer Service (BITS).
■ Mac OS X deployments do not support global conditions. However, they do support
requirements such as operating system.

MORE INFO DEPLOYING SOFTWARE TO MAC COMPUTERS


You can learn more about deploying software to Mac computers at http://technet.microsoft.com/en-us/library/jj687950.aspx.

Using deployment types


To create a new deployment type in an existing application, open the application’s Properties
dialog box, click the Deployment Types tab, and then click the Add button. The Create
Deployment Type Wizard opens, and you can select the deployment type you are creating.
You can choose Automatically Identify Information About This Deployment Type From Installation
Files or Manually Specify The Deployment Type Information.
When retrieving the information from an installer file, you import the required information
and possibly some optional information. You can edit the deployment type afterward to supply
additional optional information or modify the imported information.
When creating a deployment type manually, you must supply all required information in
addition to any optional information. For example, when you work with the Windows Installer
(*.msi file) deployment type, you can use:
■ Automatic creation The required fields and some optional fields are populated
automatically. They usually include Name, Installation Program, Installation Behavior,
Detection Method, and Uninstall Program. The Detection Method and Uninstall Program
fields do not appear in the Create Deployment Type Wizard. Additional information
that you can provide in the wizard includes Requirements and Dependencies.
■ Manual creation You must specify Name, Installation Program, and Detection
Method. Additional information that you can provide in the wizard includes Uninstall
Program, Requirements, Dependencies, and User Experience settings.



The following list describes the sections in the Create Deployment Type Wizard and considerations
to keep in mind when configuring them.
■ General Contains basic information about the deployment type, including the name
and type of deployment. You can add additional information as reference information
for the Configuration Manager administrators.
■ Content Contains information about the source files and how this deployment type
will use them. If you are creating a deployment type for files that already exist on the
client devices, you need not specify the content location.
■ Programs Contains information about the install and uninstall commands in this
deployment type. There are some optional fields to ensure that applications install correctly
and enable Windows source management.
■ Detection Method Contains information about how the success of an installation
will be determined. You must specify at least one detection method. For complex
installations, you can create a script to detect the installation.
■ User Experience Contains information about how the user will view and interact
with the deployment.
■ Requirements Contains the conditions that will determine whether to install this
deployment type.
■ Return Codes Contains the codes the program will return when it finishes running.
Return codes can indicate successful installation, failed installation, or some other condition
such as when the installation process requires a restart.
■ Dependencies Contains information about the deployment types you must install
before you can install this deployment type. You can configure the dependencies to be
autoinstalled during a deployment.
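The following script is an added example and is not code from this book or from Microsoft. It walks the same steps the Create Deployment Type Wizard sections above cover (General, Content, Programs, Detection Method, User Experience) and then the Deploy Software Wizard from the Application deployment section, using the ConfigurationManager PowerShell module that ships with the console. It assumes a console whose module includes the Add-CMScriptDeploymentType and New-CMDetectionClause* cmdlets (these were added after the System Center 2012 R2 RTM console), a site code of CM1, an application called Contoso Agent with source files on \\cm01\Sources\ContosoAgent, a distribution point group named All DPs, and a device collection named Contoso Workstations; every one of those names is an assumption. Start-CMApplicationDeployment is the 2012 R2 cmdlet; later branches replace it with New-CMApplicationDeployment.

```powershell
# Added example, not the book's own code. All site, share, collection and product
# names below are assumptions; replace them with values from your own hierarchy.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'CM1:'   # assumed site code, exposed as a PSDrive by the module

$appName = 'Contoso Agent'
$source  = '\\cm01\Sources\ContosoAgent'   # assumed content location (Content section)
$version = '2.1.0.0'

# 1. General: the application object carries only the General Information tab metadata.
$app = New-CMApplication -Name $appName -Publisher 'Contoso' -SoftwareVersion $version `
    -Description 'Endpoint agent' -Owner 'Endpoint Team'

# 2. Detection Method: two clauses. Clauses are joined with AND unless you set a
#    connector, so the executable must be at least the expected version AND the
#    installer must have written its registry marker before the client treats the
#    application as installed (and refuses to reinstall it needlessly).
$fileClause = New-CMDetectionClauseFile -Path 'C:\Program Files\Contoso\Agent' `
    -FileName 'agent.exe' -PropertyType Version -ExpectedValue $version `
    -ExpressionOperator GreaterEquals -Value
$regClause = New-CMDetectionClauseRegistryKeyValue -Hive LocalMachine `
    -KeyName 'SOFTWARE\Contoso\Agent' -ValueName 'Installed' -PropertyType Integer `
    -ExpectedValue 1 -ExpressionOperator IsEquals -Value

# 3. Programs + User Experience: a Script Installer deployment type for a setup.exe.
#    Install for the system, whether or not a user is logged on, with the installer
#    window hidden so the silent switches cannot be bypassed by an interactive user.
Add-CMScriptDeploymentType -ApplicationName $appName -DeploymentTypeName "$appName - Setup" `
    -ContentLocation $source `
    -InstallCommand 'setup.exe /S' `
    -UninstallCommand '"C:\Program Files\Contoso\Agent\uninstall.exe" /S' `
    -AddDetectionClause $fileClause, $regClause `
    -InstallationBehaviorType InstallForSystem `
    -LogonRequirementType WhetherOrNotUserLoggedOn `
    -UserInteractionMode Hidden `
    -MaximumRuntimeMins 30 -EstimatedRuntimeMins 5

# 4. Content must be on at least one distribution point before any client can install.
Start-CMContentDistribution -ApplicationName $appName -DistributionPointGroupName 'All DPs'

# 5. Deploy as Required to a device collection. The deadline is what makes the
#    deployment mandatory; before it, users can still start the install from Software Center.
Start-CMApplicationDeployment -Name $appName -CollectionName 'Contoso Workstations' `
    -DeployAction Install -DeployPurpose Required `
    -AvailableDateTime (Get-Date) -DeadlineDateTime (Get-Date).AddDays(7) `
    -UserNotification DisplaySoftwareCenterOnly
```

Two checks worth making before running this against a production site: confirm the install command really is silent from an elevated command prompt on a test machine (a setup that pops a dialog under -UserInteractionMode Hidden will simply hang until -MaximumRuntimeMins expires), and confirm that the two detection clauses are false on a clean machine and true after a manual install, because a clause that is true before installation causes the client to report success without ever running the installer.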

Detection methods
A detection method is a procedure that enables the deployment process to determine
whether an application is present on a system. Detection occurs before the content is
installed and at regular intervals afterward and provides the following functions:
■ Preventing Configuration Manager from reinstalling the application needlessly
■ Reinstalling a required application that the user has uninstalled, for example, through
Control Panel
■ Determining whether an application is present before running a deployed uninstall
command
When you create an application by using one of the automatic methods, Configuration
Manager creates a detection method based on the installer file used to create the application.
Generally, this is sufficient for most deployments. However, when you create a deployment
type manually or when you need more refinement, you can create enhanced detection
methods.



To create a new detection method, open the properties of the deployment type that you
wish to modify, click the Detection Methods tab, and then click Add Clause. There are three
types of detection rules in the Detection Rule dialog box:
■ File System You can detect an application based on the existence of a specific file
or folder. You can also create a detection method that uses the Date Modified or Date
Created properties for either a file or folder, or the Version or Size properties for a file.
■ Registry You can detect an application by searching in any of the registry hives for
the existence of a specific key or value. You can also refine this detection method by
specifying a value for comparison.
■ Windows Installer You can detect an application by using the Windows Installer
database of installed applications. You can base this detection method on the existence
of a specific product code, or you can specify values for comparison of the Version
property or the Upgrade Code property.
You can create multiple detection rules in a single detection method and use either the
AND or the OR operator to connect them. In addition, you can group detection methods to
make complex detection methods.
Finally, instead of using the detection methods, you can create a Windows PowerShell,
Microsoft Visual Basic Scripting Edition (VBScript), or JScript script to detect an installed
application.
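The script below is an added example, not code from the book or from Microsoft. It shows what a PowerShell detection script does that the three built-in rule types cannot do in one clause: it combines a File System version check, a Registry value check and a Windows Installer product-code check with mixed AND/OR grouping. The contract the Configuration Manager client applies to a detection script is that exit code 0 with anything written to standard output means "installed", and exit code 0 with no output means "not installed"; a non-zero exit code is reported as a detection error. The file path, registry key, expected version and product code are all assumptions.

```powershell
# Added example, not the book's own code. The Configuration Manager client runs this
# as SYSTEM; it must print something only when the application is present.
# Every path, key and GUID below is an assumption for illustration.
$ErrorActionPreference = 'SilentlyContinue'   # a missing file/key is a "not installed", not an error

function Test-FileAtLeastVersion {
    param([string]$Path, [version]$Minimum)
    # Equivalent of a File System clause with PropertyType Version, operator GreaterEquals.
    $item = Get-Item -LiteralPath $Path
    if (-not $item) { return $false }
    # Build the version from the numeric PE resource fields rather than the free-text
    # FileVersion string, which vendors sometimes pad with words like "(release)".
    $v = $item.VersionInfo
    $actual = New-Object System.Version -ArgumentList @(
        $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
    return ($actual -ge $Minimum)
}

function Test-RegistryValueEquals {
    param([string]$Key, [string]$Name, $Expected)
    # Equivalent of a Registry clause with a value comparison.
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name
    if ($null -eq $props) { return $false }
    return ($props.$Name -eq $Expected)
}

function Test-MsiProductInstalled {
    param([string]$ProductCode)
    # Equivalent of a Windows Installer clause on product-code existence: per-machine MSI
    # installs register an Uninstall key named after the ProductCode (braces included).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall')
    foreach ($r in $roots) {
        if (Test-Path -LiteralPath (Join-Path $r $ProductCode)) { return $true }
    }
    return $false
}

# Grouping the Detection Rule dialog would express as: (file AND registry) OR msi.
$installed = (
        (Test-FileAtLeastVersion -Path 'C:\Program Files\Contoso\Agent\agent.exe' -Minimum '2.1.0.0') -and
        (Test-RegistryValueEquals -Key 'HKLM:\SOFTWARE\Contoso\Agent' -Name 'Installed' -Expected 1)
    ) -or (Test-MsiProductInstalled -ProductCode '{0A1B2C3D-0000-4000-8000-000000000001}')  # assumed GUID

# Output only on the "installed" path; an unconditional Write-Output would make every
# client report the application as installed and the deployment would never run.
if ($installed) { Write-Output 'Installed' }
exit 0
```

One caveat when pasting a script like this into the Script detection dialog: by default the client runs it in a 32-bit PowerShell host on 64-bit clients, so a read of HKLM:\SOFTWARE\Contoso is redirected to the WOW6432Node view and the 64-bit key is never seen. Either clear the option that runs the script as a 32-bit process, or check both views in the script, as the Windows Installer function above does.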

Dependencies
Dependencies define one or more applications that must be installed before you run a
specific deployment type. You can configure dependent applications to install automatically
before a deployment type installs.
Dependencies are application deployment types that are added as a prerequisite for
another application’s deployment type. For example, assume that you have a custom application
that requires installation of a particular run time before the application installs. In this
case, you would create an application with the appropriate deployment type, which installs
the run time as a dependency on the custom application.
When defining a dependency, you create dependency groups. All dependent applications
are in one or more dependency groups. When you choose to allow dependent applications
to install automatically, each application in the group attempts to install in the order that the
group specifies, until one of the dependencies from the group is installed.
When creating a dependency, be careful not to create a circular reference, because then
the installation process will not install the applications.



Global conditions
Global conditions define the attributes that Configuration Manager evaluates to determine
whether a deployment type applies to a particular user or device. However, they do not
define the particular values for which you are checking. You use global conditions to build
requirements that will contain the values for which you are checking. You can use the predefined
global conditions to define a requirement within any applicable deployment type;
however, you cannot modify the predefined global conditions. There are two categories of
predefined global conditions for both mobile and Windows-based device types: User and
Device.
Table 2-4 lists the predefined global conditions and the requirements for which you should
use them.

TABLE 2-4 Global conditions (category, predefined global condition, and when you would use it)

User
■ Primary device Is this device a primary device for the targeted user?

Device
■ Active Directory site Does this device belong to one of the listed Active Directory Domain Services (AD DS) sites?
■ Operating system Is this device running one of the listed operating systems?
■ Total physical memory Does this device meet the defined memory requirement?

If the predefined global conditions do not meet your needs, you can create custom global
conditions. Administrator-created global conditions allow for a high level of customization.
You can create global conditions for Windows-based devices, Windows Mobile–based
devices, and Nokia devices. The available settings vary depending on the type of global condition
you are creating.
Examples of custom global conditions include:
■ Checking for a registry setting on a device.
■ Checking for a specific configuration of an application that the registry defines.
■ Verifying that a specific .NET assembly is available.
■ Verifying an application version for an upgrade.
To create custom global conditions, in the Software Library workspace, in the Global Conditions
node, click Create Global Condition.
When you create a Windows-based global condition, you can check several aspects of
Windows-based computers. Table 2-5 describes the setting types you can configure for evaluation
of applications to Windows-based computers.



TABLE 2-5 Conditions

Setting type Description

Active Directory Query Use this type to construct a query that finds values in AD DS.

Assembly Use this type to specify an assembly from the global assembly cache to
assess as a global condition.

File System Use this type to specify a file or folder to assess as a global condition.

IIS Metabase Use this type to specify the Internet Information Services (IIS) metabase
setting to assess as a global condition.

Registry Key Use this type to specify a registry key to assess as a global condition.

Registry Value Use this type to specify a registry value to assess as a global condition.

Script Use a discovery script to find and return a value from the target system.

Structured Query Language (SQL) Query Use this type to specify a Structured Query Language (SQL) query to
assess as a global condition.

WQL Query Use this type to specify a Windows Management Instrumentation (WMI)
Query Language (WQL) query to assess as a global condition.

XPath Query Use this type to specify the XML file path and XML Path Language (XPath)
query to assess as a global condition.

Requirements
Applications in System Center 2012 R2 Configuration Manager and newer versions support
using multiple deployment types in each application. This is similar to a package containing
multiple programs. However, there are several differences. When you deploy a package and
program to a collection, the program will attempt to run on every member of the collection.
Deployment types have intelligence in the form of detection methods, dependencies, and
requirements that are not available with programs. This difference means that deployment
types run the installation software only on clients whose installation meets all the specified
criteria and, therefore, is more likely to be successful.
With applications, you deploy the application and not the deployment types. When clients
receive a policy that includes an application deployment, the clients use the requirements in
the deployment types to determine the deployment type, if any, that they will use. You can
create multiple deployment types of the same type, such as a suite deploying different combinations
of programs, depending on the department to which the user belongs.
When you deploy an application with multiple deployment types, the application-deployment
evaluation cycle evaluates requirements for each deployment type for the target device
or user. After the target device or user satisfies the requirements for a deployment type,
no other deployment types are evaluated, and Configuration Manager uses the satisfying
deployment type. If the target device or user cannot satisfy the requirements for any of the
deployment types, the application does not attempt to run. When this happens, the status
shows that the device has not met the requirements of the application.



When there are multiple deployment types and the target device or user could match the
requirements for more than one deployment type, application installation occurs using the
highest-priority deployment type. When using multiple deployment types in an application,
you must be sure to set the requirements accurately for each deployment type and carefully
set the priorities of the deployment types. For example, if the highest-priority deployment
type does not have any defined requirements, it will be the only deployment type used for all
installations of that application.
Global conditions have three categories that define requirements: User, Device, and
Custom. The User and Device categories contain the predefined global conditions that you
can use to create requirements. When the existing conditions are not sufficient, you can use
the Custom category to create custom global conditions by using the Create button within
the Create Requirement dialog box.
When defining requirements, you can use one of two rule types:
■ Value This condition type compares a value on the client system to the value that
you specify. All the predefined requirements are of the Value type. You can create custom
global conditions to define value condition types. Each condition has an operator
that defines how you are comparing the existing value on the client system to the
desired value in the condition. There are many possible operators, including the
standard relational operators such as Equals, Not Equal To, Greater Than, Less Than,
Between, Greater Than Or Equal To, and Less Than Or Equal To.
■ Existential This condition type checks whether the condition exists. There are no
predefined existential global conditions. You can create custom global conditions to
define existential types.
When creating or editing a deployment type manually, you can specify multiple requirements.
However, if you specify multiple requirements, all the requirements must be met
before deployment occurs.
Table 2-6 lists the categories for requirements.

TABLE 2-6 Requirement categories (category, condition, operators, and possible values)

User
■ Primary device Operators: Equals. Values: True or False.

Device
■ Active Directory site Operators: One of, None of. Values: one or more Active Directory sites.
■ Configuration Manager site Operators: One of, None of. Values: one or more Configuration Manager sites.
■ CPU speed Operators: any of the relational operators. Values: any numerical megahertz (MHz) value.
■ Disk space Operators: any of the relational operators, for any drive, a system drive, or a specific drive. Values: any numerical megabyte value.
■ Number of processors Operators: any of the relational operators. Values: a numerical value.
■ Operating system Operators: One of, None of. Values: any supported operating system.
■ Operating system language Operators: One of, None of. Values: any supported language.
■ Organizational unit (OU) Operators: One of, None of. Values: one or more Active Directory OUs and child OUs.
■ Ownership Operators: Equals, Not equal to. Values: Personal or Company.
■ Total physical memory Operators: any of the relational operators. Values: any numerical MB value.
■ Windows Store inactive Operators: any of the relational operators. Values: any positive integer with 18 digits or fewer.

Custom
■ Create a new condition; these become global conditions. Operators and values vary.
■ Previously created global conditions. Operators and values vary.

After creating or adding deployment types, you can adjust the priority with the Increase
and Decrease priority buttons on the Deployment Types tab in the application properties.
There are many reasons for creating requirements and as many ways to define them:
■ To ensure that the application is installed only on a user’s primary device, use the primary
device requirement from the User category.
■ To ensure that the hardware is capable of supporting the application (such as memory
requirements), use the total physical memory requirement from the Device category.
■ To ensure that a prerequisite is installed or configured correctly, use a custom requirement
to check for a specific file and version or check for registry entries.

MORE INFO CHASSIS GLOBAL CONDITION

You can learn more about the chassis global condition at http://blogs.technet.com/b/brandonlinton/archive/2013/01/30/configmgr-2012-chassis-type-global-condition.aspx.

User device affinity


System Center 2012 R2 Configuration Manager and newer versions include a User Device
Affinity feature. User device affinity enables a user to associate one or more devices. These
devices are the user’s primary devices. Similarly, a device can have an affinity with more than
one user. You can use user device affinity as a requirement for deployment types to deploy
an application to a user-based collection so that the application deploys only to the user’s
primary devices. However, this requires the user’s primary devices to meet the application’s
other requirements, such as any hardware requirements. Typically, a primary device is the
device that the user uses on a daily basis to perform her work.
Using user device affinity as a requirement provides further options for deploying software.
For example, a required line-of-business (LOB) application is created with multiple
deployment types, such as the Windows Installer (*.msi file) deployment type and the
Application Virtualization 5 deployment type. You could configure the requirements for the
deployment types to use the Windows Installer (*.msi file) deployment type only for a user’s
primary device. The application is then deployed as Required for the user. When the user logs
on to his primary device, the application is installed locally by using a Windows Installer (*.msi
file) deployment type. If the same user accesses a device that is not his primary device, the
application is installed by using the Microsoft Application Virtualization 5 deployment type.
In addition, you can deploy an application as Required and then specify to predeploy software
to the user’s primary device. This allows the application to install before the user logs on
so that the user can run the application as soon as she logs on.

Automatically conigured afinity


You can configure a site to assign user device affinity automatically based on the usage of
the devices. You can control this through Client Settings, either in Default Client Settings in
Administration and the Client Settings node or in a custom client setting. There are three
settings in the User And Device Affinity group that you can use to control automatic assignment
of device affinity:
■ User Device Affinity Usage Threshold (Minutes) Specify the number of minutes of
usage before a user device affinity is created.

Objective 2.2: Deploy applications using Microsoft System Center 2012 Configuration Manager CHAPTER 2 65

From the Library of Ida Schander


■ User Device Affinity Usage Threshold (Days) Specify the number of days over
which the usage-based affinity threshold is measured.
■ Automatically Configure User Device Affinity From Usage Data In the drop-down
list box, click Yes to enable the site to create user device affinities automatically.
If you select No, an administrator must approve all user device affinity assignments.
You manage device affinity requests in the Assets And Compliance workspace. Select the
Device Collections node and then click Manage Affinity Requests to approve or reject affinity
requests. When using automatic affinity assignment, the thresholds are monitored
continuously. If a user falls below the specified threshold, the affinity relationship will be removed.

User-defined affinity
You also can enable users to define their own primary devices through Application Catalog.
First, configure the Allow User To Define Their Primary Devices user setting either in Default
Client Settings or in a custom client setting as shown in Figure 2-3:

FIGURE 2-3 User device affinity

Users then must start Application Catalog from the device they want to set as a primary
device, click the My Devices link, and then select the I Regularly Use This Computer To Do My
Work check box.

Administrator-defined affinity
There are three ways for administrators to define user device affinity manually from the
Assets And Compliance workspace:
■ Select a device and then, on the ribbon, click Edit Primary Users.
■ Select a user and then, on the ribbon, click Edit Primary Devices.
■ Import a .csv file.

66 Chapter 2 Deploy and manage desktop and mobile applications

To import a .csv file, select either the Users node or the Devices node and then, on the
ribbon, click Import User Device Affinity. Each user and device in the file must already exist
in the Configuration Manager database. You must format the file you import in the following
manner: <Domain\user name>,<Device NetBIOS name>.
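As an added example (not from the book, and not a Microsoft sample), the following PowerShell builds the import file in exactly that format, rejects rows that are not DOMAIN\user followed by a NetBIOS computer name of at most 15 characters without reserved symbols, and confirms that each user and device exists in the site before calling Import-CMUserDeviceAffinity. That last check matters because a mistyped device name that happens to match a different machine creates an affinity to the wrong device, and any Required user deployment with pre-deployment enabled will then install there. The site code PS1, the output path and the three sample pairs are constructed for the example; Get-CMUser -Name is assumed to match on the DOMAIN\user name, and the cmdlet surface (Get-CMDevice -Name, Import-CMUserDeviceAffinity -FileName -EnableColumnHeadings) is as I know it from the System Center 2012 R2 console module, so confirm it with Get-Help in your version.

```powershell
# Added example: build, validate and import a user device affinity CSV.
# Assumptions: site code PS1, console installed (SMS_ADMIN_UI_PATH is set),
# the sample pairs below are constructed, the output path is arbitrary.

$SiteCode = 'PS1'
$CsvPath  = Join-Path $env:TEMP 'uda-import.csv'

# Constructed sample input: one good row, one user without a domain, one device name too long.
$Pairs = @(
    @{ User = 'CONTOSO\jdoe';   Device = 'WS-FIN-017' },
    @{ User = 'jdoe';           Device = 'WS-FIN-018' },            # missing DOMAIN\
    @{ User = 'CONTOSO\asmith'; Device = 'WS-ENGINEERING-0042' }   # > 15 characters
)

function Test-UdaRow {
    # Returns $true only when the row matches <Domain\user name>,<Device NetBIOS name>.
    param([string]$User, [string]$Device)

    # DOMAIN\user: NetBIOS domain (1-15 chars), backslash, account name (1-20 chars).
    # Spaces may occur in account names, so they are admitted there; commas are not,
    # because a comma would break the two-column import format.
    if ($User -notmatch '^[^\\/:*?"<>|,\s]{1,15}\\[^\\/:*?"<>|,]{1,20}$') { return $false }

    # NetBIOS computer names: at most 15 characters and none of the reserved symbols.
    if ($Device.Length -gt 15) { return $false }
    if ($Device -match '[\\/:*?"<>|,\s]') { return $false }
    return $true
}

function New-UdaImportFile {
    # Writes the validated rows to $Path and returns the rejected rows for review.
    param([hashtable[]]$Rows, [string]$Path)

    $good = New-Object System.Collections.Generic.List[string]
    $bad  = New-Object System.Collections.Generic.List[string]
    foreach ($r in $Rows) {
        if (Test-UdaRow -User $r.User -Device $r.Device) {
            $good.Add("$($r.User),$($r.Device)")
        } else {
            $bad.Add("$($r.User),$($r.Device)")
        }
    }
    # No header row; the import below is told there are no column headings.
    Set-Content -Path $Path -Value $good -Encoding ASCII
    return $bad
}

$rejected = New-UdaImportFile -Rows $Pairs -Path $CsvPath
$rejected | ForEach-Object { Write-Warning "Rejected row: $_" }

# Second check, inside the site: each user and device must already exist in the
# Configuration Manager database, so confirm that before importing anything.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    $unknown = Get-Content $CsvPath | Where-Object {
        $u, $d = $_ -split ',', 2
        -not (Get-CMUser -Name $u) -or -not (Get-CMDevice -Name $d)
    }
    if ($unknown) {
        $unknown | ForEach-Object { Write-Warning "Not in the site database, import skipped: $_" }
    } else {
        Import-CMUserDeviceAffinity -FileName $CsvPath -EnableColumnHeadings $false
    }
}
finally {
    Pop-Location
}
```

Keep the rejected rows and the written file with the change record for the import; the file is the only evidence of which affinities were created by hand rather than from usage data.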

Operating system deployment–defined affinity


During operating system deployment, you can use task sequence variables to aid in defining
user device affinity:
■ SMSTSAssignUsersMode There are three options for this variable:
■ Auto The Auto setting defines user device affinity automatically.
■ Pending The Pending setting creates a user device affinity request that requires
administrator approval.
■ Disabled The Disabled setting causes the task to skip user device affinity
processing.
■ SMSTSUdaUsers You can assign one or more users to this variable in the format of
DOMAIN\Username, separated by commas.
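The following PowerShell is an added example (not from the book) of a Run PowerShell Script step that sets these two variables through the Microsoft.SMS.TSEnvironment COM object. The source variable OSDPrimaryUser is made up for the example; in practice it would be filled by a front-end prompt or a Set Task Sequence Variable step earlier in the sequence. The decision is kept in a plain function so it can be reviewed outside a task sequence: malformed names are dropped instead of guessed at, and the mode defaults to Pending so that an administrator approves the affinity in Manage Affinity Requests; Auto is opt-in.

```powershell
# Added example: set the user device affinity variables from a script step
# inside an operating system deployment task sequence (not from the book).
# Assumption: an earlier step stored the intended primary user(s) in
# OSDPrimaryUser; that variable name is invented here. SMSTSAssignUsersMode
# and SMSTSUdaUsers are the built-in variables described in the text.

function Get-UdaDecision {
    # Pure function so the logic can be reviewed (and tested) outside a task sequence.
    # Returns the values to write to SMSTSAssignUsersMode and SMSTSUdaUsers.
    param([string]$RequestedUsers, [bool]$AutoApproveAllowed = $false)

    $valid = @()
    foreach ($u in ($RequestedUsers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        # Accept only DOMAIN\user. Anything else is dropped rather than repaired,
        # because an affinity to the wrong account steers Required user deployments
        # (and pre-deployment) onto this machine.
        if ($u -match '^[^\\/:*?"<>|,\s]{1,15}\\[^\\/:*?"<>|,]{1,20}$') { $valid += $u }
    }

    if ($valid.Count -eq 0) {
        # Nothing trustworthy to assign: skip affinity processing instead of creating a bad one.
        return @{ Mode = 'Disabled'; Users = '' }
    }
    # Pending by default so an administrator approves the request under
    # Assets And Compliance, Manage Affinity Requests; Auto only when explicitly allowed.
    $mode = if ($AutoApproveAllowed) { 'Auto' } else { 'Pending' }
    return @{ Mode = $mode; Users = ($valid -join ',') }
}

# The COM object exists only while a task sequence is running.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Warning 'Not running inside a task sequence; nothing written.'
    return
}

$decision = Get-UdaDecision -RequestedUsers $tsenv.Value('OSDPrimaryUser')
$tsenv.Value('SMSTSAssignUsersMode') = $decision.Mode
if ($decision.Mode -ne 'Disabled') {
    $tsenv.Value('SMSTSUdaUsers') = $decision.Users
}
```

Run the step before the Setup Windows and ConfigMgr step so the client picks the variables up when it installs; Get-UdaDecision can be exercised on an administrator's workstation with sample strings before the script is added to the sequence.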

MORE INFO TASK SEQUENCE ACTION VARIABLES

You can learn more about task sequence action variables at http://technet.microsoft.com/en-us/library/hh273365.aspx.

Deploy software wizard


Before a user or client can run a deployment, you must distribute the appropriate content
to one or more distribution points. You can either distribute the content to the distribution
points ahead of time or distribute it while completing the Deploy Software Wizard.
After you are ready to deploy an application, you create a deployment that targets either
users or devices. The client software checks the management point periodically for changes
to user and machine policies. When the client has detected the deployment and reached the
scheduled time of the deployment, and there is an applicable deployment type, the client sys-
tem contacts the management point to locate an available distribution point containing the
content. After the client system selects a distribution point with the content, the client system
downloads the content and runs the appropriate application deployment type.
You use the Deploy Software Wizard to deploy applications to users and computers. You
can launch this wizard either by selecting the application that you want to deploy and then
clicking the Deploy button on the ribbon or by selecting Deploy on the shortcut menu.
The following sections describe each page of the Deploy Software Wizard.


General
The Specify General Information For This Deployment page of the Deploy Software Wizard is
the General page, shown in Figure 2-4. You can configure the following settings on this page:
■ Software This setting refers to the name of the application that you are deploying.
■ Collection This setting refers to the targeted device or user collection.
■ Use Default Distribution Point Groups Associated To This Collection This check
box is cleared by default.
■ Automatically Distribute Content For Dependencies This check box is selected
by default. Typically, you should not change this setting. Selecting it ensures that any
dependent content is distributed and available.

FIGURE 2-4 Deploy Software Wizard

Content
You use the Content page, shown in Figure 2-5, to specify one or more distribution points or
distribution point groups that contain the content. If you have not previously distributed the
content to at least one distribution point or distribution point group, you must designate the
target distribution points or distribution point group at this time.


FIGURE 2-5 Specify The Content Destination page

Deployment settings
On the Specify Settings To Control How This Software Is Deployed page, shown in Figure 2-6,
you can configure the following settings:

FIGURE 2-6 Deployment Settings

■ Action This setting has two options: Install and Uninstall.


■ Purpose When the action is set to Install, this setting has two options: Available and
Required. When deploying an Uninstall action, the purpose is always Required.
If you select Required, the following settings are available:
■ Pre-deploy Software To The User’s Primary Device This check box is cleared by
default. Selecting this check box allows the software to be installed on a user’s primary
device without requiring the user to be logged on.


■ Send Wake-up Packets This check box is cleared by default. Selecting this check box
causes a wake-up packet to be sent to devices when the application is scheduled to
be deployed. If the device supports Wake On LAN and if the device is turned off, the
device is turned on to begin the deployment.
■ Allow Clients On A Metered Internet Connection To Download Content After
The Installation Deadline, Which Might Incur Additional Costs When you enable
this option, clients on metered connections download content automatically when the
specified deadline is reached. If the client is on a limited mobile Internet access plan,
this can incur substantial data overage charges.
When deploying to a user, the same settings are available, with one additional option. If the
Install action with the Available purpose is selected, the Require Administrator Approval If Users
Request This Application check box appears and is cleared by default. If you select this check
box, users can request the application from Application Catalog. However, the application will
not be deployed until an appropriate Configuration Manager administrator approves it.

Scheduling
On the Specify The Schedule For This Deployment page, shown in Figure 2-7, the options that
are visible in this section depend on how you deploy the application. When deploying an
application, consider the following scheduling options:

FIGURE 2-7 Specify The Schedule For This Deployment

■ The default setting is to make the application available as soon as possible to ensure
that applications are available immediately.
■ You can configure the application to be available at a specific time.
■ When the application is deployed with the Available purpose, the available time is
based on Coordinated Universal Time (UTC).


■ When the application is deployed with the Required purpose, the action deadline is As
Soon As Possible After The Available Time.
■ You can change the action deadline to a specific time. If the action deadline is set to a
specific time, you can configure the time to be either UTC or Client Local Time.

User experience
On the Specify The User Experience For The Installation Of This Software On The Selected
Devices page, shown in Figure 2-8, you can configure settings related to how end users interact
with the application deployment.

FIGURE 2-8 Specify The User Experience For The Installation Of This Software On The Selected Devices

If you deploy the application as Available, you can select one of the following options to
determine how users see user notifications:
■ Display In Software Center And Show All Notifications
■ Display In Software Center, And Only Show Notifications For Computer Restarts
If you deploy the application as Required, an additional user notification option becomes
available: Hide In Software Center And All Notifications. In addition, the following two check
boxes become available for allowing actions outside a maintenance window when the
installation deadline is reached:
■ Software Installation or Software Uninstall
■ System Restart (If Required To Complete The Installation) or Computer Restart (If
Required To Complete The Software Uninstall)
To support the deployment to Windows Embedded devices, System Center 2012 Configuration
Manager SP1 introduced the Commit Changes At Deadline Or During A Maintenance
Window (Requires Restarts) setting under Write Filter Handling For Windows Embedded
Devices.


Alerts
On the Specify Configuration Manager And Operations Manager Alert Options page, you
configure what information you get back about deployments. The settings that you configure
depend on whether you deploy the software as Available or as Required.
If you deploy the software as Available, you can create a deployment alert when the
threshold is higher than a specific value. You can configure the threshold as a percentage of
failure; when a certain percentage of deployed clients report a failure, an alert is generated.
For example, if you configure the percentage as 10 for a deployment that is targeting 1,000
devices and 100 deployments fail, an alert is generated.
If you also are using System Center 2012 R2 Operations Manager or System Center 2012
Operations Manager, you can specify the following Operations Manager–related settings:
■ Enable System Center Operations Manager Maintenance Mode This check box
is disabled by default. If you enable this setting, the Operations Manager agent on the
computer will not generate any alerts during the deployment of the application.
■ Generate System Center Operations Manager Alert When A Software Instal-
lation Fails or Generate System Center Operations Manager Alert When The
Software Removal Fails This check box is disabled by default. If the Enable System
Center Operations Manager maintenance mode is enabled and this setting is not
enabled, Operations Manager administrators might not notice failed installations (or
uninstallations). This can leave a critical, monitored system in a nonfunctioning state
without notifying the Operations Manager administrators.
If you deploy the software as Required, in addition to the options displayed for the Avail-
able deployment, the following settings are available:
■ Create A Deployment Alert When The Threshold Is Lower Than The Following or
Create A Removal Alert When The Threshold Is Lower Than The Following The
following two settings are available under this check box:
■ Percent Success You can specify a number between 0 and 99.
■ After You specify a date and time, and, if the specified percentage success is not
met at this time, an alert is generated.
■ Create A Deployment Alert When The Threshold Is Higher Than The Following
or Create A Removal Alert When The Threshold Is Higher Than The Follow-
ing The following setting is available under this check box:
■ Percent Failure You can specify a number between 0 and 99.
By specifying these settings, you ensure that an alert is generated if the specified percentage
of targeted devices has not reported a successful deployment by the specified date and
time. For example, you can configure the percent success to 90 by December 12, 2014, for a
deployment that is targeting 1,000 devices. On December 13, 2014, if fewer than 900 of those
deployments have succeeded, an alert is generated.


Simulated deployment
A simulated deployment is a special deployment in which you can test the evaluation of the
requirements in the application’s deployment types without distributing any files. You create
a simulated deployment by selecting your application and then clicking the Simulate
Deployment button on the ribbon. When using simulated deployment, you do not specify a
distribution point because target clients do not use content.
A simulated deployment is evaluated like any deployment, and the results are in the Moni-
toring workspace under the Deployments node along with all the other deployments. When
examining the status of the simulated deployment, you see the following results:
■ Success Targets on which a deployment type of the application is already installed,
together with the deployment type they comply with.
■ Simulate Success Targets that meet the requirements of a deployment type in the
application, together with the deployment type they comply with.
■ Requirements Not Met Targets that do not meet the requirements of any deployment
type in the application, together with the deployment types they fail.
■ Unknown This includes targets that have not yet reported results.
You create a simulated deployment the same way as any other deployment. Therefore, you
cannot create a regular deployment for the same application and collection until you delete
the simulated deployment.
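Scripting the wizard makes the choices on its pages reviewable and repeatable. The PowerShell below is an added example, not from the book: it creates a Required deployment of a line-of-business application to a user collection with pre-deployment to primary devices, a client-local-time deadline, metered downloads disabled, restarts confined to maintenance windows, and the two alert thresholds from the Alerts page. It first checks that no deployment already exists, because, as noted above, a simulated deployment for the same application and collection blocks a regular one. The application, collection and distribution point group names, the dates and the site code PS1 are assumptions; the parameter names follow Start-CMApplicationDeployment as shipped with the System Center 2012 R2 console module, which later branches replaced with New-CMApplicationDeployment, so check Get-Help before running.

```powershell
# Added example: script the Deploy Software Wizard choices for a Required,
# user-targeted deployment. Application, collection, DP group, dates and the
# site code are assumptions; parameter names are those of
# Start-CMApplicationDeployment in the 2012 R2 console module.
$SiteCode   = 'PS1'
$AppName    = 'Contoso Expense Client 4.2'
$Collection = 'Finance Users'            # a user collection, so Pre-deploy applies

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Push-Location "$SiteCode`:"
try {
    # A simulated deployment for the same application and collection blocks a real one;
    # stop here rather than let the cmdlet fail part-way through.
    if (Get-CMDeployment -SoftwareName $AppName -CollectionName $Collection) {
        throw "A deployment of '$AppName' to '$Collection' already exists (possibly a simulation); delete it first."
    }

    $deadline = Get-Date '2014-12-12 18:00'  # client local time, see TimeBaseOn below

    $settings = @{
        Name           = $AppName
        CollectionName = $Collection
        DeployAction   = 'Install'
        DeployPurpose  = 'Required'          # an Uninstall action is always Required

        # Deployment Settings page
        PreDeploy         = $true            # install on primary devices before the user logs on
        SendWakeUpPacket  = $false
        UseMeteredNetwork = $false           # never download over metered links, even past the deadline

        # Scheduling page: available immediately, enforced at the deadline in client local time
        AvailableDate = Get-Date
        AvailableTime = Get-Date
        DeadlineDate  = $deadline
        DeadlineTime  = $deadline
        TimeBaseOn    = 'LocalTime'

        # User Experience page: restart notices only; installation may run at the deadline
        # outside a maintenance window, a restart may not
        UserNotification           = 'DisplaySoftwareCenterOnly'
        OverrideServiceWindow      = $true
        RebootOutsideServiceWindow = $false

        # Alerts page: alert if fewer than 90% succeed by the day after the deadline,
        # or if more than 10% fail at any point
        SuccessParameterValue = 90
        PostponeDate          = $deadline.AddDays(1)
        PostponeTime          = $deadline.AddDays(1)
        FailParameterValue    = 10

        # Content page: distribute to the group if the content is not there yet
        DistributeContent          = $true
        DistributionPointGroupName = 'HQ Distribution Points'
    }

    Start-CMApplicationDeployment @settings
}
finally {
    Pop-Location
}
```

The hashtable is the artefact worth reviewing before the change goes in: each key corresponds to one wizard control, so a reviewer can confirm the deadline, the metered-network choice and the alert thresholds without stepping through the console.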

Thought experiment
Application deployment at Contoso
You want to deploy a new application to some of the computers in your organiza-
tion. A small number of computers in your organization don’t have enough memory
to run the application, and you want to avoid deploying the application to these
computers. You also want to verify that the deployment you have configured will
reach all targeted computers. With this information in mind, answer the following
questions:

1. What can you do to ensure that the new application is deployed only to comput-
ers with enough RAM?

2. What should you do to verify that the deployment settings are correct?

Objective summary
■ When creating an application, you can either allow the wizard to detect settings
automatically from the installation files or use the wizard to create the application
manually.


■ The software deployment process in Configuration Manager consists of determining
the users or devices to which you want to deploy the application and the way in which
you want to present the software.
■ The deployment can be deployed automatically (required), presented in Software Cen-
ter (available to devices), or deployed from Application Catalog (available to users).
■ You can deploy applications to either user collections or device collections.
■ A detection method is a procedure that enables the deployment process to determine
whether an application is present on a system.
■ Dependencies define one or more applications that must be installed before you run a
specific deployment type.
■ Global conditions define the attributes that Configuration Manager evaluates to
determine whether a deployment type applies to a particular user or device.
■ Applications in System Center 2012 R2 Configuration Manager and newer versions
support using multiple deployment types in each application.
■ Deployment types run the installation software only on clients on which the installation
meets all the specified criteria and, therefore, is likely to be successful.
■ When there are multiple deployment types and the target device or user could match
the requirements for more than one deployment type, application installation occurs
using the highest-priority deployment type.
■ User device affinity associates a user with one or more primary devices. Typically, a
primary device is the device the user uses on a daily basis to perform her work.
■ You can configure a site to assign user device affinity automatically based on the usage
of the devices. You also can allow users to define their own primary devices through
Application Catalog.
■ Before a user or client can run a deployment, you must distribute the appropriate
content to one or more distribution points.
■ A simulated deployment is a special deployment in which you can test the evaluation
of the requirements in the application’s deployment types without distributing any
files.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. You want to make an application available to a user through Software Center, but the
application should be installed only if the user chooses to install it. Which of the following
deployment settings would you configure when running the Deploy Software
Wizard? (Choose two. Each correct answer forms part of a complete solution.)


A. Action: Install
B. Action: Uninstall
C. Purpose: Available
D. Purpose: Required
2. You want to ensure that a particular application is installed on all computers within the
scope of the deployment. Deployment of this software is mandatory. Which of the following
deployment settings would you configure when running the Deploy Software
Wizard? (Choose two. Each correct answer forms part of a complete solution.)
A. Action: Install
B. Action: Uninstall
C. Purpose: Available
D. Purpose: Required
3. In which of the following situations will software install automatically and silently?
(Choose all that apply.)
A. You deploy the software to a user collection. The software is deployed as
Required, and the deadline is set to a point in time prior to the current date.
B. Software is deployed as Available to a user collection.
C. Software is deployed as Available to a device collection.
D. You deploy the software to a device collection. The software is deployed as
Required, and the deadline is set to a point in time prior to the current date.
4. In which of the following scenarios will a user be able to request an application from
Application Catalog?
A. You deploy the software to a device collection. The software is deployed as
Required, and the deadline is set to a point in time prior to the current date.
B. Software is deployed as Available to a device collection.
C. Software is deployed as Available to a user collection.
D. You deploy the software to a user collection. The software is deployed as Required,
and the deadline is set to a point in time prior to the current date.

Objective 2.3: Deploy applications using Microsoft Intune
Microsoft Intune is a cloud-based management suite that enables you to perform a variety of
client computer and device management and monitoring tasks. Intune is suitable for manag-
ing clients that might be located on remote networks on the Internet. You can use Intune to
manage the deployment of applications to computers and mobile devices such as those run-
ning the Windows Phone, iOS, and Android operating systems.


This section covers the following topics:
■ Intune operating system support
■ Deploying software to the company portal
■ Deploying software for automatic installation
■ Windows Intune update policies

Intune operating system support


Intune supports management of clients that are running the following operating systems:
■ Windows 8.1, Windows 8, Windows 7, Windows Vista
■ Windows RT 8.1, Windows RT
■ Windows Phone 8.1, Windows Phone 8
■ Apple iOS 7, iOS 6, and iOS 5
■ Android (requires Exchange ActiveSync)
Intune can manage mobile devices directly or through Exchange ActiveSync and supports
direct management for mobile devices that are running Windows RT, Windows Phone 8,
Windows Phone 8.1, and iOS.
To deploy applications directly to mobile devices that are running Windows RT, you must
obtain sideloading keys, and you must have a code-signing certificate to sign the
applications. The Windows RT or Windows Phone 8 device must trust this code-signing certificate.
Furthermore, you can use a process known as deep linking to deploy an application directly
from the appropriate Windows Store to mobile devices that are running the Windows RT or
Windows Phone 8 mobile operating systems.
You can use Intune to deploy applications to iOS devices by deep linking to the Apple
App Store or by sideloading apps, which means you are installing them by using direct access
to the source files. To deploy applications to iOS devices, you must obtain the appropriate
mobile device management certificates from Apple. You can use a similar process for devices
that are running the Android operating system.
Users can enroll devices by downloading the appropriate app from the online store for
their mobile device operating system. Alternatively, if they are using a computer running
Windows 7 or Windows Vista, they can download and run the Intune client installer.

Certificate requirements
Depending on the mobile device operating system, you need certiicates or keys to enroll
mobile devices into your organization’s Intune subscription.


Table 2-7 details these specifications.

TABLE 2-7 Intune certificate requirements

Windows Phone 8 and Windows Phone 8.1
  Certificates or keys: Code-signing certificate. All sideloaded apps must be code-signed.
  Notes: Purchase a code-signing certificate from Symantec.

Windows RT 8.1 and Windows RT
  Certificates or keys: Sideloading keys allow installation of sideloaded apps. All apps that
  you sideload must be code-signed.
  Notes: Obtain sideloading keys from Microsoft. Sign apps by using a code-signing certificate
  that an internal or other trusted certification authority (CA) issues.

iOS 5, iOS 6, and iOS 7
  Certificates or keys: Apple Push Notification service certificate.
  Notes: Obtain the certificate from Apple.

Android
  Certificates or keys: Not required.

Preparing for software deployment


You use the Software workspace of the Intune administrator console to view information
about software that has been detected on Intune client computers. Software inventory is only
generated for computers, and you can’t use this workspace to view the software inventory of
managed mobile devices. In the Detected Software section, you can view the properties of
detected software and add license agreement information for detected software.
Through the Managed Software page of the Software workspace, you can perform the
following tasks:
■ View and modify software properties
■ Add license agreements to managed software
■ Manage software deployments
■ Delete software
■ Add software
You add software to Intune using the Windows Intune Software Publisher. You can upload
software in the form of programs for computers or apps for mobile devices. This software
will be stored within Intune’s cloud storage. You can also use the Windows Intune Software
Publisher to add a link to an app in the Microsoft, Google, or Apple stores and to link to a
web application.
Links to an app in the app store are supported by devices running the following operating
systems:
■ Windows 8
■ Windows 8.1


■ Windows RT
■ Windows Phone 8
■ iOS
■ Android devices
Links to web apps can be deployed to any device Intune supports.

MORE INFO PREPARING FOR INTUNE SOFTWARE DEPLOYMENT

You can learn more about preparing for Intune software deployment at http://technet.microsoft.com/en-us/library/dn646955.aspx.

Deploy software to the company portal


The company portal is a self-service portal that is available to users who have installed the
Intune client on their computers or mobile devices. Deploying software to the company por-
tal makes that software optionally available through the company portal on those computers
or devices.
To make the software available, you deploy the software package to a particular user
group or device group with the deployment action set to Available Install. Members of these
groups can then select the software for installation.

Deploy software for automatic installation


You can use Intune to deploy software that will automatically install on computers or devices
that are Intune clients. You deploy software for automatic installation by selecting the user
or device groups to which you wish to deploy the software and by setting the deployment
action to Required Install.
When you set the deployment action to Required Install, you can specify a deadline for the
deployment. You can select from among the following deadlines:
■ None The software will deploy based on agent policy settings.
■ As Soon As Possible The software will deploy directly after the next
synchronization.
■ One Week The software will deploy one calendar week after the current day.
■ Two Weeks The software will deploy two calendar weeks after the current day.
■ One Month The software will deploy one calendar month after the current day.
■ Custom Use this option to select a specific date and time for software package
deployment.


MORE INFO INTUNE SOFTWARE DEPLOYMENT

You can learn more about Intune software deployment at http://technet.microsoft.com/en-us/library/dn646961.aspx.

Intune update policies


Intune update policies determine the frequency with which the Intune client checks for and
performs the installation of a new application. These are the same settings that are used to
control the installation of software updates and are shown in Figure 2-9.

FIGURE 2-9 Update policy


The policies related to application installation are as follows:
■ Update And Application Detection Frequency (Hours) Specify how often the
Intune client waits between checking for new updates and applications.
■ Automated Or Prompted Installation Of Updates And Applications Configure
when either automatic or prompted installation of applications or updates will occur.
■ Delay To Restart Windows After Installation Of Scheduled Updates And Applica-
tions (Minutes) Set the length of time the computer will wait before performing a
restart after the installation of applications or updates.
■ Delay Following Windows Restart To Begin Installing Missed Scheduled Updates
And Applications (Minutes) Set how long the computer will wait to install applica-
tions or updates if a scheduled installation time was missed.
■ Allow Logged On User To Control Windows Restart After Installation Of Scheduled
Updates And Applications Configure whether a user who is logged on to the
computer may control whether the computer restarts after update installation.
■ Delay Between Prompts To Restart Windows After Installation Of Scheduled
Updates And Applications (Minutes) Specify the amount of time that the com-
puter will wait before restart prompts.

MORE INFO INTUNE INSTALLATION POLICIES

You can learn more about Intune installation policies at http://blogs.technet.com/b/windowsintune/archive/2013/01/09/policy-settings-for-mandatory-updates.aspx.

EXAM TIP
Remember the differences between deployment actions.

Thought experiment
Intune at Fabrikam
Fabrikam has just purchased a large number of Surface 2 devices for remote users.
Intune will manage these devices. Users must perform their own enrollment, and
then administrators at Fabrikam will deploy an important custom application that
runs on Windows RT. With this information in mind, answer the following questions:

1. How will Surface 2 users enroll in Intune?

2. Which keys and certificates are required to deploy custom software to the
Surface 2 devices by using Intune?


Objective summary
■ Intune supports managing clients that are running Windows 8.1 (x86, x64), Windows 8
(x86, x64), Windows 7, Windows Vista, Windows RT 8.1, Windows RT, Windows
Phone 8, Windows Phone 8.1, Apple iOS 7, iOS 6, iOS 5, and Android (requires Exchange
ActiveSync).
■ To deploy applications directly to mobile devices that are running Windows RT, you
must obtain sideloading keys, and you must have a code-signing certificate to sign the
applications.
■ You can use Intune to deploy applications to iOS devices by deep linking to the Apple
App Store or by sideloading apps to install them by using direct access to the source
files.
■ Users can enroll devices by downloading the appropriate app from the online store
for their mobile device operating system. Alternatively, if they are using a computer
running Windows 7 or Windows Vista, they can download and run the Intune client
installer.
■ You use the Software workspace of the Intune administrator console to view informa-
tion about software that has been detected on Intune client computers.
■ To make software available in the company portal, you deploy the software package
to a particular user group or device group with the deployment action set to Available
Install.
■ You deploy software for automatic installation by selecting the user or device groups
to which you wish to deploy the software and by setting the deployment action to
Required Install.
■ Intune update policies determine the frequency with which the Intune client checks for
and performs the installation of new applications.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following Intune policy settings would you configure to set the deployed
application installation time to 4 P.M. each weekday?
A. Update And Application Detection Frequency
B. Automated Or Prompted Installation Of Updates And Applications
C. Allow Immediate Installation Of Updates That Do Not Interrupt Windows
D. Allow Logged On User To Control Windows Restart After Installation Of Scheduled
Updates And Applications


2. You want to allow users at your organization to choose when to restart their comput-
ers after you deploy an application that requires a restart to complete the installation
process. Which of the following Windows Intune policies would you configure to
accomplish this goal?
A. Update And Application Detection Frequency
B. Allow Logged On User To Control Windows Restart After Installation Of Scheduled
Updates And Applications
C. Allow Immediate Installation Of Updates That Do Not Interrupt Windows
D. Automated Or Prompted Installation Of Updates And Applications
3. You want to increase the frequency with which applications newly deployed to the
company portal become visible to Intune clients. Which of the following Intune policies
would you conigure to accomplish this goal?
a. Allow Immediate Installation Of Updates That Do Not Interrupt Windows
B. Automated Or Prompted Installation Of Updates And Applications
C. Update And Application Detection Frequency
D. Allow Logged On User To Control Windows Restart After Installation Of Scheduled
Updates And Applications

Objective 2.4: Plan for application upgrades


Applications in Configuration Manager might require ongoing management. Over time, you might modify an application or decide that you no longer need to deploy it. In addition, you might decide to stop deploying an application for a period of time or even uninstall the application from clients. Finally, you likely will upgrade and replace existing applications. In this lesson, you learn about several of the management options that are available for ongoing maintenance of applications.

This section covers the following topics:


■ Application supersedence
■ Application revision history
■ Retiring applications
■ Uninstalling applications

82 Chapter 2 Deploy and manage desktop and mobile applications



Application supersedence
Application management in Configuration Manager enables you to upgrade or replace existing applications by using a supersedence relationship. When you supersede an application, you can specify a new deployment type to replace that of the superseded application. In addition, you can configure whether to uninstall the superseded application.
When you supersede an application, the supersedence applies to all future deployments and Application Catalog requests. The effect on existing deployments depends on the options that you choose. To leave the superseded application in place, you can choose Do Not Replace, or you can specify a new deployment type to replace the old deployment type. If the superseded application has multiple deployment types, you specify a new deployment type for each old deployment type that you want to replace. Whether you choose a new deployment type or not, you can uninstall the application by selecting the Uninstall check box for each old deployment type. Supersedence options are as follows:
■ You configure the supersedence to uninstall the old deployment type, and you deploy the application with the required action. When you do this, the existing application is uninstalled, and the new application is installed.
■ You specify a new deployment type and do not configure the supersedence to uninstall the old deployment type. If successful, the existing application will not be uninstalled, and the new application will perform an in-place upgrade of the old application where possible. If not successful (for example, replacing a software title with a competitor’s product), the old application is not removed from the target, and the new application is installed.
You can view the supersedence and dependency relationships between applications, as shown in Figure 2-10, in a variety of ways:
■ In the application’s Properties dialog box of the superseding application, on the Supersedence tab, you can view the applications this application supersedes.
■ In the application’s Properties dialog box of the superseded application, on the References tab, you can use these options: Applications That Depend On This Application and Applications That Supersede This Application.
■ With a superseding application selected, on the ribbon, you can click View Relationships to view dependencies, supersedence, and global conditions related to the selected application.




FIGURE 2-10 Supersedence

Application revision history


You can change applications in several ways, including complex tasks such as editing or creating a deployment type and simple tasks such as editing the administrator comments field. When you make any such changes to an application, Configuration Manager creates a new revision of the application. By using the Configuration Manager console, you can access the revision history for each application. After you access the revision history, you can view the properties of each revision, restore a previous revision, or delete an old revision.




To view the revision history of an application, you select the application in Software Library
and then click the Revision History button on the ribbon. Figure 2-11 shows revision history.

FIGURE 2-11 Revision history

When you view a past revision, you are viewing a read-only copy of it. When you restore a previous version of an application, Configuration Manager creates a new revision.
If you no longer need to maintain a revision, you can delete it by clicking the Delete button. You cannot delete the latest revision. If you do not need the application or any of its revisions, you can delete the application. However, you cannot delete an application if it is:
■ Referenced by any deployments.
■ Specified as a dependency for another application.
■ Referenced in a task sequence.
■ Part of a virtual environment.

Retiring applications
You can retire an application at any time. Retiring an application prevents new deployments of the application without uninstalling it. By retiring an application, you save all the work and time you spent creating and customizing the application. Deployments based on retired applications will continue to work as expected; however, you cannot create any new deployments from a retired application.
Although you cannot modify a retired application, you can reinstate the application when desired. After reinstating an application, you can create new deployments of it. If a retired application is not referenced in any deployments, Configuration Manager will delete it automatically after 60 days. However, this will not uninstall the application from any client machines.

Uninstalling applications
If you do not require an application in your environment, you can deploy it with an uninstall action. However, the uninstall deployment will fail if an existing install deployment for the software affects the clients targeted with the uninstall action. Therefore, before deploying an uninstall action, remove the install deployments for the application that you are uninstalling. You need to remove the install deployments affecting only the clients on which you want to uninstall the application. If the uninstall deployment is in a separate application from the install deployment, you can retire it with the install deployment.
Uninstalling an application will not uninstall any dependent applications. The uninstall action uninstalls all instances of the software regardless of whether the application was installed by Configuration Manager, a manual process, or any other method. However, the software to be uninstalled must be created as an application in Configuration Manager with an appropriate uninstall command.
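The following is an added example, not code from this book and not Configuration Manager's own code or API: a small Python model of the end-of-life rules described in the preceding three sections (the conditions under which an application cannot be deleted, retiring and reinstating, the 60-day automatic deletion of unreferenced retired applications, and the rule that an uninstall deployment fails while an install deployment still targets the same clients). The Site, Application and Deployment classes, the application name Contoso Viewer, the client names and the deployment ids are assumptions made for the illustration.

```python
"""Application end-of-life rules: retiring, reinstating, deleting and uninstalling.

Added illustration, not Configuration Manager code. Class names, the
application and client names, and the deployment ids are constructed;
the rules enforced are the ones stated in the text.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Deployment:
    deployment_id: str
    app_name: str
    action: str          # "Install" or "Uninstall"
    targets: frozenset   # client names in the targeted collection


@dataclass
class Application:
    name: str
    retired_on: Optional[date] = None
    depended_on_by: set = field(default_factory=set)  # applications that depend on this one
    in_task_sequence: bool = False
    in_virtual_environment: bool = False


class Site:
    PURGE_AFTER = timedelta(days=60)  # unreferenced retired applications are deleted after 60 days

    def __init__(self):
        self.apps, self.deployments = {}, {}

    def deployments_for(self, app_name, action=None):
        return [d for d in self.deployments.values()
                if d.app_name == app_name and action in (None, d.action)]

    def retire(self, app_name, today):
        self.apps[app_name].retired_on = today   # existing deployments keep working

    def reinstate(self, app_name):
        self.apps[app_name].retired_on = None

    def create_deployment(self, dep):
        app = self.apps[dep.app_name]
        if app.retired_on is not None:
            raise ValueError(f"{app.name} is retired; reinstate it before deploying")
        if dep.action == "Uninstall":
            # Fails while an install deployment for the same application still
            # targets any of the same clients; that deployment must go first.
            for other in self.deployments_for(app.name, "Install"):
                if other.targets & dep.targets:
                    raise ValueError(f"install deployment {other.deployment_id} still targets "
                                     f"{sorted(other.targets & dep.targets)}")
        self.deployments[dep.deployment_id] = dep

    def delete_blockers(self, app_name):
        """Reasons the application cannot be deleted; an empty list means it can be."""
        app, reasons = self.apps[app_name], []
        if self.deployments_for(app_name):
            reasons.append("referenced by a deployment")
        if app.depended_on_by:
            reasons.append("dependency of " + ", ".join(sorted(app.depended_on_by)))
        if app.in_task_sequence:
            reasons.append("referenced in a task sequence")
        if app.in_virtual_environment:
            reasons.append("part of a virtual environment")
        return reasons

    def purge_expired_retired(self, today):
        """Delete retired applications that no deployment references once 60 days
        have passed. Nothing is uninstalled from clients."""
        purged = [n for n, a in self.apps.items()
                  if a.retired_on and not self.deployments_for(n) and today - a.retired_on >= self.PURGE_AFTER]
        for n in purged:
            del self.apps[n]
        return purged


def run_scenario():
    """Walk a constructed application through its end of life and record each outcome."""
    site, app = Site(), "Contoso Viewer"
    site.apps[app] = Application(app)
    site.create_deployment(Deployment("D1", app, "Install", frozenset({"WS01", "WS02"})))
    results = {}
    uninstall = Deployment("D2", app, "Uninstall", frozenset({"WS02", "WS03"}))
    try:
        site.create_deployment(uninstall)
        results["uninstall_blocked"] = False
    except ValueError:
        results["uninstall_blocked"] = True        # D1 still targets WS02
    del site.deployments["D1"]
    site.create_deployment(uninstall)              # allowed once the install deployment is gone
    site.retire(app, date(2014, 1, 1))
    try:
        site.create_deployment(Deployment("D3", app, "Install", frozenset({"WS04"})))
        results["retired_blocks_new_deployment"] = False
    except ValueError:
        results["retired_blocks_new_deployment"] = True
    results["blockers_while_deployed"] = site.delete_blockers(app)
    del site.deployments["D2"]
    results["purged_after_59_days"] = site.purge_expired_retired(date(2014, 3, 1))
    results["purged_after_60_days"] = site.purge_expired_retired(date(2014, 3, 2))
    return results
```

Running run_scenario() shows the order of operations the text prescribes: the uninstall deployment is rejected until the overlapping install deployment is removed, the retired application refuses new deployments while its existing one keeps working, and the application is only purged once it is both unreferenced and 60 days past retirement.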

Thought experiment
End of application life cycle at Contoso
An application that is widely deployed on computers will no longer be needed in
several months. With this information in mind, you are considering what strate-
gies to pursue when the application is no longer required. As part of the planning
process, answer the following questions:

1. What is the difference between retiring an application and uninstalling an application?
2. What might cause an uninstall deployment to fail?

Objective summary
■ Application management in Configuration Manager enables you to upgrade or replace existing applications by using a supersedence relationship.
■ When you supersede an application, you can specify a new deployment type to replace that of the superseded application.
■ You can configure whether to uninstall the superseded application.
■ When you supersede an application, the supersedence applies to all future deployments and Application Catalog requests.




■ You can retire an application at any time. Retiring an application prevents new deployments of the application without uninstalling the application.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. An application has been deployed on 30 percent of the desktop computers at your organization. You want to stop new deployments of this application but don’t want to remove existing instances of the application. Which of the following steps could you take to accomplish this goal?
A. Retire the application.
B. Uninstall the application.
C. Supersede the application.
D. Install the application.
2. An application is deployed on 40 percent of the desktop computers at your organization. Your superiors have chosen not to continue licensing the application, so now you have to make sure that it is removed from these computers. No replacement application has been chosen at this time. Which of the following steps could you take to accomplish this goal?
A. Install the application.
B. Supersede the application.
C. Uninstall the application.
D. Retire the application.
3. You have decided to switch from one vendor’s application to another’s. The original vendor’s application is present on 80 percent of the desktop computers at your organization. Which of the following steps could you take to replace the original vendor’s application with a minimum of administrative effort?
A. Supersede the application.
B. Retire the application.
C. Uninstall the application.
D. Install the application.

Objective 2.5: Monitor applications


Configuration Manager enables you to monitor the process of application deployment, perform tasks to inventory the applications that are present on Configuration Manager clients, and measure how often users run applications in your organization.




This section covers the following topics:
■ Monitoring application deployment
■ Asset Intelligence
■ Software metering

Monitoring application deployment


In the Monitoring workspace of the Configuration Manager console, you can monitor all deployments, including software updates, compliance settings, applications, task sequences, packages, and programs.
Applications in Configuration Manager support state-based monitoring, which you can use to track the last application deployment state for users and devices. These state messages display information about individual devices.
You can view the states on several tabs in the Monitoring workspace. Each tab displays the
individual users or devices reporting that state. The compliance states that may be displayed
include:
■ Success The application deployment was successful.
■ In Progress The application deployment is in progress.
■ Unknown The state of the application deployment is undetermined, so no state
messages have been returned. For example, when a device is turned off for a device-
targeted deployment or when a user has not logged on to receive a user-targeted
deployment, the state is Unknown.
■ Requirements Not Met The application did not deploy because it did not comply
with a dependency or a requirement.
■ Error The application failed to deploy because of an error.
Each compliance state includes subcategories that contain additional information on the
deployment state and information on the number of users and devices in this category. For
example, the Error compliance state contains the following three subcategories:
■ Error evaluating policy
■ Content related errors
■ Installation errors
When more than one compliance state applies for an application deployment to a user who has more than one associated device, the aggregate state that you see is the lowest level of compliance. For example, if a user logs on to two devices, and the application installs successfully on one device but fails to install on the second device, the application’s aggregate deployment state for that user displays as Error.
You can use these subcategories to help you quickly identify any important issues with an application deployment. You also can view additional information to determine the devices that fall into a particular subcategory of a compliance state.
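As an added example (not code from this book or from Configuration Manager), the following Python model applies the aggregation rule just described to a constructed set of state messages: a user's aggregate state is the lowest level of compliance among that user's devices, and Error messages are tallied by the three subcategories named above. The numeric ranking of the five states (Success highest, Error lowest), the requirement that every Error message name a subcategory, and the user and device names are assumptions made for the illustration.

```python
"""Per-user aggregate deployment state across several devices.

Added example, not Configuration Manager code. The ranking below
(Success highest, Error lowest) and the sample state messages are
constructed assumptions used to illustrate the rule in the text.
"""
from collections import defaultdict

STATE_RANK = {
    "Success": 4,
    "In Progress": 3,
    "Unknown": 2,
    "Requirements Not Met": 1,
    "Error": 0,
}
ERROR_SUBCATEGORIES = ("Error evaluating policy", "Content related errors", "Installation errors")

# Constructed state messages: (user, device, state, error subcategory or None)
SAMPLE_STATE_MESSAGES = [
    ("alice", "WS01", "Success", None),
    ("alice", "LT01", "Error", "Installation errors"),
    ("bob", "WS02", "Success", None),
    ("carol", "WS03", "Success", None),
    ("carol", "LT02", "Requirements Not Met", None),
    ("dave", "WS04", "Error", "Content related errors"),
    ("dave", "LT03", "Error", "Installation errors"),
]


def validate_message(msg):
    """Reject states the console does not display and Error messages without a subcategory."""
    _user, device, state, sub = msg
    if state not in STATE_RANK:
        raise ValueError(f"{device}: unknown compliance state {state!r}")
    if state == "Error" and sub not in ERROR_SUBCATEGORIES:
        raise ValueError(f"{device}: Error state needs a subcategory, got {sub!r}")
    return msg


def aggregate_state_per_user(messages=SAMPLE_STATE_MESSAGES):
    """Lowest-ranked state among each user's devices, as the console shows per user."""
    per_user = defaultdict(list)
    for user, _device, state, _sub in map(validate_message, messages):
        per_user[user].append(state)
    return {u: min(states, key=STATE_RANK.__getitem__) for u, states in per_user.items()}


def devices_per_state(messages=SAMPLE_STATE_MESSAGES):
    """Number of devices reporting each compliance state."""
    counts = {state: 0 for state in STATE_RANK}
    for _user, _device, state, _sub in map(validate_message, messages):
        counts[state] += 1
    return counts


def error_subcategory_counts(messages=SAMPLE_STATE_MESSAGES):
    """Devices in each Error subcategory, the drill-down the text describes."""
    counts = {sub: 0 for sub in ERROR_SUBCATEGORIES}
    for _user, _device, state, sub in map(validate_message, messages):
        if state == "Error":
            counts[sub] += 1
    return counts
```

With the sample data, alice aggregates to Error even though one of her devices reports Success, carol aggregates to Requirements Not Met, and the subcategory tally points at installation errors as the most common failure, which is the triage view the text says these subcategories are for.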




Asset Intelligence
Asset Intelligence enhances Configuration Manager’s inventory capabilities by extending hardware inventory and adding functionality for license reporting. Enabling additional hardware-inventory Windows Management Instrumentation (WMI) reporting classes helps improve the range of information that Asset Intelligence gathers about software titles in use.
In System Center 2012 R2 Configuration Manager, Asset Intelligence supports the mandatory software identification tags specified in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19770-2 standard. These tags include authoritative data that System Center 2012 R2 Configuration Manager can use to identify software installed on client computers. Because a standard defines the tags, an increasing number of software vendors include them in their applications. If you want System Center 2012 R2 Configuration Manager to use mandatory software identification tags, you must enable the SMS_SoftwareTag Asset Intelligence Hardware Inventory Reporting class.
In System Center 2012 R2 Configuration Manager, Asset Intelligence also collects information about Application Virtualization 5 and Application Virtualization 4 applications even though these applications run through the Microsoft Application Virtualization (App-V) client and are not installed on the client computer in a traditional manner.
Asset Intelligence provides organizations with the following benefits over software inventory:
■ It provides a more accurate representation of the software titles that are present on managed computers.
■ It provides information about the license usage for specific products rather than just information about the software itself.
■ It can be used in conjunction with software metering to rationalize licensing by determining instances when software has been deployed but is not being used.
■ Whereas software inventory uses the Software Inventory Agent to detect software titles by scanning client storage, Asset Intelligence retrieves information about installed software through the Hardware Inventory Client Agent.
Asset Intelligence has several components, including:
■ The Asset Intelligence catalog Asset Intelligence relies on a set of database tables, which contain software identification, categorization information, and hardware requirements for software titles. Collectively, these tables are the Asset Intelligence catalog and are stored within the site database. The Asset Intelligence catalog can provide data for reports on installed software titles, organize the information within software categories and families, and provide a predefined set of hardware requirements for the software titles. You also can customize the organization of your information by creating custom software categories and families and adding new user-defined hardware requirements for specific software titles. By using an Asset Intelligence synchronization point, you can download periodic updates dynamically from Microsoft to the Asset Intelligence catalog. These updates contain information about newly released or validated software.
■ Asset Intelligence synchronization point This is a Configuration Manager site system role that you can use to connect to an online service that Microsoft hosts, known as System Center Online, and then download Asset Intelligence catalog updates. You can either schedule or manually initiate catalog synchronization. You also can use the Asset Intelligence synchronization point to upload custom software title information to System Center Online. Microsoft will then categorize it.
■ Asset Intelligence home page The Asset Intelligence node in the Asset And Compliance workspace displays a summary dashboard of Asset Intelligence information. It includes summaries of the Asset Intelligence component status, the catalog synchronization status, and inventoried software status.
■ Asset Intelligence reports More than 50 reports present Asset Intelligence information in an easy-to-use format. Many of these reports link to more specific reports, which enable you to query for general information and procure detailed information. Report categories include hardware, license management, and software.

MORE INFO ASSET INTELLIGENCE


You can learn more about Asset Intelligence at http://technet.microsoft.com/en-us/library/gg681998.aspx.

Asset Intelligence catalog


The Asset Intelligence catalog contains information for more than 500,000 software titles and versions, representing more than 20 families and 90 specific categories, and includes the following:
■ Support for manually importing software license information for software titles in use, including both Microsoft and non-Microsoft titles
■ Hardware requirements for many software titles in the catalog
■ Support for adding custom software categories, families, and software labels
■ Support for uploading software title information to the System Center Online service, which then categorizes it
You can review contents of the Asset Intelligence catalog and customize certain elements
by clicking the Asset Intelligence node in the Assets And Compliance workspace. The Asset
Intelligence folder includes the following nodes:
■ Catalog
■ Inventoried Software
■ Hardware Requirements




CATALOG
The Catalog node contains most of the catalog segments that administrators can update, including the following:
■ Software Categories Asset Intelligence software categories broadly categorize inventoried software titles. By default, there are a number of predefined software categories, such as Line Of Business, Original Equipment Manufacturer (OEM), and Office Suites And Productivity. You can create additional user-defined categories to classify inventoried software further.
■ Software Families Asset Intelligence software families further define inventoried software titles. By default, the Asset Intelligence catalog includes approximately 20 predefined software families. Some examples of these predefined software families are Components And Peripherals, Equipment, Home And Entertainment, Industry Specific, Line Of Business, and Productivity And Viewers. You can create additional user-defined software families to classify inventoried software further.
■ Custom Labels Custom labels enable further classification of inventoried software according to attributes that administrators define. For example, you might create a custom label known as Shareware and associate that label with inventoried shareware titles. You then can run a report to display all software titles with which the custom label Shareware is associated.

INVENTORIED SOFTWARE
The list of inventoried software titles includes information about software that the Hardware
Inventory Agent reports. This node displays the following information by default for each
inventoried software title:
■ Product Name The name of the inventoried software
■ Publisher The name of the vendor that developed the software
■ Version The product version of the software title
■ Category The currently assigned software category
■ Family The currently assigned software family
■ Label (1, 2, and 3) The custom labels that have been assigned to the software title, to a maximum of three
■ Software Count The number of Configuration Manager clients that have inventoried the software title

HARDWARE REQUIREMENTS
You can use Asset Intelligence hardware requirements to provide data to help verify that computers meet hardware requirements for software titles before you target them for deployment. Asset Intelligence retrieves from its catalog the hardware requirements that appear in the Configuration Manager console. The list is not based on inventoried software title information from Configuration Manager clients. You can add, modify, or delete custom hardware requirements for software titles that the Asset Intelligence catalog does not predefine. However, existing, noncustom hardware requirement information that the Asset Intelligence catalog stores is read-only, which means you cannot modify or delete it. The following information appears for each hardware requirement listed:
■ Software Title The software title name with which the hardware requirement is associated.
■ Minimum CPU (MHz) The minimum central processing unit (CPU) speed, in megahertz (MHz), that the software title requires.
■ Minimum RAM (KB) The minimum random access memory (RAM), in KB, that the software title requires.
■ Minimum Disk Space (KB) The minimum free disk space, in KB, that the software title requires.
■ Minimum Disk Size (KB) The minimum hard-disk size, in KB, that the software title requires.
■ Validation State The validation state for the hardware requirement. Valid states include Validated and User Defined.
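The following added example (not from this book and not Configuration Manager code) shows how the hardware requirement fields listed above can be checked against inventoried computers before a software title is targeted, and how the catalog's read-only rule for Validated entries differs from administrator-defined ones. The HardwareRequirementCatalog class, the software titles Contoso Designer 2014 and Contoso LOB Tool, the client names and every number in the sample are assumptions constructed for the illustration; the units (MHz for CPU, KB for memory and disk) are the catalog's own.

```python
"""Checking inventoried computers against Asset Intelligence hardware requirements.

Added example, not Configuration Manager code. Titles, client names and
numbers are constructed; Validated entries are treated as read-only and
User Defined entries as editable, as the text describes.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class HardwareRequirement:
    software_title: str
    min_cpu_mhz: int
    min_ram_kb: int
    min_disk_space_kb: int
    min_disk_size_kb: int
    validation_state: str = "User Defined"   # "Validated" for catalog-supplied entries


@dataclass(frozen=True)
class ClientInventory:
    name: str
    cpu_mhz: int
    ram_kb: int
    free_disk_kb: int
    disk_size_kb: int


class HardwareRequirementCatalog:
    def __init__(self, entries=()):
        self._entries = {e.software_title: e for e in entries}

    def get(self, title):
        return self._entries[title]

    def add_custom(self, req):
        """Administrators may only add User Defined requirements for titles the catalog lacks."""
        if req.validation_state != "User Defined":
            raise ValueError("only User Defined requirements can be added by administrators")
        if req.software_title in self._entries:
            raise ValueError(f"{req.software_title} already has a requirement")
        self._entries[req.software_title] = req

    def modify(self, title, **changes):
        current = self._entries[title]
        if current.validation_state == "Validated":
            raise PermissionError(f"{title}: catalog-supplied requirement is read-only")
        self._entries[title] = replace(current, **changes)

    def delete(self, title):
        if self._entries[title].validation_state == "Validated":
            raise PermissionError(f"{title}: catalog-supplied requirement is read-only")
        del self._entries[title]


def unmet_requirements(req, client):
    """List the requirement fields the client fails, in the catalog's own units."""
    checks = [
        ("Minimum CPU (MHz)", client.cpu_mhz, req.min_cpu_mhz),
        ("Minimum RAM (KB)", client.ram_kb, req.min_ram_kb),
        ("Minimum Disk Space (KB)", client.free_disk_kb, req.min_disk_space_kb),
        ("Minimum Disk Size (KB)", client.disk_size_kb, req.min_disk_size_kb),
    ]
    return [f"{label}: has {actual}, needs {needed}" for label, actual, needed in checks if actual < needed]


def eligible_clients(req, clients):
    """Names of the clients that meet every requirement and can therefore be targeted."""
    return [c.name for c in clients if not unmet_requirements(req, c)]


# Constructed catalog entry (2 GB RAM, 1 GB free space, 40 GB disk) and inventory.
SAMPLE_CATALOG = HardwareRequirementCatalog([
    HardwareRequirement("Contoso Designer 2014", 1600, 2_097_152, 1_048_576, 41_943_040, "Validated"),
])
SAMPLE_CLIENTS = [
    ClientInventory("WS01", 2400, 4_194_304, 10_485_760, 104_857_600),
    ClientInventory("WS02", 2400, 1_048_576, 10_485_760, 104_857_600),   # too little RAM
    ClientInventory("WS03", 1200, 4_194_304, 524_288, 104_857_600),      # slow CPU, little free space
]


def sample_eligibility():
    """Per-client list of unmet requirements for the constructed title."""
    req = SAMPLE_CATALOG.get("Contoso Designer 2014")
    return {c.name: unmet_requirements(req, c) for c in SAMPLE_CLIENTS}
```

Only WS01 would be a sensible target for the deployment; the other two computers are reported with the specific field they fail so the reason can be acted on rather than just the verdict.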

Asset Intelligence data collection


You must configure several settings and tasks so that Asset Intelligence performs optimally, including the following:
■ Enable Hardware Inventory Asset Intelligence reports depend on information the Hardware Inventory Agent collects. Ensure that you enable the Hardware Inventory Agent on clients.
■ Enable Software Metering The software-related Asset Intelligence reports depend on the Software Metering Client Agent to provide data. These reports include the following:
■ Software 07A - Recently used executables by number of computers
■ Software 07B - Computers that recently used a specified executable
■ Software 07C - Recently used executables on a specific computer
■ Software 08A - Recently used executables by number of users
■ Software 08B - Users that recently used a specified executable
■ Software 08C - Recently used executables by a specified user
■ Enable Asset Intelligence Inventory reporting classes To enable the Asset Intelligence Inventory reporting classes, right-click the Asset Intelligence node and then click Edit Inventory Classes. You can enable the Asset Intelligence reporting classes you need per the type of reporting that you require. Note that from within the Edit Inventory Classes dialog box, as you point to each reporting class, a tooltip displays information about the reports that depend on each reporting class.




■ Enable Windows event log settings Several Asset Intelligence reports rely on information that Windows security event logs gather on client computers. To support these reports, you must modify the event log settings for Windows security on clients so that it logs all Success logon events. These reports include the following:
■ Hardware 03A - Primary computer users
■ Hardware 03B - Computers for a specific primary console user
■ Hardware 04A - Computers with multiple users (shared)
■ Hardware 05A - Console users on a specific computer
■ Import software license information Use the Import Software Licenses Wizard to import Microsoft Volume License Statements and General License Statements from non-Microsoft vendors into the Asset Intelligence catalog.
■ Install an Asset Intelligence synchronization point The site system role for the Asset Intelligence synchronization point connects to System Center Online to download and synchronize Asset Intelligence catalog information. You must install this role on a site system in the central administration site for hierarchy configurations. This requires Internet access by using Transmission Control Protocol (TCP) port 443. You can configure a synchronization schedule, which by default is set to run every seven days.
■ Configure Asset Intelligence maintenance tasks By default, this Asset Intelligence feature uses two maintenance tasks:
■ Check Application Title With Inventory Information Checks that the software title the software inventory reports reconciles with the software title in the Asset Intelligence catalog.
■ Summarize Installed Software Data Provides information that appears in the Inventoried Software node. This task is available only on primary sites.
■ Configure Asset Intelligence Security You can use the Asset Manager security role to provide the required permissions to manage the Asset Intelligence synchronization point and modify the Asset Intelligence reporting classes and permissions related to software inventory, hardware inventory, and software metering.

Software metering
Software metering enables you to monitor program usage on Configuration Manager client computers. You can summarize software-metering data to produce useful reports that can help you plan for your organization’s software purchases.
Software metering can collect the following information:
■ Program usage information Includes start time, end time, meter data ID, resource ID, user name, users of Terminal Services sessions, and whether Terminal Services is running
■ File information Includes file ID, file name, file version, file description, and file size (in KB)
■ Program information Includes company name, product name, product version, and product language
Software metering uses two main components to perform data-collection tasks: the Software Metering Agent and software-metering rules. When enabled, the Software Metering Agent reports software-metering data based on the site’s software-metering rules. You must configure software-metering rules before data collection about a program’s usage begins.
The software-metering process includes the following steps:
1. The Software Metering Agent examines each program that runs on the client and determines whether the program file’s information matches any software-metering rule. The agent collects usage data each time an actively monitored program runs on the client regardless of whether the client is connected to the network.
2. The agent uploads the data to the management point on its next Software Metering Usage Report Cycle. If the client is not connected to the network, the data remains on the client and then uploads to the management point the next time the client connects to the network.
3. The management point forwards the data to the site server.
4. The site server adds the data to the site database.
Software-metering data is summarized on a specified schedule, and it replicates to the central administration site, which contains usage data from all client computers within the hierarchy.
After the site server summarizes client data, you can view the information by using queries and reports. This data, combined with data from software inventory and Asset Intelligence, can assist your organization in determining its software usage. You can configure three elements of software metering: Software Metering Agent, software-metering rules, and automatic generation of software-metering rules.

Configuring the Software Metering Agent

When enabled, the Software Metering Agent collects usage data for programs specified in software-metering rules. Typically, the agent is enabled by default. However, if the agent has been disabled, you can enable it in Client Settings within the Configuration Manager console. You can also customize the software-metering data collection schedule, which is every seven days by default.

Configuring software-metering rules

After ensuring that the Software Metering Agent is enabled, configure software-metering rules. You must create and configure software-metering rules to specify the applications you want the Software Metering Agent to monitor. The Create Software Metering Rule Wizard leads you through the creation of a new software-metering rule.




Automatic software-metering rules
Configuration Manager enables you to generate software-metering rules automatically, based on recent usage-inventory data. If Configuration Manager automatically generates a software-metering rule, the generated rule will be disabled. You must enable that rule if you want clients to report usage of the software specified in the automatically generated rule. In addition, you might want to disable a software-metering rule but keep it for later use.
You can configure the automatic generation of rules as follows:
1. Open the Software Metering Properties dialog box and then select the Automatically Create Disabled Metering Rules From Recent Usage Inventory Data check box if it is not already selected. This option is selected by default.
2. Specify the percentage of a site’s computers that must use a particular program before a software-metering rule for that program is created automatically. The default value is 10 percent.
3. To protect against auto-generating an unmanageable number of disabled rules, specify the number of rules after which no new software-metering rules are created automatically. The default value is 100 rules.
4. Configure the length of time the software-metering data stays stored in the site database. The default value is 90 days.
To enable or disable a software-metering rule, you must perform the following procedure:
1. In the Configuration Manager console, click the Assets And Compliance workspace and then click Software Metering.
2. Select and then right-click one or more software-metering rules and then click either Enable or Disable.
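The following added example (not from this book and not Configuration Manager code) models the automatic rule generation just described over constructed usage-inventory data: the four settings with their stated defaults (automatic creation on, 10 percent usage threshold, 100-rule cap, 90-day retention), rules that are created disabled, and the Enable/Disable step. The MeteringRule and SoftwareMeteringSettings classes, the executable names and the computer counts are assumptions; so is applying the cap to the total number of rules, since the text does not say whether the cap counts only automatically generated rules.

```python
"""Automatic generation of disabled software-metering rules.

Added example, not Configuration Manager code. Applying the rule cap to the
total rule count is an assumption; file names and computer sets are constructed.
"""
from dataclasses import dataclass


@dataclass
class MeteringRule:
    name: str
    file_name: str
    enabled: bool = False       # automatically generated rules start disabled
    auto_generated: bool = False


@dataclass
class SoftwareMeteringSettings:
    auto_create_disabled_rules: bool = True   # check box selected by default
    usage_percent_threshold: int = 10         # default: 10 percent of the site's computers
    max_rules: int = 100                      # default: stop auto-creating at 100 rules
    retention_days: int = 90                  # default: keep metering data 90 days

    def validate(self):
        if not 0 < self.usage_percent_threshold <= 100:
            raise ValueError("usage threshold must be a percentage between 1 and 100")
        if self.max_rules < 1 or self.retention_days < 1:
            raise ValueError("rule cap and retention period must be positive")


def auto_generate_rules(settings, existing_rules, usage_inventory, site_computers):
    """usage_inventory maps a file name to the set of computers that recently ran it.

    Returns new, disabled rules for programs that at least the threshold percentage
    of site computers used; programs already covered by a rule are skipped, and no
    rule is created once the cap has been reached.
    """
    settings.validate()
    if not settings.auto_create_disabled_rules or site_computers == 0:
        return []
    covered = {r.file_name.lower() for r in existing_rules}
    rule_count = len(existing_rules)
    new_rules = []
    # Most widely used programs first, so the cap favours the programs that matter.
    for file_name, computers in sorted(usage_inventory.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        if rule_count >= settings.max_rules:
            break
        if file_name.lower() in covered:
            continue
        if 100.0 * len(computers) / site_computers >= settings.usage_percent_threshold:
            new_rules.append(MeteringRule(f"Auto: {file_name}", file_name, enabled=False, auto_generated=True))
            rule_count += 1
    return new_rules


def set_rule_state(rules, names, enabled):
    """Enable or disable the named rules, the effect of Enable/Disable in the console."""
    for r in rules:
        if r.name in names:
            r.enabled = enabled
    return rules


# Constructed usage inventory for a site of 50 computers.
SAMPLE_SITE_COMPUTERS = 50
SAMPLE_USAGE = {
    "designer.exe": {f"WS{n:02d}" for n in range(1, 11)},            # 10 computers = 20%
    "viewer.exe": {"WS01", "WS02", "WS03", "WS04"},                    # 4 computers = 8%
    "ledger.exe": {"WS05", "WS06", "WS07", "WS08", "WS09"},            # 5 computers = 10%
    "legacy.exe": {"WS10", "WS11", "WS12", "WS13", "WS14", "WS15"},    # 12%, but already has a rule
}
SAMPLE_EXISTING = [MeteringRule("Legacy tool", "legacy.exe", enabled=True)]


def generate_sample():
    """Rules the default settings would create from the constructed inventory."""
    return auto_generate_rules(SoftwareMeteringSettings(), SAMPLE_EXISTING, SAMPLE_USAGE, SAMPLE_SITE_COMPUTERS)
```

With the defaults, designer.exe (20 percent) and ledger.exe (exactly 10 percent) get disabled rules, viewer.exe falls below the threshold, and legacy.exe is skipped because a rule already covers it; lowering max_rules shows the cap cutting off generation after the most widely used program.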

Summarization tasks
The Summarize Software Metering tasks perform data summarization to reduce the amount
of data the Coniguration Manager site database stores. Data summarization runs daily and
only runs against usage data that is older than 12 hours. Data summarization is required for
all Coniguration Manager software-metering reports to display meaningful data.
You should know when the summarization last occurred if you want to understand what
data the most current set of summary data contains. You can refer to the Software Metering
Summarization Progress report in Coniguration Manager to determine when the summariza-
tion last occurred.
The software-metering summarization tasks are:
■ Summarize Software Metering File Usage Data The Summarize Software
Metering File Usage Data task condenses software-metering ile usage data from
multiple records into one general record. This record provides information about the
program name, version, language, and number of distinct users over intervals of 15
minutes and 1 hour. This process compresses and optimizes the amount of data stored

Objective 2.5: Monitor applications CHAPTER 2 95

From the Library of Ida Schander


in the Configuration Manager site database. By default, the Summarize Software
Metering File Usage Data task runs daily. For every hour, and every 15-minute interval
within the hour, the task calculates the total number of distinct user/computer
combinations that are running the matching program. Within the 15-minute intervals, this
approximates the number of concurrent users. For example:
■ If a single user is using a software program and signs in to three computers simulta-
neously, this counts as three usages.
■ If three users sign in to a computer that is running Terminal Services or Remote
Desktop Services, and all three are running the software program, this counts as
three usages.
■ If a single user starts and stops the software program on the same computer three
times during the hour, this counts as one usage for that user.
■ Summarize Software Metering Monthly Usage Data This task condenses detailed
software-metering usage data from multiple records into one general record. This
record provides information about the program name, program version and language,
program running times, number of usages, last usage, user name, and computer name.
Data summarization helps compress the amount of data in the Configuration Manager
site database. Monthly software usage data replicates to the central administration site.
The summarization information includes the number of times each matching software
program runs on a particular computer and by a particular user during the month. By
default, the task runs daily, and the summarization period is one month.
The following maintenance tasks remove old software-metering data and summarized
data from the Configuration Manager site database:
■ Delete Aged Software Metering Data This task deletes all unsummarized
software-metering data that is older than the number of days specified. By default, the
task runs every day and deletes software-metering data that is older than five days.
You can configure the number of days to be any number from 2 through 255.
■ Delete Aged Software Metering Summary Data This task deletes summarized
software-metering summary data that is older than the number of days specified. By
default, the task runs every Sunday to delete software-metering summary data that is
older than 270 days.
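The following Python script is an added worked example, not code from this book or from Configuration Manager, that models the counting rules described above: for each 15-minute interval and for the hour it counts distinct user/computer combinations running a metered program, the monthly task counts runs per user and computer, summarization only considers records older than 12 hours, and the aged-data task drops unsummarized records older than the configured number of days. The record layout, the program name app.exe, and the sample usage records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UsageRecord:
    """One raw software-metering usage record (constructed layout, not agent output)."""
    user: str
    computer: str
    program: str        # the executable matched by a software-metering rule
    start: datetime
    end: datetime


def _overlaps(rec, win_start, win_end):
    """True when the program ran at any point inside the window."""
    return rec.start < win_end and rec.end > win_start


def distinct_usages(records, program, win_start, win_end):
    """Count distinct user/computer combinations running `program` in the window.
    Within a 15-minute interval this approximates the number of concurrent users."""
    pairs = {(r.user, r.computer) for r in records
             if r.program == program and _overlaps(r, win_start, win_end)}
    return len(pairs)


def summarize_hour(records, program, hour_start):
    """File-usage summarization for one hour: returns
    (distinct usages in the hour, [counts for the four 15-minute intervals])."""
    quarters = []
    for i in range(4):
        q_start = hour_start + timedelta(minutes=15 * i)
        quarters.append(distinct_usages(records, program, q_start,
                                        q_start + timedelta(minutes=15)))
    return distinct_usages(records, program, hour_start,
                           hour_start + timedelta(hours=1)), quarters


def summarize_month(records, program, year, month):
    """Monthly-usage summarization: number of times the program ran per
    (user, computer) during the given month."""
    counts = {}
    for r in records:
        if r.program == program and (r.start.year, r.start.month) == (year, month):
            counts[(r.user, r.computer)] = counts.get((r.user, r.computer), 0) + 1
    return counts


def ready_for_summarization(records, now):
    """Summarization only processes usage data that is older than 12 hours."""
    return [r for r in records if r.end <= now - timedelta(hours=12)]


def delete_aged(records, now, max_age_days=5):
    """Delete Aged Software Metering Data: drop unsummarized records older than
    max_age_days (default five days; the site accepts 2 through 255)."""
    if not 2 <= max_age_days <= 255:
        raise ValueError("max_age_days must be between 2 and 255")
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records if r.end >= cutoff]


# Constructed sample data for the hour starting 09:00 on 2 June 2014.
HOUR = datetime(2014, 6, 2, 9, 0)
HOUR_END = HOUR + timedelta(hours=1)
EARLY_RUN = HOUR + timedelta(hours=6)     # too soon: the hour is not yet 12 hours old
SUMMARY_RUN = HOUR + timedelta(hours=13)  # the hour is now eligible for summarization
PROGRAM = "app.exe"


def _rec(user, computer, start_min, end_min, day_offset=0):
    base = HOUR + timedelta(days=day_offset)
    return UsageRecord(user, computer, PROGRAM,
                       base + timedelta(minutes=start_min), base + timedelta(minutes=end_min))


SAMPLE_RECORDS = [
    # one user signed in to three computers at once: three usages
    _rec("alice", "PC1", 0, 30), _rec("alice", "PC2", 0, 30), _rec("alice", "PC3", 0, 30),
    # three users on one Remote Desktop Services host: three usages
    _rec("bob", "RDS1", 5, 50), _rec("carol", "RDS1", 5, 50), _rec("dave", "RDS1", 5, 50),
    # one user starting and stopping the program three times: one usage
    _rec("erin", "PC9", 2, 10), _rec("erin", "PC9", 20, 25), _rec("erin", "PC9", 40, 55),
    # an unsummarized record from ten days earlier, eligible for the aged-data task
    _rec("frank", "PC4", 0, 15, day_offset=-10),
]

if __name__ == "__main__":
    print(summarize_hour(SAMPLE_RECORDS, PROGRAM, HOUR))        # (7, [7, 7, 4, 4])
    print(summarize_month(SAMPLE_RECORDS, PROGRAM, 2014, 6))
    print(len(delete_aged(SAMPLE_RECORDS, SUMMARY_RUN)))        # 9
```

Run the script directly to print the hourly summary. With the constructed records the hour totals seven usages, which is the sum of the three cases in the list above, while the quarter-hour counts fall once Alice's sessions end at 09:30.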

EXAM TIP
Remember the purpose of software-metering rules.

96 Chapter 2 Deploy and manage desktop and mobile applications



Thought experiment
Contoso Asset Intelligence
You want to find out more about how applications are being used at Contoso. To
accomplish this goal, you have implemented Configuration Manager. After
experimenting with the various settings, determine the answers to the following
questions:

1. What must you enable to view information about users who have run a specific
executable?

2. You run an Asset Intelligence report to find computers that multiple users are
using, but the report displays no records. How can you troubleshoot and correct
the issue?

Objective summary
■ In the Monitoring workspace of the Configuration Manager console, you can monitor
all deployments, including software updates, compliance settings, applications, task
sequences, packages, and programs.
■ Applications in Configuration Manager support state-based monitoring, which you can
use to track the last application deployment state for users and devices.
■ Asset Intelligence enhances Configuration Manager’s inventory capabilities by
extending hardware inventory and adding functionality for license reporting.
■ You can use Asset Intelligence hardware requirements to provide data to help verify
that computers meet hardware requirements for software titles before you target them
for deployment.
■ Software metering enables you to monitor program usage on Configuration Manager
client computers.
■ The Software Metering Agent reports software-metering data based on the site’s
software-metering rules.
■ The Summarize Software Metering tasks perform data summarization to reduce the
amount of data that the Configuration Manager site database stores.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. By default, what is the maximum number of automatically created Configuration
Manager software-metering rules?
A. 10
B. 50



C. 100
D. 1,000
2. By default, what percentage of a site’s computers must use a particular program before
a software-metering rule for that program is created automatically?
A. 5 percent
B. 10 percent
C. 15 percent
D. 20 percent
3. You are monitoring application deployment for computers in a specific collection.
Which of the following compliance states indicates that a requirement or dependency
wasn’t met?
A. In Progress
B. Error
C. Requirements Not Met
D. Success

Objective 2.6: Manage content distribution


Distribution points store content such as applications, packages, software updates, and
operating system images. Configuration Manager clients access this content as instructed by
specific deployment tasks. Deploying and managing distribution points requires considering
the amount of content on the distribution point, available network bandwidth, and the ability
to monitor the status of the distribution point.

This section covers the following topics:


■ Content management
■ Distribution points
■ Network bandwidth considerations
■ Content library
■ Content management
■ Content distribution
■ Prestaging content



Content management
Distribution points provide content to Configuration Manager clients. Before you can use
Configuration Manager to deploy software to a client device, you must have at least one
distribution point that the client can access. Depending on the size of your environment, you can
implement additional distribution points as necessary to ensure efficient access to content for
Configuration Manager clients.
Distribution points host content files for:
■ Applications.
■ Packages.
■ Software updates.
■ Operating system deployments.
The efficiency of your distribution points depends on two main considerations:
■ Managing content distribution to your distribution points in a way that minimizes
impact to network bandwidth. You don’t want to block clients from accessing content
each time you move new data to the distribution point.
■ Ensuring that Configuration Manager clients connect to appropriate distribution points
to access content for deployments. You want to ensure that clients have access to a
local distribution point rather than connecting to one on the other side of the country
or even one on another continent.
In Configuration Manager, the distribution point site system role includes a number of
features to utilize network bandwidth and store content efficiently. These include:
■ Scheduling and throttling You can schedule a specific time for availability and
limit the transfer rate you use when you distribute content to a distribution point over
a network connection. You can restrict rate limits to a percentage of available
bandwidth, or you can configure throttling based on the size of data blocks, in kilobytes
(KB), and the time delay between sending each data block (in seconds). Note that these
options do not apply when the distribution point is on a site server or when you
configure it as a pull-distribution point.
■ Content library The content library is a common repository that stores all content
files for packages, applications, software updates, and operating system deployments.
Single-instance storage prevents storage of multiple copies of the same content files
on the distribution point. This provides a huge benefit by decreasing hard disk space
requirements for content. The content library is on the site server and on each
distribution point. The Package Transfer Manager site server component transfers content
from the site server to a distribution point.
■ Content validation You can use content validation to ensure the integrity of content
that the content library stores. You can run content validation on a schedule that you
configure for the distribution point, or you can validate content manually from the



properties of any instance of content. You can view the validation status on the
Content Status node of the Monitoring workspace.

Distribution points
You can deploy distribution points on computers running server operating systems such as
Windows Server 2012 R2, on client operating systems such as Windows 8, and to Microsoft
Azure. Before you deploy a new distribution point, consider the following:
■ Association to boundary groups When you associate a distribution point with
one or more boundary groups, it becomes a preferred distribution point for clients
within the boundary group’s boundaries. When you associate a distribution point with
a boundary group, you configure the connection speed to the distribution point as
either Fast (the default) or Slow. Clients that are in an assigned boundary group
attempt to use their preferred distribution points for accessing content. For clients
outside the assigned boundary groups, you have the option of allowing fallback access
to the distribution point. If a preferred distribution point is not available to the client,
the client uses an available fallback distribution point.
■ Use of distribution point groups A distribution point group is a logical grouping
of distribution points that you can use to simplify content distribution to multiple
distribution points. For example, if you distribute content to a distribution point group, all
distribution points that are group members receive the content. Beginning with System
Center 2012 R2 Configuration Manager, if you add a new distribution point to an
existing distribution point group, the content hosted on other members of the group will
automatically be added to the new distribution point.
You can associate collections with distribution point groups. This enables you to distribute
content to collections directly rather than having to specify distribution point groups during
deployment. Any distribution points that are members of a distribution point group that you
associate with a collection will receive the content that has been distributed to that collection.
■ Support for Internet-based or mobile clients To support Internet-based clients or
mobile clients, you must configure the distribution point to accept HTTPS
communication. The distribution point must have a valid public key infrastructure (PKI) web server
certificate to use HTTPS communication. In addition, to support client authentication,
client computers must have a valid PKI client certificate installed from a trusted
certification authority (CA). Internet client support requires additional configuration, such
as configuring a fully qualified domain name (FQDN), firewall access rules, and the
distribution point to support Internet-based clients. In many scenarios, cloud-based
distribution points replicate this functionality without the complexity of configuring
communication.
■ Network connection speed to the content source location By default, all
distribution points in a boundary group are configured with a fast connection. When a
client is connecting to a fallback distribution point, which is one used when the one to
which the client was going to connect is unavailable, Configuration Manager



automatically classifies the connection as Slow. You can also specify a distribution point
as having a slow connection in relation to a boundary group of which it is a member.
It is also possible to configure deployments to behave differently, depending on the
connection speed.
■ Content on demand You can enable the Distribute The Content For This Package To
Preferred Distribution Points property for an application or package to enable
on-demand content distribution to preferred distribution points. If you enable this
setting, when a client requests content that is not available on a preferred distribution
point, the content downloads to all preferred distribution points.
■ Scheduling and throttling requirements You can configure rate limits on
distribution points to control the bandwidth used to copy the content from the site server.
You can do this on all distribution points with the exception of a distribution point on
a site server or a distribution point that you configure as a pull-distribution point. You
can configure rate limits by specifying the amount of bandwidth a transfer can use. In
addition, you can schedule when the transfer can occur.
■ Prestaged content requirements When scheduling and throttling do not provide
the desired control over the content-transfer process, you can configure the Enable
This Distribution Point For Prestaged Content setting in the distribution point
properties on the General tab. When you enable this setting, you can control how content is
copied to a distribution point on a per-package basis. The following options are
available:
■ Automatically Download Content When Packages Are Assigned To Distribution
Points
■ Download Only Content Changes To The Distribution Point
■ Manually Copy The Content In This Package To The Distribution Point
■ Support for operating system deployment In System Center 2012 R2
Configuration Manager, you can enable distribution points to support Pre-Boot
Execution Environment (PXE) and multicast. You can use both of these configurations
for operating system deployment tasks. PXE enables distribution points to respond to
incoming PXE boot requests by clients on the local network. Multicast enables
deploying operating system images by sending data to multiple clients simultaneously
instead of by using a separate connection to each client. If you enable PXE or multicast
settings on a distribution point, the Windows Deployment Services server role installs
automatically on the server. PXE and multicast are not supported on a
workstation-based distribution point.
■ BranchCache System Center 2012 R2 Configuration Manager and newer versions
support BranchCache distributed mode. You can configure software deployments to
support BranchCache. When a BranchCache-enabled client downloads
BranchCache-enabled content from a BranchCache-enabled distribution point, the client caches the
software locally. When additional BranchCache-enabled clients on the same subnet
need to download the content, they download it from a peer and then cache it. When



you use BranchCache in a remote location, only the initial client needs to download
the content from a distribution point.
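To make the interaction between boundary groups, connection speed, fallback access and on-demand distribution concrete, here is an added Python model. It is not Configuration Manager code and simplifies what the management point actually does when it builds a content location list. The boundary identifiers, distribution point names and package IDs are constructed; the rule that a client tries Fast preferred distribution points before Slow ones, and the choice to keep the slower classification when two boundary groups disagree, are assumptions of this model rather than statements from the book.

```python
from dataclasses import dataclass, field

FAST, SLOW = "Fast", "Slow"


@dataclass
class DistributionPoint:
    name: str
    content: set = field(default_factory=set)  # content IDs held in its content library
    available: bool = True
    allow_fallback: bool = False               # Allow Fallback Source Location For Content


@dataclass
class BoundaryGroup:
    name: str
    boundaries: set      # constructed boundary identifiers, e.g. IP subnet strings
    dps: dict            # DP name -> connection speed, Fast (the default) or Slow


def preferred_dps(client_boundary, groups):
    """Distribution points of every boundary group containing the client's boundary,
    with the connection speed each group assigns (Fast unless configured Slow)."""
    result = {}
    for g in groups:
        if client_boundary in g.boundaries:
            for name, speed in g.dps.items():
                # assumption: if two groups disagree, keep the slower classification
                result[name] = SLOW if SLOW in (speed, result.get(name)) else FAST
    return result


def select_content_source(client_boundary, content_id, groups, dps):
    """Pick the distribution point a client would download content_id from.
    Returns (dp_name, speed), or None when no source exists."""
    candidates = [(speed, name)
                  for name, speed in preferred_dps(client_boundary, groups).items()
                  if dps[name].available and content_id in dps[name].content]
    if candidates:
        # assumption: Fast preferred DPs before Slow ones, name as tie-breaker
        candidates.sort(key=lambda c: (c[0] != FAST, c[1]))
        speed, name = candidates[0]
        return name, speed
    # No usable preferred DP: a fallback DP is used and the connection is classified Slow.
    for dp in sorted(dps.values(), key=lambda d: d.name):
        if dp.available and dp.allow_fallback and content_id in dp.content:
            return dp.name, SLOW
    return None


def on_demand_targets(client_boundary, content_id, groups, dps, on_demand_enabled):
    """With on-demand distribution enabled, a request for content that a preferred DP
    lacks makes the site send that content to all preferred DPs that are missing it."""
    if not on_demand_enabled:
        return []
    return sorted(name for name in preferred_dps(client_boundary, groups)
                  if content_id not in dps[name].content)


# Constructed environment: two boundary groups, four distribution points.
DPS = {dp.name: dp for dp in [
    DistributionPoint("DP-SYD1", {"PKG001"}),
    DistributionPoint("DP-SYD2", {"PKG001", "PKG002"}),
    DistributionPoint("DP-MEL1", {"PKG001", "PKG002"}, allow_fallback=True),
    DistributionPoint("DP-HQ", {"PKG001", "PKG002", "PKG003"}, allow_fallback=True),
]}
GROUPS = [
    BoundaryGroup("Sydney", {"10.1.0.0/16"}, {"DP-SYD1": FAST, "DP-SYD2": SLOW}),
    BoundaryGroup("Melbourne", {"10.2.0.0/16"}, {"DP-MEL1": FAST}),
]

if __name__ == "__main__":
    for boundary, pkg in [("10.1.0.0/16", "PKG001"), ("10.1.0.0/16", "PKG002"),
                          ("10.1.0.0/16", "PKG003"), ("10.9.0.0/16", "PKG001")]:
        print(boundary, pkg, select_content_source(boundary, pkg, GROUPS, DPS))
    print(on_demand_targets("10.1.0.0/16", "PKG003", GROUPS, DPS, True))
```

A Sydney client asks for PKG002 and gets the Slow preferred distribution point rather than a Fast fallback one, and a client whose boundary is in no group only ever reaches distribution points that allow fallback, always at Slow speed. Making DP-SYD1 unavailable moves PKG001 requests to DP-SYD2, which is the behaviour the book describes for an unavailable preferred distribution point.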

Pull-distribution points
When you assign content to a pull-distribution point, the pull-distribution point copies the
content files from the specified distribution point. This reduces the processing usage of the
site server when distributing content to a large number of distribution points.
Pull-distribution points support the same configurations and functionality as typical
Configuration Manager distribution points with the following exceptions:
■ You cannot configure a cloud-based distribution point as a pull-distribution point or as
a source server for pull distributions.
■ You cannot configure a distribution point on a site server as a pull-distribution point.
■ Prestaged content distribution settings override pull distribution. If you configure the
content for prestaging, a pull-distribution point will not pull it.
■ Rate limit configurations do not apply to pull-distribution points.
■ Retry settings do not apply to pull-distribution points. The Package Transfer Manager
service on the site server does not notify the pull-distribution point to start
downloading the content until it has verified that the pull-distribution point is available on a
source server.
■ If the pull-distribution point is in a remote forest, the Configuration Manager client
must be installed on the distribution point, and the Network Access Account must be
able to access the source distribution point.
You can configure a distribution point as a pull-distribution point during the creation of
the distribution point or after the distribution point is in place. When configuring a
distribution point as a pull-distribution point, you must also specify one or more source distribution
points. You can use only distribution points that support HTTP as source distribution points if
you are using the Configuration Manager console. When configuring multiple source
distribution points, you can assign priorities to each.

MORE INFO PULL-DISTRIBUTION POINTS


You can learn more about pull-distribution points at http://technet.microsoft.com/en-us/library/gg682083.aspx.

Cloud-based distribution points


System Center 2012 Configuration Manager Service Pack 1 (SP1) and later support
cloud-based distribution points in Microsoft Azure. You configure cloud-based distribution points
in the Cloud services node in the Administration workspace. You must also configure a client
settings policy to allow clients to use cloud-based distribution points. Finally, to help
control the costs associated with a cloud-based distribution point, you can configure thresholds



for the amount of storage the distribution point uses and the amount of client traffic to the
distribution point.
Cloud-based distribution points include the following distribution point features:
■ Support for individual or group-based management
■ A possible fallback distribution point
■ Support for intranet and Internet-based clients
■ Support for BranchCache-configured systems to download content from the
cloud-based distribution point
There are additional features specific to using a cloud-based distribution point in
Microsoft Azure. When content is sent to a Microsoft Azure–based distribution point, the
content is encrypted while traversing the Internet. In addition, you can quickly scale the size
of your distribution points as necessary without investing in additional hardware.
Cloud-based distribution points have the following limitations:
■ Cannot host software update packages
■ Cannot be configured for PXE or multicast deployments
■ Cannot be used with task sequences that use the Download Content Locally When
Needed By Running Task Sequence deployment option
■ Do not support packages that run from the distribution point
■ Do not support streaming packages
■ Cannot be configured for prestaged content
■ Cannot be configured as pull-distribution points

Network bandwidth considerations


Distributing content in a Configuration Manager infrastructure generates network traffic at
various points in the distribution process:
■ When content files are copied from the source path to the site server if the source path
is on a different server from the site server. For this scenario, file transfers use the
Server Message Block (SMB) protocol. The effect of this traffic on the network is usually
negligible because it occurs over a high-speed network.
■ When content files are copied from the site server to remote distribution points. In this
situation, file transfers use the SMB protocol, which can have a significant impact on
network usage, especially over low-speed network connections. You can manage this
traffic by using content throttling and distribution scheduling except for distribution
points that are located on site servers.
Consider the following when configuring content throttling and scheduling:
■ Content distribution detects updated files so that only the new or updated files are
distributed when content source files are updated.



■ You can configure scheduling and set specific throttling settings that determine when
and how much bandwidth is consumed during content distribution to remote
distribution points. You can configure the throttling settings on the Rate Limits tab and the
scheduling settings on the Schedule tab. The Rate Limits and Schedule tabs appear
only in the properties for distribution points that are not installed on a site server.
■ You can configure remote distribution points with different settings based on the
network bandwidth limitations from the site server to the remote distribution point. Each
remote distribution point that you configure as a pull-distribution point uses its own
throttling settings and schedule to transfer content.

Distribution point priority


Beginning with System Center 2012 R2 Configuration Manager, Configuration Manager
assigns a priority to each distribution point. This priority is based on how long content
distribution has taken in prior distributions, on average. This priority is evaluated constantly as you
distribute content. When you distribute content to multiple distribution points at the same
time, the highest-priority distribution point receives content first. The Configuration Manager
console does not include any options for managing the distribution point priority settings.

Bandwidth management planning


When planning for network bandwidth management in Configuration Manager, consider how
you can reduce the content distribution network traffic:
■ Configure scheduling and bandwidth throttling settings on distribution points and
senders.
■ Use content prestaging to transfer the content offline.
■ Place distribution points on the same high-speed networks as clients.
■ Install standard applications as part of the operating system images.
■ Include standard application installer files in the operating system image and use
custom task sequence commands to install those applications from the local source files.
Both senders and the Package Transfer Manager service use file-based replication and the
SMB protocol. Any firewalls placed between sites or between the site server and distribution
points must allow SMB traffic.

MORE INFO CONFIGURATION MANAGER FIREWALL PORTS

You can learn more about Configuration Manager firewall ports at http://technet.microsoft.com/en-us/library/hh427328.aspx.



Content library
The content library hosts content files. These files include software updates, operating system
deployment images, and files related to packages and applications. Each site server and
distribution point hosts a content library. The content library uses a single-instance store for
the files it hosts to reduce the amount of disk space that content consumes. Before content
files are transferred to a content library, a check is performed to determine whether the file is
already present. Files are not added if they are already present in the content library. An
association is made between the existing file and the newly transferred application or
package.
When you deploy a Configuration Manager distribution point, you can specify the volumes
that will host the content library. When you specify multiple volumes, you specify a priority
for each volume. Configuration Manager transfers content to volumes based on priority until
the highest-priority volume has less than the minimum amount of configured available free
space. You must configure these settings when you deploy the distribution point because you
cannot alter them after you deploy it.
In environments where site servers and distribution points are hosted on servers running
the Windows Server 2012 and Windows Server 2012 R2 operating systems, you can enable
deduplication on volumes that store the content library to increase storage efficiency. You
should also consider placing the content library on volumes hosted on Storage Spaces.
Storage Spaces simplify the process of increasing storage later.
System Center 2012 Configuration Manager SP1 and System Center 2012 R2
Configuration Manager enable you to move content to a different location by using the
Content Library Transfer tool, which is available as part of the System Center 2012
Configuration Manager toolkit. You can download this toolkit from the Microsoft
Download Center.
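As an added example, not Configuration Manager's own implementation, the following Python class models the content library behaviour described here and in the content library and content validation items of the Content management section: single-instance storage keyed by a content hash, volume selection in priority order while preserving a configured free-space reserve, transfer of only the files that changed when a package is updated, and content validation that detects a stored file whose bytes no longer match. SHA-256 as the hash, the volume names and sizes, and the package contents are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Volume:
    """A drive that can host part of the content library (constructed)."""
    name: str
    capacity: int          # bytes
    used: int = 0

    def free(self):
        return self.capacity - self.used


class ContentLibrary:
    """Single-instance store modelled on the distribution point content library.
    Assumption: files are keyed by SHA-256; the real library's hashing is not described."""

    def __init__(self, volumes, reserve):
        self.volumes = volumes       # in priority order
        self.reserve = reserve       # bytes that must stay free on a volume
        self.blobs = {}              # digest -> [volume name, bytes]
        self.packages = {}           # package id -> {relative path: digest}

    @staticmethod
    def digest(data):
        return hashlib.sha256(data).hexdigest()

    def _pick_volume(self, size):
        """Highest-priority volume that still keeps `reserve` bytes free after the write."""
        for v in self.volumes:
            if v.free() - size >= self.reserve:
                return v
        raise RuntimeError("no volume has enough free space above the reserve")

    def changed_files(self, package_id, files):
        """Paths whose content differs from what the library holds for this package;
        on a content update only these files are transferred."""
        current = self.packages.get(package_id, {})
        return sorted(p for p, data in files.items() if current.get(p) != self.digest(data))

    def add_package(self, package_id, files):
        """Store or update a package. Returns the number of new file instances written;
        a file already present from any package is only associated, not copied again."""
        written = 0
        manifest = dict(self.packages.get(package_id, {}))
        for path in self.changed_files(package_id, files):
            data = files[path]
            d = self.digest(data)
            if d not in self.blobs:
                vol = self._pick_volume(len(data))
                vol.used += len(data)
                self.blobs[d] = [vol.name, data]
                written += 1
            manifest[path] = d
        self.packages[package_id] = manifest
        return written

    def validate(self):
        """Content validation: recompute every stored file's digest and return the
        digests whose bytes no longer match (corrupted or tampered content)."""
        return sorted(d for d, (_, data) in self.blobs.items() if self.digest(data) != d)

    def corrupt(self, package_id, path):
        """Simulate on-disk corruption of one stored file, for the validation demo."""
        d = self.packages[package_id][path]
        self.blobs[d][1] = b"\x00" + self.blobs[d][1][1:]


def demo():
    """Two constructed packages sharing one file; D: is the priority volume with a reserve."""
    lib = ContentLibrary([Volume("D:", capacity=1_000), Volume("E:", capacity=10_000)],
                         reserve=500)
    shared = b"vcredist-runtime-bytes" * 10     # 220 bytes, used by both packages
    big = b"X" * 900                            # cannot fit on D: above the reserve
    first = lib.add_package("PKG001", {"setup.exe": b"app one", "vcredist.exe": shared})
    second = lib.add_package("PKG002", {"setup.exe": b"app two", "vcredist.exe": shared,
                                        "data.bin": big})
    delta = lib.changed_files("PKG001", {"setup.exe": b"app one v2", "vcredist.exe": shared})
    return lib, first, second, delta


if __name__ == "__main__":
    lib, first, second, delta = demo()
    print(first, second, delta, lib.validate())   # 2 2 ['setup.exe'] []
    lib.corrupt("PKG001", "vcredist.exe")
    print(lib.validate())                          # the shared file's digest
```

The second package writes only two new instances because vcredist.exe is already present, the 900-byte file lands on E: because D: would drop below its reserve, and corrupting one stored instance makes validation report it for every package that references it.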

Prerequisites for content management


When you deploy a distribution point, Configuration Manager can install and configure
Internet Information Services (IIS) automatically. IIS must be present on all distribution points.
The only time that you should not have Configuration Manager deploy and configure IIS is
when IIS is present already on the distribution point.
When you deploy a distribution point to a site server, you can use only the computer
account of the site server as the Site System Installation Account. When you deploy a
distribution point to a computer that is a member of the same Active Directory forest, ensure that
the site server’s computer account is a member of the local Administrators group on a target
computer.
If all the management points in the Configuration Manager site are configured for HTTP,
you can use self-signed certificates with the distribution point. When all management points
in the Configuration Manager site are configured to use HTTPS, you should use a certificate



issued by a trusted CA. This certificate must be configured with an intended use that includes
client authentication, and it must allow the private key to be exported.
If you use Windows Server 2012 or Windows Server 2012 R2, consider enabling
deduplication on the volume that hosts the distribution point. This minimizes the amount of space
consumed by content storage.
You can add the Distribution Point Site System role to an existing site system, or you can
add a new site system server and then add the Distribution Point Site System role to the new
site system server. Before installing the Distribution Point Site System role, ensure that the
account you use to install the site system role is a member of the local Administrators group
on the site system.
Use the following set of instructions to install and configure a distribution point site system
role:
1. In the System Center 2012 R2 Configuration Manager console, click the Administration
workspace.
2. Expand Site Configuration and then click the Servers And Site System Roles node.
3. To create a new site system role, right-click Servers And Site System Roles and then
click Create Site System Server. To add a new role to an existing site server, in the
results pane, right-click the server and then click Add Site System Roles. Both methods
open the General page of the Create Site System Server Wizard.
4. On the Select A Server To Use As A Site System page, configure the following options
as necessary:
■ Name For a new site system server, you must provide either the NetBIOS or FQDN
of the computer that will host the system role. If you supply the NetBIOS name, it
resolves automatically to the required FQDN for use. For existing site system
servers, this value will be configured already.
■ Site Code For a new site system server, select the site code that will be associated
with this site system. For existing site system servers, this value will be configured
already.
already.
■ Specify An FQDN For This Site System For Use On The Internet If you use this
site system to communicate with Internet-based clients, you need to specify the
FQDN that is resolvable from the Internet. This setting is optional, depending on
whether you support Internet-based clients.
■ Require The Site Server To Initiate Connections To This Site System The
default behavior of site systems is to initiate a connection to the site server to send
status information. However, in untrusted locations, such as a perimeter network or
an untrusted domain, this might not be desirable. The setting ensures that the site
server always initiates connections with the site system.
■ Use The Site Server’s Computer Account To Install This Site System By
default, the site server’s computer account is used to install the site system. To
install the site system successfully, be sure that the site server’s computer account is



added to the local Administrators group on the computer to which you are adding
this site system role.
■ Use Another Account For Installing This Site System You may choose to use a
specific account for the site system’s installation account. If you use a standard user
account, make sure that the account is a member of the local Administrators group
on the site system.
5. On the Specify Internet Proxy Server page, specify any proxy information required to
connect to the Internet.
6. On the Specify Roles For This Server page, select the Distribution Point check box.
7. On the Distribution Point page, configure the following options as necessary:
■ Install And Configure IIS If Required By Configuration Manager This option
allows Configuration Manager to install and configure IIS on the site system server.
If IIS is installed on the site system already, this option ensures that Configuration
Manager configures it as necessary during the distribution point site system
role-installation process.
■ Description This is a text box in which you can provide a brief description of the
distribution point.
■ Specify How Client Computers Communicate With This Distribution
Point Depending on how you configure your site, you might have the option to
specify whether clients use HTTP or HTTPS to communicate with the distribution
point. If this distribution point is intended to support mobile, Mac OS X, or
Internet-based clients, you must configure HTTPS.
■ Create A Self-signed Certificate Or Import A PKI Client Certificate By default,
a distribution point creates a self-signed certificate to use for PXE communications
during operating system deployments. If you use HTTPS for client communication,
import a certificate that a trusted CA issues.
■ Enable This Distribution Point For Prestaged Content When you enable this
option, the site server adheres to the content properties that govern the transfer to
prestaged, content-enabled distribution points.
8. On the Drive Settings page, specify the drive settings for the distribution point.
Configure the following options as necessary:
■ Drive Space Reserve (MB) This setting enables you to specify the amount of
space on the drive that should be reserved and the amount that should remain free.
Configuration Manager will not use the specified free space for distribution point
content storage.
■ Specify The Locations For The Content Library And Package Share On This
Distribution Point You can specify two disk drives for the content library location
and two disk drives for the package share location. By default, Automatic is selected
for all options, so the drive with the most available disk space is used. To ensure



that you control the content library and package share locations, we recommend
specifying a drive letter for primary and secondary locations.
9. If this is a pull-based distribution point, on the Pull Distribution Point page, select the
Enable This Distribution Point To Pull Content From Other Distribution Points check
box. If you select this option, you must conigure the source distribution points.
10. On the PXE Settings page, select the Enable PXE Support For Clients check box if
necessary. This setting enables or disables PXE support on the distribution point. If you
enable this option, you can conigure additional options, such as enabling unknown
computer support and requiring a password when computers start by using PXE.
11. On the Multicast page, select the Enable Multicast To Simultaneously Send Data To
Multiple Clients check box if necessary. If you enable this option, you can configure
additional options such as initiating a Multicast Connection Account, specifying
multicast address settings, and enabling scheduled multicast sessions. Furthermore, note
that if you select this option, Windows Deployment Services will be installed if
necessary.
12. On the Content Validation page, select the Validate Content On A Schedule check box
if necessary. If you enable this option, you can configure a schedule for content
validation. Content validation verifies the integrity of the content files that the distribution
point stores.
On the Boundary Groups page, you can associate existing boundary groups with the
distribution point. This creates a protected distribution point for boundaries that are
members of the associated boundary groups. You also can use this page to create new
boundary groups as necessary. You can use Allow Fallback Source Location For Content
to enable clients outside the boundary groups to use the distribution point when no
other distribution point is available.

Distribution point monitoring


In the Monitoring workspace of the Configuration Manager console, you can use the
Distribution Status folder to perform monitoring for:
■ Content status This includes the status of individual packages, applications, and
driver packages in relation to their distribution points. When viewing the content
status, you can cancel an in-progress distribution.
■ Distribution point group status This includes the aggregate status of content
assigned to a specific distribution point group.
■ Distribution point configuration status This includes the aggregate status of the
content assigned to a distribution point and the status of the optional components
(PXE and multicast).
To troubleshoot content distribution, you can use:
■ Configuration Manager reports.
■ Configuration Manager status messages.
■ Configuration Manager logs.
To troubleshoot issues with content management, you can use the following Configuration
Manager logs:
■ SMSProv.log Troubleshoot actions started from the user interface (UI) or the
software development kit (SDK).
■ DistMgr.log Troubleshoot content creation, update, deletion, and start of
distribution. You can use this log on the site server from the source site to verify that
Distribution Manager processes the content.
■ Scheduler.log View the current status of the sender job. You can use this log on the
site server from the source site to verify that the content was queued for the sender.
■ Sender.log Troubleshoot the copy of the compressed content to the destination site.
You can use this log on the site server from the source site to determine whether the
sender has transferred the content to a different site.
■ Despooler.log Troubleshoot the extraction of the compressed copy to the content
library on the destination site. You can use this log file on the site server from the
destination site to verify that the despooler received and processed the content.
■ PkgXferMgr.log Troubleshoot the distribution of content from the site server to the
distribution point. You can use this log on the site server to determine whether the
Package Transfer Manager processed the content and transferred it to a distribution
point located in the same site as the site server.
■ SMSDPProv.log Troubleshoot the addition of content to the content library on the
distribution point. You can use this log on a distribution point to verify that content
was added to the content library.
■ SMSPXE.log Troubleshoot the PXE provider. You can find this log on a distribution
point that is configured to use PXE.
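The following PowerShell is an added example, not code from the book or from Microsoft. It parses the CMTrace entry format that these log files share and summarises warnings and errors per component and package ID, which is the quick check to run on the site server before opening Content Status in the console. The log folder parameter, the sample entries, the package ID CS100012 and the distribution point name DP01.contoso.com are all constructed assumptions.

```powershell
# Added example (not from the book): parse CMTrace-format ConfigMgr log entries and
# summarise the warnings and errors per component and package. Each entry looks like
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+bias" date="MM-dd-yyyy" component="..."
#       context="" type="1|2|3" thread="n" file="src.cpp:line">
# where type 1 = informational, 2 = warning, 3 = error.

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LogText,   # raw log text (Get-Content -Raw)
        [string] $LogName = '(inline)'              # label carried into each record
    )
    $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)"\s+date="(?<Date>[^"]+)"' +
               '\s+component="(?<Component>[^"]*)"\s+context="[^"]*"\s+type="(?<Type>\d)"' +
               '\s+thread="(?<Thread>\d+)"\s+file="[^"]*"\s*>'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    # Singleline lets a message that spans lines match up to its closing ]LOG]!> tag.
    foreach ($m in [regex]::Matches($LogText, $pattern, 'Singleline')) {
        $clock = $m.Groups['Time'].Value -replace '[+-]\d+$', ''    # drop the UTC bias suffix
        $stamp = [datetime]::ParseExact("$($m.Groups['Date'].Value) $clock",
                                        'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        $message = $m.Groups['Message'].Value.Trim()
        $sev = $severity[$m.Groups['Type'].Value]
        $sevName = if ($sev) { $sev } else { 'Unknown' }
        [pscustomobject]@{
            Log       = $LogName
            Timestamp = $stamp
            Component = $m.Groups['Component'].Value
            Severity  = $sevName
            Thread    = [int] $m.Groups['Thread'].Value
            # Heuristic: a package ID is a 3-character site code followed by 5 hex digits.
            PackageId = [regex]::Match($message, '\b[A-Z0-9]{3}[0-9A-F]{5}\b').Value
            Message   = $message
        }
    }
}

function Get-CMContentDistributionIssue {
    # Reads the content-distribution logs named in the book from the site server's
    # <Configuration Manager Installation Path>\Logs folder (passed in as $LogFolder).
    param(
        [Parameter(Mandatory)] [string] $LogFolder,
        [string[]] $LogName = @('DistMgr.log', 'PkgXferMgr.log', 'Sender.log', 'Despooler.log'),
        [datetime] $Since = (Get-Date).AddHours(-24)
    )
    foreach ($name in $LogName) {
        $path = Join-Path -Path $LogFolder -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Log not found: $path"; continue }
        ConvertFrom-CMTraceLog -LogText (Get-Content -LiteralPath $path -Raw) -LogName $name |
            Where-Object { $_.Severity -ne 'Info' -and $_.Timestamp -ge $Since }
    }
}

function Get-CMDistributionIssueSummary {
    # One row per log/component/severity/package, with the most recent message.
    param([Parameter(Mandatory)] [object[]] $Entry)
    $Entry | Where-Object { $_.Severity -ne 'Info' } |
        Group-Object -Property Log, Component, Severity, PackageId |
        ForEach-Object {
            $latest = $_.Group | Sort-Object Timestamp | Select-Object -Last 1
            [pscustomobject]@{
                Log       = $latest.Log
                Component = $latest.Component
                PackageId = $latest.PackageId
                Severity  = $latest.Severity
                Count     = $_.Count
                LastSeen  = $latest.Timestamp
                Message   = $latest.Message
            }
        }
}

# Constructed sample entries (not real ConfigMgr output): the site code CS1, package ID
# CS100012 and distribution point DP01.contoso.com are placeholders.
$sampleLog = @'
<![LOG[Sending package CS100012 (version 2) to distribution point DP01.contoso.com]LOG]!><time="10:15:30.101+000" date="03-02-2014" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="1" thread="5120" file="sender.cpp:100">
<![LOG[Failed to copy package CS100012 to \\DP01.contoso.com\SMS_DP$, error 0x80070005 (access denied)]LOG]!><time="10:15:33.420+000" date="03-02-2014" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="3" thread="5120" file="sender.cpp:300">
<![LOG[Retrying package CS100012 to DP01.contoso.com in 10 minutes]LOG]!><time="10:15:33.500+000" date="03-02-2014" component="SMS_PACKAGE_TRANSFER_MANAGER" context="" type="2" thread="5120" file="sender.cpp:310">
<![LOG[Package CS100012 (version 2) does not have a preferred sender.]LOG]!><time="10:16:04.000+000" date="03-02-2014" component="SMS_DISTRIBUTION_MANAGER" context="" type="2" thread="4100" file="distmgr.cpp:400">
'@

$entries = ConvertFrom-CMTraceLog -LogText $sampleLog -LogName 'sample'
Get-CMDistributionIssueSummary -Entry $entries | Format-Table -AutoSize
```

On a live site server, replace the sample with `Get-CMContentDistributionIssue -LogFolder '<Configuration Manager Installation Path>\Logs'` piped into `Get-CMDistributionIssueSummary`.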

Content distribution
Client computers can access only content that has been distributed to distribution points.
Configuration Manager places content files in containers called packages. The distribution
process copies these packages to distribution points from the source files in the source path.
Packages can host application deployment types, packages, deployment packages, operating
system images, driver packages, boot images, and task sequences.
To distribute content to distribution points, perform the following procedure:
1. In the Configuration Manager console, click the Software Library workspace.
2. Expand the appropriate folder (Application Management, Software Updates, or
Operating Systems).
3. Access the node for the content that you need to distribute.
4. Select the content and then, on the ribbon, click Distribute Content.
5. In the Distribute Content Wizard, on the Review Selected Content page, verify that the
content that is listed is the content you want to distribute. If you are distributing an
application, you can select the Detect Associated Content Dependencies And Add
Them To This Distribution check box.
6. On the Specify The Content Destination page, click Add. You can add a content
destination that is associated with collections, a distribution point, or a distribution point
group.
By default, Configuration Manager grants access to the package folder on a distribution
account to the Users And Administrators groups. If necessary, you can mediate access to the
package folder by configuring access for additional accounts and groups. You do not have
to configure the Network Access account as a Package Access account because the Users
group already has this account as a member. Mobile devices always access package content
anonymously. This means that you cannot use Package Access accounts to mediate access to
package content for mobile devices.

Updating content
When you change the source files for specific content, update the copy of the content on the
distribution points. When you update content on distribution points, Configuration Manager
increments the package version and updates only the files with changes.
To update content on distribution points, perform the following procedure:
1. On the Configuration Manager console, click the Software Library workspace.
2. Expand the appropriate folder: Application Management, Software Updates, or
Operating Systems.
3. Access the node for the content you want to update.
4. Select the content and then, on the ribbon, click Update Distribution Points.
5. In the Configuration Manager message that asks whether you want to refresh the
content, click Yes.

Redistributing, validating, or removing content


Sometimes you might need to redistribute content to distribution points, such as when you
need to repair corrupted content files. You can use one of the following three methods to
perform content redistribution:
■ From the Software Library workspace, select the content and then open the Properties
dialog box. Click the Content Locations tab, select the distribution point or distribution
point group, and then click Redistribute.
■ From the Administration workspace, open the Distribution Points node. Right-click a
distribution point and then click Properties. On the Content tab, select the content and
then click Redistribute.
■ From the Administration workspace, open the Distribution Point Groups node. Right-
click a distribution point group and then click Properties. On the Content tab, select
the content and then click Redistribute.

Managing content in progress


System Center 2012 R2 Configuration Manager introduces the ability to manage content
while it is copying to a distribution point. From the Monitoring workspace, you can cancel
distributions in progress if necessary. In addition, you can redistribute content that fails to
distribute. To cancel content distribution:
1. From the Monitoring workspace, open the Distribution Status node and then select
Content Status.
2. Select the distribution that you want to manage and then click the View Status link.
3. On the In Progress tab, in the Asset Details section, right-click the target server and
then select Cancel.

Monitoring content status


Configuration Manager provides extensive content monitoring capabilities, including content
status, number of failures, pending distributions, and successful distributions. Methods that
you can use to monitor content status on distribution points include:
■ Content Status In the Monitoring workspace, under the Distribution Status folder,
click Content Status. When you click this node, the results pane displays a list of all
content. You can right-click specific content and then click View Status to display status
information that pertains to content distribution and validation.
■ Package Transfer Manager The Package Transfer Manager component
(SMS_PACKAGE_TRANSFER_MANAGER) provides status information that pertains to
package transfers to distribution points.
■ Package Transfer Manager component log file (PkgXferMgr.log) You can find
the PkgXferMgr.log file on the primary site server in the <Configuration Manager
Installation Path>\Logs folder. This log file provides extensive information related to
content distribution to remote distribution points.
■ Software Deployment Content reports System Center 2012 R2 Configuration
Manager includes several reports that pertain to content management and
distribution. You can find these reports when you expand the Reporting node in the
Monitoring workspace.

Prestaging content
Content prestaging enables you to transfer and preload content by using an offline method
such as shipping media from a site server to a distribution point. You can use this method
instead of file-based replication to reduce network traffic between the site server and the
distribution point. Content prestaging:
■ Works with all content types.
■ Works with content libraries and package shares.
■ Registers content availability automatically with the site server upon content extraction
on the distribution point.
■ Uses a compressed, prestaged content file with the .pkgx extension.
■ Can be used to prestage multiple content files in a single operation.
■ Offers a conflict detection mechanism as part of the extraction tool to prevent earlier
versions of content from being prestaged on a distribution point.
Consider prestaging content for applications and packages when:
■ You have limited network bandwidth between the site server and the distribution
point. While distributing content over the network to a remote distribution point, and
when scheduling and throttling do not reduce network traffic sufficiently, consider
prestaging the content on the distribution point.
■ You need to restore the content library on a site server. If a site server fails, information
about packages and applications in the content library is restored to the site database
as part of the restore process. However, the site backup does not include content
library files by default. If you do not have a file system backup to restore the content
library, you can create a prestaged content file from another site that contains the
packages and applications that you need and then extract the prestaged content file
on the recovered site server.
Prior to prestaging content, you must perform the following steps on the distribution
point that will receive prestaged content:
1. On the General tab of the Distribution Point Properties dialog box, select the Enable
This Distribution Point For Prestaged Content check box.
2. On the Distribution Settings tab of the dialog box for content type properties, ensure
that you configure the Prestaged Distribution Point settings. These settings include:
■ Automatically Download Content When Packages Are Assigned To Distribution
Points.
■ Download Only Content Changes To The Distribution Point.
■ Manually Copy The Content In This Package To The Distribution Point.
To prestage the content, use the following procedure:
1. Create a prestaged content file. You can create a prestaged content file for any type
of content. To create the prestaged content file, right-click the content or multiselect
two or more instances of content and right-click them and then click Create Prestaged
Content File.
2. In the Create Prestaged Content File Wizard, specify the name and location for the
content file and then complete the wizard. The Create Prestaged Content File Wizard
creates a single file with a .pkgx extension.
3. Distribute the content to the distribution point. You can copy the file to a portable
drive or to removable media and then send the drive or media to the location that
hosts the distribution point that requires the content.
4. Import the prestaged content file to the distribution point. On the distribution point,
open a command prompt and then browse to \SMS_DP$\sms\Tools. At the command
prompt, type the following command and then press Enter:
ExtractContent /P:<PrestagedFileLocation>[\<PrestagedFileName>] /S

EXAM TIP
Remember the limitations of pull-distribution points.

Thought experiment
Content distribution at Contoso
You are reviewing the distribution of content at Contoso. You are particularly
concerned about when to prestage content and how to respond to application file
corruption. With this information in mind, answer the following questions:

1. You suspect that the content for a specific software application is corrupt on a
distribution point. How can you fix the problem?

2. In which scenarios would you prestage content?

Objective summary
■ Before you can use Configuration Manager to deploy software to a client device, you
must have at least one distribution point that the client can access.
■ When you associate a distribution point with one or more boundary groups, it
becomes a preferred distribution point for clients within the boundary group’s
boundaries.
■ When you associate a distribution point with a boundary group, you configure the
connection speed to the distribution point as either Fast (the default) or Slow.
■ A distribution point group is a logical grouping of distribution points that you can use
to simplify content distribution to multiple distribution points simultaneously.
■ Associating a collection with a distribution point group enables you to distribute
content to collections directly.
■ When you assign content to a pull-distribution point, the pull-distribution point copies
the content files from the specified distribution point.
■ Beginning with System Center 2012 Configuration Manager SP1, you can use cloud-based
distribution points in Microsoft Azure to host a distribution point.
■ The content library hosts content files. These files include software updates, operating
system deployment images, and files related to packages and applications.
■ When you change the source files for specific content, you need to update the copy of
the content on the distribution points.
■ Content prestaging enables you to transfer and preload content by using an offline
method such as shipping media from a site server to a distribution point.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following cannot be used with cloud distribution points? (Choose all that
apply.)
A. App-V streaming packages
B. Software update packages
C. Applications that are installed after being downloaded from the distribution point
D. Prestaged content
2. Which of the following Configuration Manager log files would you use to troubleshoot
the distribution of content from the site server to the distribution point?
A. Scheduler.log
B. Sender.log
C. PkgXferMgr.log
D. SMSPXE.log
3. Which of the following Configuration Manager log files would you use to view the
current status of the sender job to verify that content is queued properly for distribution?
A. SMSPXE.log
B. Scheduler.log
C. Sender.log
D. PkgXferMgr.log
4. Which of the following Configuration Manager log files would you use to troubleshoot
the copying of compressed content to the destination site during content distribution?
A. PkgXferMgr.log
B. Scheduler.log
C. Sender.log
D. SMSPXE.log

Answers

Objective 2.1
Thought experiment
1. Configure a program to run the command.
2. Use user device affinity as a requirement when configuring a deployment type.

Objective review
1. Correct answer: A
A. Correct: Detection methods enable you to define how Configuration Manager
determines an application’s installation state.
B. Incorrect: Supersedence enables you to configure a relationship between a new
application and an existing application that you have deployed.
C. Incorrect: User device affinity is the process of associating a user with one or more
specific devices.
D. Incorrect: Application Catalog functions as a self-service catalog from which users
can request software for installation.
2. Correct answer: B
A. Incorrect: User device affinity is the process of associating a user with one or more
specific devices.
B. Correct: Application Catalog functions as a self-service catalog from which users
can request software for installation.
C. Incorrect: Supersedence enables you to configure a relationship between a new
application and an existing application that you have deployed.
D. Incorrect: Detection methods enable you to define how Configuration Manager
determines an application’s installation state.
3. Correct answer: D
A. Incorrect: Detection methods enable you to define how Configuration Manager
determines an application’s installation state.
B. Incorrect: Supersedence enables you to configure a relationship between a new
application and an existing application that you have deployed.
C. Incorrect: Application Catalog functions as a self-service catalog from which users
can request software for installation.
D. Correct: User device affinity is the process of associating a user with one or more
specific devices.
4. Correct answer: C
A. Incorrect: User device affinity is the process of associating a user with one or more
specific devices.
B. Incorrect: Application Catalog functions as a self-service catalog from which users
can request software for installation.
C. Correct: Supersedence enables you to configure a relationship between a new
application and an existing application that you have deployed.
D. Incorrect: Detection methods enable you to define how Configuration Manager
determines an application’s installation state.

Objective 2.2
Thought experiment
1. Configure a global condition related to the amount of memory and use it with a
requirement so that deployment will occur only if the minimum amount of memory is
available.
2. You can perform a simulated deployment to verify that the deployment settings are
correct.

Objective review
1. Correct answers: A and C
A. Correct: You must choose the Install action to make the application available
through Software Center.
B. Incorrect: The Uninstall action removes an application.
C. Correct: The Purpose of Available makes the application available in Software
Center.
D. Incorrect: Choosing this option would ensure that the software was deployed,
independent of the user’s choice.
2. Correct answers: A and D
A. Correct: You must choose the Install action to make the application available
through Software Center.
B. Incorrect: The Uninstall action removes an application.
C. Incorrect: The Purpose of Available makes the application available in Software
Center.
D. Correct: Choosing this option would ensure that the software was deployed,
independent of the user’s choice.
3. Correct answers: A and D
A. Correct: When the software is deployed as Required and the deadline has passed,
software will install automatically and silently.
B. Incorrect: In this scenario, the user can request it from Application Catalog.
C. Incorrect: In this scenario, the user can request it from Software Center.
D. Correct: When the software is deployed as Required and the deadline has passed,
software will install automatically and silently.
4. Correct answer: C
A. Incorrect: When the software is deployed as Required and the deadline has
passed, software will install automatically and silently.
B. Incorrect: In this scenario, the user can request it from Software Center.
C. Correct: In this scenario, the user can request it from Application Catalog.
D. Incorrect: When the software is deployed as Required and the deadline has
passed, software will install automatically and silently.

Objective 2.3
Thought experiment
1. Users will download the Company Portal app from the Windows Store and use it to
enroll in Intune.
2. A sideloading key is necessary to sideload software. A code-signing certificate the
Surface 2 devices trust is required to sign the custom software digitally.

Objective review
1. Correct answer: B
A. Incorrect: This policy setting determines the frequency with which new
application deployments will be detected.
B. Correct: This policy setting determines when updates and applications are
installed as scheduled and whether a user is prompted for installation.
C. Incorrect: This policy setting determines whether updates that don’t require a
restart are installed automatically.
D. Incorrect: This setting determines whether a logged-on user may control when
Windows restarts after the installation of an update or application that requires a
restart.
2. Correct answer: B
A. Incorrect: This policy setting determines the frequency with which new
application deployments will be detected.
B. Correct: This setting determines whether a logged-on user may control when
Windows restarts after the installation of an update or application that requires a
restart.
C. Incorrect: This policy setting determines whether updates that don’t require a
restart are installed automatically.
D. Incorrect: This policy setting determines when updates and applications are
installed as scheduled and whether a user is prompted for installation.
3. Correct answer: C
A. Incorrect: This policy setting determines whether updates that don’t require a
restart are installed automatically.
B. Incorrect: This policy setting determines when updates and applications are
installed as scheduled and whether a user is prompted for installation.
C. Correct: This policy setting determines the frequency with which new application
deployments will be detected.
D. Incorrect: This setting determines whether a logged-on user may control when
Windows restarts after the installation of an update or application that requires a
restart.

Objective 2.4
Thought experiment
1. Retiring an application prevents new deployments of the application without
uninstalling the application. Uninstalling an application removes the application.
2. Uninstall deployments fail if there is an existing install deployment.

Objective review
1. Correct answer: A
A. Correct: Retiring an application blocks new deployments but doesn’t remove
existing deployed software.
B. Incorrect: Uninstalling an application removes it from computers on which it is
installed.
C. Incorrect: Superseding an application replaces one application with another.
D. Incorrect: Installing an application deploys a new application. It does not remove
or replace other applications.
2. Correct answer: C
A. Incorrect: Installing an application deploys a new application. It does not remove
or replace other applications.
B. Incorrect: Superseding an application replaces one application with another.
Because no replacement was chosen, you would not select this option.
C. Correct: Uninstalling an application removes it from computers on which it is
installed.
D. Incorrect: Retiring an application blocks new deployments but doesn’t remove
existing deployed software.
3. Correct answer: A
A. Correct: Superseding an application replaces one application with another.
B. Incorrect: Retiring an application blocks new deployments but doesn’t remove
existing deployed software.
C. Incorrect: Uninstalling an application removes it from computers on which it is
installed. Although you could uninstall and then configure a new installation, this
would require more administrative effort than superseding the application.
D. Incorrect: Installing an application deploys a new application. It does not remove
or replace other applications. Although you could uninstall and then configure a
new installation, this would require more administrative effort than superseding
the application.

Objective 2.5
Thought experiment
1. You must enable Software Metering to view information about users who have run a
specific executable.
2. Ensure that all computers are configured to audit logon events. Typically, you would do
this by using Group Policy.

Objective review
1. Correct answer: C
A. Incorrect: The default maximum number of automatically generated
Configuration Manager software-metering rules is 100.
B. Incorrect: The default maximum number of automatically generated
Configuration Manager software-metering rules is 100.
C. Correct: The default maximum number of automatically generated
Configuration Manager software-metering rules is 100.
D. Incorrect: The default maximum number of automatically generated
Configuration Manager software-metering rules is 100.
2. Correct answer: B
A. Incorrect: By default, 10 percent of a site’s computers must use a particular
program to trigger the automatic creation of a software-metering rule.
B. Correct: By default, 10 percent of a site’s computers must use a particular program
to trigger the automatic creation of a software-metering rule.
C. Incorrect: By default, 10 percent of a site’s computers must use a particular
program to trigger the automatic creation of a software-metering rule.
D. Incorrect: By default, 10 percent of a site’s computers must use a particular
program to trigger the automatic creation of a software-metering rule.
3. Correct answer: C
A. Incorrect: In Progress status indicates that the application deployment is in
progress.
B. Incorrect: Error status indicates that the application failed to deploy because of an
error.
C. Correct: Requirements Not Met status indicates that the application did not
deploy because it did not comply with a dependency or a requirement.
D. Incorrect: Success status indicates that the application deployment was successful.

Objective 2.6
Thought experiment
1. You can redistribute the content to the distribution point, either from the properties of
the software application or package or from the distribution point itself.
2. You would prestage content when you need to distribute large files to remote
locations for which the time or expense required to transfer the content across wide area
network (WAN) links is prohibitive.

Objective review
1. Correct answers: A, B, and D
A. Correct: You can’t use App-V streaming packages with cloud-based distribution
points.
B. Correct: You can’t use software update packages with cloud-based distribution
points.
C. Incorrect: You can use applications that are installed after being downloaded
from the distribution point with cloud-based distribution points.
D. Correct: You can’t use prestaged content with cloud distribution points.
2. Correct answer: C
A. Incorrect: You use the Scheduler.log log to view the current status of the sender
job. You can use this log on the site server from the source site to verify that the
content was queued for the sender.
B. Incorrect: You use the Sender.log log to troubleshoot the copy of the compressed
content to the destination site. You can use this log on the site server from the
source site to determine whether the sender has transferred the content to a
different site.
C. Correct: You use the PkgXferMgr.log log to troubleshoot the distribution of
content from the site server to the distribution point. You can use this log on the site
server to determine whether the Package Transfer Manager processed the content
and transferred it to a distribution point located in the same site as the site server.
D. Incorrect: You use the SMSPXE.log log to troubleshoot the PXE provider. You can
find this log on a distribution point that is configured to use PXE.
3. Correct answer: B
A. Incorrect: You use the SMSPXE.log log to troubleshoot the PXE provider. You can
find this log on a distribution point that is configured to use PXE.
B. Correct: You use the Scheduler.log log to view the current status of the sender
job. You can use this log on the site server from the source site to verify that the
content was queued for the sender.
C. Incorrect: You use the Sender.log log to troubleshoot the copy of the compressed
content to the destination site. You can use this log on the site server from the
source site to determine whether the sender has transferred the content to a
different site.
D. Incorrect: You use the PkgXferMgr.log log to troubleshoot the distribution of
content from the site server to the distribution point. You can use this log on the site
server to determine whether the Package Transfer Manager processed the content
and transferred it to a distribution point located in the same site as the site server.
4. Correct answer: C
A. Incorrect: You use the PkgXferMgr.log log to troubleshoot the distribution of
content from the site server to the distribution point. You can use this log on the site
server to determine whether the Package Transfer Manager processed the content
and transferred it to a distribution point located in the same site as the site server.
B. Incorrect: You use the Scheduler.log log to view the current status of the sender
job. You can use this log on the site server from the source site to verify that the
content was queued for the sender.
C. Correct: You use the Sender.log log to troubleshoot the copy of the compressed
content to the destination site. You can use this log on the site server from the
source site to determine whether the sender has transferred the content to a
different site.
D. Incorrect: You use the SMSPXE.log log to troubleshoot the PXE provider. You can
find this log on a distribution point that is configured to use PXE.

CHAPTER 3

Plan and implement software updates

The timely and regular deployment of software updates is a task that almost all IT
professionals have to manage. Microsoft provides the Windows Server Update Services (WSUS)
role as a freely available add-on to enable organizations to manage the deployment of
updates to computers in their environment. Although WSUS is functional, it has its
limitations. That’s when products such as System Center Updates Publisher and System Center
2012 R2 Configuration Manager are useful. In this chapter, you learn about deploying
third-party updates by using System Center Updates Publisher, deploying updates by using
Configuration Manager, and deploying and managing updates by using Microsoft Intune.

Objectives in this chapter:


■ Objective 3.1: Plan and deploy third-party updates.
■ Objective 3.2: Deploy software updates by using Configuration Manager and
Windows Server Update Services (WSUS).
■ Objective 3.3: Deploy software updates by using Microsoft Intune.

Objective 3.1: Plan and deploy third-party updates


In this section, you learn about System Center Updates Publisher and how you can use this
application to publish updates from third-party vendors to a WSUS server and
Configuration Manager.

This section covers the following topics:


■ System Center Updates Publisher
■ System Center Updates Publisher options
■ Managing updates




System Center Updates Publisher
System Center Updates Publisher (SCUP) 2011 is an application you can use with
Configuration Manager to manage software updates that third-party vendors and your
own organization produce. By using SCUP, you can import software updates from catalogs
third-party vendors publish so that these updates can be deployed through Configuration
Manager. You can also use SCUP to import software updates your own organization creates.
For example, if your organization has created software that is deployed to a large number of
client computers, and that software requires software updates to be deployed, you can use
SCUP to import those updates so that you can use Configuration Manager to deploy them.

MORE INFO SYSTEM CENTER UPDATES PUBLISHER

You can learn more about System Center Updates Publisher at http://technet.microsoft.com/en-US/library/hh134747.aspx.

Operating system and software requirements


You can deploy SCUP 2011 on the following operating systems:
■ Windows Server 2012 R2
■ Windows Server 2012
■ Windows Server 2008 R2
■ Windows Server 2008
■ Windows 8.1
■ Windows 8
■ Windows 7
■ Windows Vista
The dependencies for SCUP are governed by the operating system platform you use to
host it. If you use Windows 8, Windows 8.1, Windows Server 2012, or Windows Server 2012
R2 clients in your environment, you must deploy SCUP on a computer running either
Windows Server 2012 or Windows Server 2012 R2.
■ When installing System Center Updates Publisher on Windows Server 2012 and
Windows Server 2012 R2, ensure that you have installed the Remote Server Administration
Tools and the WSUS role.
■ When installing System Center Updates Publisher on Windows Server 2008 and
Windows Server 2008 R2, you should install WSUS 3.0 SP2 and install .NET Framework
4 as well as hotfix KB2530678.




Certificate requirements
SCUP requires a signing certificate to digitally sign the updates that it publishes. This digital
signature enables clients to verify the integrity of the updates. You can obtain a certificate from
a trusted certificate authority (CA) or have SCUP create a self-signed certificate. Certificates
must be trusted by clients of the update server and by the update server itself. This requirement
is not a problem if you have obtained the certificate from a CA that client computers
trust, but it requires special configuration of clients if you use the self-signed certificate.
When you obtain a signing certificate for Updates Publisher 2011 from a CA, ensure that it
has the following properties:
■ Enable The Allow Private Key To Be Exported Option
■ Set Key Usage To Digital Signature
■ Set Minimum Key Size To A Value Equal To Or Greater Than 2048 Bit
If you use a self-signed certificate, export the self-signed certificate from the server that
hosts SCUP by using the Certificates snap-in of the Microsoft Management Console. You then
import the certificate into the Trusted Root Certification Authorities certificate store. You can
do this manually on each client, or you can use Active Directory to publish the self-signed
certificate to the Trusted Root Certification Authorities certificate store on computers that are
members of the domain.
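The certificate checks and the trust step described above, as an added PowerShell example that is not part of the book and not SCUP's own tooling. It assumes Windows PowerShell on Windows Server 2012 or later (the PKI module's Export-Certificate and Import-Certificate cmdlets), a thumbprint placeholder that you replace with your own, and the file path shown. The function verifies the three certificate properties listed above; the commands after it perform the export and the Trusted Root import that the text describes for a self-signed certificate.

```powershell
# Added example (not from the book or SCUP). Validates a candidate signing certificate
# against the three properties listed above, then exports the public part and imports it
# into Trusted Root Certification Authorities (the trust step for a self-signed certificate).

function Test-ScupSigningCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $problems = @()

    # 1. Key Usage must include Digital Signature.
    $keyUsageExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $digitalSignature = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if (-not $keyUsageExt -or -not ($keyUsageExt.KeyUsages -band $digitalSignature)) {
        $problems += 'Key Usage does not include Digital Signature'
    }

    # 2. Minimum key size is 2048 bits (this check assumes an RSA key).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if (-not $rsa) {
        $problems += 'Public key is not an RSA key'
    } elseif ($rsa.KeySize -lt 2048) {
        $problems += "Key size is $($rsa.KeySize) bits; 2048 or greater is required"
    }

    # 3. The private key must be present and marked exportable.
    #    CspKeyContainerInfo.Exportable is exposed for CSP-backed (legacy provider) keys.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'No private key is present'
    } elseif ($Certificate.PrivateKey -and -not $Certificate.PrivateKey.CspKeyContainerInfo.Exportable) {
        $problems += 'Private key is not marked exportable'
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        IsSuitable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# --- On the SCUP server -----------------------------------------------------------------
# '<THUMBPRINT>' is a placeholder: use the thumbprint of the signing certificate in the
# computer's Personal store (Cert:\LocalMachine\My).
$cert = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
Test-ScupSigningCertificate -Certificate $cert | Format-List

# Export the public certificate only (DER-encoded .cer); the private key never leaves the
# server. The file path is an assumption.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\ScupSigning.cer' | Out-Null

# --- On each client, when the certificate is self-signed --------------------------------
# Place the exported certificate in Trusted Root Certification Authorities so that the
# client accepts updates SCUP signed with it. Requires an elevated prompt.
Import-Certificate -FilePath 'C:\Temp\ScupSigning.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
```

Run the check and the export on the SCUP server. For domain members, the same .cer file can be published to the Trusted Root Certification Authorities store through Active Directory, as the text describes, instead of running the import on every client.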

EXAM TIP
Remember the process for using self-signed certificates with SCUP.

MORE INFO SCUP CERTIFICATES

You can learn more about SCUP certificates at http://technet.microsoft.com/en-us/library/hh134732.aspx.

SCUP options
Depending on the details of your SCUP deployment, you can choose to publish updates to a
WSUS server or to a WSUS server integrated with Configuration Manager. Update Server
options, shown in Figure 3-1, enable you to configure whether Updates Publisher 2011
publishes software updates to a WSUS update server and whether the update server is local or
remote and to specify the certificate that Updates Publisher 2011 uses to publish software
updates. All software updates must be digitally signed when they are published. Use this
option when clients update using only WSUS.




FIGURE 3-1 System Center Updates Publisher Options

ConfigMgr Server options, shown in Figure 3-2, enable you to configure how Updates
Publisher 2011 interacts with System Center 2012 R2 Configuration Manager to publish
software updates. You should always publish to the top-level WSUS server in your Configuration
Manager environment because this ensures that all child sites have access to SCUP published
updates. Use this option if Configuration Manager manages software updates in your
organization’s environment.




FIGURE 3-2 Configuration Manager integration

MORE INFO INTEGRATING SCUP WITH CONFIGURATION MANAGER

You can learn more about integrating SCUP with Configuration Manager at http://technet.microsoft.com/en-us/library/hh134775.aspx.

Trusted Publishers options, shown in Figure 3-3, enable you to configure which publishers
SCUP trusts. This includes adding and removing trusted publishers. You can also view the
certificate of trusted publishers. You automatically add a publisher to the list of trusted
publishers when you import a catalog into SCUP and when you publish a software update.




FIGURE 3-3 Trusted Publishers

Proxy Settings options, shown in Figure 3-4, enable you to configure proxy settings when
you use SCUP to import software update catalogs from the Internet or when you publish
software update catalogs to the Internet.

FIGURE 3-4 Proxy Settings




Advanced options, shown in Figure 3-5, enable you to configure the following:
■ Add Timestamp When Signing Updates
■ Check For New Catalog Alerts On Startup
■ Enable Certificate Revocation Checking For Digitally Signed Catalog Files
■ Local Source Publishing

FIGURE 3-5 Advanced options

MORE INFO SCUP OPTIONS

You can learn more about SCUP options at http://technet.microsoft.com/en-us/library/hh134775.aspx.

Managing updates
After you have integrated SCUP into your organization’s updates infrastructure, you need to
start importing and publishing updates. You can add an update directly from a standalone
update file, or you can subscribe to a vendor’s catalog file. You use the four workspaces of the
SCUP console to accomplish these tasks.




Updates workspace
Use the Updates workspace to create software updates and software update bundles, publish
a software update, duplicate an update, delete a software update or bundle, export an
update or bundle, and assign a software update or bundle to a publication. Figure 3-6 shows
the Updates workspace. A bundle is a collection of updates.

FIGURE 3-6 Updates workspace

To create a software update, perform the following steps:


1. In the Updates workspace of the System Center Updates Publisher 2011 console, click
Create on the ribbon and then click Software Update.
2. In the Package Information section, provide the following information:
■ Package Source Provide the location of an MSI file that contains the software
update package.
■ Use A Local Source To Publish Software Update Content Use this option to
specify a local UNC or URL that hosts content.
■ Binary Language Use this option to specify the language of the update.
■ Success Return Codes This option displays any codes returned during installation
that indicate that the update has installed correctly.




■ Success Pending Reboot Codes This option displays any codes returned during
installation that indicate that the update will complete installation correctly pending
a reboot.
■ Command Line Use the command line to install the update.
3. In the Required Information section, provide the following information:
■ Language Specify the language of the title and description.
■ Title Specify the name of the software update.
■ Description Describe the software update.
■ Classification Choose from among Critical Update, Feature Pack, Update, Security
Update, Service Pack, Tool, Driver, and Update Rollup.
■ Vendor Select the vendor for the software update.
■ Product Specify which product is updated by the update.
■ More Info Specify a URL that provides more information about the update.
4. In the Optional Information section, provide the following information if necessary:
■ Bulletin ID If a bulletin exists to describe the update, provide the identifier here.
■ Article ID If an article exists to describe the update, provide the article ID here.
■ CVE ID Provide the CVE (Common Vulnerabilities and Exposures) ID number.
■ Support URL Provide a URL for more information about the update.
■ Severity Choose the severity of the update for security updates. Choose from
among None, Critical, Important, Moderate, and Low.
■ Impact Specify the update impact. Choose from among Normal, Minor, and
Requires Exclusive Handling. If an update requires exclusive handling, it must be
installed separately from other updates.
■ Restart Behavior This option provides information about what happens after the
update installs. Choose from among Never Reboots, Always Requires Reboot, and
Can Request Reboot.
5. In the Prerequisite dialog box, provide information about any software updates that
must be present on the target computer for this update to install.
6. In the Superseded Updates dialog box, provide information about any existing updates
that this update supersedes.
When you publish this update, Configuration Manager marks all software updates that
you specify on this page as expired.
7. In the Installable Rules dialog box, provide information that enables the software
update client to determine whether the update should be installed.




MORE INFO UPDATES WORKSPACE

You can learn more about the Updates workspace at http://technet.microsoft.com/en-US/library/hh134756.aspx.

Catalogs workspace
The Catalogs workspace enables you to add catalogs to SCUP. Catalogs are collections of
updates, usually from third-party vendors. Use the Catalogs workspace to subscribe to
software updates catalogs (including partner catalogs), to edit catalog subscriptions, and
to import software updates from catalogs into the Updates Publisher 2011 repository. After
the software updates are imported into the repository, you can publish or export them to an
external catalog. Figure 3-7 shows the Catalogs workspace.

FIGURE 3-7 Catalogs workspace

EXAM TIP
Remember that you use the Catalogs workspace to subscribe to the updates catalogs that
third-party vendors publish.

MORE INFO CATALOGS WORKSPACE

You can learn more about the Catalogs workspace at http://technet.microsoft.com/en-US/library/hh134765.aspx.




Publications workspace
When you publish a software update to WSUS or Configuration Manager by using SCUP, you
can choose to publish all content associated with the software update or just publish
metadata associated with the update. You define publications in the Updates workspace. You use
the Publications workspace to publish a publication to an update server, export a publication,
and remove software updates from a publication.

MORE INFO PUBLICATIONS WORKSPACE

You can learn more about the Publications workspace at http://technet.microsoft.com/en-US/library/hh134767.aspx.

Rules workspace
Applicability rules enable you to determine whether the computer that is the target of the
update has the prerequisites for installing the update. For example, Figure 3-8 shows an
applicability rule related to the Notepad.exe file.

FIGURE 3-8 Applicability rule




You can use the Rules workspace to create, edit, and delete rules and rule sets. You can
create two types of applicability rules:
■ Installable rules This rule type determines whether a target computer requires a
software update.
■ Installed rules This rule type determines whether an update is already present on a
computer.

MORE INFO RULES WORKSPACE

You can learn more about the Rules workspace at http://technet.microsoft.com/en-US/library/hh134743.aspx.

Thought experiment
Third-party software updates at Tailspin Toys
You are the server administrator at Tailspin Toys. Tailspin Toys uses WSUS to deploy
Microsoft software updates to client computers on its internal network. All of the
computers deployed at Tailspin Toys have software installed that was created by
a specific third-party vendor. This third-party vendor publishes an update catalog
that is compatible with System Center Updates Publisher. You have deployed SCUP
on a computer running Windows Server 2012 R2. You have obtained a signing
certificate from an internal CA. With this information in mind, answer the following
questions:

1. What steps can you take to minimize the complexity of obtaining and importing
updates from the third-party vendor into SCUP?

2. Which computers in the organization need to trust the CA that issued the signing
certificate installed on the SCUP server?

Objective summary
■ System Center Updates Publisher enables you to deploy third-party software updates
to WSUS or Configuration Manager servers so that these updates can be deployed to
clients of these servers.
■ You can subscribe to update catalogs that third-party vendors publish. From these
catalogs, you can import updates.
■ You can publish updates or update bundles to WSUS or Configuration Manager
servers.
■ Rules enable you to perform checks on clients to determine update applicability.




Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which type of applicability rule should you configure to determine whether an update
is already present on a computer?
A. Installable rule
B. Installed rule
C. Automatic approval rule
D. Automatic deployment rule
2. Which SCUP workspace do you use to remove a software update from publication?
A. Updates workspace
B. Catalogs workspace
C. Publications workspace
D. Rules workspace
3. You are adding an update from a third-party vendor in preparation for publishing
that update to your organization’s Configuration Manager deployment. The update
requires a computer restart to complete installation. Which of the following sections in
the Optional Information window enables you to provide this information?
A. Restart Behavior
B. Impact
C. Severity
D. CVE ID

Objective 3.2: Deploy software updates by using Configuration Manager and WSUS
Integrating Configuration Manager with WSUS provides many benefits to an administrator
responsible for ensuring that computers in his or her organization remain up to date. Using
Configuration Manager gives you much more control over update deployment, enabling you
to specify when updates will be installed and giving you detailed information about whether
Configuration Manager clients comply with previously deployed updates.




This section covers the following topics:
■ Configuration Manager software update point
■ Software update client settings
■ Managing updates
■ Monitoring and troubleshooting software updates
■ Automatic deployment rules

Software updates in Configuration Manager


Configuration Manager integrates with the WSUS engine to synchronize with the Microsoft
Update servers to retrieve metadata for software updates, assess which software updates are
required for Configuration Manager clients, and then deploy those updates to clients. You get
the following benefits by using Configuration Manager to manage software updates instead
of using WSUS by itself:
■ Scan and deploy functionality You can scan a collection of client computers for
required updates, analyze results, and then deploy updates to those client computers.
■ Compliance integration You can integrate the software updates feature with other
Configuration Manager functionality, such as compliance baselines and task sequences,
for operating system deployment.
■ Collection-based maintenance windows Use this feature to ensure that
Configuration Manager only applies updates during approved maintenance periods.
■ Enhanced monitoring and reporting Compared to WSUS, Configuration Manager
provides extensive monitoring capabilities, such as detailed state messages, status
updates, and alerts for key software-update issues. Configuration Manager also
provides an extensive number of reports to show your entire organization’s deployment
status and compliance statistics with respect to updates.
■ Wake on LAN and power management support Configuration Manager includes
support for technology that wakes up a computer on a local area network (Wake On
LAN technology). This feature enables you to deploy software updates after business
hours without requiring users to leave their computers on, which consumes power
unnecessarily.
■ Support for Network Access Protection (NAP) With the integration of NAP and
the System Health Validator point site system role, you can define what software
updates are required for computers to connect to and communicate with the network
resources. This differs from WSUS integration with NAP, by which, rather than requiring
specific updates to be deployed, you test to see whether an update check was
performed recently and detected updates of a specific type have been installed.




Configuration Manager software update point
The software update point is a Configuration Manager site system role that supports software
update management. It integrates WSUS with the Configuration Manager infrastructure. In
multisite Configuration Manager deployments, each site usually contains a software update
point. You typically configure the software update point at the hierarchy’s top-level site to
synchronize updates from Microsoft Update. Then, you configure the software update points
in each child site to synchronize updates from the upstream update server in the parent site.
The deployment of software update points in secondary sites is optional. It is generally
a good idea to deploy a software update point in a secondary site when there is limited
network bandwidth between client computers and site systems in the primary site. When you
configure a software update point in a secondary site, the WSUS installation is configured as
a replica of the WSUS instance located in the primary site. Clients located within the
secondary site boundaries are configured to communicate with the local software update point in
the secondary site. In this configuration, you continue to manage all deployments from the
primary site.
System Center 2012 R2 Configuration Manager supports multiple software update points
in each site. When you deploy multiple software update points in a site, those software
update points are automatically load balanced in the following way: Configuration Manager
initially assigns a client to a software update point. The client retains that assignment unless it
experiences a software-update failure, such as the WSUS server being unavailable or
unresponsive. The client retries the connection to the software update point a minimum of four times
at 30-minute intervals. After the fourth attempt, the client waits an additional two minutes
and then randomly chooses another software update point from the site, preferring a
software update point that resides in the same forest.
If you deploy the software update point on a computer that hosts additional site system
roles, you can support up to 25,000 clients. If the software update point site system role is
deployed by itself, it can support up to 100,000 clients.

Deployment
When you install a software update point, you must configure it to communicate with
WSUS through the appropriate ports. By default, when you install WSUS on a computer running
Windows Server 2012 or Windows Server 2012 R2, it creates a dedicated website for
WSUS and configures ports 8530 for HTTP and 8531 for HTTPS.
A Configuration Manager software update point has the following prerequisites:
■ WSUS 3.0 SP2 or newer The Software Updates feature requires WSUS 3.0 Service
Pack 2 (SP2) or newer for software-updates catalog synchronization and client scanning
for compliance assessments with respect to software updates. For Windows
Server 2008 R2, you must download and install WSUS and related prerequisites on a
system before configuring that system as a Configuration Manager site system for a
software update point. From Windows Server 2012 onward, WSUS is a built-in role.




■ WSUS 3.0 SP2 or newer administration console If WSUS is not installed on the
site server, you must install the WSUS administration console on the Configuration
Manager site server. This enables the site server and the WSUS server to communicate
with each other.
■ Configuration Manager roles The software update point also requires the
management point and distribution point roles to be deployed.
■ Configuration Manager reporting services point Although not a primary
prerequisite, before you can use software updates reports you need to configure a reporting
services point site system. However, because other Configuration Manager features
require the reporting services point, you most likely have deployed it within your
infrastructure already.
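An added PowerShell check, not from the book, that verifies the software update point prerequisites listed above on a Windows Server 2012 R2 site system: whether the WSUS role or its administration console is installed, and whether the default WSUS ports (8530 for HTTP and 8531 for HTTPS) answer on the WSUS server. The host name wsus01.contoso.internal and the function name are assumptions; the Windows feature names and cmdlets are the ones shipped with Windows Server 2012 R2.

```powershell
# Added example (not from the book). Checks the software update point prerequisites
# listed above on a Windows Server 2012 R2 site system. The server name is an assumption.

function Test-SupPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $WsusServer,
        [int] $HttpPort  = 8530,   # default WSUS HTTP port on Windows Server 2012 / 2012 R2
        [int] $HttpsPort = 8531    # default WSUS HTTPS port
    )
    $result = [ordered]@{ WsusServer = $WsusServer }

    # Get-WindowsFeature (ServerManager module) reports the WSUS role and its tools:
    #   UpdateServices    = the WSUS role itself
    #   UpdateServices-UI = the WSUS administration console, required on the site server
    #                       when WSUS runs on a different computer
    Import-Module ServerManager -ErrorAction Stop
    $features = Get-WindowsFeature -Name UpdateServices, UpdateServices-UI
    foreach ($f in $features) { $result[$f.Name] = $f.InstallState }

    $wsusLocal   = ($features | Where-Object Name -eq 'UpdateServices').Installed
    $consoleHere = ($features | Where-Object Name -eq 'UpdateServices-UI').Installed
    $result['ConsoleRequirementMet'] = [bool]($wsusLocal -or $consoleHere)

    # Test-NetConnection (NetTCPIP module, Windows Server 2012 R2 and later) checks
    # whether the WSUS website answers on each port from this site system.
    foreach ($port in $HttpPort, $HttpsPort) {
        $tcp = Test-NetConnection -ComputerName $WsusServer -Port $port -WarningAction SilentlyContinue
        $result["Port$port"] = if ($tcp.TcpTestSucceeded) { 'Open' } else { 'Closed or filtered' }
    }

    [pscustomobject]$result
}

# Run on the intended site system; 'wsus01.contoso.internal' is a placeholder host name.
Test-SupPrerequisites -WsusServer 'wsus01.contoso.internal' | Format-List
```

When WSUS is installed on the site server itself, ConsoleRequirementMet is true without the separate console feature; a closed port 8531 is expected if the WSUS website has not been configured for SSL.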
As you deploy and configure the software update point, ensure that the site system role
is working as expected. Component Status provides status messages related to the
components used during the software update configuration. In the Monitoring workspace, expand
System Status and then click Component Status. The following components are related to the
software update point:
■ SMS_WSUS_CONTROL_MANAGER Displays status information related to the
installation of the component on the software update point. This component also provides
information about the availability of the component on the server. The related
WSUSCtrl.log stores detailed information.
■ SMS_WSUS_CONFIGURATION_MANAGER Displays status information related
to the success or failure of configuration settings for the software update point. The
related WCM.log stores detailed information.

Synchronizing the update point


The software update process begins when the top-level site (central administration site or
standalone primary site) downloads the metadata of the software update catalog that
identifies each update and the products to which it applies. Depending on synchronization settings
that you configure within the Configuration Manager console, the software-updates
synchronization process retrieves the metadata from an upstream software update point or from
Microsoft Update. You can schedule metadata synchronization as part of the software update
point properties, or you can initiate the update manually.
To synchronize the metadata of the software update catalog, follow these steps:
1. Select the software update classes and products for synchronization and then
synchronize them either based on a schedule that you configure or by initiating the
synchronization manually. The WSUS Synchronization Manager on the site server calls
an application programming interface (API) to request the WSUS server to initiate
synchronization with Microsoft Update or with an existing WSUS server that is not in the
Configuration Manager hierarchy.




2. The WSUS server requests the metadata of the software update catalog from
Microsoft Update, which returns it to the WSUS server. If the synchronization occurs on
a configured schedule, the software update point performs a full synchronization and
applies all metadata changes, such as additions, modifications, or removals. If you
initiate the synchronization manually, the software update point inserts only new catalog
metadata into the site database. This results in faster synchronization. The WSUS server
stores the metadata in the WSUS database, and the WSUS Synchronization Manager
continues to poll the WSUS server until synchronization is complete.
3. When WSUS Synchronization Manager polling detects that WSUS synchronization is
complete, it requests the software update metadata from the WSUS server and inserts
it into the Configuration Manager site database. When synchronization is complete,
the SMS_WSUS_SYNC_MANAGER component creates status message 6702. You also
can verify a successful synchronization by reviewing the site server’s Wsyncmgr.log
for a reference to status message 6702. If synchronization fails, the WSUS
Synchronization Manager schedules another attempt within 60 minutes. Status message
6703 also provides information about the failure. When the metadata synchronization
process is complete, you can view the software updates from within the
Configuration Manager console.
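An added PowerShell example, not from the book, that reads Configuration Manager component logs such as WSUSCtrl.log and WCM.log (named under Component Status above) and Wsyncmgr.log (named in step 3), all of which share the same `<![LOG[...]LOG]!><time=... type=...>` line format; it lists the warning and error entries and reports whether the most recent synchronization ended with status message 6702 (success) or 6703 (failure). The sample log lines are constructed for this example and are not real output; the log path in the closing comment is the default installation folder and may differ in your site.

```powershell
# Added example (not from the book). Parses Configuration Manager component logs
# (WSUSCtrl.log, WCM.log and Wsyncmgr.log share this line format) and reports the
# outcome of the last synchronization from status messages 6702 / 6703.

# Constructed sample lines for this example; not a real Wsyncmgr.log.
$SampleLog = @'
<![LOG[Starting Sync]LOG]!><time="02:00:01.100+000" date="03-14-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4012" file="wsyncmgr.cpp:100">
<![LOG[STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CM01 SITE=PS1]LOG]!><time="02:05:30.200+000" date="03-14-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4012" file="wsyncmgr.cpp:200">
<![LOG[Sync failed: WSUS server not configured. Will retry in 60 minutes]LOG]!><time="02:05:30.300+000" date="03-14-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4012" file="wsyncmgr.cpp:201">
<![LOG[STATMSG: ID=6702 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=CM01 SITE=PS1]LOG]!><time="03:06:12.000+000" date="03-14-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="1" thread="4012" file="wsyncmgr.cpp:300">
'@

# The type attribute encodes severity: 1 = informational, 2 = warning, 3 = error.
$SeverityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CMLog {
    # Turns each <![LOG[...]LOG]!><...> line into an object; lines that do not match are skipped.
    param([Parameter(Mandatory)] [string[]] $Line)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = $SeverityByType[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMSyncStatus {
    # Summarises a log: every warning/error entry, plus the outcome of the most recent
    # synchronization as recorded by status message 6702 (success) or 6703 (failure).
    param([Parameter(Mandatory)] [string] $LogText)
    $entries  = ConvertFrom-CMLog -Line ($LogText -split "`r?`n" | Where-Object { $_ })
    $lastStat = $entries |
        Where-Object { $_.Message -match 'STATMSG: ID=(6702|6703)\b' } |
        Select-Object -Last 1

    $state = 'Unknown'
    if ($lastStat) {
        $state = if ($lastStat.Message -match 'ID=6702') { 'Succeeded' } else { 'Failed' }
    }

    [pscustomobject]@{
        Problems      = @($entries | Where-Object { $_.Severity -ne 'Info' })
        LastSyncState = $state
        LastSyncTime  = if ($lastStat) { "$($lastStat.Date) $($lastStat.Time)" } else { $null }
    }
}

$status = Get-CMSyncStatus -LogText $SampleLog
$status | Select-Object LastSyncState, LastSyncTime
$status.Problems | Format-Table Time, Severity, Message -AutoSize

# Against a site server, read the real log (default ConfigMgr install path; adjust if different):
# Get-CMSyncStatus -LogText (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\wsyncmgr.log' -Raw)
```

With the constructed sample, the first attempt records 6703 and a retry-in-60-minutes message, and the later 6702 entry makes the reported state Succeeded while the two error entries remain listed under Problems. The same ConvertFrom-CMLog function applies unchanged to WSUSCtrl.log and WCM.log.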
When the software update point that is located in the central administration site
completes metadata synchronization, the metadata replicates to all child primary site databases
by using database replication. After data replication is complete for the site databases, the
child site’s WSUS Synchronization Manager requests the WSUS database instance running
on the child site’s software update point to initiate synchronization with the upstream WSUS
server in the central site. Child sites always perform a full synchronization. The WSUS
Synchronization Manager in each primary site then sends a replication request to any of its
respective child secondary sites that contain a software update point.
If you have a software update point that you do not configure to synchronize with an
upstream server (for example, a software update point that is located in a perimeter network),
you can export and import updates manually by using the WSUSutil tool. Using WSUSutil to
export or import metadata requires local administrative privileges on the WSUS server. You
must run the tool locally on the server. Use the following process to export and import the
metadata:
1. On the export server, copy all the files and folders from WSUSInstallationDrive\WSUS
\WSUSContent\ to the import server. This ensures that locally stored updates and
applicable license terms are available to the import server.
2. On the export server, open a command prompt, type the following command, and
then press Enter:
wsusutil.exe export <packagename> <logfilename>




3. Move the exported package to the import server, open a command prompt, type the
following command, and then press Enter:
wsusutil.exe import <packagename> <logfilename>
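The three-step export/import procedure above as one added PowerShell script (not from the book): step 1 copies WSUSContent, step 2 runs `wsusutil.exe export`, and step 3 runs `wsusutil.exe import`, with the exit code of each step checked so that a failed copy is not followed by a metadata import that refers to missing content. The transfer share, the package file name and the function names are assumptions; wsusutil.exe is addressed in its default installation folder under Program Files.

```powershell
# Added example (not from the book). Runs the three-step export/import of WSUS metadata
# and content for a software update point that has no upstream server. wsusutil.exe is
# used exactly as in the steps above; share path, file names and function names are assumptions.

$WsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'

function Invoke-Robocopy {
    # robocopy exit codes below 8 mean success (files copied or skipped); 8 and above mean failures.
    param([string] $Source, [string] $Destination)
    robocopy $Source $Destination /E /R:2 /W:5 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $Source -> $Destination failed (exit code $LASTEXITCODE)" }
}

function Export-WsusMetadata {
    # Run locally, as a local administrator, on the export (connected) WSUS server.
    param(
        [Parameter(Mandatory)] [string] $WsusInstallationDrive,   # e.g. 'D:'
        [Parameter(Mandatory)] [string] $TransferShare,           # e.g. '\\fs01\WsusTransfer' (placeholder)
        [string] $PackageName = 'wsus-export.xml.gz'              # assumed name; use the extension your WSUS version expects
    )
    # Step 1: copy WSUSContent so that locally stored updates and license terms reach the import server.
    Invoke-Robocopy -Source (Join-Path $WsusInstallationDrive 'WSUS\WSUSContent') `
                    -Destination (Join-Path $TransferShare 'WSUSContent')

    # Step 2: wsusutil.exe export <packagename> <logfilename>; a non-zero exit code is treated as failure.
    $package = Join-Path $TransferShare $PackageName
    & $WsusUtil export $package (Join-Path $TransferShare 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed (exit code $LASTEXITCODE)" }
    return $package
}

function Import-WsusMetadata {
    # Run locally, as a local administrator, on the import (disconnected) WSUS server.
    param(
        [Parameter(Mandatory)] [string] $WsusInstallationDrive,
        [Parameter(Mandatory)] [string] $TransferShare,
        [string] $PackageName = 'wsus-export.xml.gz'
    )
    # Content first, so that the imported metadata refers to files that are already present.
    Invoke-Robocopy -Source (Join-Path $TransferShare 'WSUSContent') `
                    -Destination (Join-Path $WsusInstallationDrive 'WSUS\WSUSContent')

    # Step 3: wsusutil.exe import <packagename> <logfilename>
    & $WsusUtil import (Join-Path $TransferShare $PackageName) (Join-Path $TransferShare 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed (exit code $LASTEXITCODE)" }
}

# On the export server:  Export-WsusMetadata -WsusInstallationDrive 'D:' -TransferShare '\\fs01\WsusTransfer'
# On the import server:  Import-WsusMetadata -WsusInstallationDrive 'D:' -TransferShare '\\fs01\WsusTransfer'
```

The transfer share stands in for whatever medium carries the package and content across the network boundary; on a perimeter-network WSUS server with no file-share connectivity, the same two functions work against a local folder on removable media.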

Software Update Manager security role


To configure the site system role for the software update point, you need to be a member
of the Full Administrator security role. The Software Update Manager role should be
associated with administrative users who need to perform software update–related tasks. This role
includes the following permissions:
■ Allows you to delegate the management of software updates.
■ Allows you to define and deploy software updates to clients.
■ Provides permissions to create and modify software update packages, Software
Update Groups, and deployment templates, and provides the ability to enable software
updates for NAP.

Software update client settings


In the Administration workspace, you use the Client Settings node to specify settings related
to various client agent components, including the Software Updates agent. You can use the
Default Client Settings object to apply configuration settings for software updates to the
hierarchy’s clients. You can create and configure a Custom Client Device Settings object if you
have unique software updates settings that you want to apply to members of a specific
collection.
The Computer Agent section of the Default Settings dialog box provides the Disable
Deadline Randomization setting for controlling the deployment of software updates. This Yes
or No setting determines whether updates deploy at the designated time or use a random
start time of up to two hours after the scheduled beginning of the deployment.




The Software Updates section, shown in Figure 3-9, contains the following settings that
configure how client computers deploy software updates:

FIGURE 3-9 Software Updates

■ Enable Software Updates On Clients Specifies whether the Software Updates
agent is enabled or disabled on client computers. Setting the option to Yes enables
software updates, which is the default setting. Setting the option to No disables
software updates on clients.
■ Software Update Scan Schedule Specifies how often the client computer initiates
a scan for software updates compliance. By default, the software update scan occurs
every seven days.
■ Schedule Deployment Re-evaluation Configures how often the Software Updates
agent reevaluates software updates for installation status. This setting is useful if a user
has uninstalled a deployed update. This setting initiates reevaluation, and if an update
is missing, it reinstalls that update automatically according to the reevaluation schedule
that you configure. By default, deployment reevaluation is every seven days.
■ When Any Software Update Deployment Deadline Is Reached, Install All Other
Software Update Deployments With Deadline Coming Within A Specified Period
Of Time Specifies whether to enforce all required software update deployments that
have installation deadlines within a specific period if a single update reaches its
installation deadline. Setting the option to Yes enables the setting. Setting it to No disables
the setting, which is the default configuration.




■ Period Of Time For Which All Pending Deployments With Deadline In This Time
Will Also Be Installed Specifies the period for the previous setting. When you set
the previous setting to Yes, you can specify a period. Required updates within the
specified period deploy when another update reaches its deadline. The default setting
is one hour.
Maintenance windows, shown in Figure 3-10, enable you to prevent systems from
rebooting during critical times. For example, deploying updates in the middle of the workday would
most likely be disruptive to your users, so you can configure a maintenance window so that
update deployment would occur only after 4:00 P.M. or 5:00 P.M.

FIGURE 3-10 Maintenance Windows tab

Use maintenance windows to control when:


■ Required software deployments can run.
■ Software updates will deploy.
■ Compliance settings deployments and evaluations can run.
■ Operating system deployments can occur.
■ Task sequence deployments can run.
By specifying available windows for these tasks to run, you can prevent unnecessary inter-
ruptions for users. Maintenance windows only apply to when deployments are allowed to run.
You can schedule the deployments to download and run locally so that downloads can occur
before the maintenance window.
You configure maintenance windows in the properties of a device collection on the
Maintenance Windows tab. You can configure multiple windows on a collection, and a device
can be in multiple collections that have scheduled maintenance windows. Each maintenance
window is defined by the start time, end time, and recurrence pattern. In addition, you can
configure the maintenance windows to apply to All Deployments, only Software Updates, or only Task
Sequences.
Any reboots caused by a deployment can occur only during a maintenance window.
Therefore, you should configure your software updates maintenance windows to be long
enough to deploy all the appropriate updates to prevent reboots during working hours. Each
maintenance window must be configured for less than 24 hours.
When a device is affected by multiple maintenance windows, the maintenance windows
are cumulative. For example, if a device is in a collection with a maintenance window from
12:00 A.M. to 3:00 A.M. and in a different collection with a maintenance window from
2:00 A.M. to 5:00 A.M., its effective maintenance window would be from 12:00 A.M. to
5:00 A.M.
Maintenance windows only affect deployments that start automatically. If a user starts a
deployment from the application catalog or from the software center, the application will
install, and any required reboots will occur.
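The cumulative-window rule above is easy to get wrong when a device belongs to several collections. The following added example (not code from the book or from Configuration Manager) models each window as a start/end pair on one day, merges overlapping windows the way the text describes, rejects any window that is not shorter than 24 hours, and checks whether the effective window has room for a given number of updates plus a restart. Collection names and the per-update timing estimate are made up for the example; it runs in plain PowerShell 3.0 or later without the Configuration Manager module.

```powershell
# Added example: compute the effective maintenance window for a device in
# several collections. Overlapping windows are cumulative, and each individual
# window must be shorter than 24 hours, as the text requires.

function Merge-MaintenanceWindow {
    param(
        # Objects with Collection (string), Start and End (DateTime) properties
        [Parameter(Mandatory = $true)][object[]]$Window
    )
    foreach ($w in $Window) {
        if ($w.End -le $w.Start) { throw "Window '$($w.Collection)' ends before it starts" }
        if (($w.End - $w.Start).TotalHours -ge 24) {
            throw "Window '$($w.Collection)' must be shorter than 24 hours"
        }
    }
    $merged = @()
    foreach ($w in ($Window | Sort-Object Start)) {
        $last = if ($merged.Count -gt 0) { $merged[-1] } else { $null }
        if ($last -and $w.Start -le $last.End) {
            # Overlapping or touching: extend the effective window in place
            if ($w.End -gt $last.End) { $last.End = $w.End }
            $last.Collection += ", $($w.Collection)"
        } else {
            $merged += [pscustomobject]@{ Collection = $w.Collection; Start = $w.Start; End = $w.End }
        }
    }
    return $merged
}

function Test-MaintenanceWindowCapacity {
    # Rough check that a window can install N updates and still restart inside it.
    # MinutesPerUpdate and RestartMinutes are assumed planning figures, not ConfigMgr values.
    param(
        [Parameter(Mandatory = $true)]$Window,
        [Parameter(Mandatory = $true)][int]$UpdateCount,
        [int]$MinutesPerUpdate = 5,
        [int]$RestartMinutes = 15
    )
    $needed = ($UpdateCount * $MinutesPerUpdate) + $RestartMinutes
    return ($Window.End - $Window.Start).TotalMinutes -ge $needed
}

# Constructed input: the book's 12:00 A.M.-3:00 A.M. and 2:00 A.M.-5:00 A.M. case,
# plus an unrelated late-evening window on a third (made-up) collection.
$day = Get-Date '2014-11-12'
$windows = @(
    [pscustomobject]@{ Collection = 'Workstations-Floor1'; Start = $day.AddHours(0);  End = $day.AddHours(3) },
    [pscustomobject]@{ Collection = 'All-Workstations';    Start = $day.AddHours(2);  End = $day.AddHours(5) },
    [pscustomobject]@{ Collection = 'Lab-PCs';             Start = $day.AddHours(22); End = $day.AddHours(23) }
)

$effective = Merge-MaintenanceWindow -Window $windows
foreach ($w in $effective) {
    $fits = Test-MaintenanceWindowCapacity -Window $w -UpdateCount 20
    '{0,-40} {1:HH:mm}-{2:HH:mm} ({3:0.#} h) room for 20 updates + restart: {4}' -f `
        $w.Collection, $w.Start, $w.End, ($w.End - $w.Start).TotalHours, $fits
}
```

The first merged row prints as 00:00-05:00, the five-hour effective window the text describes; the one-hour Lab-PCs window is reported separately and fails the capacity check, which is the case to catch before a deadline forces a restart into the working day. The same merging logic applies when you read real windows back with Get-CMMaintenanceWindow on each collection the device belongs to.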

Scanning for update compliance


When the initial scan begins on a client, the Software Updates agent submits a request to
the management point to find the WSUS server that the scan will use. After the management
point provides the WSUS server location, the agent enables the Specify Intranet Microsoft
Update Service Location local Group Policy setting located at Computer Configuration
\Administrative Templates\Windows Components\Windows Update and then configures the
policy setting with the URL of the server that is running the software update point.
If you configure Windows Update settings in an Active Directory–based Group Policy
Object (GPO), the Active Directory settings override the local Group Policy settings that the
Software Updates agent configures, and clients scan against the wrong server or not at all. Be sure to remove conflicting Windows Update Group Policy settings from
Active Directory when integrating software updates by using Configuration Manager.
The Software Updates agent then passes a scan request to the Windows Update agent.
The Windows Update agent connects to the WSUS server, retrieves the software updates
metadata, and then performs a local scan on the client. The Windows Update agent sends
the compliance results to the management point by using state messages. The management
point forwards the results to the site server, which then inserts them in the site database.
The process to scan clients for update compliance is as follows:
1. Per the schedule that you configure, or when you initiate the scan manually, the client
receives machine policy from the management point. The machine policy config-
ures local Group Policy settings with the name of the software update point that the
Windows Update agent should use. The machine policy also provides the schedules for
scanning and reevaluation.
2. The compliance scan initiates on the client. The Windows Update agent on the client
connects to the WSUS server, retrieves the software update metadata, and initiates the
compliance scan. The client returns a list that reflects the compliance state for every
update evaluated.
3. If configured, WSUS stores the scan results in the WSUS database. This setting is not
enabled by default.
4. The client stores the compliance scan results in Windows Management
Instrumentation (WMI) and then sends the results as a batch to the management
point as state messages. The client then sends the state messages to the management
point in bulk every 15 minutes by default.
5. The management point sends the results to the site server, which then enters them in
the site database.
6. You can view the compliance scan results by using the Configuration Manager console
or by using reports in categories such as the Software Updates – D Scan category and
Software Updates – A Compliance category.
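Because the scan depends on the local policy the agent writes, the first thing to check on a client that reports Unknown is whether that policy still points at the software update point. The following added example (not code from the book) reads the Windows Update policy keys, compares them with the update source the Software Updates agent recorded in WMI, looks in WUAHandler.log for the "overwritten by a higher authority" warning the agent writes when a domain GPO wins, lists what the last scan stored in WMI, and triggers a new scan. It runs in an elevated PowerShell prompt on a Configuration Manager client; the WMI namespaces and the schedule ID are the client's own, the log-line pattern is an assumption about the wording of that warning.

```powershell
# Added example: check how a client has been pointed at the software update point
# and what its last compliance scan recorded. Run elevated on the client.

$wuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuaPolicySource {
    # WUServer/WUStatusServer are the registry form of the
    # "Specify intranet Microsoft update service location" policy.
    $p  = Get-ItemProperty -Path $wuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuPolicyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Get-CcmUpdateSource {
    # The Software Updates agent records the software update point it was told to use.
    Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -Class CCM_UpdateSource |
        Select-Object UniqueID, ContentLocation, ContentVersion
}

function Test-WuaPolicyConflict {
    # Flags a domain GPO overriding the agent's local policy, by value and by log evidence.
    $reg = Get-WuaPolicySource
    $src = Get-CcmUpdateSource
    $log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
    $overridden = $false
    if (Test-Path $log) {
        # Assumed wording of the warning WUAHandler writes when a higher-authority policy wins
        $overridden = [bool](Select-String -Path $log -Pattern 'overwritten by a higher authority' -Quiet)
    }
    [pscustomobject]@{
        PolicyServer     = $reg.WUServer
        ConfigMgrServer  = $src.ContentLocation
        Mismatch         = ($reg.WUServer -ne $src.ContentLocation)
        GpoOverrideInLog = $overridden
    }
}

function Get-CcmScanResult {
    # Step 4 of the process: per-update results from the last scan, kept in WMI.
    Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\UpdatesStore' -Class CCM_UpdateStatus |
        Select-Object Article, Title, Status, ScanTime
}

function Start-CcmUpdateScan {
    # Schedule ID 113 is the Software Updates Scan Cycle.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000113}'
}

Test-WuaPolicyConflict | Format-List
Get-CcmScanResult | Where-Object { $_.Status -eq 'Missing' } | Format-Table -AutoSize
Start-CcmUpdateScan | Out-Null
```

A Mismatch of True with GpoOverrideInLog True is the domain-GPO conflict the text warns about: fix the GPO, not the client. After the triggered scan the client sends its state messages in the next 15-minute batch, so allow for that before judging the console's compliance figures.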

Compliance states
When a client computer performs a deployment evaluation for software updates,
Configuration Manager creates a state message that contains the software update's com-
pliance state for each update that it is evaluating. Configuration Manager then sends state
messages to the site server through the management point, which then inserts them in the
site database. A database summarization process occurs, which summarizes the results into
specific compliance states. For each update, the Configuration Manager console displays the
number of client computers in each compliance state.
Compliance states are as follows:
■ Required The software update is applicable to and required on the client computer.
The site server also might report this state for three scenarios:
■ If the software update is deployed but not installed
■ If the state messages have not been received on the site server
■ If the update requires a computer restart before it completes
■ Installed The software update has installed on the computer.
■ Not Required The software update is not applicable to the client computer.
■ Unknown The site server has not received any information about the specific update
from the client computer. The site server might report this state for three scenarios:
■ The client computer’s compliance scan has not been reported.
■ The scan was not successful.
■ The scan was successful, but the state message has not been processed at the site
server due to a backlog state or a corrupt state message file.

Managing updates
Managing software updates includes determining what software updates to deploy, deploy-
ing the updates to client devices, and then monitoring the results of the software updates
deployment. To improve efficiency and consistency of software updates management, you
can use software update groups.

Software update groups


A software update group is a logical collection of software updates that can be deployed as a
single unit.
Using a software update group has many advantages, including the following:
■ Ensuring ease of management when you deploy multiple updates You can use
a software update group to organize multiple software updates into a single object
that a deployment can reference for targeted collections. You can run the Download
Software Updates Wizard based on a software update group and then create a deploy-
ment package. This package references specific software-update installation files and
then distributes the files to distribution points. You also can use the Deploy Software
Updates Wizard for a software update group to deploy the updates within that soft-
ware update group to a targeted collection.
■ Providing easy tracking capabilities for the compliance status for multiple
updates A software update group includes only the software updates that you add.
You can use the software update group to monitor the compliance status for target
systems. In addition, when you use software update groups to create deployment
packages, you can use reports such as the Compliance 1 – Overall Compliance and the
Compliance 3 – Update Group (per update) to obtain status for each software update
within the group.
■ Enabling the delegation of software update administration Using a software
update group enables you to delegate the administration of software updates. For
each software update group, you can set one or more security scopes, which you then
can reference when you add an administrative user to whom you assign the Software
Update Manager security role.
To create a software update group, select one or more updates and then, on the ribbon,
click Create Software Update Group. In the Create Software Update Group dialog box, you
can set options for a group name and description.
You can add software updates to an existing software update group by selecting the
update and then clicking the Edit Membership button on the Home tab on the ribbon. This
displays a list of available software update groups that you can then select as required.

Downloading updates
Deploying software updates involves creating a deployment package, downloading the soft-
ware update files, and then distributing them to distribution points. Verify that the content is
available on distribution points before you deploy the software updates to clients.
You can use the Download Software Updates Wizard to create the deployment package,
define the distribution points, and specify the download location of the update files. Start the
wizard by selecting one or multiple software updates or a software update group and then
clicking the Download button on the ribbon.
When you run the Download Software Updates Wizard, you configure the following:
■ Deployment Package Enables you to select an existing deployment package or
create a new one. The deployment package specifies its source, which is the location to
which the source files download and from which the site server distributes them to distribu-
tion points. You must create and share the package source folder that the deployment
package uses. Each deployment package uses a specific shared folder.
■ Distribution Points Enables you to specify the distribution points or distribution
point groups that host the deployment package files. This page displays only if you are
creating a new deployment package.
■ Distribution Settings Enables you to specify several distribution options. This page
displays only when you are creating a new deployment package. The options that you
can specify include the following:
■ Distribution Priority You can specify the priority in which the site server sends pack-
ages to distribution points. The site server sends packages with a high priority before
sending packages that you configure with a medium or low priority.
■ Distribute The Content For This Package To Preferred Distribution Points If
you select this option, a client request causes the local distribution point to down-
load the package if it has not downloaded already.
■ Prestaged Distribution Point Settings This section provides options for control-
ling the behavior of distribution points that you configure to support prestaged
content.
■ Download Location Specifies the location from which the software update point
downloads the software update files. If you have an Internet connection, you can select
Download Software Updates From The Internet. If you do not have an Internet connec-
tion, you can download the software updates manually and then store the files on an
accessible network location. You can select Download Software Updates From A
Location On My Network and then provide the network location of the stored files.
■ Language Selection Specifies the languages that should be downloaded for each
software update file.

Update deployment
When you deploy software updates to client computers, the software-update deployment
information is added to the Configuration Manager machine policy. The client computer
becomes aware of the deployment on the next machine policy retrieval and evaluation cycle.
The cycle's default setting is every 60 minutes.
To deploy software updates to client computers, you first must create a deployment pack-
age. You do so by running the Deploy Software Updates Wizard, which you can invoke by
selecting specific updates or by selecting a software update group and then clicking Deploy
on the ribbon.
To deploy software updates:
1. In the System Center 2012 R2 Configuration Manager console, use the Deploy
Software Updates Wizard to create a new deployment package. In the wizard, you can
define numerous settings, such as:
■ Software updates or software update group that the deployment includes.
■ Collection or collections that the deployment targets.
■ Deployment settings that you should use, such as whether the updates are required
or available and whether to turn on the Wake On LAN functionality.
■ Deployment scheduling, which specifies when the software will be available, and the
deadline for the installation.
■ User experience, such as notifications and restart behavior.
■ Alert settings.
■ Download and installation settings for slow networks.
■ Locations of the package source and distribution points.
■ Whether you want to download software updates from the Internet or from a net-
work location.
■ Language selection for the updates.
2. The site server requests the software updates' binaries from the download location
that you define in the deployment. These binaries can come from Microsoft Update or
from a local source.
3. The site server copies the software update binaries to the content library on the
distribution point. The site server adds the new software update deployment to the
machine policy.
4. At the client policy polling interval, the client retrieves the machine policy from the
management point and receives the new deployment information.
5. If the software update catalog has changed, the client scans for each software update
to verify that it is still required. If you configure the software-update deployment
type as Required, the client requests the binaries from the distribution point for each
required update and then stores them in the local cache. If you configure the deploy-
ment type as Available, the updates download when the user invokes the installation.
6. The client sends a state message to the management point that reports that the soft-
ware update was downloaded. The management point forwards the state message to
the site server, which then enters the message into the database.
7. When the installation deadline for the software update arrives or you initiate the
update installation manually, the client scans for each software update to verify that it
still is required. The client then installs the software update, performs another scan on
the client to verify that the update is no longer required, and then sends a state mes-
sage to the management point that indicates the update has been installed. If a restart
is necessary, the state message indicates that the client computer is pending a restart.
After the restart, a scan begins to verify that the software update is complete and no
longer required and creates a state message to indicate that the update has installed.
For each software update that fails to install, an error-status message is sent to the
management point, which forwards the messages to the site server. The site server
then inserts status messages into the database.
Client computers initiate a deployment reevaluation cycle every seven days by default.
During this evaluation cycle, the client computer scans for previously deployed and installed
software updates. If any are missing, the software updates are reinstalled on the client.
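Steps 4 through 7 and the reevaluation cycle are all visible from the client side. The following added example (not code from the book) reads the per-deployment state the client keeps in its ClientSDK WMI namespace, translates the evaluation-state codes into the stages the text describes (downloading, waiting for a maintenance window, pending a restart), installs whatever is still only available, reports whether a restart is pending, and forces the deployment evaluation cycle instead of waiting for the seven-day default. The namespaces, classes and schedule ID are the client's own; the meaning assigned to each numeric evaluation state is this example's assumption and should be checked against the client SDK documentation for your version.

```powershell
# Added example: inspect and drive a software update deployment from the client.
# Run elevated on a Configuration Manager client that has deployments targeted at it.

# Assumed meaning of CCM_SoftwareUpdate.EvaluationState codes
$evalState = @{
    0 = 'None'; 1 = 'Available'; 2 = 'Submitted'; 3 = 'Detecting'; 4 = 'PreDownload'
    5 = 'Downloading'; 6 = 'WaitInstall'; 7 = 'Installing'; 8 = 'PendingSoftReboot'
    9 = 'PendingHardReboot'; 10 = 'WaitReboot'; 11 = 'Verifying'; 12 = 'InstallComplete'
    13 = 'Error'; 14 = 'WaitServiceWindow'; 15 = 'WaitUserLogon'
}

function Get-CcmTargetedUpdate {
    # One row per update in a deployment that targets this client.
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate | ForEach-Object {
        [pscustomobject]@{
            Article    = $_.ArticleID
            Name       = $_.Name
            Compliance = if ($_.ComplianceState -eq 0) { 'Required' } else { 'Installed' }
            State      = $evalState[[int]$_.EvaluationState]
            Deadline   = $_.Deadline
        }
    }
}

function Install-CcmPendingUpdate {
    # Equivalent of a user starting the installation from Software Center (step 7):
    # install every required update that is still only available, in one batch.
    $pending = @(Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate |
        Where-Object { $_.ComplianceState -eq 0 -and $_.EvaluationState -le 1 })
    if ($pending.Count -eq 0) { return $null }
    $mgr = [wmiclass]'root\ccm\ClientSDK:CCM_SoftwareUpdatesManager'
    $mgr.InstallUpdates([System.Management.ManagementObject[]]$pending)
}

function Test-CcmRestartPending {
    # The client's own view of whether a deployment left it pending a restart.
    $r = Invoke-WmiMethod -Namespace 'root\ccm\ClientSDK' -Class CCM_ClientUtilities `
        -Name DetermineIfRebootPending
    [pscustomobject]@{ RebootPending = $r.RebootPending; HardRebootPending = $r.IsHardRebootPending }
}

function Start-CcmDeploymentEvaluation {
    # Schedule ID 114 is the Software Updates Deployment Evaluation Cycle, the
    # seven-day reevaluation the text describes, triggered on demand.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000114}'
}

Get-CcmTargetedUpdate | Format-Table -AutoSize
Install-CcmPendingUpdate | Out-Null
Test-CcmRestartPending
Start-CcmDeploymentEvaluation | Out-Null
```

Updates shown as WaitServiceWindow are blocked by a maintenance window rather than failing, and PendingSoftReboot/PendingHardReboot rows correspond to the "pending a restart" state message in step 7; UpdatesDeployment.log on the client records the same transitions.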

Monitoring and troubleshooting software updates


You can use several methods to monitor and troubleshoot the client compliance and deploy-
ment of software updates, including the All Software Updates results pane, alerts, status mes-
sages, reports, WSUS logs, server-side logs, and client logs.

Monitoring software update processes


You need to monitor three basic activities when using Configuration Manager to manage
software updates. These are synchronization, distribution, and client deployment.
To verify that the software update point has the most recent list of available updates, it
needs to be able to perform synchronization successfully. You can use the following methods
to monitor software update point synchronization:
■ Software Update Point Synchronization Status Located in the Monitoring
workspace, the Software Update Point Synchronization Status node provides detailed
information related to the synchronization status for all software update points in the
hierarchy. Details include the synchronization source, last synchronization date and
time, synchronization status, and error codes for failures.
■ Alerts When you configure the synchronization schedule for the software update
point, you can configure an alert to generate if synchronization fails on any site in the
hierarchy. You also can modify this setting from the Sync Schedule tab of the Software
Update Component Properties dialog box. You can view alerts from the Alerts node in
the Monitoring workspace.
■ SMS_WSUS_SYNC_MANAGER This method displays status information related to
both WSUS synchronization and site database synchronization with WSUS. The
wsyncmgr.log stores detailed information and is located in either the INSTALL_PATH
\Logs folder or the SMS_CCM\Logs folder, if the system is a management point.
You can use one of the following methods to ensure that update content distributes suc-
cessfully to distribution points:
■ Content Status In the Monitoring workspace, under the Distribution Status node,
you can click Content Status. When you click this node, the results pane displays a list
of all content that has been distributed. You can right-click a specific content type,
such as a software update package, and then click View Status to display status and
progress information related to content distribution to distribution points.
■ Package Transfer Manager The Package Transfer Manager component
(SMS_PACKAGE_TRANSFER_MANAGER) provides status information related to content
transfers to distribution points. You can find the related PkgXferMgr.log on the site
server in the <Configuration Manager Installation Path>\Logs folder. This log file pro-
vides verbose installation and configuration information related to content distribution
to remote distribution points.
After update content has been transmitted to distribution points, you can use the follow-
ing elements to monitor the deployment of that content to Coniguration Manager clients:
■ Deployment Status When you click the Deployments node, the results pane shows
a list of all current deployments, including deployments related to the software update
feature. You can right-click a specific deployment and then click View Status to display
status information related to a specific software update deployment.
■ Alerts When you create a deployment, you can enable alerts based on specified cri-
teria. For example, you might want an alert to be generated if client compliance for the
deployment is below a specific percentage. You view generated alerts from the Alerts
node in the Monitoring workspace.

Software Updates reports
The Reporting node in the Monitoring workspace contains reports that are organized within
specific categories as shown in Figure 3-11. You can use reports to provide information to
anyone who has permission to access the reporting feature.

FIGURE 3-11 Software Updates reports

These reports are grouped as follows:


■ Software Updates – A Compliance Contains reports related to compliance based
on specific software updates, software update groups, or computers. Reports include:
■ Compliance 1 - Overall Compliance.
■ Compliance 2 - Specific Software Update.
■ Compliance 3 - Update Group (Per Update).
■ Compliance 4 - Updates By Vendor Month Year.
■ Compliance 5 - Specific Computer.
■ Compliance 6 - Specific Software Update Status (Secondary).
■ Compliance 7 - Computers In A Specific Compliance State For An Update Group
(Secondary).
■ Compliance 8 - Computers In A Specific Compliance State For An Update
(Secondary).
■ Software Updates – B Deployment Management Contains reports that provide
information related to deployments and the updates contained within specific deploy-
ments. Reports include:
■ Management 1 - Deployments Of An Update Group.
■ Management 2 - Updates Required But Not Deployed.
■ Management 3 - Updates In A Deployment.
■ Management 4 - Deployments That Target A Collection.
■ Management 5 - Deployments That Target A Computer.
■ Management 6 - Deployments That Contain A Specific Update.
■ Management 7 - Updates In A Deployment Missing Content.
■ Management 8 - Computers Missing Content (Secondary).
■ Software Updates – C Deployment States Contains reports that illustrate the
enforcement and evaluation states of a computer or specific deployment. Reports
include:
■ States 1 - Enforcement States For A Deployment.
■ States 2 - Evaluation States For A Deployment.
■ States 3 - States For A Deployment And Computer.
■ States 4 - Computers In A Specific State For Deployment (Secondary).
■ States 5 - States For An Update In A Deployment (Secondary).
■ States 6 - Computers In A Specific Enforcement State For An Update (Secondary).
■ Software Updates – D Scan Contains reports that display the last scan states by col-
lection and by site. Reports include:
■ Scan 1 - Last Scan States By Collection.
■ Scan 2 - Last Scan States By Site.
■ Scan 3 - Clients Of A Collection Reporting A Specific State (Secondary).
■ Scan 4 - Clients Of A Site Reporting A Specific State (Secondary).
■ Software Updates – E Troubleshooting Contains reports that display information
related to scan and deployment errors. Reports include:
■ Troubleshooting 1 - Scan Errors.
■ Troubleshooting 2 - Deployment Errors.
■ Troubleshooting 3 - Computers Failing With A Specific Scan Error (Secondary).
■ Troubleshooting 4 - Computers Failing With A Specific Deployment Error
(Secondary).

Update-related log files


Configuration Manager log files provide detailed information about software-updates com-
ponents. You can use log files to help verify functionality or troubleshoot issues.

SITE SERVER LOG FILES
You can find the site server log files in the <InstallationPath>\Logs folder on the site server,
except where noted. These log files include:
■ PatchDownloader.log Located on the Configuration Manager console computer
that you use to run the wizard to download the update, this log file provides informa-
tion about downloading software updates, from the update source that you specify in
the software updates metadata to the designated download destination.
■ WCM.log Located on the site server, this log file provides information about the
software update point configuration and about connecting to the WSUS server for
subscribed update categories, classifications, and languages.
■ wsyncmgr.log Located on the site server, this log file provides information about the
software-updates synchronization process.

SOFTWARE UPDATE POINT LOG FILES


Software update point log files are located on the software update point (WSUS server) in
both the %ProgramFiles%\Update Services\Logfiles folder and the C:\Program Files\Microsoft
Configuration Manager\Logs folder. These log files include:
■ WSUSCtrl.log This log file provides information about the configuration, database
connectivity, and health of the site's WSUS server.
■ SoftwareDistribution.log This log file provides information about the software
updates that synchronize from the configured update source to the WSUS server
database.

CLIENT COMPUTER SOFTWARE UPDATE LOG FILES


In some cases, you'll need to investigate a client computer to determine why software
updates are not being applied. Log files are located on the client computer, in both the
%windir%\CCM\Logs and the %ProgramFiles%\SMS_CCM\Logs folders (for management
points). These logs include:
■ ScanAgent.log This log file provides information about the scan requests for soft-
ware updates, what tool is requested for the scan, and the WSUS location.
■ WUAHandler.log This log file provides information about when the Windows
Update agent searches for software updates.
■ WindowsUpdate.log Found on the client in the %windir% folder, this log file
provides information about when the Windows Update agent connects to the WSUS
server and retrieves the software updates for compliance assessment and whether
there are updates to the agent components.
■ UpdatesHandler.log This log file provides information about software update com-
pliance scanning and the download and installation of software updates on the client.
■ UpdatesStore.log This log file provides information about the compliance status for
the software updates that the compliance scan cycle assesses.
■ UpdatesDeployment.log This log file provides information about the deployment
on the client, including software update activation, evaluation, and enforcement. Ver-
bose logging shows additional information about the interaction with the client user
interface.
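All of the Configuration Manager logs listed above share one line format (the one CMTrace reads), so a single parser serves the site server, the software update point and the client. The following added example (not code from the book) parses that format, maps the numeric type field to a severity, and prints only warnings and errors. The three log lines it parses are constructed for the example and are not real output; the format pattern is the author's reading of the CMTrace line layout. Point it at wsyncmgr.log, PkgXferMgr.log or WUAHandler.log with Get-Content in place of the sample string.

```powershell
# Added example: parse CMTrace-style Configuration Manager log lines and keep failures.

# Constructed sample lines, not real log output
$sample = @'
<![LOG[Sync failed: WSUS server not configured. Source: CWSyncMgr::DoSync]LOG]!><time="02:00:11.123+000" date="11-12-2014" component="SMS_WSUS_SYNC_MANAGER" context="" type="3" thread="4120" file="wsyncmgr.cpp:5021">
<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://wsus.contoso.com:8530 and Policy ENABLED]LOG]!><time="09:15:02.001+000" date="11-12-2014" component="WUAHandler" context="" type="2" thread="2284" file="cwuahandler.cpp:2410">
<![LOG[Successfully completed scan.]LOG]!><time="09:15:40.555+000" date="11-12-2014" component="WUAHandler" context="" type="1" thread="2284" file="cwuahandler.cpp:3055">
'@

function ConvertFrom-CMTraceLog {
    # Turns one CMTrace line into an object; lines that do not match are dropped.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Line)
    process {
        $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\stype="(?<type>\d)"'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                # type 1 = informational, 2 = warning, 3 = error in CMTrace's colouring
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CMLogProblem {
    # Returns only warnings and errors from a set of log lines.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $Lines | Where-Object { $_ } | ConvertFrom-CMTraceLog |
        Where-Object { $_.Severity -ne 'Info' }
}

Get-CMLogProblem -Lines ($sample -split "`r?`n") |
    Format-Table Date, Time, Component, Severity, Message -AutoSize

# Real use, for example on a client:
# Get-CMLogProblem -Lines (Get-Content "$env:windir\CCM\Logs\WUAHandler.log")
```

The second sample line is the client-side signature of the Group Policy conflict described under "Scanning for update compliance"; the first is the kind of entry the Software Update Point Synchronization Status node summarizes from wsyncmgr.log.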

Automatic deployment rules


Automatic deployment rules help you automate the deployment of specific update types,
depending on the criteria that you configure. You can use an automatic deployment rule to
automate:
■ Selection of software updates per criteria that you specify.
■ Creation of a software update group that contains the selected updates.
■ Download and distribution of software-update content to distribution points.
■ Deployment of updates to client computers.
Automatic deployment rules are beneficial for managing routine updates, such as monthly
deployments of software updates and definition updates for antimalware solutions such as
System Center 2012 R2 Endpoint Protection (Endpoint Protection).
An automatic deployment rule relies on property filters and search criteria that you con-
figure to specify the updates that become part of an associated software update group. For
example, you might want to automate creation of a software update group that contains any
definition updates released within the past week. To meet this requirement, you configure a
rule based on the Date Revised and Update Classification property filters. The Date Revised
filter would contain a criterion that selects updates released within the past week, and you
would configure the Update Classification filter to select Definition Updates.
After the rule runs, you have the option to:
■ Enable download and deployment of the updates within a software update group.
■ Use the rule to automate membership creation or updating for a software update
group and create the deployment object. This enables you to verify the list of the
group’s software updates and then enable the update group’s deployment manually as
needed.
You use the Create Automatic Deployment Rule Wizard to specify settings that relate to
the automatic deployment rule. To start the wizard, use the following procedure:
1. From the Software Library workspace, expand the Software Updates node.
2. Select Automatic Deployment Rules.
3. On the ribbon, click Create Automatic Deployment Rule.
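The same rule the text uses as its example (definition updates revised in the past week, added to a software update group and deployed) can be created from the Configuration Manager cmdlet library instead of the wizard. The following is an added example, not code from the book; the site code, collection, package and distribution point group names are placeholders, and the parameter names are the cmdlet library's as the author of this example understands them, so verify them with Get-Help New-CMSoftwareUpdateAutoDeploymentRule on your build before relying on them.

```powershell
# Added example: create and run an automatic deployment rule for Endpoint
# Protection definition updates. Run from a console computer with the
# Configuration Manager cmdlet library installed.

$siteCode = 'PS1'   # assumed site code
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$($siteCode):"

$ruleName = 'EP Definitions - weekly'

# Property filters: Update Classification = Definition Updates, Date Revised = last week.
# The rule is evaluated after every software update point synchronization, as the
# wizard's Evaluation Schedule page does by default.
New-CMSoftwareUpdateAutoDeploymentRule `
    -Name $ruleName `
    -Description 'Definition updates revised in the last 7 days' `
    -CollectionName 'Workstations - Endpoint Protection' `
    -AddToExistingSoftwareUpdateGroup $true `
    -EnabledAfterCreate $true `
    -DeployWithoutLicense $true `
    -SendWakeupPacket $false `
    -VerboseLevel OnlyErrorMessages `
    -UpdateClassification 'Definition Updates' `
    -DateReleasedOrRevised Last1Week `
    -RunType RunTheRuleAfterAnySoftwareUpdatePointSynchronization `
    -AvailableImmediately $true `
    -DeadlineImmediately $true `
    -UserNotification HideAll `
    -UseUtc $false `
    -DeploymentPackageName 'EP Definitions' `
    -DistributionPointGroupName 'All Distribution Points' `
    -DownloadFromInternet $true `
    -LanguageSelection 'English' | Out-Null

# Run the rule now rather than waiting for the next synchronization, then list
# what it selected. Assumption: with an existing-group rule, the software update
# group carries the rule's name.
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $ruleName
Get-CMSoftwareUpdate -UpdateGroupName $ruleName |
    Select-Object ArticleID, LocalizedDisplayName, DateRevised |
    Sort-Object DateRevised -Descending |
    Format-Table -AutoSize
```

Leaving EnabledAfterCreate at $false gives the second behavior the text describes: the rule still builds the group and the deployment object, but you review the group's membership before enabling the deployment by hand.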

On the pages of the Create Automatic Deployment Rule Wizard, described in Table 3-1,
provide the following settings:

TABLE 3-1 Automatic Deployment Rule Wizard pages and settings

Page Description

General Enables you to conigure general information for the automatic deployment rule,
including the following:
■ Name Use to provide the name associated with the automatic deployment
rule.
■ Description Use to provide additional information about the rule.
■ Template Select a previously saved deployment template or use the built-in
Deinition Updates or Patch Tuesday templates. Create a deployment template
to save the current coniguration settings for the deployment during the wiz-
ard’s last step.
■ Collection Specify the collection that the software update deployment is
targeting.
■ Software Update Group Add software updates to an existing software
update group or ensure creation of a new software
update group each time the rule runs.
■ Enable The Deployment After This Rule Runs Specify whether the updates
deploy to clients immediately after rule evaluation. If you do not select this
option, you need to enable the deployment of the software update group
manually.

Deployment Enables you to conigure speciic deployment settings, such as:


Settings
■ Use Wake On LAN To Wake Up Clients For Required Deployments Select
this check box to enable Wake On LAN functionality.
■ Detail Level Specify the amount of information the client returns. Options
include All Messages, Only Success And Error Messages, and Only Error
Messages.
■ License Agreement Choose automatic deployment of software updates that
do not include a license agreement or choose deployment of software updates
regardless of whether they have a license agreement.

Software Updates Enables you to select the property ilters and specify the respective search criteria you
use to add software updates to the associated software update group.

Evaluation Enables you to specify a schedule for running a rule. By default, the evaluation schedule
Schedule is set to run after any software update-point synchronization. If you choose to run the
rule on a speciic schedule, you should ensure that the evaluation schedule does not
exceed the frequency of the synchronization schedule for the software update point.

154 Chapter 3 Plan and implement software updates

From the Library of Ida Schander


Deployment Schedule  Enables you to configure deployment schedule settings, including:
■ Whether the schedule is evaluated by using the client's local time or Coordinated Universal Time (UTC). The latter ensures that deployment occurs at the same time for all clients, regardless of their time zone location.
■ Software available time. The Software Available Time section enables you to schedule when the deployment will become available to clients.
■ An installation deadline. When a scheduled deadline is reached, the software updates in the associated software update group install on the client computers, and the computers restart if necessary and allowed.

User Experience  Enables you to specify various options for the user experience. Three sections outline the user experience:
■ User Visual Experience  Use one of three options for user notifications: Display In Software Center And Show All Notifications; Display In Software Center, And Only Show Notifications For Computer Restarts; and Hide In Software Center And All Notifications.
■ Deadline Behavior  Specify activities that can take place outside a configured maintenance window. The options include Software Installation and System Restart.
■ Device Restart Behavior  Specify whether to suppress a restart for servers, workstations, or both.

Alerts  Enables you to specify criteria for generating a Configuration Manager alert. You also can specify alert behavior in relation to Operations Manager. For example, to minimize false alerts, you might choose to disable Operations Manager alerts whenever software updates install on a computer.

Download Settings  On the Download Settings page, you can:
■ Specify how software updates run when the client is connected to a slow or unreliable network boundary. By design, when a client connects to a fast network boundary, the client downloads content from the distribution point and then installs the software updates locally. By default, when a client connects to a slow network boundary, the client does not install software updates.
■ Configure the deployment so that clients can download updates from an unprotected distribution point if they are not available on a protected distribution point.
■ Enable peer-to-peer content distribution, which uses BranchCache functionality.
■ Configure clients to download the content directly from Microsoft Update if it is not available on a distribution point.
■ Configure clients on a metered connection to download the content after the installation deadline.

Deployment Package  Enables you to select an existing deployment package or create a new deployment package so that updates deploy from an automatic deployment rule. The deployment package specifies the package source for the deployment. You must create and share the package source folder that the deployment package uses. Each deployment package uses its own shared folder.



Distribution Points  Enables you to specify the distribution points or distribution-point groups that host the package files for deployment. This page is visible only if you are creating a new deployment package.

Download Location  Enables you to specify the location from which you download the software update files. If you have an Internet connection from the software update point, you can select Download Software Updates From The Internet. If you do not have an Internet connection from the software update point, you can download the software updates manually from a different computer and then store the files on an accessible network location.

Language Selection  Specifies the languages that you should download for each software update file.

Summary  The Summary page enables you to verify the Automatic Deployment Rule Wizard settings. You also can click the Save As Template button to save the settings that you want to use for subsequent deployments. When you click the Save As Template button, you can select the specific settings that you want to include in the saved template.

MORE INFO AUTOMATIC DEPLOYMENT RULES
You can learn more about automatic deployment rules at http://technet.microsoft.com/en-us/library/gg682168.aspx#BKMK_DeploymentWorkflows.
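The wizard pages in the table above map one-to-one onto parameters of New-CMSoftwareUpdateAutoDeploymentRule in the Configuration Manager 2012 R2 PowerShell module. The following is an added example, not code from the book or from Microsoft: it creates the rule disabled so it can be reviewed before it starts deploying, evaluates it only after a software update point synchronization (so it can never run more often than new metadata arrives), uses UTC so the deadline hits every time zone at the same moment, and suppresses forced restarts on servers. The site code PS1, the collection, package and distribution point group names, and the package source share are assumptions; parameter names are from the 2012 R2 cmdlet reference and should be confirmed with Get-Help New-CMSoftwareUpdateAutoDeploymentRule -Full on your own console, because the module changed between versions.

```powershell
# Added example (not from the book): create an automatic deployment rule (ADR)
# with the Configuration Manager 2012 R2 cmdlets, mapping each wizard page to
# its parameter. Site code, collection, package name, DP group and share are
# assumptions. Run from a computer with the Configuration Manager console.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                        # assumed site code

$packageSource = '\\CM01\Sources$\Updates\Win81-CritSec'   # assumed; must already exist and be shared

# Evaluation Schedule : run after each SUP synchronization.
# Deployment Schedule : UTC, available after 1 day, deadline 7 days later.
# User Experience     : restart notifications only; restarts allowed for
#                       workstations, suppressed for servers.
# Alerts              : silence Operations Manager while updates install.
# Download Settings   : BranchCache on, Microsoft Update as fallback source.
# Software Updates    : Windows 8.1, Critical + Security, not superseded,
#                       released or revised in the last month.
# Deployment Package  : named package with the share above as its source.
# Download Location   : download from the Internet; Language: English.
$adrParams = @{
    Name                                              = 'Win81 Critical and Security'
    Description                                       = 'Critical and security updates for Windows 8.1, 7-day deadline'
    CollectionName                                    = 'All Windows 8.1 Workstations'
    AddToExistingSoftwareUpdateGroup                  = $true
    EnabledAfterCreate                                = $false     # review before enabling
    RunType                                           = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    UseUtc                                            = $true
    AvailableTime                                     = 1
    AvailableTimeUnit                                 = 'Days'
    DeadlineTime                                      = 7
    DeadlineTimeUnit                                  = 'Days'
    UserNotification                                  = 'DisplaySoftwareCenterOnly'
    AllowSoftwareInstallationOutsideMaintenanceWindow = $false
    AllowRestart                                      = $true
    SuppressRestartServer                             = $true
    SuppressRestartWorkstation                        = $false
    DisableOperationManager                           = $true
    GenerateOperationManagerAlert                     = $false
    UseBranchCache                                    = $true
    DownloadFromMicrosoftUpdate                       = $true
    Product                                           = 'Windows 8.1'
    UpdateClassification                              = 'Critical Updates', 'Security Updates'
    Superseded                                        = $false
    DateReleasedOrRevised                             = 'Last1Month'
    DeploymentPackageName                             = 'Win81 Critical-Security'
    Location                                          = $packageSource
    DistributionPointGroupName                        = 'All Distribution Points'
    DownloadFromInternet                              = $true
    LanguageSelection                                 = 'English'
}
New-CMSoftwareUpdateAutoDeploymentRule @adrParams

# Verify the rule object, then enable it and trigger the first evaluation on
# demand instead of waiting for the next synchronization.
Get-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name |
    Select-Object Name, AutoDeploymentEnabled, LastRunTime, LastErrorCode
Enable-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $adrParams.Name
```

After the first run, RuleEngine.log on the site server records which updates the filters matched and whether the package download succeeded; a rule that matches nothing usually means the product or classification is not selected on the software update point's synchronization settings.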

Thought experiment
Deploying a Configuration Manager software update point at Fabrikam
You are the server administrator at Fabrikam. You are planning the deployment of Configuration Manager, which you will initially use to manage software updates. You have deployed WSUS 4.0 on a computer running Windows Server 2012 R2. This computer will host only the WSUS role and no Configuration Manager site system roles. With this information in mind, answer the following questions:

1. What software element must you deploy on the site server if it is to host the software update point role?

2. Which other Configuration Manager roles must be present in the Configuration Manager site to support the software update point?

Objective summary
■ The Configuration Manager software update point integrates with WSUS to allow software updates to be deployed to Configuration Manager clients.
■ The Configuration Manager software update point integrates with WSUS 3.0 SP2 or newer.
■ The software-updates synchronization process retrieves the metadata from an upstream software update point or from Microsoft Update.



■ You configure Client Settings to specify the software update configuration settings for Configuration Manager clients.
■ Scanning for compliance enables you to determine whether Configuration Manager clients are missing updates.
■ A software update group is a collection of software updates.
■ Deploying software updates involves creating a deployment package, downloading the software update files, and then distributing them to distribution points.
■ You can use several methods to monitor and troubleshoot the client compliance and deployment of software updates, including the All Software Updates results pane, alerts, status messages, reports, WSUS logs, server-side logs, and client logs.
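The checks below are an added example, not part of the book, of what to run on a site server whose software update point talks to a remote WSUS server over HTTPS, the scenario in the thought experiment and in the review questions that follow. They confirm the WSUS console components are installed locally, that TCP port 8531 (the default HTTPS port for WSUS on Windows Server 2012 R2; 8530 is the HTTP default) is reachable, that the WSUS server certificate chains to a CA the site server trusts, and then pull the relevant lines from the server-side synchronization logs. The WSUS host name and the log folder are assumptions; the log folder shown is the default installation path.

```powershell
# Added example (not from the book): connectivity, trust and log checks for a
# software update point (SUP) that uses a remote WSUS server over HTTPS.
# Host name and log path are assumptions; adjust for your site.

$wsusServer = 'WSUS01.fabrikam.internal'     # assumed remote WSUS host
$wsusPort   = 8531                            # WS2012 R2 WSUS defaults: 8531 HTTPS, 8530 HTTP
$cmLogs     = 'C:\Program Files\Microsoft Configuration Manager\Logs'   # default site server log folder

# 1. With WSUS on another server, the SUP needs the WSUS administration
#    console (API + UI) installed locally to talk to it.
Get-WindowsFeature -Name UpdateServices-API, UpdateServices-UI |
    Select-Object Name, InstallState

# 2. TCP reachability of the WSUS HTTPS port from the site server.
$tcp = Test-NetConnection -ComputerName $wsusServer -Port $wsusPort
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Port $wsusPort on $wsusServer is not reachable; check the firewall and the WSUS SSL binding"
}

# 3. Certificate trust: an HTTPS request fails with a trust error if the WSUS
#    server certificate was issued by a CA the site server does not trust.
$uri = "https://${wsusServer}:${wsusPort}/ClientWebService/client.asmx"
$req = [System.Net.HttpWebRequest]::Create($uri)
$req.Timeout = 10000
try {
    $req.GetResponse().Close()
    "TLS handshake and certificate trust OK for $uri"
} catch [System.Net.WebException] {
    Write-Warning "HTTPS request to $uri failed: $($_.Exception.Message)"
}

# 4. Server-side logs: wsyncmgr.log covers synchronization, WSUSCtrl.log the
#    WSUS configuration/health checks, WCM.log the SUP's configured server,
#    port and SSL setting.
Get-Content "$cmLogs\wsyncmgr.log" -Tail 40 | Select-String -Pattern 'error|fail|sync (succeeded|failed)'
Get-Content "$cmLogs\WSUSCtrl.log"  -Tail 20 | Select-String -Pattern 'error|fail|successfully'
Get-Content "$cmLogs\WCM.log"       -Tail 20 | Select-String -Pattern 'port|ssl'
```

Step 3 is the one most often skipped: the port can be open and the sync still fail because the WSUS certificate was issued by a CA that only the WSUS server trusts. The same trust requirement applies to every client that scans against that WSUS server, so publish the issuing CA certificate to the clients before switching the software update point to SSL.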

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You are configuring the connection between the Configuration Manager software update point and a separate WSUS server hosted on a computer running the Windows Server 2012 R2 operating system. This WSUS server is configured using default ports and is configured to accept only secure (HTTPS) traffic. Which port will the Configuration Manager software update point need to use for a connection?
A. 8530
B. 8531
C. 80
D. 443
2. Which of the following log files would you examine to review information about synchronization between the software update point and a WSUS server?
A. Wsyncmgr.log
B. WSUSCtrl.log
C. SoftwareDistribution.log
D. ScanAgent.log
3. Which of the following compliance states indicates that an update should be deployed to a client computer?
A. Unknown
B. Installed
C. Not Required
D. Required



Objective 3.3: Deploy software updates by using Microsoft Intune
Microsoft Intune provides you with an alternative method of managing software updates for computers that are outside the perimeter network or in remote branch offices where deploying a WSUS server or Configuration Manager is impractical. In this section, you learn how you can manage software updates with Intune.

This section covers the following topics:
■ Microsoft Intune update policies
■ Update categories and classifications
■ Approving updates
■ Automatic approval rules
■ Third-party updates

Microsoft Intune update policies
Intune can provide software updates to clients on which the Intune agent is installed. When you install the Intune agent on a computer, the computer retrieves updates from Intune. You should ensure that any Group Policy settings configuring an update server are removed prior to deploying the Intune agent because the settings might interfere with the computer retrieving updates.
How Intune clients retrieve updates is determined by Intune policies, which include settings related to endpoint protection, network bandwidth, user device linking, and updates. The updates settings enable you to configure settings around the installation of software updates and applications.
To create an update policy, perform the following steps:
1. In the Intune Administrator console, click Policy, click Overview, and then click Add Policy under Tasks.
2. In the Create A New Policy dialog box, click Windows Intune Agent Settings, select Create And Deploy A Custom Policy, as shown in Figure 3-12, and then click the Create Policy button.



FIGURE 3-12 Creating a policy

3. In the Updates section, shown in Figure 3-13, configure the following settings:
■ Name  Type a name for the policy on the General page.
■ Update And Application Detection Frequency (Hours)  Indicate how often you want the client to check for updates.
■ Automated Or Prompted Installation Of Updates And Applications  Configure whether updates and applications are installed automatically according to a schedule, or the user is prompted for the installation of updates and applications.
■ Allow Immediate Installation Of Updates That Do Not Interrupt Windows  Specify whether updates that do not require a restart will be installed immediately.
■ Delay To Restart Windows After Installation Of Scheduled Updates And Applications (Minutes)  Specify how long the computer will wait before restarting.
■ Allow Logged On User To Control Windows Restart After Installation Of Scheduled Updates And Applications  This option allows a signed-on user to control whether a computer restarts after the installation of applications and updates.
■ Prompt User To Restart Windows During Windows Intune Client Agent Mandatory Updates  Determines whether the user is prompted after the installation of a mandatory update that requires a restart.



■ Windows Intune Client Agent Mandatory Updates Installation Schedule  Specify when mandatory updates will be installed.
■ Delay Between Prompts To Restart Windows After Installation Of Scheduled Updates And Applications (Minutes)  Specify the period between restart prompts.

FIGURE 3-13 Updating a policy

4. Click Save Policy to save the policy.
5. In the Do You Want To Deploy This Policy Now pop-up box, click Yes.
6. In the Manage Deployment dialog box, shown in Figure 3-14, select the groups to which you want to deploy the policy and then click OK.



FIGURE 3-14 Selecting groups

Update categories and classifications
Use update categories and classifications to configure the products and update classifications for which Intune will manage updates. Although you can configure Intune to manage updates for almost every currently supported Microsoft product, you should only configure Intune so that it manages updates for products that are actually installed on computers that have the Intune agent. Figure 3-15 shows that Intune can manage the following update classifications:
■ Critical Updates
■ Security Updates
■ Definition Updates
■ Service Packs
■ Update Rollups



FIGURE 3-15 Service Settings: Updates

Approving updates
To deploy updates to Intune clients, approve them in the Intune Administration console. To approve an update, perform the following steps:
1. In the Intune Administration console, click Updates.
2. In the All Updates node, shown in Figure 3-16, select the update that you want to approve and click Approve.

FIGURE 3-16 All Updates



3. On the Select Groups page, shown in Figure 3-17, select the groups to which you want to deploy the update and click Add. Then click Next.

FIGURE 3-17 Select Groups

4. On the Deployment Action page, shown in Figure 3-18, select the approval status for the update. You can choose from among Required Install, Do Not Install, Available Install, and Uninstall. Then click Finish.



FIGURE 3-18 Deployment Action

Automatic approval rules
Automatic approval rules enable you to configure Intune to approve updates automatically, based on product category and update classification. When you configure an automatic approval rule, the update will be deployed automatically rather than requiring an administrator to perform manual approval. For example, you might configure an automatic approval rule for Windows 8.1 operating system updates that are classified as critical or security. Any Windows 8.1 operating system update that Microsoft publishes that has the critical or security classification will automatically be published to Intune clients.

EXAM TIP
Remember that approval rules will work only if Intune manages the products and classifications that are the subject of the rule. There’s no point creating an approval rule for Windows 8.1 updates if Intune isn’t configured to manage updates for Windows 8.1.

To create an automatic approval rule, perform the following steps:
1. In the Administration workspace of the Intune Administration console, click Updates and then scroll to Automatic Approval Rules. Click the New button.
2. On the General page of the Create Automatic Approval Rule Wizard, create a name and provide a description for the rule. Then click Next.



3. On the Product Categories page, select the products to which the automatic approval rule applies. Then click Next. Figure 3-19 shows Windows 8.1 selected.

FIGURE 3-19 Product Categories

4. On the Update Classifications page, select the update classifications for which the rule will perform an automatic approval. Then click Next. Figure 3-20 shows Critical Updates and Security Updates selected.



FIGURE 3-20 Update Classifications

5. On the Deployment page, select the Intune groups for which the automatic approval rule will approve the update. You can also configure an installation deadline for updates approved by this rule. Then click Add. Figure 3-21 shows the All Computers group selected and an installation deadline of 14 Days After Approval. Click Next to proceed.

FIGURE 3-21 Deployment

6. On the Summary page, click Finish to create the automatic approval rule.

Third-party updates
You can use Intune to deploy updates from vendors other than Microsoft. You do this by manually uploading the update files, which can be in .msi, .msp, or .exe format. To upload and configure a third-party update in Intune, perform the following steps:
1. In the Updates workspace of the Intune Administration console, click Upload under Tasks.
2. On the Update Files page, select the file you want to upload and click Next.
3. Select a classification. You can choose from among Updates, Critical Updates, Security Updates, Update Rollups, or Service Packs. Then click Next.
4. On the Requirement page, select the operating system and architecture (x86 or x64) requirements for the update and then click Next.
5. On the Detection Rules page, specify how Intune can check whether the update has already been deployed on the Intune client. This check can be performed by looking for an existing file, an MSI product code, or a specific registry key. Click Next.
6. On the Prerequisites page, identify any prerequisite software required for update installation and then click Next.



You can specify None if no prerequisites are required or specify an existing file, an MSI product code, or a specific registry key.
7. On the Command Line Arguments page, specify any command-line arguments required to deploy the update and then click Next.
8. On the Return Codes page, specify how Intune should interpret the return codes that the update installation generates. Click Next. Finally, click Upload to complete.
After the update is uploaded to Intune, you can approve it using the same method you use to approve other software updates.
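A detection rule that is wrong in either direction is costly: too loose and the update is silently never installed, too strict and it is reinstalled on every cycle. The script below is an added example, not the Intune agent's code and not from the book, for rehearsing steps 5 through 8 on a reference computer before the upload: it implements the three detection rule kinds the wizard offers (existing file, MSI product code, registry key), runs the installer with the intended command-line arguments, and maps the exit code to the outcome you will declare on the Return Codes page. The installer path, product code and registry path are placeholders; the exit-code meanings are the standard Windows Installer conventions.

```powershell
# Added example (not from the book): rehearse a third-party update's detection
# rule, command line and return codes on a reference machine before uploading
# it to Intune. File path, product code and registry key are placeholders.

function Test-DetectionRule {
    param(
        [ValidateSet('File', 'MsiProductCode', 'RegistryKey')] [string] $Type,
        [string]  $Value,
        [version] $MinVersion      # optional, File rules only
    )
    switch ($Type) {
        'File' {
            if (-not (Test-Path -LiteralPath $Value)) { return $false }
            if ($MinVersion) {
                $ver = [version](Get-Item -LiteralPath $Value).VersionInfo.FileVersion
                return ($ver -ge $MinVersion)
            }
            return $true
        }
        'MsiProductCode' {
            # An installed MSI product has a key named after its product code
            # under Uninstall; check both the 64-bit and the 32-bit views.
            $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
            foreach ($root in $roots) {
                if (Test-Path -LiteralPath (Join-Path $root $Value)) { return $true }
            }
            return $false
        }
        'RegistryKey' { return (Test-Path -LiteralPath $Value) }
    }
}

function Invoke-UpdateInstaller {
    param([string] $FilePath, [string] $Arguments)
    # .msi and .msp go through msiexec; an .exe is run directly.
    switch ([System.IO.Path]::GetExtension($FilePath).ToLower()) {
        '.msi'  { $exe = 'msiexec.exe'; $argList = "/i `"$FilePath`" $Arguments" }
        '.msp'  { $exe = 'msiexec.exe'; $argList = "/p `"$FilePath`" $Arguments" }
        default { $exe = $FilePath;     $argList = $Arguments }
    }
    $sp = @{ FilePath = $exe; Wait = $true; PassThru = $true }
    if ($argList) { $sp.ArgumentList = $argList }
    return (Start-Process @sp).ExitCode
}

function Resolve-ReturnCode {
    param([int] $Code)
    # Windows Installer conventions; declare the same outcomes on the
    # Return Codes page of the upload wizard.
    switch ($Code) {
        0       { 'Success' }
        3010    { 'Success, restart required' }
        1641    { 'Success, restart initiated by the installer' }
        1618    { 'Failure, another installation is in progress (retry later)' }
        default { "Failure (exit code $Code)" }
    }
}

# Usage on the reference machine (placeholders):
$update = 'C:\Staging\ContosoViewer-2.1.3.msi'
$rule   = @{ Type = 'MsiProductCode'; Value = '{12345678-ABCD-4321-EF00-112233445566}' }

if (Test-DetectionRule @rule) {
    'Detection rule already matches: the update would be treated as installed'
} else {
    $code = Invoke-UpdateInstaller -FilePath $update -Arguments '/qn /norestart'
    "Installer exit code $code -> $(Resolve-ReturnCode $code)"
    "Detection rule after install: $(Test-DetectionRule @rule)"
}
```

The last line is the check that matters: if the detection rule is still false after a successful install, the product code or path you plan to enter on the Detection Rules page does not describe what the installer actually wrote, and the upload should be corrected before any group is approved for it.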

EXAM TIP
Remember that you can use SCUP or Intune to publish third-party updates to computers.

Thought experiment
Intune for update deployment for Contoso remote clients
You are responsible for managing software updates for remote clients at Contoso. All remote clients use the Windows 8.1 operating system and run the same suite of third-party applications. You want to ensure that any security and critical updates are deployed as soon as possible. You will review other updates before deciding to deploy them. With this information in mind, answer the following questions:

1. How can you ensure that Windows 8.1 security and critical updates are installed as soon as possible?

2. What steps must you take to deploy updates for the suite of third-party applications?

Objective summary
■ Intune can provide updates to clients on which the Intune agent is installed.
■ You select which updates Intune provides to clients, based on product and update classification.
■ When you manually approve updates, you select the group for which the update is approved and specify a deployment action.
■ Automatic approval rules enable you to deploy updates automatically, based on product and update classification.
■ You can upload third-party updates to Intune and distribute them to Intune clients.



Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You have noticed that, although updates for Windows 7 are present within the list of available updates in the Intune console, updates for Windows 8 and Windows 8.1 are not present. Which of the following should you configure to resolve this problem?
A. Automatic approval rules
B. Third-party updates
C. Update policies
D. Update categories and classifications
2. You want to ensure that a user who is signed on to a computer can control whether Windows restarts after the installation of scheduled updates deployed from Intune. Which of the following would you configure to accomplish this goal?
A. Update categories and classifications
B. Update policies
C. Third-party updates
D. Automatic approval rules
3. You want computers running Windows 8.1 in your organization’s Melbourne branch office to install critical operating system updates automatically. Computers running Windows 8.1 in your organization’s Canberra office should install critical operating system updates only if an administrator manually approves those updates. Which of the following should you configure to accomplish this goal? (Choose two. Each correct answer provides part of a complete solution.)
A. Configure multiple computer groups.
B. Configure update policies.
C. Configure update categories and classifications.
D. Configure automatic approval rules.



Answers

Objective 3.1
Thought experiment
1. Use the Catalogs workspace of the System Center Updates Publisher console to subscribe to the update catalog the third-party vendor published.
2. The WSUS server and WSUS clients must trust the CA that issued the signing certificate installed on the SCUP server.

Objective review
1. Correct answer: B
A. Incorrect: The Installable rule type determines whether a target computer requires a software update.
B. Correct: The Installed rule type determines whether an update is already present on a computer.
C. Incorrect: Automatic approval rules are used with Intune to deploy updates automatically, based on classification and product.
D. Incorrect: Automatic deployment rules are used with Configuration Manager to deploy updates automatically, based on classification and product.
2. Correct answer: C
A. Incorrect: You use the Updates workspace to manage updates and update bundles, but you use the Publications workspace to remove a software update from publication.
B. Incorrect: You use the Catalogs workspace to subscribe to update catalogs that third-party vendors publish.
C. Correct: You use the Publications workspace to remove a software update from publication.
D. Incorrect: You use the Rules workspace to edit rules that determine whether an update should be installed.
3. Correct answer: A
A. Correct: You specify whether an update requires a restart in the Restart Behavior section.
B. Incorrect: You use the Impact section to specify how an update should be handled—for example, whether it must be installed independently of other updates.



C. Incorrect: You use Severity to specify the security implications of an update.
D. Incorrect: You use the CVE ID field to specify the common vulnerabilities and exposures identifier.

Objective 3.2
Thought experiment
1. You must ensure that the WSUS administration console is installed on the site server, given that WSUS is hosted on a separate server. This allows communication between the software update point and the WSUS server.
2. You must ensure that the management point and distribution point roles are also deployed.

Objective review
1. Correct answer: B
A. Incorrect: Port 8530 is used for HTTP communication in the default configuration of WSUS on Windows Server 2012 R2. You need to use port 8531 when configuring communication by using HTTPS.
B. Correct: You need to use port 8531 when configuring communication by using HTTPS.
C. Incorrect: Port 80 is usually reserved for HTTP traffic. With WSUS on Windows Server 2012 R2, the default HTTP port is 8530.
D. Incorrect: Although port 443 is usually reserved for HTTPS traffic and was used for secure communication with earlier versions of WSUS, more recent versions of WSUS use port 8531 for HTTPS communication.
2. Correct answer: A
A. Correct: Located on the site server, the Wsyncmgr.log log file provides information about the software-updates synchronization process.
B. Incorrect: The WSUSCtrl.log log file provides information about the configuration, database connectivity, and health of the site’s WSUS server.
C. Incorrect: The SoftwareDistribution.log log file provides information about the software updates that synchronize from the configured update source to the WSUS server database.
D. Incorrect: Located on the client computer, the ScanAgent.log log file provides information about the scan requests for software updates, which tool is requested for the scan, and the WSUS location.



3. Correct answer: D
A. Incorrect: The Unknown compliance state indicates that the site server has not received information from the client computer. Although the update might be required, this is not the best answer.
B. Incorrect: The Installed compliance state indicates that the update has been installed.
C. Incorrect: The Not Required compliance state indicates that the update does not need to be deployed.
D. Correct: The Required compliance state indicates that the update should be deployed to the client computer.

Objective 3.3
Thought experiment
1. Create an automatic approval rule that approves all critical and security updates for computers running Windows 8.1.
2. Import third-party updates into Intune and then approve them for distribution.

Objective review
1. Correct answer: D
A. Incorrect: Automatic approval rules automatically approve updates based on product and classification. If the Windows 8 and Windows 8.1 updates are not present in the Intune console, you need to change the update categories and classifications settings.
B. Incorrect: You can upload third-party updates to Intune, but you should configure update categories and classifications to ensure that specific Microsoft operating systems and products are covered.
C. Incorrect: Update policies specify when and how updates will be deployed. You do not use them to configure which updates will be deployed.
D. Correct: You need to configure update categories and classifications to ensure that updates for Windows 8.1 will be available to your Intune deployment.
2. Correct answer: B
A. Incorrect: You configure update categories and classifications to ensure that updates for specific products and for specific classifications will be available to your Intune deployment.
B. Correct: Update policies specify when and how updates will be deployed, including whether a signed-on user can override a restart required to complete update installation.



C. Incorrect: You can upload third-party updates to Intune, but this doesn’t involve controlling restart behavior.
D. Incorrect: Automatic approval rules automatically approve updates based on product and classification. They do not control restart behavior.
3. Correct answers: A and D
A. Correct: You need to configure a group for the Melbourne computers and then configure an automatic approval rule.
B. Incorrect: Update policies do not determine which updates are installed, just when and how the updates are installed.
C. Incorrect: You only need to configure update categories and classifications if Intune isn’t obtaining updates of the required category and classification.
D. Correct: You need to configure a group for the Melbourne computers and then configure an automatic approval rule.



CHAPTER 4

Manage compliance and endpoint protection settings
For many industries, the configuration of computers and devices is subject to compliance legislation. You can use the System Center 2012 R2 Configuration Manager compliance functionality to ensure that your organization’s managed devices meet the necessary configuration standards. Configuration Manager also includes antimalware functionality so you can monitor and remediate malware incidents on clients in your organization’s environment.

Objectives in this chapter:
■ Objective 4.1: Build a configuration item.
■ Objective 4.2: Create and monitor a baseline.
■ Objective 4.3: Configure Endpoint Protection.

Objective 4.1: Build a configuration item
This objective deals with building configuration items for Configuration Manager. Such items enable you to evaluate the configuration of a Configuration Manager client. You can configure these items for Windows, Mac OS X, and mobile device clients.

This section covers the following topics:
■ Overview of compliance settings
■ Configuration items
■ Creating configuration items
■ Configuration item settings
■ Remediation



Overview of compliance settings
The Compliance Settings feature in Configuration Manager enables you to assess and manage configuration settings for Windows-based computers, Mac operating system (Mac OS X) computers, and devices running the Windows RT, Windows Phone, Windows Mobile, iOS, and Android mobile operating systems.
You can use compliance settings to:
■ Monitor the version of a device’s installed operating system.
■ Verify whether applications are installed and configured correctly.
■ Check for prohibited applications or security settings.
■ Check that specific software updates are installed.
■ Configure features and security settings on mobile devices.
■ Remediate noncompliant settings automatically (when supported).
■ Configure user data and profiles settings such as folder redirection, offline files, and roaming user profiles (applicable for Windows 8.x and newer only).
■ Configure company resource access by using remote connection, virtual private network (VPN), Wi-Fi, and certificate profiles. (This is applicable only for devices running Windows 8.x and newer, iOS, and Android operating systems.)
Compliance settings consist of one or more configuration items. Configuration items contain the specific settings and rules that define the requirements necessary to meet compliance. You can group configuration items into configuration baselines. You deploy configuration baselines to client systems to evaluate compliance and, potentially, perform remediation.

MORE INFO COMPLIANCE SETTINGS OVERVIEW
You can learn more about compliance settings at http://technet.microsoft.com/en-us/library/gg682139.aspx.

Configuration items
Configuration items contain one or more unique settings and values that you want to compare for compliance evaluation. For example, does a particular registry key have a particular setting, is a specific software update installed, or is the most recent version of an installed application deployed on the client?
Within a configuration item, you specify the compliance settings you are evaluating and the rules that should take effect based on those settings. You can use a single configuration item to evaluate multiple settings. When configuring a compliance rule as part of a configuration item, you can define the noncompliance severity that the client reports if the evaluation reveals noncompliance. If the configuration item supports remediation, you can specify the setting in the configuration item that you want to remediate, for example, changing a registry key value from 0 to 1.



You can specify configuration items for the following device types:
■ Windows
■ Mobile device
■ Mac OS X

Windows configuration items
You can specify Windows-based configuration items based on values related to the following settings:
■ Active Directory Query
■ Assembly
■ File System
■ IIS Metabase
■ Registry Key
■ Registry Value
■ Script
■ SQL Query
■ WQL Query
■ XPath Query
Depending on the specific setting, you can configure rules for reporting purposes or for performing remediation tasks.
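The Script setting type is the one that gives you the most control, and it follows a simple contract: the client runs the discovery script and compares whatever it writes to standard output with the value in the compliance rule; if the rule is noncompliant and remediation is enabled for it, the client runs the remediation script. The following discovery and remediation pair is an added example, not from the book, for the "registry value from 0 to 1" case described above. EnableLUA (the User Account Control switch) under its documented registry key is used as the illustration; the compliance rule for it would be data type Integer, value Equals 1. A missing key or value is reported as -1 so that it is noncompliant rather than silently skipped.

```powershell
# Added example (not from the book): discovery and remediation scripts for a
# Windows configuration item of setting type Script, data type Integer, with
# the compliance rule "value Equals 1". The registry key and value name are the
# documented location of the User Account Control (EnableLUA) setting.

# ----- Discovery script: paste into the Discovery script box -----
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableLUA'
try {
    # Read the DWORD; -ErrorAction Stop turns a missing value into an exception.
    $value = [int](Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction Stop).$name
} catch {
    # Key or value absent: report a value the rule can never accept,
    # so the client shows as noncompliant instead of being skipped.
    $value = -1
}
# This must be the script's only output; extra lines break the comparison.
Write-Output $value

# ----- Remediation script: paste into the Remediation script box -----
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'EnableLUA'
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}
Set-ItemProperty -LiteralPath $path -Name $name -Value 1 -Type DWord
# The next compliance evaluation reads 1 and reports compliant; the UAC
# change itself takes effect only after the computer restarts.
```

Two client-side details decide whether this pair works at all. First, the Configuration Manager client runs these scripts under the local System account and applies the PowerShell execution policy from Client Settings (Computer Agent); with the default of AllSigned, both scripts must be signed with a code-signing certificate the client trusts, and that is the setting to keep, because a script that can change security settings as System is exactly the kind of content an attacker would like to substitute. Second, for keys under HKLM\SOFTWARE select the option to run the scripts with the 64-bit scripting host on 64-bit clients, so that a 32-bit host's WOW6432Node redirection does not make the discovery script read or write a different key from the one you intended.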

Mobile device configuration items
Mobile device configuration items enable you to configure settings that you can apply to managed Windows, iOS, and Android devices. Some common settings include the following:
■ Password
■ Device
■ Email management
■ Store
■ Browser
■ Security
■ Windows Server work folders
You apply these configuration settings to devices that you manage through the Microsoft Intune connector.



Mac OS X configuration items
Mac OS X configuration items are rules that you want to evaluate for managed Mac OS X computers. Configuration items include:
■ Mac OS X Preferences.
■ Scripts.

Creating configuration items
You can create a configuration item by using any of the following methods:
■ Create a configuration item manually.
■ Create a child configuration item from an existing Windows-based configuration item.
■ Import configuration data.
■ Copy an existing configuration item.

Create a configuration item manually
The most direct way to create a configuration item is to select the Configuration Items node, which is located under Compliance Settings in the Assets And Compliance workspace. Click Create Configuration Item on the ribbon. This starts the Create Configuration Item Wizard.
On the General page of the Create Configuration Item Wizard, shown in Figure 4-1, configure the following basic settings about the configuration item:
■ Name  Provide a name for the configuration item.
■ Description  Provide a description for the configuration item.
■ Type  Specify whether this configuration item is for Windows clients, mobile devices, or Mac OS X clients. When specifying the type as Windows clients, you can specify whether the configuration item is an application. This reveals additional options that you can use for detecting the application.
■ Categories  Provide an administrative category that you can use to tag your configuration items.



FIGURE 4-1 Create Configuration Item Wizard

After completing the General page, the wizard takes different paths, depending on which type of configuration item you are creating. Table 4-1 describes the pages that appear for each of the types.

TABLE 4-1 Create Configuration Item Wizard options

Type: Windows
Detection Methods  This page appears only if you selected the This Configuration Item Contains Application Settings check box on the General page of the wizard. On the Detection Methods page, you can specify the manner in which the application is detected.
Supported Platforms  On this page, you can configure the Windows operating systems that will assess this configuration item for compliance. If you selected the This Configuration Item Contains Application Settings check box on the General page, this page appears after the Compliance Rules page.
Settings  On this page, you can add new settings that you need to monitor.
Compliance Rules  On this page, you can add new compliance rules used to evaluate the settings based on specified conditions.

Objective 4.1: Build a coniguration item CHAPTER 4 179

From the Library of Ida Schander


Type Wizard page Description

Mobile device Mobile Device Settings On this page, you select the Mobile Device Settings
Groups item that you want to evaluate in this conigura-
tion item. For each group that you choose, the wizard
adds a page.

Supported Platforms On this page, you select the mobile device operating sys-
tems that this coniguration item can evaluate. The sup-
ported platforms include:
■ Windows Mobile 6.1 and 6.5.
■ Nokia Symbian.
■ Windows Phone 8.
■ Windows RT.
■ Windows 8.1.
■ iOS 5, iOS 6, and iOS 7.
■ Android 4, Android 4.1, and 4.2.

Platform Applicability This page displays the mobile device settings that do
not support all the platforms that you speciied on the
Supported Platforms page.

Mac OS X Supported Platforms On this page, you select the Mac OS X operating systems
that this coniguration item can evaluate. The supported
platforms include Mac OS X 10.6, Mac OS X 10.7, and Mac
OS X 10.8.

Settings On this page, you can add new settings that you want to
monitor.

Compliance Rules On this page, you can add new compliance rules to evalu-
ate the settings based on speciied conditions.

Create a child configuration item
Use the create a child configuration item method to create a configuration item that inherits the properties of an existing configuration item. You then can refine the properties with a more detailed configuration. To create a child configuration item, select the configuration item that you want to use as a parent and then, on the ribbon, click Create Child Configuration Item. This starts the Create Child Configuration Item Wizard.
The Create Child Configuration Item Wizard has the same options as the Create Configuration Item Wizard except that you cannot remove or modify settings inherited from the parent configuration item. You can add settings or compliance rules to refine a configuration item further for a specific baseline. You can create child configuration items only for Windows-based configuration items.



Import configuration data
You can import configuration items that you have:
■ Exported from other sites.
■ Downloaded as part of configuration packs from the Microsoft website or from other vendors.
To import configuration data, select the Configuration Items node and then, on the ribbon, click the Import Configuration Data button. This starts the Import Configuration Data Wizard. In this wizard, you import one or more cabinet (.cab) files with configuration data, which you can use in Configuration Manager.

Copy existing configuration items
You use the copy existing configuration items method to create a configuration item with the properties of an existing configuration item but for which you want to modify some settings. When you copy a configuration item, you do not maintain a relationship between the new configuration item and the configuration item that you copied. To copy a configuration item, select the configuration item you want to copy and then, on the ribbon, click Copy. This opens the Configuration Item Name dialog box. Provide a name for the copy in the dialog box to create a copy. Then you can edit it as you would edit a configuration item that you created manually.

Configuration item revision history
Configuration Manager maintains a revision history of each configuration item. When you modify a configuration item, you do not lose the previous settings, and you can still use the previous settings in a configuration baseline. When you select the Configuration Items node, you can view in the Revision column the number of times a configuration item has been revised.
To manage revisions, select the configuration item that you want to work with and then, on the ribbon, click the Revision History button. In the Configuration Item Revision History window, the following options are available for you:
■ Show All Revisions or Show Revisions In Use You can use this drop-down list to switch between all the revisions of the current configuration item and only the revisions that are being used in a configuration baseline.
■ Compare With Current Revision When you select an older version of the configuration item, you can use this button to view the difference between that revision and the latest revision.
■ Delete Use this button to delete a particular revision.
■ Export Use this button to export a particular revision to a .cab file so that you can import the revision into another instance of Configuration Manager.
■ Copy Use this button to copy a particular revision to create a new configuration item.



■ Restore Use this button to restore a particular revision. Restoring a revision creates a new revision that is based on the settings of the restored revision.
■ Properties Use this button to view the properties of a particular revision.

MORE INFO CREATING CONFIGURATION ITEMS
You can learn more about creating configuration items at http://technet.microsoft.com/en-us/library/gg712331.aspx.

Configuration item settings
You have several choices for the types of settings to monitor when you create a configuration item for Windows operating systems, mobile device support, or Mac OS X. Each type of configuration setting is evaluated against its own compliance rules and has its own values to monitor.
When configuring compliance rules, the options you have range from simply checking whether a setting exists to comparing it to a specific value. You then specify the severity level if the condition is not met.

Windows settings
When you create a Windows configuration item, you can monitor several aspects of Windows-based computers. The following list describes the setting types that you can monitor for computers running Windows operating systems:
■ Active Directory Query Use this setting type to construct a query to find values in Active Directory Domain Services (AD DS).
■ Assembly Use this setting type to specify an assembly from the global assembly cache to assess for compliance on computers.
■ File System Use this setting type to specify a file or folder to assess for compliance on computers.
■ IIS Metabase Use this setting type to specify the Internet Information Services (IIS) metabase setting to assess for compliance on computers.
■ Registry Key Use this setting type to specify a registry key to assess for compliance on computers.
■ Registry Value Use this setting type to specify a registry value to assess for compliance on computers.
■ Script Use this setting type to specify two scripts:
■ A discovery script to identify and return a value
■ A remediation script to remediate the noncompliant setting
■ SQL Query Use this setting type to specify a SQL query to assess for compliance on computers.



■ WQL Query Use this setting type to specify a Windows Management Instrumentation (WMI) Query Language (WQL) query to assess for compliance on computers.
■ XPath Query Use this setting type to specify the XML file path and XML Path Language (XPath) query to assess for compliance on computers.
In addition, when using the Windows configuration item type, you can specify that the configuration item must include application settings. Depending on the application settings, the wizard displays detection methods for applications. You have the following options for detecting applications:
■ Always Assume Application Is Installed
■ Use Windows Installer Detection
■ Detect A Specific Application And Deployment Type
■ Use A Custom Script To Detect This Application
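The following PowerShell scripts are an added example for the Script setting type described above; they are not code from the book or from Microsoft. The body of Test-FirewallServiceCompliance is what you would paste into the discovery script box, and the body of Repair-FirewallService into the remediation script box. The function names, the service name MpsSvc (the Windows Firewall service), and the expected string "Compliant" are assumptions made for this example. A Value rule of data type String, operator Equals, and expected value Compliant then decides compliance, and the remediation script runs only if both the rule and the baseline deployment have remediation enabled.

```powershell
# Added example: discovery and remediation scripts for a Script setting type.
# Assumed requirement (not from the book): the Windows Firewall service
# (MpsSvc) must be running and set to start automatically.

function Test-FirewallServiceCompliance {
    # Discovery script body. Configuration Manager evaluates whatever the
    # script writes to standard output, so emit exactly one value.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"

    if ($null -eq $svc) {
        # A distinct value shows up in the noncompliant-rules report and
        # explains why the Equals "Compliant" rule failed.
        return 'ServiceMissing'
    }
    if ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto') {
        return 'Compliant'
    }
    # Encode the observed state so the report is actionable.
    return "NonCompliant:StartMode=$($svc.StartMode);State=$($svc.State)"
}

function Repair-FirewallService {
    # Remediation script body. Its output is not used as the compliance value;
    # it only has to put the setting into the state the discovery script expects.
    Set-Service -Name 'MpsSvc' -StartupType Automatic
    if ((Get-Service -Name 'MpsSvc').Status -ne 'Running') {
        Start-Service -Name 'MpsSvc'
    }
}

# Local dry run on a reference computer (run from an elevated session):
$before = Test-FirewallServiceCompliance
if ($before -ne 'Compliant') {
    Repair-FirewallService
}
Write-Output "Before: $before"
Write-Output "After:  $(Test-FirewallServiceCompliance)"
```

Two client-side details matter when you move this into a configuration item: the client runs discovery and remediation scripts under the Local System account, so test with those privileges rather than your own, and the Computer Agent client setting PowerShell Execution Policy defaults to All Signed, so an unsigned script is blocked until you sign it or change that setting to Bypass.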

Mobile device settings
When you create a mobile device configuration item, you can monitor several setting groups for compliance. These setting groups are as follows:
■ Password This group includes typical password settings such as the password length and password expiration.
■ Device This group contains device restriction settings.
■ Email Management This group includes typical settings for email such as allowed protocols, attachments, and archives.
■ Store This group contains application store settings.
■ Browser This group contains default web browser settings.
■ Internet Explorer This group contains Internet Explorer settings for Windows-based clients.
■ Content Rating This group contains content rating for audio, video, and app content.
■ Cloud This group enables you to specify cloud restrictions that apply to mobile devices.
■ Security This group includes typical security settings such as file signing, apps, Bluetooth, and cameras.
■ Peak Synchronization This group includes settings that control the hours and frequency of mobile device synchronization.
■ Roaming This group includes settings that configure download options for mobile devices when they are roaming.
■ Encryption This group includes encryption settings for devices, email, and storage cards.



■ Wireless Communications This group includes settings to configure wireless network connections for mobile devices.
■ Certificates This group specifies the certificates to install on mobile devices.
■ System Security This group includes settings for system security, including firewall, automatic updates, and antimalware protection.
■ Windows Server Work Folders This group enables you to configure Windows Server work folder settings.

Mac OS X settings
You can monitor the following setting types on Configuration Manager clients running the Mac OS X operating system:
■ Mac OS X Preferences This setting type includes preferences within Mac OS X that use the following data types on application IDs and keys: string, date and time, integer, floating point, and Boolean.
■ Script This setting type allows a script to run that returns the value to be assessed for client compliance.

Compliance rules
The simplest compliance rule to configure is an Existential rule. Existential rules test whether a setting exists. You can choose whether compliance means that the setting exists or that it does not exist. In addition to testing for existence, the File System setting also supports the following compliance rule: File Exists The Following Number Of Times. This rule uses any of the available operators to compare values from 0 through 9999.
Another type of rule is the Value rule. You use value rules to compare the current value in the configuration item to a specified value by using one of the available operators. Some of the setting types support more than just a simple comparison. For example:
■ The value rule for the Registry Key setting enables you to evaluate permissions on a registry key for compliance.
■ The value rule for the File System setting enables you to evaluate the following properties:
■ Date Modified
■ Date Created
■ Size (Bytes)
■ Product Name
■ File Version
■ Company
■ Secure Hash Algorithm 1 (SHA-1)
■ Attributes
■ Permissions
■ The value rule for the Assembly setting enables you to evaluate the following properties: Version, Culture, and Public Key Token.
Depending on the compliance rule you create, you can choose from several relational operators to compare a current value to a desired value. You can use the following operators for this purpose:
■ Equals
■ Not Equal To
■ Greater Than
■ Greater Than Or Equal To
■ Less Than
■ Less Than Or Equal To
■ Between
■ One Of
■ None Of
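The following PowerShell functions are an added example, not code from the book: they mirror how a WQL Query setting's value rule combines a query (namespace, class, property, and an optional WHERE clause) with one of the nine operators listed above, so that you can pre-test a query on a reference computer before building the configuration item. The function names, the inclusive treatment of Between, and the sample check (at least 20 GB free on the C: volume) are assumptions made for this example.

```powershell
# Added example: evaluate a WQL query result with a compliance-rule operator.

function Test-CIOperator {
    # Applies one of the value-rule operators to a discovered value.
    # Cast $Actual to the setting's data type first, as the configuration
    # item's Data Type field does; comparing strings would be lexical.
    param(
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)]
        [ValidateSet('Equals','NotEqualTo','GreaterThan','GreaterThanOrEqualTo',
                     'LessThan','LessThanOrEqualTo','Between','OneOf','NoneOf')]
        [string] $Operator,
        [Parameter(Mandatory)] $Expected   # scalar; two values for Between; a list for OneOf/NoneOf
    )
    switch ($Operator) {
        'Equals'               { return [bool]($Actual -eq $Expected) }
        'NotEqualTo'           { return [bool]($Actual -ne $Expected) }
        'GreaterThan'          { return [bool]($Actual -gt $Expected) }
        'GreaterThanOrEqualTo' { return [bool]($Actual -ge $Expected) }
        'LessThan'             { return [bool]($Actual -lt $Expected) }
        'LessThanOrEqualTo'    { return [bool]($Actual -le $Expected) }
        # Assumption for this example: Between is treated as inclusive.
        'Between'              { return [bool](($Actual -ge $Expected[0]) -and ($Actual -le $Expected[1])) }
        'OneOf'                { return [bool]($Expected -contains $Actual) }
        'NoneOf'               { return [bool](-not ($Expected -contains $Actual)) }
    }
}

function Test-WqlSetting {
    # Runs the same query a WQL Query setting would run and applies the operator.
    param(
        [string] $Namespace = 'root\cimv2',
        [Parameter(Mandatory)] [string] $ClassName,
        [Parameter(Mandatory)] [string] $Property,
        [string] $Where,
        [Parameter(Mandatory)] [string] $Operator,
        [Parameter(Mandatory)] $Expected
    )
    $query = "SELECT $Property FROM $ClassName"
    if ($Where) { $query += " WHERE $Where" }

    $rows = @(Get-CimInstance -Namespace $Namespace -Query $query)
    if ($rows.Count -eq 0) {
        # No instance means the client would not find the setting at all;
        # report that as noncompliant rather than silently passing.
        return [pscustomobject]@{ Query = $query; Actual = $null; Operator = $Operator;
                                  Expected = ($Expected -join ', '); Compliant = $false }
    }
    foreach ($row in $rows) {
        [pscustomobject]@{
            Query     = $query
            Actual    = $row.$Property
            Operator  = $Operator
            Expected  = ($Expected -join ', ')
            Compliant = Test-CIOperator -Actual $row.$Property -Operator $Operator -Expected $Expected
        }
    }
}

# Sample check (constructed for this example): at least 20 GB free on the C: volume.
Test-WqlSetting -ClassName Win32_LogicalDisk -Property FreeSpace `
    -Where "DeviceID = 'C:'" -Operator GreaterThanOrEqualTo -Expected 20GB
```

Run the pre-test from an elevated session, because the client evaluates the real setting under the Local System account; a query that works for your user but not for the client's account is the most common reason a WQL rule reports Error instead of Compliant or Non-Compliant.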

Severity levels
Computers that do not comply with one or more of the objects or settings in the configuration item send a state message and a status message with one of the following noncompliant severity levels:
■ None
■ Information
■ Warning
■ Critical
■ Critical With Event
When the noncompliant severity level is Critical With Event, computers that do not comply with one or more of the objects or settings in the configuration item also log a Windows application event message (Event ID: 11857) of the type Error, in addition to the state messages and status messages the client sends with that severity level.

Remediation
Configuration Manager supports remediation only for the following configuration items:
■ Registry values
■ Scripts
■ WQL query configuration items
■ All mobile phone settings
■ Mac OS X Preferences
Remediation is available only when the rule operator is set to Equals, in all cases except for mobile phone settings. During remediation, Configuration Manager performs one of the following actions based on the setting type:
■ Create the value if it does not exist (when the rule type is Value and the operator is Equals).
■ Set the value if it exists but is not compliant.
■ Run a remediation script when using a script-based configuration item.
■ Set the value for the mobile device settings if supported by the mobile device operating system. (Not all mobile devices support the same settings.)
The method in which you configure remediation depends on the type of setting:
■ For a registry value or WQL query configuration item, in the compliance rule, select the Remediate Noncompliance Rules When Supported check box. If you select this check box, the remediation action will be one of the following:
■ Create The Value If It Does Not Exist.
■ Set The Value If It Exists But Is Not Compliant.
■ For a script configuration setting, you need to provide an appropriate remediation script.
■ For mobile device configuration settings, on each setting group that you add to the configuration item, you must select the Remediate The Noncompliant Settings check box.
Configuration item remediation occurs only when the item is included in a baseline deployment that you also have configured for remediation. (For remediation to be successful, you must configure remediation both on the compliance rule and in the deployment properties of the configuration baseline in which the configuration item is listed.) Because both the item and the deployment must support remediation, you can use the same configuration item in both remediating and nonremediating deployments.

EXAM TIP
Remember which configuration item types allow remediation.



Thought experiment
Configuration Items at Contoso
You are testing the compliance functionality of Configuration Manager. Specifically, you are interested in monitoring the configuration of mobile devices and determining whether a prohibited file-sharing application is installed on Configuration Manager clients running the Windows 8.1 operating system. With this information in mind, answer the following questions:

1. What must you configure in addition to Configuration Manager to manage mobile device configuration item settings?

2. Which configuration item type could you use to determine whether a prohibited application is installed on Configuration Manager clients running the Windows 8.1 operating system?

Objective summary
■ The Compliance Settings feature enables you to assess and manage configuration settings for Configuration Manager clients.
■ Configuration items contain one or more unique settings and values that you want to compare for compliance evaluation.
■ Use the create a child configuration item method to create a configuration item that inherits the properties of an existing configuration item.
■ Use the copy existing configuration items method to create a configuration item with the properties of an existing configuration item but for which you want to modify some settings.
■ Configuration Manager maintains a revision history of each configuration item. When you modify a configuration item, you do not lose the previous settings, and you can still use the previous settings in a configuration baseline.
■ Configuration Manager supports the following noncompliant severity levels: None, Information, Warning, Critical, and Critical With Event.
■ Configuration Manager supports remediation only for the following configuration items: registry values, scripts, WQL query configuration items, all mobile phone settings, and Mac OS X Preferences (where the value type operator is set to Equals).

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.



1. Which of the following configuration item types supports remediation? (Choose two. Each correct answer provides a complete solution.)
A. Registry values
B. Registry keys
C. WQL query
D. XPath query
2. Which of the following setting types would you use in a configuration item to determine whether a particular file was present on a Configuration Manager client?
A. Active Directory query
B. Assembly
C. File system
D. Registry value
3. Which of the following setting types would you use in a configuration item to determine whether a specific registry key was present on a Configuration Manager client?
A. Registry value
B. WQL query
C. Script
D. Registry key
4. Which of the following setting types would you use in a configuration item to run a script to remediate a noncompliant setting?
A. WQL query
B. Script
C. File system
D. Assembly
5. You have a WMI query language query that determines the amount of free disk space on a computer’s operating system volume. Which of the following setting types would you use in a configuration item to determine whether a Configuration Manager client had more than 15 GB of free space on the operating system volume? (Choose the best answer.)
A. WQL query
B. Script
C. File system
D. Registry value



Objective 4.2: Create and monitor a baseline
Configuration baselines enable you to collect configuration items, software updates, and even other configuration baselines as a way of determining compliance. You can create your own baselines or import preexisting baselines through configuration packs. You can use the results of a compliance check to create a new collection.

This section covers the following topics:
■ Configuration baselines
■ Creating configuration baselines
■ Deploying configuration baselines
■ Configuration packs
■ Viewing compliance information

Configuration baselines
A configuration baseline is a group of configuration items, software updates, and other configuration baselines. If a system is noncompliant with one item in a configuration baseline, it is noncompliant with the configuration baseline.
If you include configuration items for multiple products and system settings in a single baseline, you increase the baseline’s complexity. This makes managing the baseline more difficult. A simpler approach is to create several single product or system settings baselines and then deploy the baselines to the Configuration Manager collections to which you want to apply them. When you evaluate the baselines, the compliance results are easier for you to analyze. You can use the same configuration item in multiple configuration baselines.
After you create a configuration baseline, you can deploy it to a collection. This enables that collection’s devices or primary devices of the collection’s users to download the configuration baseline and assess compliance with each of the baseline’s configuration items.



Client settings contain the default schedule for running evaluations, as shown in Figure 4-2. When you deploy a configuration baseline to a collection, you can specify remediation settings, alert settings, and a schedule for that configuration baseline to use for evaluating the client systems.

FIGURE 4-2 Compliance Settings

You can use the evaluation results of the configuration baseline to create a collection. If the configuration baseline contains configuration items that do not support automatic remediation, you can use this collection as a target so that an additional task can remediate the issue. For example, you might use the configuration items in a configuration baseline to detect a forbidden application. You then can create a collection based on the configuration baseline and deploy an application or package to uninstall the forbidden application.
You can create collections based on the following compliance states: Compliant, Error, Non-Compliant, and Unknown. You can access the wizard for creating the collection by selecting the configuration baseline and then selecting the Deployment tab. When you select a deployment on the Deployment tab, a Create New Collection menu appears on both the ribbon and the Actions menu. You can use this option to create a query-based collection according to the state you have chosen.

MORE INFO CONFIGURATION BASELINES
You can learn more about configuration baselines at http://technet.microsoft.com/en-au/library/gg712268.aspx.



Creating configuration baselines
You can create a configuration baseline in one of the following ways:
■ Create a configuration baseline manually, using the Create Configuration Baseline dialog box.
■ Import configuration data.
■ Copy an existing configuration baseline.
If a configuration item has multiple revisions, you can specify which version of the configuration item is used in the baseline.

Create a configuration baseline manually
The most direct way to create a configuration baseline is to select the Configuration Baselines node, which is located under Compliance Settings in the Assets And Compliance workspace, and then click the Create Configuration Baseline button on the ribbon. This launches the Create Configuration Baseline dialog box, shown in Figure 4-3.

FIGURE 4-3 Create Configuration Baseline

Import configuration data
The process to import the configuration baselines is the same as the process to import configuration items. You use the Import Configuration Data Wizard to import one or more .cab files containing configuration baselines, configuration items, or both. Then you can use them in Configuration Manager.



Copy an existing configuration baseline
You use this method to create a configuration baseline when you want a configuration baseline with the properties of an existing configuration baseline. After you make the copy, you can modify the properties to create the configuration baseline you require. When you copy a configuration baseline, you do not maintain a relationship between the new configuration baseline and the configuration baseline that you copied. To copy a configuration baseline, select the configuration baseline that you want to copy and then, on the ribbon, click Copy. This opens the Configuration Baseline Name dialog box.

Deploying configuration baselines
Deploying a configuration baseline to a collection of client devices enables you to perform an evaluation of those devices against the baseline. To deploy a configuration baseline, select an existing configuration baseline and then, on the ribbon, click Deploy. This opens the Deploy Configuration Baselines dialog box shown in Figure 4-4.

FIGURE 4-4 Deploy Configuration Baselines

The following settings are available in the Deploy Configuration Baselines dialog box:
■ Available Configuration Baselines Use this list box to select any additional baselines you want to deploy as part of this deployment.
■ Selected Configuration Baselines This list box displays the baselines that are selected for this deployment.
■ Remediate Noncompliant Rules When Supported You can configure certain configuration items for automatic remediation. If you enable remediation, you also can allow the remediation process to ignore maintenance windows by selecting the Allow Remediation Outside The Maintenance Window check box.
■ Generate An Alert When Compliance Is Below The Specified Percentage After The Specified Date And Time When you enable this setting, the compliance percentage check box and the Date And Time check box are also selected. If the specified percentage of systems is not compliant by the specified date and time, Configuration Manager generates an alert. If you are using System Center 2012 R2 Operations Manager, you can configure Configuration Manager to send the alert to Operations Manager as well, by enabling Generate System Center Operations Manager Alert in this dialog box.
■ Select The Collection For This Configuration Baseline Deployment Use the Browse button in this option to select the user or device collection to which this baseline will deploy.
■ Specify The Compliance Evaluation Schedule For This Configuration Baseline Use the default schedule configured on the default client settings or customize the evaluation schedule for the deployment.

MORE INFO DEPLOYING BASELINES
You can learn more about deploying baselines at http://technet.microsoft.com/en-us/library/hh219289.aspx.

Configuration packs
Configuration packs are predefined configuration items or configuration baselines that Microsoft and other developers provide to organizations. These configuration packs often represent best-practice configurations for common operating systems, server roles, services, and programs. For example, some auditing firms use configuration packs to assess whether an organization complies with specific regulations regarding computer configuration.
You can download Microsoft and some non-Microsoft configuration packs from the Microsoft System Center Marketplace. In addition, you can find configuration packs created by users on several Configuration Manager community support websites. You also can add existing Configuration Manager 2007 configuration packs to System Center 2012 R2 Configuration Manager by using the import functionality.
After you download and import a configuration pack, you can use the configuration items and configuration baselines as they are. Alternatively, you can use them as a starting point for your own configuration settings and then modify the imported configuration packs to meet your requirements.



Viewing compliance information
You can use the Configuration Manager Control Panel item to evaluate the baselines for compliance settings manually or to view the evaluation results for the compliance settings baselines. You require local administrator rights to view a report in the Configuration Manager Control Panel item.
To view compliance on a Configuration Manager client, you can access the Configuration Manager Properties dialog box within Control Panel. The Configurations tab of the Configuration Manager Properties dialog box displays the following basic information:
■ A list of all the configuration baselines, including the last version of the baseline that was downloaded
■ The last time the evaluation was performed and the results of the evaluation
■ The configuration baseline evaluations (if any) that are currently running on this computer
You can use the Configurations tab to perform the following actions:
■ Evaluate You can select a deployed configuration baseline and then use the Evaluate button to run the evaluation outside the current schedule.
■ View Report When you click the View Report button, an Internet Explorer window appears, displaying a report on the selected configuration baseline. The report displays the compliance status of the baseline and all the configuration items that are in the configuration baseline.
■ Refresh The Refresh button updates the display with current information.
The Configuration Manager site receives the compliance information the client systems generate in the form of state messages. You can use this information to:
■ View the compliance of the deployment.
■ Create collections based on the state of configuration items.
■ Generate and view compliance reports.
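As an added example (not code from the book or from Microsoft), the following PowerShell functions read and trigger the same information the Configurations tab shows, which helps when you need to check or re-run evaluations on a client from an elevated remote session rather than the Control Panel item. The client WMI namespace root\ccm\dcm, the SMS_DesiredConfiguration class with its TriggerEvaluation method, and the meaning given to the LastComplianceStatus codes are assumptions drawn from the client's WMI interface, not from the text above; verify them against your client version before relying on them.

```powershell
# Added example: read and trigger baseline evaluations through the client's
# WMI interface. Assumption (not from the book): namespace root\ccm\dcm and
# class SMS_DesiredConfiguration expose what the Configurations tab displays.
$script:DcmNamespace = 'root\ccm\dcm'

function Get-ClientBaselineStatus {
    # One row per deployed baseline: name, version, last evaluation, result.
    Get-CimInstance -Namespace $script:DcmNamespace -ClassName SMS_DesiredConfiguration |
        ForEach-Object {
            $code = $_.LastComplianceStatus
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.Version
                LastEval    = $_.LastEvalTime
                # Assumed mapping for this example: 0 = noncompliant, 1 = compliant.
                # Any other code is shown raw so nothing is misreported as compliant.
                Status      = $(if ($code -eq 1) { 'Compliant' }
                                elseif ($code -eq 0) { 'Non-Compliant' }
                                else { "Other($code)" })
            }
        }
}

function Start-ClientBaselineEvaluation {
    # Re-evaluates one baseline (or all of them), like the Evaluate button.
    param([string] $DisplayName)
    Get-CimInstance -Namespace $script:DcmNamespace -ClassName SMS_DesiredConfiguration |
        Where-Object { -not $DisplayName -or $_.DisplayName -eq $DisplayName } |
        ForEach-Object {
            Invoke-CimMethod -Namespace $script:DcmNamespace -ClassName SMS_DesiredConfiguration `
                -MethodName TriggerEvaluation `
                -Arguments @{ Name = $_.Name; Version = $_.Version } | Out-Null
            $_.DisplayName
        }
}

# Typical use on a client (elevated): trigger, wait briefly, then read the results.
Start-ClientBaselineEvaluation | ForEach-Object { "Triggered: $_" }
Start-Sleep -Seconds 30
Get-ClientBaselineStatus | Format-Table -AutoSize
```

Because the site learns the result only from the state messages the client sends afterwards, the console and the reports can lag behind what this client-side view shows; when you are troubleshooting one computer, compare the two before concluding that a baseline deployment is broken.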

Compliance monitoring
Like all deployments, you can monitor the compliance baseline deployments in the Monitoring workspace in the Deployments node. When you select a compliance deployment, the preview pane displays the following:
■ General information This section includes the name of the deployment and the target collection.
■ Compliance statistics This section includes a pie chart displaying the relative number of Compliant, Error, Non-Compliant, and Unknown client systems. The total asset count and the time of the summarization appear with a link to a detailed status view.
■ Related objects This section includes links to the target collection and the deployed baseline.



When you click the View Status link in the preview pane, Configuration Manager displays a more detailed view of the compliance information. The Deployment Status window shows general information similar to the information in the preview pane, including the name of the baseline and target collection and the time the last summarization ran. The Compliant, Error, Non-Compliant, and Unknown tabs display detailed information such as the configuration items, the number of assets, and a list of clients. You can use the More Details link to view the details of a specific asset.

Compliance management reports
The following reports, some of which are listed in Figure 4-5, are available for viewing compliance evaluation results:
■ List Of Unknown Assets For A Configuration Baseline
■ List Of Rules Conflicting With A Specified Rule For An Asset
■ List Of Assets By Compliance State For A Configuration Item In A Configuration Baseline
■ Rules And Errors Summary Of Configuration Items In A Configuration Baseline For An Asset
■ Summary Compliance Of A Configuration Baseline For A Collection
■ Summary Compliance By Configuration Items For A Configuration Baseline
■ Summary Compliance By Configuration Baseline
■ List Of Assets By Compliance State For A Configuration Baseline
■ Details Of Compliant Rules Of Configuration Items In A Configuration Baseline For An Asset
■ Compliance History Of A Configuration Item
■ Compliance History Of A Configuration Baseline
■ Details Of Conflicting Rules Of Configuration Items In A Configuration Baseline For An Asset
■ Details Of Remediated Rules Of Configuration Items In A Configuration Baseline For An Asset
■ Details Of Noncompliant Rules Of Configuration Items In A Configuration Baseline For An Asset
■ Details Of Errors Of Configuration Items In A Configuration Baseline For An Asset
■ List Of Unknown Assets For A Configuration Item
■ Summary Compliance By Configuration Policies
■ List Of Assets With Certificate Nearing Expiry
■ List Of Assets By Certificate Issuance Status
■ Certificate Issuance History

FIGURE 4-5 Compliance reports

MORE INFO MONITOR COMPLIANCE SETTINGS

You can learn more about monitoring compliance settings at http://technet.microsoft.com/en-us/library/gg712303.aspx/.

EXAM TIP
Remember that you can use the compliance results as the basis for creating new
collections.

Thought experiment
Compliance Monitoring at Fabrikam
You are using Configuration Manager’s compliance functionality to monitor compliance across multiple device collections at your organization. A specific baseline, which includes a large number of configuration items, reports a large percentage of noncompliant clients. You’re interested in determining whether a large number of configuration items or just one or two items are causing the noncompliant result. With this information in mind, answer the following questions:

1. Which report would you use to determine the specific configuration items in a baseline that are triggering noncompliance when applied to a collection?

2. Which report would you view to determine the compliance trend for a configuration baseline?

Objective summary
■ A configuration baseline is a group of configuration items, software updates, and other configuration baselines.
■ You can group configuration items into configuration baselines.
■ You deploy configuration baselines to client systems to evaluate compliance and (potentially) perform remediation.
■ You can use the evaluation results of the configuration baseline to create a collection.
■ Configuration packs are predefined configuration items or configuration baselines that Microsoft and other developers provide to organizations.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following can you include in a configuration baseline? (Choose two. Each correct answer provides a complete solution.)
A. Configuration item
B. Antimalware policy
C. Windows Firewall policy
D. Software updates

2. Which of the following options must you select when deploying a configuration baseline so that configuration items are automatically remediated when it is possible to do so? (Choose two. Each correct answer provides a complete solution.)
A. Select The Collection For This Configuration Baseline Deployment
B. Select The Compliance Evaluation Schedule For This Configuration Baseline
C. Generate An Alert When Compliance Is Below The Specified Percentage After The Specified Date And Time
D. Remediate Noncompliant Rules When Supported
3. You want an alert to be generated if the percentage of computers in a specific collection that isn’t compliant after two weeks rises above 25 percent. Which of the following settings must you configure when configuring the deployment of a configuration baseline? (Choose two. Each correct answer provides part of a complete solution.)
A. Remediate Noncompliant Rules When Supported
B. Generate An Alert When Compliance Is Below The Specified Percentage After The Specified Date And Time
C. Select The Compliance Evaluation Schedule For This Configuration Baseline
D. Select The Collection For This Configuration Baseline Deployment
4. A configuration baseline includes a configuration item that tests for the presence of a particular file on the operating system volume. You want to create a collection of all computers in the Sydney Windows 8.1 Computers collection on which this file is not present on the operating system volume. Which of the following compliance states should you use as the basis for creating a new collection?
A. Compliant
B. Non-Compliant
C. Error
D. Unknown

Objective 4.3: Configure Endpoint Protection

System Center Endpoint Protection is an antimalware client that you can deploy, manage, and monitor as part of your organization’s Configuration Manager deployment. You can also use System Center Endpoint Protection to manage the firewall settings of Configuration Manager clients.

This section covers the following topics:
■ System Center Endpoint Protection
■ Implement Endpoint Protection
■ Antimalware policies
■ Windows Firewall policies
■ Policy management
■ Monitoring Endpoint Protection status
■ Configuring alerts

System Center Endpoint Protection

System Center Endpoint Protection is an antimalware client. Prior to the release of System Center 2012, this client was part of the Forefront suite of products. When you deploy the Configuration Manager Endpoint Protection feature, an Endpoint Protection client installs on Configuration Manager client computers. You can use the Endpoint Protection client to:
■ Detect and remediate malware, rootkit, network, and spyware vulnerabilities. The Endpoint Protection client provides protection by performing scheduled scans on a computer or by enabling real-time protection. Both these methods monitor file and program activity on a computer. The client can use Network Inspection System to inspect network traffic for the most commonly used protocols, such as HTTP, Server Message Block (SMB), and Simple Mail Transfer Protocol (SMTP).
■ Automatically download antimalware definitions and engine updates. You can deploy policies that define how often antimalware definitions are updated and how a client obtains the updates.
■ Manage Windows Firewall settings. Endpoint Protection provides basic management of Windows Firewall for the domain, private, and public profiles. Settings include enabling or disabling the firewall; notifying the user when Windows Firewall blocks a new program; and blocking all incoming connections, including those in the list of allowed programs.
Integrating Endpoint Protection with Configuration Manager provides the following benefits:
■ Flexible source locations for client updates. You can use a variety of source locations for definition updates. You can configure Endpoint Protection to:
■ Obtain updates that Configuration Manager or Windows Server Update Services (WSUS) distributes.
■ Allow direct connection to Microsoft Update and the Microsoft Malware Protection Center.
■ Obtain updates from a Universal Naming Convention (UNC) file share.

■ The ability to take advantage of the management infrastructure. Endpoint Protection uses the existing Configuration Manager infrastructure to communicate policy settings to clients and retrieve status information from clients.
■ Enhanced monitoring and reporting. Configuration Manager provides extensive monitoring capabilities such as email notifications, in-console monitoring, and reports that inform administrators of malware presence and the security status of client computers.

MORE INFO INTRODUCTION TO ENDPOINT PROTECTION

You can learn more about Endpoint Protection at http://technet.microsoft.com/en-us/library/hh508781.aspx.

Implement Endpoint Protection

Implement Endpoint Protection by performing the following general steps:
1. In the central administration site or a standalone site, install the Endpoint Protection Point Site System role.
2. Create collections as necessary and then configure Endpoint Protection alerts for each collection. Subscribe to alerts as necessary.
3. Determine the source for obtaining updates to malware definitions and the antimalware engine. You must configure additional roles, such as the Software Update Point role, if you plan to use Configuration Manager software updates as the update source.
4. Configure antimalware policies as needed. The Default Antimalware Policy will apply to all Endpoint Protection clients in the hierarchy. You can create and deploy custom antimalware policies that will override the settings in the default policy.
5. Configure client settings for Endpoint Protection. You can use client settings to install and enable Endpoint Protection clients on client computers. As you enable clients, any antimalware policies that you have configured through client settings will come into effect. You can create and deploy custom client settings to target specific collections as needed.
6. Optionally, create and deploy Windows Firewall policies. You can configure Windows Firewall profile settings and then deploy the policy to specific collections.
7. Monitor and manage Endpoint Protection by using the console and alerts.

Prerequisites
To implement Endpoint Protection within your Configuration Manager primary site or hierarchy, you must meet the following prerequisites:
■ Endpoint Protection point. Before you can install the Endpoint Protection client on workstations, you must install and configure an Endpoint Protection Point Site System role at the top site in the hierarchy, whether that is a central administration site or a standalone primary site.
■ Client settings. To install the Endpoint Protection client on workstations, you must configure the appropriate default client settings or create and deploy a custom client setting that targets specific collections.
■ Software update point. If you want to use software updates to deliver antimalware definition and engine updates, you must implement the Software Updates feature of Configuration Manager.
■ Reporting services point. Before you can run reports related to Endpoint Protection, you must configure a reporting services point site system.
■ Security permissions. The Endpoint Protection Manager security role provides the ability to create and modify antimalware and Windows Firewall policies. This security role also enables you to deploy Endpoint Protection policies to collections, to monitor status, and to create and modify console alerts and reports. You must configure the security role before you implement Endpoint Protection.
You can download specific Endpoint Protection clients to protect Mac computers and Linux clients from the Microsoft Volume Licensing Service Center. You cannot manage these clients from the Configuration Manager console. However, you can use a System Center 2012 Operations Manager management pack to manage Linux clients from Operations Manager.

MORE INFO PREREQUISITES

You can learn more about Endpoint Protection prerequisites at http://technet.microsoft.com/en-us/library/hh508780.aspx.

The Site System role

You must deploy the Endpoint Protection Point Site System role before you can install Endpoint Protection on client computers. Consider the following factors when you deploy this Endpoint Protection role:
■ Deployment within a Configuration Manager hierarchy. You can install the Endpoint Protection point only on a single site system server. You must locate this server within the central administration site for a hierarchy configuration or in the primary site in a standalone primary site configuration. You also must accept the specific Endpoint Protection license agreement when prompted.
■ Microsoft Active Protection Service membership. When you install an Endpoint Protection point, you may specify the default Microsoft Active Protection Service membership setting. If you choose to join the service, Configuration Manager automatically collects information about detected software and sends it to Microsoft. Based on this information, Microsoft creates new antimalware definitions. You can choose from two levels of membership:
■ Basic membership. If you choose this membership, basic information is sent to Microsoft, which includes information about where the software originated and the actions the user or application performed. This level of membership will not alert the user if the service detects a change by a software program that has not been subject to risk assessment.
■ Advanced membership. This level of membership will alert the user when the service detects a change by software that has not been subject to risk assessment by Microsoft. In addition to basic information, this membership level will send information such as software location, file names, how the software operates, and the effect that the software has had on the computer.
■ Verification of installation status. You can verify the successful installation of an Endpoint Protection point by monitoring the SMS_ENDPOINT_PROTECTION_MANAGER component for a message with the ID of 500. An ID of 500 indicates that the component has started. The EPSetup.log file also provides details about the installation status.

Client settings
You can use Default Client Settings to apply Endpoint Protection installation settings to all clients within the hierarchy. You would create and configure a Custom Client Device Settings item if you needed to apply unique settings to members of a specific collection. For example, you might want to deploy Endpoint Protection to a small group of computers first to test it before you deploy it to the entire hierarchy. Over time, you can add clients to the target collection to provide a phased deployment.

Figure 4-6 shows the Endpoint Protection settings of Default Client Settings.

FIGURE 4-6 Endpoint Protection settings

The Endpoint Protection section provides several settings that relate to the installation of
the Endpoint Protection client. Table 4-2 describes these settings.

TABLE 4-2 Endpoint Protection settings

Setting: Manage Endpoint Protection Client On Client Computers
Description: When set to Yes, Configuration Manager manages the existing Endpoint Protection client on client computers. When set to No, Configuration Manager does not manage the Endpoint Protection client. The default setting is No.

Setting: Install Endpoint Protection Client On Client Computers
Description: When set to Yes, the Endpoint Protection client installs on client computers. This option is available only if Manage Endpoint Protection Client On Client Computers is set to Yes. When set to No, the Endpoint Protection client will not install on client computers, and all subsequent options are disabled. The default setting is Yes.

Setting: Automatically Remove Previously Installed Antimalware Software Before Endpoint Protection Is Installed
Description: When set to Yes, the client installation checks for and uninstalls most third-party antimalware clients. The default setting is Yes. The Endpoint Protection client installation fails if you attempt to install the client on a computer that does not support the uninstallation of an existing antimalware solution. In this case, uninstall the existing antimalware solution before you enable Endpoint Protection.

Setting: Allow Endpoint Protection Client Installation And Restart Outside Maintenance Windows. Maintenance Windows Must Be At Least 30 Minutes Long For Client Installation
Description: If set to Yes, the Endpoint Protection client installs outside the specified maintenance window for the device. If set to No, the client installs only during the specified maintenance window. The default setting is No. A maintenance window must be at least 30 minutes long for the Endpoint Protection client to install successfully.

Setting: For Windows Embedded Devices With Write Filters, Commit Endpoint Protection Client Installation (Requires Restarts)
Description: This setting specifies how the Endpoint Protection client installs on a Windows Embedded device. If you select Yes, the write filter is disabled, which allows the installation to commit on the device. This also requires a restart of the device. If you select No, the client installs on a temporary overlay and is not committed until another installation commits the changes to the device. The default setting is No.

Setting: Suppress Any Required Computer Restarts After The Endpoint Protection Client Is Installed
Description: If set to Yes, after the client installs the client will suppress any required restarts. The default setting is Yes. Consider deploying KB981889 to your Configuration Manager clients before you deploy the Endpoint Protection client. This update requires a client restart, but it can help you prevent restarts during the Endpoint Protection client installation task.

Setting: Allowed Period Of Time Users Can Postpone A Required Restart To Complete The Endpoint Protection Installation (Hours)
Description: This setting specifies the number of hours a user can postpone a potential restart after the client installs. The default setting is 24 hours. This option is available only if Suppress Any Required Computer Restarts After The Endpoint Protection Client Is Installed is set to Yes.

Setting: Disable Alternate Sources (Such As Microsoft Windows Update, Microsoft Windows Server Update Services, Or UNC Shares) For The Initial Definition Update On Client Computers
Description: After you install the Endpoint Protection client, it will connect immediately to a source and update its antimalware signatures. The default setting is Yes. If you set this to Yes, the initial update of the antimalware signatures from a remote source is disabled. In this case, only Configuration Manager provides the initial update to client computers. This setting helps avoid unnecessary network connections to remote locations such as the Internet and can reduce network bandwidth during the initial installation. Setting this option to No allows the client to update the antimalware signatures from a remote source after initial installation of the client.

Antimalware policies
You use an antimalware policy to control configuration settings for the Endpoint Protection client on client computers. When you configure client settings to install Endpoint Protection on client computers, a default client antimalware policy is applied to provide initial protection after the installation.

Figure 4-7 shows the default client antimalware policy.

FIGURE 4-7 Scheduled Scans

You can import preconfigured policy templates, or you can create your own custom antimalware policy and deploy the policy to collections. This enables you to provide different Endpoint Protection client settings based on the requirements of the computers contained within a collection. For example, you might have a group of computers in a collection that require specific files or file locations excluded from the malware scan processes. A custom antimalware policy enables you to address this requirement.
If you deploy a custom antimalware policy to a collection, the custom policy settings merge with the default client antimalware policy. A single computer might be a member of multiple collections that have an assigned policy. The client uses priority evaluation to determine which policy to apply. The policy with the highest priority, which is the lowest number displayed in the Priority column, will take precedence. That policy then applies appropriate settings to the Endpoint Protection client software.
To modify the default antimalware policy, perform the following procedure:
1. In the Configuration Manager console, click the Assets And Compliance workspace.
2. Expand the Endpoint Protection node and then click Antimalware Policies.
3. In the results pane, click Default Client Malware Policy.
4. On the ribbon, click Properties.
The Default Antimalware Policy dialog box appears.

Settings that you configure in the Default Antimalware Policy dialog box apply to all computers in the hierarchy on which the Endpoint Protection client is installed unless overridden by a custom malware policy that is assigned to the client.
To create and deploy a custom antimalware policy, perform the following procedure:
1. In the Configuration Manager console, click the Assets And Compliance workspace.
2. Expand the Endpoint Protection node and then click Antimalware Policies.
3. On the ribbon, click Create Antimalware Policy.
The Create Antimalware Policy dialog box appears. In this dialog box, you can provide a name and specify configuration settings.
4. To assign a custom antimalware policy to a collection, choose the policy to deploy and then, on the ribbon, click Deploy. The Select Collection dialog box appears.
5. In the Select Collection dialog box, select the collection to which you want to deploy this policy and then click OK.
You also can import an existing Endpoint Protection template by selecting the Antimalware Policies node and then clicking Import on the ribbon. Configuration Manager provides several preconfigured antimalware policy settings for high security, standard desktop, server role-based, or performance-optimized scenarios.
Table 4-3 lists the available antimalware policy settings.

TABLE 4-3 Antimalware policy settings

Setting: Scheduled Scans
Description: Provides settings to enable or disable a scheduled scan on client computers. When you enable scheduled scans, additional scan options are available, such as the type of scan, the day and time of the scan, and performance options such as starting the scan only when the computer is idle.

Setting: Scan Settings
Description: Provides settings that describe what the client should scan, for example, removable storage devices, network drives, and email.

Setting: Default Actions
Description: Provides settings to specify how Endpoint Protection should respond to Severe, High, Medium, and Low classified threats. Possible options include Allow, Quarantine, and Remove. For Severe and High threats, you can select an additional option, Recommended, which treats the threat as instructed within the definition files. You cannot select Allow for threats classified as Severe or High.

Setting: Real-time Protection
Description: Provides settings to enable real-time protection. If you enable real-time protection, additional options are available to specify whether to scan incoming files, outgoing files, or both. You also can specify whether users can configure real-time protection settings on their computers.

Setting: Exclusion Settings
Description: Enables you to specify files, locations, file types, and processes to exclude from the scanning process.

Setting: Advanced
Description: Provides settings to specify options such as whether to create a system restore point before cleaning computers, show notification messages to users, delete quarantined files after a specified number of days, and allow users to control exclusions.

Setting: Threat Overrides
Description: Enables you to configure a specific action (Allow, Remove, or Quarantine) based on a threat name.

Setting: Microsoft Active Protection Service
Description: Enables you to specify whether clients join Microsoft Active Protection Service. You also can specify whether you want to allow end users to modify Microsoft Active Protection Service settings on their client.

Setting: Definition Updates
Description: Provides options to specify how often a client will check for definition updates. Settings include specifying the location and order in which the client obtains updated definitions. Possible source options include:
■ Updates Distributed From Configuration Manager.
■ Updates Distributed From WSUS.
■ Updates Distributed From Microsoft Update.
■ Updates Distributed From Microsoft Malware Protection Center.
■ Updates From UNC File Shares.
You can define the order in which to contact update sources.

If you choose to provide updates from UNC file shares, you must download the updates manually and store them in specific folders on the UNC file share. Files for x64-based computers must be in a folder named x64, and files for x86-based computers must be in a folder named x86. You must share the parent folder that contains the x64 and x86 folders with Read access permissions for the client computers and domain users that connect to the share. During an automatic update, the client computer’s computer account is used to authenticate to the share. When a user manually updates the definitions, that user’s user account authenticates to the share.
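The UNC-share layout and permissions just described are easy to get slightly wrong, and a client that cannot read the share silently falls back to its next source or stays on old definitions. The following PowerShell function is an added example (not from the book or from Configuration Manager itself) that checks a share on the file server against those requirements: the shared parent folder must contain non-empty x64 and x86 folders, the share must actually expose that parent, and both the computer-account group and the user group must hold an Allow entry on the share. It assumes a Windows file server with the SmbShare cmdlets available; the CONTOSO group names in the usage line are placeholders.

```powershell
# Added example (not the book's or Configuration Manager's code): validate a
# definition-update UNC share against the layout the text requires.
# Assumption: the share is on a Windows server where Get-SmbShare and
# Get-SmbShareAccess exist; group names are placeholders.

function Test-DefinitionShare {
    [CmdletBinding()]
    param(
        # Local path of the shared parent folder, e.g. D:\Definitions
        [Parameter(Mandatory)] [string] $ParentPath,
        # Name of the SMB share that exposes $ParentPath
        [Parameter(Mandatory)] [string] $ShareName,
        # Principals that must be able to read the share: the computer
        # accounts (automatic updates) and the users (manual updates).
        [string[]] $RequiredReaders = @('CONTOSO\Domain Computers', 'CONTOSO\Domain Users')
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Layout: parent folder must exist and hold an x64 and an x86 folder,
    #    each containing at least one definition file.
    if (-not (Test-Path -LiteralPath $ParentPath -PathType Container)) {
        $problems.Add("Parent folder '$ParentPath' does not exist")
    } else {
        foreach ($arch in 'x64', 'x86') {
            $archPath = Join-Path $ParentPath $arch
            if (-not (Test-Path -LiteralPath $archPath -PathType Container)) {
                $problems.Add("Missing folder '$archPath'")
                continue
            }
            if (-not (Get-ChildItem -LiteralPath $archPath -File)) {
                $problems.Add("Folder '$archPath' contains no definition files")
            }
        }
    }

    # 2. Share: it must exist, point at the parent folder (not at x64 or x86
    #    directly), and grant each required principal an Allow entry.
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) {
        $problems.Add("Share '$ShareName' does not exist")
    } else {
        if ($share.Path.TrimEnd('\') -ne $ParentPath.TrimEnd('\')) {
            $problems.Add("Share '$ShareName' exposes '$($share.Path)', not '$ParentPath'")
        }
        $access = Get-SmbShareAccess -Name $ShareName
        foreach ($reader in $RequiredReaders) {
            $entry = $access | Where-Object {
                $_.AccountName -eq $reader -and $_.AccessControlType -eq 'Allow'
            }
            if (-not $entry) {
                $problems.Add("'$reader' has no Allow entry on share '$ShareName'")
            }
        }
    }

    [pscustomobject]@{
        Share     = "\\$env:COMPUTERNAME\$ShareName"
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
    }
}

# Usage, run on the file server (paths and group names are placeholders):
# Test-DefinitionShare -ParentPath 'D:\Definitions' -ShareName 'Definitions' `
#     -RequiredReaders 'CONTOSO\Domain Computers', 'CONTOSO\Domain Users'
```

Any Allow entry on the share (Read, Change or Full) satisfies the Read requirement, so the function does not distinguish between access rights; NTFS permissions on the folders are not inspected and would need a separate Get-Acl check.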

MORE INFO ANTIMALWARE POLICIES

You can learn more about antimalware policies at http://technet.microsoft.com/en-us/library/hh508785.aspx.

Windows Firewall policies

Endpoint Protection provides you with the ability to control basic settings for Windows Firewall. You can configure a firewall policy to establish the following settings for each type of network profile, including domain, private, and public:
■ Enable Windows Firewall. This setting controls whether Windows Firewall is turned on or off. Options include Yes, No, and Not Configured.
■ Block All Incoming Connections, Including Those In The List Of Allowed Programs. This setting is available only if Enable Windows Firewall is set to Yes for the corresponding network profile. This setting controls whether incoming connections are allowed to the client computers. Options include Yes, No, and Not Configured.
■ Notify The User When Windows Firewall Blocks A New Program. This setting is available only if Enable Windows Firewall is set to Yes for the corresponding network profile. This setting controls whether users are notified when Windows Firewall blocks a program. Options include Yes, No, and Not Configured.

In a manner similar to how you create a custom antimalware policy, you can create a firewall policy and then deploy the policy to a collection. There is no default Windows Firewall policy. During the policy deployment, you also can configure a schedule to evaluate compliance to the policy. This enables you to view deployment status for the policy to determine which clients are compliant or noncompliant with the Windows Firewall policy.
To create and deploy a firewall policy, perform the following procedure:
1. In the Configuration Manager console, click the Assets And Compliance workspace.
2. Expand the Endpoint Protection node and then click Windows Firewall Policies.
3. On the ribbon, click Create Windows Firewall Policy. The Create Windows Firewall Policy dialog box appears. Provide a name and description and then click Next.
4. On the Profile Settings page, configure settings for each of the network profiles, if required, and then complete the wizard.
To assign a firewall policy to a collection, perform the following procedure:
1. Select the policy you want to deploy and then, on the ribbon, click Deploy.
The Deploy Windows Firewall Policy dialog box appears.
2. Click the Browse button and, in the Select Collection dialog box, select the appropriate device collection. Click OK.
3. Under Specify The Compliance Evaluation Schedule For This Configuration Baseline, specify the schedule to evaluate client compliance with the policy. The default value is to evaluate compliance every seven days. Click OK to close the Deploy Windows Firewall Policy dialog box.
When you deploy a Windows Firewall policy to a device collection, the policy applies to clients in a random order over a two-hour period. This helps decrease the impact on the network.
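The compliance evaluation the deployment schedules is, in substance, a comparison of each profile's live firewall state against the three Yes/No/Not Configured settings the policy carries. The following PowerShell function is an added example (not the book's or Configuration Manager's code) of that comparison, useful when you want to confirm on one client why it reports as noncompliant before the next scheduled evaluation runs. The mapping of the policy settings onto Get-NetFirewallProfile properties is my assumption: Enable Windows Firewall onto Enabled, Block All Incoming Connections onto AllowInboundRules being False, and Notify The User onto NotifyOnListen. The sample profiles at the end are constructed so the check runs offline; omit -Profiles to evaluate the live client.

```powershell
# Added example (not the book's or Configuration Manager's code): evaluate a
# client's Windows Firewall profiles against an Endpoint Protection firewall
# policy. Property mapping is my assumption:
#   Enable Windows Firewall                               -> Enabled
#   Block All Incoming Connections, Including Those In
#   The List Of Allowed Programs                          -> AllowInboundRules (False = block all)
#   Notify The User When Windows Firewall Blocks A New Program -> NotifyOnListen

function Test-FirewallPolicyCompliance {
    [CmdletBinding()]
    param(
        # Desired state keyed by profile name (Domain, Private, Public). Each value is a
        # hashtable with EnableFirewall, BlockAllIncoming and NotifyUser set to
        # 'Yes', 'No' or 'NotConfigured', mirroring the policy's three options.
        [Parameter(Mandatory)] [hashtable] $Policy,
        # Profiles to evaluate; defaults to the live profiles of this client.
        [object[]] $Profiles = (Get-NetFirewallProfile)
    )

    foreach ($fwProfile in $Profiles) {
        $want = $Policy[$fwProfile.Name]
        if (-not $want) { continue }      # the policy leaves this profile alone

        $findings = @()

        # On a real client these are GpoBoolean enums (True/False/NotConfigured);
        # in the constructed sample they are strings. Comparing the string form handles both.
        $enabled  = ([string]$fwProfile.Enabled) -eq 'True'
        $rulesOn  = ([string]$fwProfile.AllowInboundRules) -eq 'True'
        $notifies = ([string]$fwProfile.NotifyOnListen) -eq 'True'

        if ($want.EnableFirewall -ne 'NotConfigured') {
            $expected = $want.EnableFirewall -eq 'Yes'
            if ($enabled -ne $expected) {
                $findings += "Enable Windows Firewall: expected $expected, found $enabled"
            }
        }

        # The two dependent settings are only available when the policy enables the firewall.
        if ($want.EnableFirewall -eq 'Yes') {
            if ($want.BlockAllIncoming -ne 'NotConfigured') {
                $expectedBlock = $want.BlockAllIncoming -eq 'Yes'
                $blocksAll     = -not $rulesOn
                if ($blocksAll -ne $expectedBlock) {
                    $findings += "Block All Incoming Connections: expected $expectedBlock, found $blocksAll"
                }
            }
            if ($want.NotifyUser -ne 'NotConfigured') {
                $expectedNotify = $want.NotifyUser -eq 'Yes'
                if ($notifies -ne $expectedNotify) {
                    $findings += "Notify The User: expected $expectedNotify, found $notifies"
                }
            }
        }

        [pscustomobject]@{
            Profile   = $fwProfile.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample profiles (not real client output) so the check runs offline.
$sampleProfiles = @(
    [pscustomobject]@{ Name = 'Domain';  Enabled = 'True';  AllowInboundRules = 'True'; NotifyOnListen = 'False' }
    [pscustomobject]@{ Name = 'Private'; Enabled = 'True';  AllowInboundRules = 'True'; NotifyOnListen = 'True'  }
    [pscustomobject]@{ Name = 'Public';  Enabled = 'False'; AllowInboundRules = 'True'; NotifyOnListen = 'True'  }
)
# Constructed policy: firewall on everywhere, lock down Public, notify on Private and Public.
$policy = @{
    Domain  = @{ EnableFirewall = 'Yes'; BlockAllIncoming = 'No';            NotifyUser = 'NotConfigured' }
    Private = @{ EnableFirewall = 'Yes'; BlockAllIncoming = 'NotConfigured'; NotifyUser = 'Yes' }
    Public  = @{ EnableFirewall = 'Yes'; BlockAllIncoming = 'Yes';           NotifyUser = 'Yes' }
}
Test-FirewallPolicyCompliance -Policy $policy -Profiles $sampleProfiles | Format-Table -AutoSize
```

In the constructed sample the Domain and Private profiles satisfy the policy, while Public fails both the enable check and the block-all-incoming check; the Findings column names each failed setting so the cause is visible without opening the profile properties.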

Policy management
After you deploy antimalware and Windows Firewall policies, you can perform a number of
policy management tasks. Table 4-4 provides a summary of them.

TABLE 4-4 Policy management tasks

Task: Increase priority
Description: If multiple policies are deployed to the same computer, the policies apply in the order shown in the Order column of the Antimalware Policies or Windows Firewall Policies results pane. You can use Increase Priority to increase the priority on a selected policy. This option is available for both antimalware and Windows Firewall policies.

Task: Decrease priority
Description: Similar to Increase Priority, you can use Decrease Priority to decrease the priority of a selected policy. This option is available for both antimalware and Windows Firewall policies.

Task: Merge antimalware policies
Description: This option enables you to merge multiple antimalware policies into a single policy. During the merge, if any policy conflicts occur they are resolved by using the most secure option for the conflicting setting.

Task: Perform an on-demand scan
Description: You might need to perform an on-demand scan of a single computer or a collection of computers outside the scheduled scan. If you select a device collection, the Endpoint Protection button, when clicked, provides options to perform a Full Scan or a Quick Scan on all computers within the collection. If you select a specific computer within a collection, you also can choose to perform a Full Scan or Quick Scan on the selected computer as required. This creates a Configuration Manager client notification, which attempts to initiate the scan as soon as possible.

Task: Force computers to download the latest antimalware definition files
Description: You can force a download of the latest antimalware definition files by performing the following procedure:
1. Select a device collection or a specific computer within a collection.
2. On the Collection tab, click Endpoint Protection.
3. Click Download Definition to open the Download Definition dialog box.
4. In the Download Definition dialog box, select a definition update source: Software Update Deployment or Endpoint Protection Client Source Order.
5. The Download Definition dialog box provides an option to randomize client execution of the download task. Configure the randomization period. The randomization period is set to 120 minutes by default.

Task: Set security scopes
Description: For each antimalware policy, you can define a specific security scope. This enables you to delegate policy management to specific administrative users. For example, you might specify a policy for workstations and configure another policy for servers. You can assign the workstation policy to a scope named Workstations, and you can assign the server policy to a scope named Servers. Then you can assign each scope to appropriate administrative users.
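Two rules from this objective decide what a client actually ends up with: the priority evaluation described under "Antimalware policies" (custom policies overlay the default policy, and among conflicting deployed policies the lowest priority number wins) and the Merge task above (conflicts resolved with the most secure option). The following PowerShell is an added example, not the book's or Configuration Manager's code, that models both rules on constructed policies so the "lowest number wins" direction and the difference between precedence and merge can be checked by running it. The setting names and the least-to-most-secure ranking in $SecureOrder are my assumptions for the illustration, not the product's internal representation.

```powershell
# Added example (not the book's or Configuration Manager's code): a model of how
# antimalware policies combine on a client. Setting names and the security
# ranking below are my assumptions for illustration.

# For each setting, values listed from least secure to most secure.
$SecureOrder = @{
    'DefaultAction.Severe'       = @('Allow', 'Quarantine', 'Remove')
    'DefaultAction.High'         = @('Allow', 'Quarantine', 'Remove')
    'RealTimeProtection.Enabled' = @($false, $true)
    'ScheduledScan.Enabled'      = @($false, $true)
    'ScheduledScan.Type'         = @('Quick', 'Full')
}

function Get-EffectiveAntimalwarePolicy {
    # Returns, per setting, the value the client ends up with and the policy that supplied it.
    param(
        [Parameter(Mandatory)] [hashtable] $DefaultPolicy,
        # Custom policies deployed to collections the client belongs to: objects with
        # Name, Priority (integer, 1 = highest priority) and Settings (hashtable).
        [object[]] $CustomPolicies = @()
    )
    $effective = @{}
    $source    = @{}
    foreach ($key in $DefaultPolicy.Keys) {
        $effective[$key] = $DefaultPolicy[$key]
        $source[$key]    = 'Default Client Antimalware Policy'
    }
    # Apply from the largest priority number down to the smallest, so the policy
    # with the lowest number writes last and therefore wins every conflict.
    foreach ($policy in ($CustomPolicies | Sort-Object -Property Priority -Descending)) {
        foreach ($key in $policy.Settings.Keys) {
            $effective[$key] = $policy.Settings[$key]
            $source[$key]    = "$($policy.Name) (priority $($policy.Priority))"
        }
    }
    foreach ($key in ($effective.Keys | Sort-Object)) {
        [pscustomobject]@{ Setting = $key; Value = $effective[$key]; Source = $source[$key] }
    }
}

function Merge-AntimalwarePolicy {
    # Models the console's Merge: settings that agree are kept; a conflicting setting
    # takes the most secure value in $SecureOrder; a conflict on a setting with no
    # ranking is refused rather than silently guessed.
    param([Parameter(Mandatory)] [object[]] $Policies)
    $merged = @{}
    $keys = $Policies | ForEach-Object { $_.Settings.Keys } | Sort-Object -Unique
    foreach ($key in $keys) {
        $values = @($Policies | Where-Object { $_.Settings.ContainsKey($key) } |
                    ForEach-Object { $_.Settings[$key] } | Sort-Object -Unique)
        if ($values.Count -eq 1) { $merged[$key] = $values[0]; continue }
        $order = $SecureOrder[$key]
        if (-not $order) { throw "Conflict on '$key' ($($values -join ', ')) has no security ranking" }
        $merged[$key] = $values | Sort-Object -Property { [array]::IndexOf($order, $_) } -Descending |
                        Select-Object -First 1
    }
    $merged
}

# Constructed sample policies (not real policies).
$default = @{
    'DefaultAction.Severe' = 'Quarantine'; 'DefaultAction.High' = 'Quarantine'
    'RealTimeProtection.Enabled' = $true; 'ScheduledScan.Enabled' = $true; 'ScheduledScan.Type' = 'Quick'
}
$servers = [pscustomobject]@{ Name = 'Servers'; Priority = 2
    Settings = @{ 'ScheduledScan.Type' = 'Full'; 'RealTimeProtection.Enabled' = $false } }
$highSec = [pscustomobject]@{ Name = 'High security'; Priority = 1
    Settings = @{ 'DefaultAction.Severe' = 'Remove'; 'RealTimeProtection.Enabled' = $true } }

# A client in both collections: priority 1 beats priority 2 on RealTimeProtection.Enabled,
# while ScheduledScan.Type still comes from the Servers policy because nothing outranks it.
Get-EffectiveAntimalwarePolicy -DefaultPolicy $default -CustomPolicies $servers, $highSec |
    Format-Table -AutoSize

# Merging the same two policies resolves the RealTimeProtection.Enabled conflict
# by keeping the more secure value rather than by priority.
Merge-AntimalwarePolicy -Policies $servers, $highSec
```

The point the model makes is that precedence and merge answer different questions: precedence decides which deployed policy a client follows when two apply, and it can leave a less secure value in force if that policy carries the lower number, whereas Merge produces one new policy that keeps the stricter value for every conflicting setting.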

MORE INFO MANAGING POLICIES

You can learn more about managing policies at http://technet.microsoft.com/en-us/library/hh524342.aspx.

Monitoring Endpoint Protection status

Configuration Manager provides extensive functionality, enabling you to monitor the status of the Endpoint Protection client. You can use Configuration Manager to perform the following monitoring tasks:
■ Ensure that computers have successfully installed the Endpoint Protection client.
■ Determine the status of the antimalware definition files on computers.
■ Determine which types of malware have been detected, how many computers have been affected, and the remediation status.
Table 4-5 describes the methods to monitor Endpoint Protection status and compliance.

TABLE 4-5 Endpoint Protection monitoring methods

Method: System Center 2012 R2 Endpoint Protection Status
Description: The Monitoring workspace has a node named Endpoint Protection Status. Under this node is another node, named System Center 2012 R2 Endpoint Protection Status. This node provides information such as:
■ Endpoint Protection client status.
■ Malware remediation status.
■ Top 5 malware by number of computers.
■ Operational status of clients.
■ Definition status on computers.
By default, All Systems is selected to show status information. If you want to view the status of other collections, you must select a collection for which you want to view status information. You can select collections that are listed only when:
■ You have deployed an antimalware policy to a collection.
■ You enable View This Collection In The Endpoint Protection Dashboard on the Alerts tab of the device collection’s properties.

Method: Malware Detected
Description: The Monitoring workspace also has a node named Malware Detected. This node provides a summary of detected malware, including information such as Collection, Threat Name, Computers Infected, and Computers Remediated.


Method: Antimalware Policies and Malware Detail tabs
Description: In the Assets And Compliance workspace, you can click the Devices node (or expand the Device Collections node) and double-click to view the membership of a device collection. When you select a computer, the preview pane displays an Antimalware Policies tab and a Malware Detail tab. The Antimalware Policies tab shows statistics related to the application state of the policy applied to the client. The Malware Detail tab provides statistics on detected threats and the computer’s remediation state.

Method: Reports
Description: The Endpoint Protection report category provides six reports that you can use to classify antimalware activity and infection status. These reports include the following:
■ Antimalware Activity Report
■ Antimalware Overall Status And History
■ Computer Malware Details
■ Infected Computers
■ Top Users By Threats
■ User Threat List

MORE INFO MONITORING ENDPOINT PROTECTION
You can learn more about monitoring Endpoint Protection at http://technet.microsoft.com/en-us/library/hh508769.aspx.

Configuring alerts
You can use Configuration Manager alerts to notify administrative users when specific events have occurred within the hierarchy. You can configure alerts for each collection by opening the Properties dialog box of that collection and then selecting the Alerts tab and clicking Add. This displays the Add New Collection Alerts dialog box, shown in Figure 4-8. Table 4-6 describes the Endpoint Protection events that you can enable to generate alerts.

FIGURE 4-8 Add New Collection Alerts



TABLE 4-6 Endpoint Protection alert settings

Event: Malware Is Detected
Description: When you select this event, an alert is generated if malware is detected on any computer within the collection. You can define the malware detection threshold for the alert. Choose from the following options:
■ High – All Detections An alert is generated whenever malware is detected, regardless of the action the Endpoint Protection client takes.
■ Medium – Detected, Pending Action An alert is generated only if one or more computers require a manual action to complete the malware removal.
■ Low – Detected, Still Active An alert is generated when there are one or more computers in the collection on which detected malware is still active.

Event: The Same Type Malware Is Detected On A Number Of Computers
Description: When you select this event, an alert is generated if the same malware has been detected on a specified percentage of computers.

Event: The Same Type Malware Is Repeatedly Detected Within The Specified Interval On A Computer
Description: When you select this event, an alert is generated if specific malware is detected more than a specified number of times over a specified number of hours.

Event: Multiple Types Of Malware Are Detected On The Same Computer With The Specified Interval
Description: When you select this event, an alert is generated if more than a specified number of malware types are detected over a specified number of hours on computers in the monitored collection.

For each event, you also can specify the severity of the alert itself. Choose Critical, Warning, or Information.
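The three threshold-based events in Table 4-6 are easier to tune once you have seen how the percentage, count and interval parameters interact. The following PowerShell is an added example, not code from the book or from Configuration Manager: it evaluates the same three conditions offline over a constructed set of detection records (the computer names, threat names, times and the collection size of 10 are all made up) so you can try thresholds before committing them to a collection's Alerts tab.

```powershell
# Added example: model the three Endpoint Protection collection-alert thresholds from Table 4-6.
# All data below is constructed for illustration; nothing is read from a site.

$collectionSize = 10   # assumed number of computers in the monitored collection

# Constructed sample of what a Malware Detected list for one collection might contain.
$detections = @(
    [pscustomobject]@{ Computer = 'BNE-WS01'; Threat = 'Trojan:Win32/SampleA'; Time = [datetime]'2014-09-01 08:05' }
    [pscustomobject]@{ Computer = 'BNE-WS01'; Threat = 'Trojan:Win32/SampleA'; Time = [datetime]'2014-09-01 09:40' }
    [pscustomobject]@{ Computer = 'BNE-WS01'; Threat = 'Trojan:Win32/SampleA'; Time = [datetime]'2014-09-01 11:15' }
    [pscustomobject]@{ Computer = 'BNE-WS01'; Threat = 'Worm:Win32/SampleB';   Time = [datetime]'2014-09-01 12:00' }
    [pscustomobject]@{ Computer = 'BNE-WS02'; Threat = 'Trojan:Win32/SampleA'; Time = [datetime]'2014-09-01 10:20' }
    [pscustomobject]@{ Computer = 'BNE-WS03'; Threat = 'Trojan:Win32/SampleA'; Time = [datetime]'2014-09-02 14:00' }
    [pscustomobject]@{ Computer = 'BNE-WS04'; Threat = 'Worm:Win32/SampleB';   Time = [datetime]'2014-09-03 09:30' }
)

# "The Same Type Malware Is Detected On A Number Of Computers": one threat on >= Percent of the collection.
function Get-WidespreadThreat {
    param([object[]]$Detections, [int]$CollectionSize, [int]$Percent)
    $Detections | Group-Object Threat | ForEach-Object {
        $affected = @($_.Group | Select-Object -ExpandProperty Computer -Unique).Count
        $pct = [math]::Round(100 * $affected / $CollectionSize, 1)
        if ($pct -ge $Percent) {
            [pscustomobject]@{ Threat = $_.Name; ComputersAffected = $affected; PercentOfCollection = $pct }
        }
    }
}

# "The Same Type Malware Is Repeatedly Detected Within The Specified Interval On A Computer":
# more than Times detections of one threat on one computer inside any Hours-long window.
function Get-RepeatedDetection {
    param([object[]]$Detections, [int]$Times, [int]$Hours)
    $Detections | Group-Object Computer, Threat | ForEach-Object {
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $max = 0
        foreach ($start in $times) {
            $end = $start.AddHours($Hours)
            $inWindow = @($times | Where-Object { $_ -ge $start -and $_ -le $end }).Count
            if ($inWindow -gt $max) { $max = $inWindow }
        }
        if ($max -gt $Times) {
            [pscustomobject]@{ Computer = $_.Group[0].Computer; Threat = $_.Group[0].Threat; DetectionsInWindow = $max }
        }
    }
}

# "Multiple Types Of Malware Are Detected On The Same Computer With The Specified Interval":
# more than Types distinct threats on one computer inside any Hours-long window.
function Get-MultiTypeInfection {
    param([object[]]$Detections, [int]$Types, [int]$Hours)
    $Detections | Group-Object Computer | ForEach-Object {
        $events = @($_.Group | Sort-Object Time)
        $max = 0
        foreach ($start in $events) {
            $end = $start.Time.AddHours($Hours)
            $distinct = @($events | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end } |
                          Select-Object -ExpandProperty Threat -Unique).Count
            if ($distinct -gt $max) { $max = $distinct }
        }
        if ($max -gt $Types) {
            [pscustomobject]@{ Computer = $_.Name; ThreatTypesInWindow = $max }
        }
    }
}

# Example thresholds; with the sample data each condition fires for SampleA / BNE-WS01.
Get-WidespreadThreat   -Detections $detections -CollectionSize $collectionSize -Percent 20
Get-RepeatedDetection  -Detections $detections -Times 2 -Hours 4
Get-MultiTypeInfection -Detections $detections -Types 1 -Hours 4
```

The sliding window is the part worth noticing: a fixed "per calendar day" count would miss the three SampleA detections on BNE-WS01 if a day boundary fell between them, whereas a window anchored on each detection catches any burst of the configured length. The same reasoning applies when choosing the interval on the Alerts tab.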

MORE INFO CONFIGURING ALERTS
You can learn more about configuring alerts for Endpoint Protection in Configuration Manager at http://technet.microsoft.com/en-us/library/hh508782.aspx.

EXAM TIP
Remember how antimalware policy priority works.



Thought experiment
Endpoint Protection at Tailspin Toys
You have noticed that computers at your organization’s Brisbane branch office seem more susceptible to malware infection than computers at other locations. Some computers are being infected repeatedly by the same type of malware. Sometimes the same malware infects multiple collections. You are configuring the collection alert settings for the Brisbane computers collection. With this information in mind, answer the following questions:

1. Which alert option should you configure to detect repeat infections on the same computer?

2. Which alert option should you configure to detect the same malware on multiple computers?

Objective summary
■ System Center Endpoint Protection is an antimalware client that can detect and remediate malware, rootkit, network, and spyware vulnerabilities; automatically download antimalware definitions and engine updates; and manage Windows Firewall settings.
■ Endpoint Protection requires a Configuration Manager Endpoint Protection point, which you configure with client settings and, depending on how you want definition updates delivered, a software update point.
■ You use an antimalware policy to control configuration settings for the Endpoint Protection client on client computers.
■ You can configure a firewall policy to establish settings for each type of network profile, including domain, private, and public.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following locations can host antimalware definition update files for an Endpoint Protection client? (Choose three. Each correct answer provides a complete solution.)
A. FTP site
B. Microsoft Update/Microsoft Malware Protection Center
C. UNC file share
D. WSUS server



2. Your organization has a central administration site; the Sydney primary site; the Melbourne primary site; and secondary sites at Canberra, Geelong, and Newcastle. The Geelong site is a secondary site of the Melbourne site. Clients in the Geelong site will be using System Center Endpoint Protection. In which site should you deploy the Endpoint Protection Point Site System role?
A. Central administration site
B. Melbourne
C. Sydney
D. Geelong
3. Which of the following would you configure in an antimalware policy to ensure that files on volume E were not scanned for malware by the Endpoint Protection client?
A. Advanced settings
B. Real-time protection
C. Exclusion settings
D. Threat overrides
4. Which of the following antimalware policy settings would you configure to have a system restore point automatically created by the Endpoint Protection client before cleaning malware from computers?
A. Real-time protection
B. Exclusion settings
C. Advanced settings
D. Threat overrides



Answers

Objective 4.1
Thought experiment
1. You must configure the Intune connector to manage mobile device configuration item settings.
2. You could look for application-specific registry settings by using Registry Key settings or look for files related to the application by using File System configuration item settings.

Objective review
1. Correct answers: A and C
A. Correct: Registry values support remediation.
B. Incorrect: Registry keys do not support remediation. Registry values do.
C. Correct: WQL queries support remediation.
D. Incorrect: XPath queries do not support remediation.
2. Correct answer: C
A. Incorrect: You use an Active Directory query setting type to perform an Active Directory query to locate values in Active Directory.
B. Incorrect: You use the Assembly setting type to determine whether an assembly from the global assembly cache is present.
C. Correct: You can use a File System setting type in a configuration item to determine whether a particular file is present on a Configuration Manager client.
D. Incorrect: You use a Registry Value setting type to check for a registry value.
3. Correct answer: D
A. Incorrect: You use a Registry Value setting type to check for a registry value. You use Registry Key to check for a registry key.
B. Incorrect: You use the WQL query setting to determine whether a WQL query run on a Configuration Manager client matches a specific value.
C. Incorrect: You can use the Script setting type to run a script that checks for a specific result or runs as a remediation script to remedy a noncompliant setting.
D. Correct: You use a Registry Key setting type to check for a registry key.



4. Correct answer: B
A. Incorrect: You use this setting to determine whether a WQL query run on a Configuration Manager client matches a specific value.
B. Correct: You can use the Script setting type to run a script that checks for a specific result or runs as a remediation script to remedy a noncompliant setting.
C. Incorrect: You can use a File System setting type in a configuration item to determine whether a particular file is present on a Configuration Manager client.
D. Incorrect: You use the Assembly setting type to determine whether an assembly from the global assembly cache is present.
5. Correct answer: A
A. Correct: You use this setting to determine whether a WQL query run on a Configuration Manager client matches, is greater than, or is less than a specific value.
B. Incorrect: Although you could call a script that runs the query, the best answer is to use the WQL query type directly rather than calling a WQL query in a script.
C. Incorrect: You can use a File System setting type in a configuration item to determine whether a particular file is present on a Configuration Manager client.
D. Incorrect: You use a Registry Value setting type to check for a registry value.

Objective 4.2
Thought experiment
1. You can use the Summary Compliance By Configuration items for a configuration baseline when looking at a collection. You use the detailed report for a specific asset.
2. You would use the compliance history of a configuration baseline report to view configuration baseline compliance trend data.

Objective review
1. Correct answers: A and D
A. Correct: A configuration baseline is a group of configuration items, software updates, and other configuration baselines.
B. Incorrect: A configuration baseline is a group of configuration items, software updates, and other configuration baselines.
C. Incorrect: A configuration baseline is a group of configuration items, software updates, and other configuration baselines.
D. Correct: A configuration baseline is a group of configuration items, software updates, and other configuration baselines.



2. Correct answers: A and D
A. Correct: You need to select the collection to which the configuration baseline will be deployed when deploying a baseline.
B. Incorrect: Although you can specify a schedule, you can use the default schedule, so Select The Compliance Evaluation Schedule For This Configuration Baseline is not mandatory.
C. Incorrect: You don’t need to generate alerts to accomplish this goal.
D. Correct: You select Remediate Noncompliant Rules When Supported to remediate noncompliant rules when possible.
3. Correct answers: B and D
A. Incorrect: You select Remediate Noncompliant Rules When Supported to remediate noncompliant rules when possible.
B. Correct: You need to configure Generate An Alert When Compliance Is Below The Specified Percentage After The Specified Date And Time to accomplish your goal.
C. Incorrect: Although you can specify a schedule, you can use the default schedule, so Select The Compliance Evaluation Schedule For This Configuration Baseline is not mandatory.
D. Correct: You need to select the collection to which the configuration baseline will be deployed when deploying a baseline.
4. Correct answer: B
A. Incorrect: The file will be present on computers that are compliant.
B. Correct: Computers that are noncompliant do not have the file and will form the basis of the new collection.
C. Incorrect: The Error state doesn’t allow you to determine whether the file is present and should not be used as the basis for the new collection.
D. Incorrect: The Unknown state doesn’t allow you to determine whether the file is present and should not be used as the basis for the new collection.

Objective 4.3
Thought experiment
1. You should configure The Same Type Malware Is Repeatedly Detected Within The Specified Interval On A Computer.
2. You should configure The Same Type Malware Is Detected On A Number Of Computers.



Objective review
1. Correct answers: B, C, and D
A. Incorrect: You can’t configure the Endpoint Protection client to retrieve antimalware definition updates from an FTP site.
B. Correct: Antimalware definition update files for the Endpoint Protection client can be retrieved from Microsoft Update/Microsoft Malware Protection Center.
C. Correct: Antimalware definition update files for the Endpoint Protection client can be hosted on a UNC file share.
D. Correct: Antimalware definition update files for the Endpoint Protection client can be hosted through WSUS.
2. Correct answer: A
A. Correct: You deploy the Endpoint Protection Point Site System role at the top of the Configuration Manager hierarchy.
B. Incorrect: You deploy the Endpoint Protection Point Site System role at the top of the Configuration Manager hierarchy.
C. Incorrect: You deploy the Endpoint Protection Point Site System role at the top of the Configuration Manager hierarchy.
D. Incorrect: You deploy the Endpoint Protection Point Site System role at the top of the Configuration Manager hierarchy.
3. Correct answer: C
A. Incorrect: Advanced settings enable you to configure options such as whether to create a system restore point before cleaning computers, show notification messages to users, delete quarantined files after a specified number of days, and allow users to control exclusions.
B. Incorrect: Use real-time protection settings to enable real-time protection. If you enable real-time protection, additional options are available to specify whether to scan incoming files, outgoing files, or both. You also can specify whether users can configure real-time protection settings on their computers.
C. Correct: Exclusion settings enable you to specify files, locations, file types, and processes to exclude from the scanning process.
D. Incorrect: Threat overrides settings enable you to configure a specific action (Allow, Remove, or Quarantine) based on a threat name.



4. Correct answer: C
A. Incorrect: Use real-time protection settings to enable real-time protection. If you enable real-time protection, additional options are available to specify whether to scan incoming files, outgoing files, or both. You also can specify whether users can configure real-time protection settings on their computers.
B. Incorrect: Exclusion settings enable you to specify files, locations, file types, and processes to exclude from the scanning process.
C. Correct: Advanced settings enable you to configure options such as whether to create a system restore point before cleaning computers, show notification messages to users, delete quarantined files after a specified number of days, and allow users to control exclusions.
D. Incorrect: Threat overrides settings enable you to configure a specific action (Allow, Remove, or Quarantine) based on a threat name.



CHAPTER 5

Manage Configuration Manager clients
The Configuration Manager client is software that you deploy to devices that you intend to manage using System Center 2012 R2 Configuration Manager. The client performs tasks locally, based on the instructions received from Configuration Manager. Collections enable you to group devices or users for performing tasks by using Configuration Manager.

Objectives in this chapter:
■ Objective 5.1: Deploy and manage the client agent.
■ Objective 5.2: Manage collections.
■ Objective 5.3: Configure and monitor client status.

Objective 5.1: Deploy and manage the client agent
This objective deals with how to deploy the Configuration Manager client. It covers the properties of the client itself, the site systems that need to be present within the Configuration Manager hierarchy to support client deployment, the process of installing the client, and the management of client settings.

This section covers the following topics:
■ The Configuration Manager client
■ Site systems used in client deployment
■ Client installation
■ Client assignment
■ Client settings



The Configuration Manager client
You deploy the Configuration Manager client to devices to perform tasks on behalf of the Configuration Manager server. The Configuration Manager client consists of multiple elements that run in the background. These elements perform tasks based on the site configuration and policy.
On computers running Windows operating systems, the user interface (UI) for the Configuration Manager client consists of two parts: the Configuration Manager control panel and Software Center. If you managed previous versions of Configuration Manager, you are likely familiar with the Configuration Manager control panel. You access it through Control Panel on supported computers running Windows operating systems. You configure and manage the Configuration Manager client software for computers running Mac OS X, Linux, and UNIX operating systems through the command-line interface.
Unlike the Configuration Manager control panel, which is generally used by users with Administrative privileges, Software Center is designed for use by end users. Software Center, shown in Figure 5-1, provides end users with the ability to interact with the app distribution process.

FIGURE 5-1 Software Center Options dialog box

The tabs of the Configuration Manager Properties dialog box are as follows:
■ General This tab, shown in Figure 5-2, enables you to view identifying information about the client. This includes the build number, the assigned site, the type of certificate, and the management point the client is using.



FIGURE 5-2 Configuration Manager Properties General tab

■ Components This tab enables you to view information about the installed components
and agents. When you install the client, this installs all client components and agents,
even if you disable them at the site. On this tab, you can view versions of the individual
components and whether they are enabled or disabled. This tab is shown in Figure 5-3.

FIGURE 5-3 Configuration Manager Properties Components tab



■ Actions This tab enables you to initiate client actions when you do not want to wait until the scheduled time. Client actions include starting a hardware or software inventory cycle, retrieving user or machine policy updates, and similar actions. Figure 5-4 shows this tab.

FIGURE 5-4 Configuration Manager Properties Actions tab

■ Site This tab enables you to assign a client to a site either automatically or manually. Changes to this tab require local administrator rights.
■ Cache Use this tab to configure the client cache settings. On this tab, you can change the cache location from the default location of %systemroot%\Ccmcache to a different location, or you can delete files from the cache. You also can change the cache’s size. Changes to this tab require local administrator rights.
■ Configurations This tab enables you to view the configuration baselines assigned to this client. You also can run an evaluation and view a local report of the client’s compliance. Access to local compliance reports from this tab requires local administrator rights.
■ Network This tab enables you to configure settings for Internet-based management. Changes to this tab require local administrator rights.
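Everything the General, Cache and Actions tabs expose is also readable from the client's own WMI namespaces, which is how you check a fleet of clients without opening the control panel on each one. The following PowerShell is an added example, not code from the book or from Microsoft: it reads the assigned site, current management point, client version and cache settings from the `root\ccm` and `root\ccm\SoftMgmtAgent` namespaces, and triggers the same inventory and policy cycles the Actions tab offers through the `SMS_Client.TriggerSchedule` method. It assumes an elevated session on the client (the tabs themselves require local administrator rights for the same operations); the cycle names in the hashtable are labels chosen here, while the schedule IDs are the ones the client agent uses.

```powershell
# Added example: read Configuration Manager client state and trigger client cycles from PowerShell.
# Run elevated on a Windows client that has the Configuration Manager client installed.

function Get-CMClientSummary {
    # SMS_Authority holds the assigned site (as "SMS:<SiteCode>") and the current management point;
    # SMS_Client holds the client version; CacheConfig holds the cache location and size (MB).
    $authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority
    $client    = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client
    $cache     = Get-WmiObject -Namespace 'root\ccm\SoftMgmtAgent' -Class CacheConfig

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        ClientVersion   = $client.ClientVersion
        AssignedSite    = $authority.Name -replace '^SMS:', ''
        ManagementPoint = $authority.CurrentManagementPoint
        CacheLocation   = $cache.Location
        CacheSizeMB     = $cache.Size
    }
}

# Schedule IDs understood by SMS_Client.TriggerSchedule; the trailing number identifies the cycle.
# The friendly names on the left are labels chosen for this example.
$ClientCycles = @{
    HardwareInventory       = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory       = '{00000000-0000-0000-0000-000000000002}'
    MachinePolicyRetrieval  = '{00000000-0000-0000-0000-000000000021}'
    MachinePolicyEvaluation = '{00000000-0000-0000-0000-000000000022}'
}

function Invoke-CMClientCycle {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('HardwareInventory', 'SoftwareInventory', 'MachinePolicyRetrieval', 'MachinePolicyEvaluation')]
        [string]$Cycle
    )
    # Equivalent to selecting the cycle on the Actions tab and clicking Run Now.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList $ClientCycles[$Cycle] | Out-Null
    "Triggered $Cycle ($($ClientCycles[$Cycle]))"
}

function Set-CMClientCacheSize {
    # Same change as editing the size on the Cache tab; needs local administrator rights.
    param([Parameter(Mandatory)][int]$SizeMB)
    $cache = Get-WmiObject -Namespace 'root\ccm\SoftMgmtAgent' -Class CacheConfig
    $cache.Size = $SizeMB
    $cache.Put() | Out-Null
}

Get-CMClientSummary
Invoke-CMClientCycle -Cycle MachinePolicyRetrieval
Invoke-CMClientCycle -Cycle HardwareInventory
```

Because these namespaces are available remotely over WMI to administrators, the same functions can be run against a list of computers with `-ComputerName`, which is a quick way to confirm that every client in a collection reports the management point you expect after a site change.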



Users can set the following preferences for software delivery or remote control by using Software Center:
■ Specify their work information, which includes business hours and days. Users must set aside at least four hours a day for Configuration Manager maintenance tasks.
■ Exclude their system from the Configuration Manager Power Management feature if the Configuration Manager policy permits this.
■ Specify how software maintenance occurs. Users can specify that their systems install software only outside business hours, or that Software Center activities are suspended while the computer is in presentation mode.
■ Override remote control settings for their computers if Configuration Manager policy permits it. Users can specify settings such as the level of remote access and whether permission is required to start a remote control session.

MORE INFO CLIENT SETTINGS
You can learn more about client settings at http://technet.microsoft.com/en-us/library/gg682067.aspx.

Workgroup-based clients
You can use Configuration Manager to manage computers that are not part of a domain. These computers, referred to as workgroup-based computers, must meet the following prerequisites:
■ You must install the Configuration Manager client software manually on each workgroup-based computer by using an account with local administrator privileges.
■ You must configure a network access account to allow access to resources in the site server domain for clients that are not domain members.
There also are features that Configuration Manager does not support for workgroup-based computers, including:
■ Using client push installation.
■ Targeting users for application deployment.
■ Performing global roaming.
■ Using Active Directory Domain Services (AD DS) to locate site system servers.
■ Using Active Directory discovery.
An alternative to managing nondomain client computers by using Configuration Manager is to manage them by using Microsoft Intune. In this scenario, ensure that you deploy the nondomain-joined client on a network with connectivity to the Internet.



Internet-based clients
You can use Configuration Manager to manage clients on internal networks and clients on external networks with Internet connectivity. Clients on external networks that have Internet connectivity are referred to as Internet-based clients. Configuration Manager uses HTTPS to communicate securely with these clients. To configure a client for Internet-based client management, you must obtain a computer certificate from a trusted certification authority (CA). You must also configure the client with the Internet fully qualified domain name (FQDN) of the management point. After you configure the client, you can manage it as long as the client retains connectivity to the Internet-facing site systems for its assigned Configuration Manager site.
To support HTTPS, you need to deploy a certificate from a trusted CA on the Configuration Manager site systems with which clients communicate. This can be from an internal CA that the client is configured to trust or from an external trusted CA. When using an internal enterprise CA, you can use only version 2 templates because Configuration Manager does not support certificates issued from version 3 and version 4 templates.
Internet-based clients do not support all Configuration Manager features. Specifically, Configuration Manager does not support the following client features on the Internet:
■ Client deployment over the Internet, such as client push and software update–based client deployment. Use manual client installation instead.
■ Auto-site assignment.
■ Network Access Protection (NAP).
■ Wake On LAN (WOL).
■ Operating system deployment. However, you can deploy task sequences that do not deploy an operating system, such as task sequences that run scripts and maintenance tasks on clients.
■ Remote control.
■ Out-of-band management, which enables you to manage the computer before the operating system is active.
■ Software deployment to users unless the Internet-based management point can authenticate the user in AD DS by using Windows authentication (Kerberos authentication or Windows NT LAN Manager). This is possible when the Internet-based management point trusts the forest in which the user account resides.
An alternative to Internet-based client management is to use DirectAccess, a feature supported for clients running the Enterprise editions of Windows 7, Windows 8, and Windows 8.1 operating systems. DirectAccess enables clients on the Internet to access internal network resources through an always-on, computer-authenticated virtual private network (VPN). DirectAccess has prerequisites, including a requirement that the computers be domain joined and that you deploy a DirectAccess server. A further alternative is to manage Internet-based clients by using Intune.



MORE INFO INTERNET-BASED CLIENT MANAGEMENT
You can learn more about Internet-based client management at http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx.

Mac OS X computers
System Center 2012 Configuration Manager Service Pack 1 (SP1) introduced support for Mac OS X computers. Configuration Manager supports the following versions of the Mac operating systems:
■ Mac OS X 10.6 (Snow Leopard)
■ Mac OS X 10.7 (Lion)
■ Mac OS X 10.8 (Mountain Lion)
■ Mac OS X 10.9 (System Center R2 Configuration Manager only)
Mac OS X computers are limited to the following Configuration Manager features:
■ Hardware inventory You can use the hardware inventory data collected from Mac OS X computers in the same way as data collected from Windows-based computers; that is, you can use it to create collections, reports, and queries. You also can use the Configuration Manager console feature Resource Explorer to view hardware inventory data for Mac OS X computers.
■ Software deployment You can use Configuration Manager to deploy software that is packaged in the following formats to Mac OS X computers:
■ Mac OS Installer Package (.pkg)
■ Mac OS X Application (.app)
■ Apple Disk Image (.dmg)
■ Meta Package File (.mpkg)
■ Compliance settings Configuration Manager supports the use of Mac OS X Preference settings (.plist files) to enforce the configuration of different elements on Mac OS X computers, or shell scripts to monitor and remediate settings.
Configuration Manager client software installation and management for Mac OS X computers requires the use of public key infrastructure (PKI) certificates. The Configuration Manager client software for Mac OS X computers always performs certificate revocation checking, and you cannot disable this functionality. If a Mac OS X computer is unable to perform the check, it will not connect to the Configuration Manager site systems.
Mac OS X computers communicate with Configuration Manager site systems as if they were Internet-based clients. This means that all communication happens by using HTTPS. You must configure management points and distribution points to support Mac OS X computers.
To configure a management point and a distribution point to support Mac OS X computers, perform the following procedure:



1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and then click Servers And Site System Roles.
3. Select the computer that has the management point role assigned. In the details pane, right-click Management Point and then click Properties.
4. In the Management Point Properties dialog box, under Client connections, click HTTPS.
5. Select the Allow Mobile Devices And Mac Computers To Use This Management Point check box and then click OK.
6. Select the computer that has the distribution point role assigned. In the details pane, right-click Distribution Point and then click Properties.
7. In the Distribution Point Properties dialog box, under Specify How Client Computers Communicate With This Distribution Point, select HTTPS.
8. Under Create A Self-Signed Certificate Or Import A PKI Client Certificate, select Import Certificate and then click Browse.
9. Browse to the web server certificate that was created previously for the distribution point and then click OK.
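The procedure above switches the management point and distribution point to HTTPS, but the Mac client's non-negotiable revocation check means a site system whose certificate chain cannot be validated online (a CRL distribution point that is unreachable from the client network, an intermediate CA the client does not have) silently stops those clients connecting. The following PowerShell is an added example, not code from the book or from Configuration Manager: run from a Windows administration workstation, it performs a TLS handshake with a site system, captures the certificate it presented, rebuilds the chain with online revocation checking for every certificate in it, and reports whether the name the client will use appears in the certificate. The host name `dp01.contoso.com` is a placeholder to replace with your site system's FQDN.

```powershell
# Added example: check a site system's HTTPS certificate the way a revocation-enforcing client would.
# Requires outbound 443 to the site system and whatever the CRL/OCSP locations in the chain need.

function Test-SiteSystemCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,   # FQDN exactly as the client is configured to use it
        [int]$Port = 443
    )

    # Accept the handshake unconditionally so the certificate can be captured and assessed
    # explicitly below; this callback is not a trust decision.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Build the chain with online revocation checking on every certificate, not just the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $chainOk = $chain.Build($cert)

    # A name mismatch fails the client just as surely as a revocation failure, so collect
    # the subject DNS name plus every DNS name in the Subject Alternative Name extension.
    $dnsNames = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames += $san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }

    [pscustomobject]@{
        HostName    = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        NameMatches = [bool]($dnsNames -contains $HostName)
        ChainValid  = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        DnsNames    = ($dnsNames -join ', ')
    }
}

# Placeholder FQDN: substitute the name set in the Management Point / Distribution Point properties.
Test-SiteSystemCertificate -HostName 'dp01.contoso.com'
```

A result of `ChainValid = False` with `ChainStatus` containing `RevocationStatusUnknown` or `OfflineRevocation` is the case the book warns about: the certificate may be perfectly good, but a client that must complete the revocation check cannot, and will not connect. Run the check from the network segment the Mac clients actually sit on, since CRL reachability is what usually differs between the server LAN and the client LAN.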

MORE INFO MANAGING MAC OS X
You can learn more about managing Mac OS X with Configuration Manager at http://blogs.technet.com/b/pauljones/archive/2013/06/02/managing-mac-os-x-with-system-center-2012-configuration-manager.aspx.

Linux and UNIX computers
System Center 2012 Configuration Manager SP1 introduced support for computers running the Linux or UNIX operating systems. The following versions of Linux and UNIX are supported:
■ Oracle Linux 5 and 6
■ Red Hat Enterprise Linux 4, 5, and 6
■ Solaris 9, 10, and 11
■ SUSE Linux Enterprise Server 9, 10, and 11
■ Debian 5 and 6
■ CentOS-5.0 and CentOS 6
■ Ubuntu 12.4 LTS and 10.4 LTS
■ IBM AIX 5.3, 6.1, and 7.1
■ HP-UX 11i v2 and 11i v3



Configuration Manager supports the following features on Linux-based and UNIX-based computers:
■ Hardware inventory You can use hardware inventory data collected from Linux and UNIX computers in the same way as data collected from Windows-based computers; that is, you can use it to create collections, reports, and queries. You also can use Resource Explorer to view hardware inventory data for Linux-based and UNIX-based computers.
■ Software deployment You can use Configuration Manager to deploy software to Linux-based and UNIX-based computers by using packages and programs. Using Configuration Manager for deploying software on Linux-based and UNIX-based computers does not support any kind of user interaction.
Linux-based and UNIX-based computers are also workgroup-based clients and, therefore, have the same prerequisites and limitations of workgroup-based computers. Furthermore, the Configuration Manager client software for Linux and UNIX does not support Server Message Block (SMB) communication, forcing all communication with distribution points to happen over HTTP or HTTPS.
To configure a distribution point to support Linux-based and UNIX-based computers, perform the following steps:
1. In the Configuration Manager console, click Administration.
2. In the Administration workspace, expand Site Configuration and then click Servers And Site System Roles.
3. Select the computer that has the distribution point role assigned. In the details pane, right-click Distribution Point and then click Properties.
4. In the Distribution Point Properties dialog box, under Specify How Client Computers Communicate With This Distribution Point, select either HTTP or HTTPS.
5. If you selected HTTPS in step 4, under Create A Self-Signed Certificate Or Import A PKI Client Certificate, select Import Certificate, click Browse, find a web server certificate that you created previously for the distribution point, and then click OK.

MORE INFO UNIX AND LINUX SUPPORT

You can learn more about UNIX and Linux support at
http://blogs.msdn.com/b/steverac/archive/2013/06/27/unix-and-linux-support-in-configmgr-2012-sp1.aspx.

Objective 5.1: Deploy and manage the client agent CHAPTER 5 229


Client installation
To deploy the components of the Configuration Manager client software efficiently to
potential resources, you need to decide which deployment method to use. Consider the
benefits of each installation method and decide which method suits your environment best.
The client deployment methods are as follows:
■ Client push installation This method pushes the Configuration Manager client
software to client computers. You can automate this deployment method so that client
installation occurs on systems assigned to the site, or you can manually initiate a client
push installation to any discovered system supported for client installation.
■ Group Policy installation This method uses Group Policy to publish or assign the
Configuration Manager client software to computers when the Group Policy Object
(GPO) updates on the computer.
■ Software update point installation Use this method to install the Configuration
Manager client software installation program (CCMSetup.exe) as a software update from
a software update point. This is useful if Windows Server Update Services (WSUS) is
in use in the environment, particularly if you have Windows Firewall enabled and not
configured to support other installation methods.
■ Manual installation In this method, you manually initiate the Configuration
Manager client software installation on computers by using CCMSetup.exe. If AD DS
contains published information from Configuration Manager, and if you run
CCMSetup.exe without any command-line parameters, the client installation process
retrieves the published client installation parameters from AD DS.
■ Logon script installation This method uses CCMSetup.exe in a logon script to
trigger the client installation. This method ensures that the Configuration Manager client
software is installed on all computers on which the user has local administrator
permissions and that are members of the domain in which the policy that applies the
logon script is configured.
■ Upgrade installation (software deployment) Use this method to upgrade existing
client software on computers to newer Configuration Manager versions.
■ Operating system deployment When using operating system deployment to
deploy a new operating system or to upgrade an existing one, you can include the
Configuration Manager client software as part of the operating system deployment
process.
■ Computer imaging Use this method to preinstall the Configuration Manager
client software on a master image computer that will be used to build your enterprise's
computers.
Depending on the client installation method you use, the complexity of configuration can
vary significantly. However, all the installation methods use the same files and complete the
installation in essentially the same way. The installation process for the Configuration
Manager client software for Windows-based clients uses the following files:
■ CCMSetup.exe
■ Client.msi
■ CCMSetup.msi

CCMSetup.exe
CCMSetup.exe generally begins the client installation process and runs in all client installation
methods. CCMSetup performs the following actions:
■ Determines the location from which to download client prerequisites and installation
files. If you start CCMSetup without command-line options, and if you have extended
the AD DS schema for Configuration Manager, the setup process reads the client
installation properties from AD DS to find an appropriate management point. If you have
not extended the Active Directory schema, CCMSetup searches Domain Name System
(DNS) or Windows Internet Naming Service (WINS) for a management point to contact.
Alternatively, you can specify a management point by providing the
/mp:<ComputerName> switch or a specific Universal Naming Convention (UNC) location
by using the /source:<path> switch.
■ Downloads and installs client prerequisite files. These include the Client.msi file and all
prerequisite software necessary for the installation.
CCMSetup copies all the files it needs to the %systemroot%\CCMSetup\Logs folder and
creates the Ccmsetup.log file in the same location. Numerous switches are available for
modifying the behavior of CCMSetup.exe.

Client.msi
After CCMSetup.exe installs the required prerequisites on the intended client, CCMSetup
invokes Client.msi, a Windows Installer file, by using MSIExec. MSIExec then installs the client
on the system. Client.msi creates the client.msi.log file in the %systemroot%\CCMSetup folder.
You can modify the Client.msi installation behavior by providing specific properties on the
CCMSetup.exe command line. Alternatively, you can specify the properties on the Installation
Properties tab of the Client Push Installation Properties dialog box. These settings publish to
AD DS, and several installation methods use them.

CCMSetup.msi
You also can use GPOs to deploy the Configuration Manager client software. GPOs use the
CCMSetup.msi file to initiate the installation process. This file is located in the <installation
directory>\bin\i386 folder on the Configuration Manager site server.

MORE INFO CLIENT INSTALLATION OPTIONS
You can learn more about Configuration Manager client installation options at
http://technet.microsoft.com/en-us/library/gg699356.aspx.

Deploying to Mac OS X computers

Because Configuration Manager treats computers running the Mac OS X operating system
as Internet-based computers, all communication with the management point and distribution
point must happen by using HTTPS. Before deploying the client, you must configure the
Configuration Manager environment to support the Mac OS X computers. To ensure that your
environment supports Mac OS X computers, perform the following procedure:
1. Deploy certificates and configure the client certificate template for Mac OS X
computers:
a. Deploy a web server certificate to the computers that will run the following site
system roles:
■ Management Point
■ Distribution Point
■ Enrollment Point
■ Enrollment Proxy Point
b. Deploy a client authentication certificate to the computers running the following
site system roles:
■ Management Point
■ Distribution Point
c. Configure the client certificate template in the CA to allow Read And Enroll
permission to the account that will be used to enroll the certificate on the Mac OS X
computers.
2. Configure the following Configuration Manager site system roles that Mac OS X
computers use:
a. Management Point. Configure the following settings:
■ HTTPS Communication
■ Allow Client Connections From The Internet
■ Allow Mobile Devices And Mac Computers To Use The Management Point
b. Distribution Point. Configure the following settings:
■ HTTPS Communication
■ Allow Client Connections From The Internet
c. Install an enrollment point and an enrollment proxy point.

3. Configure Default Client Settings to support Mac OS X computers:
a. Set Allow Users To Enroll Mobile Devices And Mac Computers to Yes.
b. Create a new profile to assign clients to a Configuration Manager site by using a
CA and the certificate template that you changed in step 1.
After you configure the environment correctly to support Mac OS X computers, you can
download and install the Configuration Manager client software on existing Mac OS X
computers. To install the client on Mac OS X computers, perform the following procedure:
1. Download and extract the client source files for Mac OS X clients. You do this by
downloading the ConfigmgrMacClient.msi file from the Microsoft Download Center
to a Windows-based computer and then running the ConfigmgrMacClient.msi file to
extract the Mac client package, named Macclient.dmg. Copy the Macclient.dmg file
to the Mac OS X computer on which you want to install the client and run the file to
extract its contents to a local disk.
2. Install the client on the Mac OS X computer and enroll it as a client. You do this by
running the following commands:

sudo ./ccmsetup
sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'username'>

3. Restart the Mac OS X computer.

In organizations that use System Center 2012 R2 Configuration Manager only, the
Enrollment Wizard starts after you install the client on the computer running Mac OS X. It
enables you to enroll the computer by specifying domain credentials and the name of the
enrollment proxy point server.

MORE INFO INSTALL MAC OS X CLIENT

You can learn more about installing the Mac OS X client at
http://technet.microsoft.com/en-us/library/jj591553.aspx.

Deploying to Linux-based and UNIX-based computers

Cumulative update 1 for System Center 2012 Configuration Manager SP1 and later provides
a universal installer that you can use to deploy the Configuration Manager client to any
supported version of Linux or UNIX. Prior to cumulative update 1 for System Center 2012
Configuration Manager SP1, each Linux or UNIX version had its own install package that had
to be downloaded and installed on the client computer to make it a Configuration Manager
client.
To install the client by using the universal installer, perform the following procedure:
1. Copy the install script and the client installation (.tar) file to the Linux-based or
UNIX-based computer. The name of the .tar file will be ccm-universal-x86.<build>.tar or
ccm-universal-x64.<build>.tar, where x86 is for use on 32-bit clients, x64 is for use on
64-bit clients, and build represents the build number for the installer.
2. On the Linux-based or UNIX-based computer, run the following command:

./install -mp <FQDN of management point> -sitecode <site_code> ccm-universal-<x86 or x64>.<build>.tar

3. Review the contents of Scxcm.log in the /V/Opt/Microsoft folder to confirm that the
installation occurred.

MORE INFO INSTALLING THE CLIENT ON LINUX AND UNIX COMPUTERS

You can learn more about installing the client on Linux and UNIX computers at
http://technet.microsoft.com/en-us/library/jj573939.aspx.

Extending the schema

Although it is not mandatory, extending the AD DS schema and publishing Configuration
Manager information in AD DS helps simplify the client deployment process and site
management. When you extend the AD DS schema and publish Configuration Manager
information in AD DS, the client installation process is simplified because Configuration
Manager-related information is stored in Active Directory, where clients can retrieve it during
installation. You can use AD DS publishing with any installation method on domain-joined
Windows clients to enable automatic site assignment. AD DS publishing also enables you to
provide the client with the name of the management point with which to communicate, in
addition to other information.
Configuration Manager publishes the following client installation properties to AD DS:
■ The default management point used to download content for the client installation.
■ The Configuration Manager site code.
■ The HTTP port used for client communication.
■ The HTTPS port used for client communication.
■ A setting indicating that the client must communicate using HTTPS.
■ The fallback status point. If the site has multiple fallback status points, the first to be
installed is the only one published to AD DS.
■ The selection criteria for certificate selection. This might be required when the client
has more than one valid certificate.
■ Installation properties specified on the Installation Properties tab of the Client Push
Installation Properties dialog box.
■ Automatic updates when alterations are made to default ports for site systems.
Only a member of the Schema Admins group, or an enterprise administrator who has
sufficient permissions to modify the schema, can extend it. If you extend the schema prior to
installation, Configuration Manager configures the site automatically to publish site
information during installation. At the end of the installation, the Configuration Manager site
server publishes site information to AD DS. However, you can also extend the schema after
installing Configuration Manager and configure the site manually to publish to AD DS.
You can extend the Active Directory schema by using either of the following methods:
■ The LDIFDE command-line tool (Ldifde.exe) and the ConfigMgr_ad_schema.ldf file.
You must modify the ConfigMgr_ad_schema.ldf file to include the name of the Active
Directory forest prior to modifying the schema.
■ The ExtADSch.exe tool. ExtADSch.exe creates a log file in the root of the system drive
called Extadsch.log.
You can find both files in either the \SMSSETUP\BIN\i386 folder or the
\SMSSETUP\BIN\x64 folder on the installation media. ExtADSch.exe is a standalone
executable file; however, the ConfigMgr_ad_schema.ldf file requires you to run the following
command to use it:

ldifde -i -f ConfigMgr_ad_schema.ldf -v -j <location to store log file>

MORE INFO EXTEND SCHEMA

You can learn more about extending the schema at
http://technet.microsoft.com/en-us/library/gg712272.aspx.

Site systems used in client deployment

The process of installing the Configuration Manager client software uses several site systems.
In addition to the site systems that play a direct role in client deployment, several other site
systems might participate in it.
The following site system roles are involved directly with installing client devices:
■ Management point
■ Fallback status point
■ Software update point
■ Enrollment point and enrollment proxy point
■ Distribution point
■ Reporting services point

Management point
A management point is usually required to complete the client installation process because
the client might need to contact a distribution point to download necessary prerequisite
software. The installation process is complete when the client has registered with a primary
site, received its initial policy assignment, and then retrieved the policy. This initial policy sets
the components to their desired state. In most installation methods, the client downloads the
CCMSetup.exe and Client.msi files from a management point and any other prerequisites
from a distribution point. After the installation program completes, the client contacts the
management point to register itself and obtain its site assignment. It then reports the state
of the installation. If the client cannot contact the management point, all the client
components will show as Installed instead of Enabled or Disabled.
The client software uses several methods to locate the management point, in the following
order:
1. Setup parameters As part of the installation command, you can specify a
management point.
2. AD DS The client software queries AD DS for an appropriate management point.
3. Domain Name System (DNS) The client searches for a service (SRV) resource
record for a management point. To find the right SRV record in DNS, you must
configure clients with their site code.
4. Windows Internet Naming Service (WINS) A management point updates its
WINS record with the appropriate information automatically. If a client is a WINS client,
WINS is the last resource the client software uses to locate a management point.
Automatic client assignment is determined by using boundaries that are members of a
boundary group that has automatic assignment enabled. In previous versions of
Configuration Manager, automatic site assignment would fail, and Configuration Manager
would not manage clients if they fell outside all boundaries. With System Center 2012
Configuration Manager, you can configure a fallback site for client assignment at the
hierarchy level. If you install a client that is outside all of the configured boundary groups,
the automatic site assignment process uses this site, and the installation process completes
successfully.

Fallback status point

The fallback status point is an optional site system that you can use during the client
installation process. A fallback status point monitors client deployment and identifies
unmanaged clients, which cannot communicate with a management point. The fallback status
point relies on unauthenticated connections from clients over HTTP. You should use a
dedicated system for the fallback status point so that if a site system is not available,
the client can still contact the fallback status point to report the error. You cannot configure
the fallback status point as a highly available role.
The reports that the Configuration Manager client software produces use data sent by
clients through the fallback status point. Mobile devices that are enrolled by Configuration
Manager and mobile devices that are managed by using the Exchange Server connector do
not use a fallback status point.

Software update point
You can install the Configuration Manager client software by using software update point
push installations. If you choose to use this method, configure the software update point on a
WSUS server to install the client when computers scan for applicable software updates.

Enrollment point and enrollment proxy point

Mobile devices use the enrollment point for enrollment with Configuration Manager, and the
enrollment proxy point manages the enrollment requests from the mobile devices. These
site system roles are not required if you plan to manage mobile devices by using only the
Exchange connector.

Distribution point
Most client installation methods copy the necessary installation files from a management
point. In certain circumstances, the installation process uses a distribution point instead.
When you deploy an operating system by using the Configuration Manager Operating
System Deployment feature, the task sequence action that installs the client software
downloads the operating system from a distribution point. If you use Pre-Boot Execution
Environment (PXE) boot in conjunction with operating system deployment, Configuration
Manager installs the Windows Deployment Services PXE server on the distribution point.

Reporting services point

In addition to the required and optional roles that client installation uses directly, you might
find it useful to install a reporting services point. This enables you to view reports about the
client installation process or the status of the clients.

MORE INFO SITE SYSTEM ROLES USED FOR CLIENT DEPLOYMENT

You can learn more about site system roles used for client deployment at
http://technet.microsoft.com/en-au/library/gg681976.aspx.

Client assignment
You cannot manage a client until it is assigned to a site. After client installation is complete,
the client is assigned automatically to a site so that it can be managed. You can
assign client devices to any primary site; however, you cannot assign client devices either to a
secondary site or to a central administration site.
Most clients will reside within site-assignment boundary groups and will be assigned
automatically to a site based on the boundary definition. You can configure a fallback site for
clients that might be outside the configured boundaries of any site. You also can assign a
client to a site through a Client.msi property, either directly or through the Installation
Properties tab of the Client Push Installation Properties dialog box.
If you have not extended AD DS, you have two options for site assignment. You can specify
a site code by using the Client.msi property SMSSITECODE=site code, or you can assign a
group of clients to a site manually by using Group Policy. You also can choose to install a
client offline instead of assigning it immediately to a site.
If automatic assignment fails, the client software remains installed, but
Configuration Manager will not manage it until you assign the client to a site. If the client is
unassigned, it attempts to perform automatic assignment each time the CCMExec process
starts.
After the client is assigned to a site, it remains assigned to that site even if the client
changes its IP address and roams to another site. A client can move to another site only when
an administrator reassigns it manually.
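The assignment rules described in this section and in the Management point discussion above (boundary groups with automatic assignment, the hierarchy-wide fallback site, the primary-site-only restriction, the SMSSITECODE property, and the "stays assigned after roaming" behaviour) can be modelled in a few dozen lines. The following is an added illustration, not Configuration Manager code or an API; the site codes, IP ranges and class names are constructed for the example.

```python
"""Model of Configuration Manager automatic site assignment (added example).

Constructed data: the site codes, boundary ranges and client IPs below are
invented for illustration; the class and function names are not
Configuration Manager APIs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Site:
    code: str
    kind: str  # "primary", "secondary" or "cas" (central administration site)


@dataclass
class BoundaryGroup:
    name: str
    ranges: list                        # IP range boundaries, "first-last"
    assigned_site: Optional[str] = None  # None: automatic assignment not enabled

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        for rng in self.ranges:
            lo, hi = (ipaddress.ip_address(x) for x in rng.split("-"))
            if lo <= addr <= hi:
                return True
        return False


def validate_assignment(site_code: str, sites: dict) -> str:
    """Clients can be assigned only to a primary site, never to a secondary
    site or to the central administration site."""
    site = sites[site_code]
    if site.kind != "primary":
        raise ValueError(f"{site_code} is a {site.kind} site; "
                         "clients can only be assigned to a primary site")
    return site_code


def automatic_assignment(client_ip: str, groups: list, sites: dict,
                         fallback_site: Optional[str] = None) -> Optional[str]:
    """Site code a newly installed client receives, or None if it stays
    installed but unmanaged (it then retries each time CCMExec starts)."""
    for group in groups:
        if group.assigned_site and group.contains(client_ip):
            return validate_assignment(group.assigned_site, sites)
    if fallback_site:  # hierarchy-level fallback site for client assignment
        return validate_assignment(fallback_site, sites)
    return None


@dataclass
class Client:
    name: str
    ip: str
    assigned_site: Optional[str] = None

    def assign(self, groups: list, sites: dict,
               fallback_site: Optional[str] = None,
               smssitecode: Optional[str] = None) -> Optional[str]:
        if self.assigned_site:
            # Roaming to another site's boundaries does not reassign the client;
            # only an administrator can do that manually.
            return self.assigned_site
        if smssitecode:
            # Direct assignment via the Client.msi SMSSITECODE property.
            self.assigned_site = validate_assignment(smssitecode, sites)
        else:
            self.assigned_site = automatic_assignment(
                self.ip, groups, sites, fallback_site)
        return self.assigned_site


# Constructed sample hierarchy: two primary sites, one secondary site, a CAS,
# and two boundary groups, only one of which has automatic assignment enabled.
SAMPLE_SITES = {
    "P01": Site("P01", "primary"),
    "P02": Site("P02", "primary"),
    "S01": Site("S01", "secondary"),
    "CAS": Site("CAS", "cas"),
}
SAMPLE_GROUPS = [
    BoundaryGroup("HQ", ["10.1.0.1-10.1.0.254"], assigned_site="P01"),
    BoundaryGroup("Branch (content only)", ["10.2.0.1-10.2.0.254"]),
]

if __name__ == "__main__":
    pc = Client("PC1", "10.1.0.50")
    print(pc.assign(SAMPLE_GROUPS, SAMPLE_SITES))             # P01 (HQ boundary)
    pc.ip = "10.2.0.50"                                        # client roams
    print(pc.assign(SAMPLE_GROUPS, SAMPLE_SITES, "P02"))      # still P01
    print(automatic_assignment("10.2.0.50", SAMPLE_GROUPS, SAMPLE_SITES))
    print(automatic_assignment("10.2.0.50", SAMPLE_GROUPS, SAMPLE_SITES, "P02"))
```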

MORE INFO CLIENT SITE ASSIGNMENT

You can learn more about client site assignment at
http://technet.microsoft.com/en-us/library/gg682060.aspx.

Client settings
You can configure client software in the Administration workspace in the Client Settings node
of the Configuration Manager console. You configure the Default Client Settings object with
settings that apply to all clients. The Default Client Settings object always has a priority
of 10,000, and you cannot change this value. Therefore, the Default Client Settings object is
applied first, and custom settings override the default settings when you assign them to
collections. You can configure custom settings for any of the categories or a combination of
categories found in the Default Client Settings object.
Client settings are hierarchy-wide settings that, by default, affect all clients in the
hierarchy. Because Configuration Manager treats these settings as global data, modifications
that you make to Default Client Settings at one site replicate to all other primary sites in the
hierarchy and to the central administration site.

Custom settings
In the Administration workspace, in the Client Settings node of the Configuration Manager
console, you can create custom client settings. The Default Client Settings object applies to
all clients, so if you want to configure a setting for all devices or users, you can modify the
Default Client Settings object. However, if you need to change some settings for a specific
collection of users or devices, you need to create a custom setting.
Reasons for creating custom client settings include:
■ Creating a custom client setting for a group of systems on which software metering
should be disabled.
■ Creating a custom client setting for a group of systems to increase or decrease the
frequency of status messages.
■ Creating a custom client setting for a group of servers to prevent them from
configuring an affinity with a user automatically.
After creating a custom client settings object, deploy it to one or more collections to
apply it. To deploy a custom client setting to a collection, right-click the custom client setting
and then click Deploy. You can then choose the collections to which you want to deploy the
custom client setting.
Note that you cannot configure certain settings through a custom client device policy.
Table 5-1 lists the settings that you can configure only in the Default Client Settings object.

TABLE 5-1 Default client settings policy settings

Policy                 Setting
Compliance Settings    Schedule Compliance Evaluation
Hardware Inventory     Maximum Custom Management Information Format (MIF) File Size
                       In Kilobytes (KB); Collect MIF Files
Mobile Devices         Polling Interval
Software Inventory     Configure The Display Names For Manufacturer Or Product

Multiple client device settings

Assigning multiple client device settings to a collection enables you to create different client
device-settings objects for separate Configuration Manager feature sets. For example, you
might have a client device-settings object for software deployment and another client
device-settings object for hardware inventory.
All client settings objects are assigned a priority level. Configuration Manager processes
each settings object in order, with lower numerical values overriding higher numerical values.
When you create a new custom client setting, it receives the next available priority. When
you delete a custom client settings object, the priority of every client settings object that had
a higher priority number is reduced by one. For example, consider four custom client settings:
ClientSetting1, ClientSetting2, ClientSetting3, and ClientSetting4. ClientSetting1 was created
first and has a priority of one. ClientSetting2 was created second and has a priority of two.
ClientSetting3 has a priority of three, and ClientSetting4 has a priority of four. If you delete
ClientSetting2, ClientSetting1 retains its priority of one, the priority of ClientSetting3 is
adjusted to two, and the priority of ClientSetting4 is adjusted to three.
You can use the Configuration Manager console's Resultant Client Settings functionality to
determine the resultant client settings when multiple client settings apply. In the Assets
And Compliance workspace, right-click the device, user, or user collection for which you want
to see resultant client settings, click Client Settings, and then click Resultant Client Settings.
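The priority rules above (fixed priority 10,000 for Default Client Settings, lower numbers overriding higher ones, renumbering on deletion, and the Table 5-1 settings that only the default object may carry) are easy to get wrong when several objects target overlapping collections. The following added model reproduces the ClientSetting1..4 example from the text and computes the resultant settings for a device; it is illustration only, not Configuration Manager code, and the setting names, values and collection names are constructed.

```python
"""Model of Configuration Manager client settings priority resolution
(added example). Setting names, values and collection names are constructed;
the class and function names are not Configuration Manager APIs."""

DEFAULT_PRIORITY = 10_000  # fixed priority of the Default Client Settings object

# Settings that Table 5-1 says can be configured only in Default Client Settings.
DEFAULT_ONLY = {
    "Compliance Settings: Schedule Compliance Evaluation",
    "Hardware Inventory: Maximum Custom MIF File Size (KB)",
    "Hardware Inventory: Collect MIF Files",
    "Mobile Devices: Polling Interval",
    "Software Inventory: Configure The Display Names For Manufacturer Or Product",
}


class ClientSettings:
    def __init__(self, name, values, priority):
        self.name, self.values, self.priority = name, dict(values), priority


class Hierarchy:
    """Default Client Settings plus the custom objects, their priorities and
    the collections each custom object is deployed to."""

    def __init__(self, default_values):
        self.default = ClientSettings("Default Client Settings",
                                      default_values, DEFAULT_PRIORITY)
        self.custom = []        # creation order; priority == index + 1
        self.deployments = {}   # settings object name -> set of collections

    def create(self, name, values):
        bad = DEFAULT_ONLY.intersection(values)
        if bad:  # custom client device policy cannot carry these settings
            raise ValueError(f"only configurable in Default Client Settings: {sorted(bad)}")
        obj = ClientSettings(name, values, len(self.custom) + 1)  # next available
        self.custom.append(obj)
        return obj

    def delete(self, name):
        self.custom = [c for c in self.custom if c.name != name]
        self.deployments.pop(name, None)
        # Every object that had a higher priority number moves up by one.
        for index, obj in enumerate(self.custom):
            obj.priority = index + 1

    def deploy(self, name, collection):
        self.deployments.setdefault(name, set()).add(collection)

    def priorities(self):
        return {c.name: c.priority for c in self.custom}

    def resultant(self, memberships):
        """Resultant client settings for a device in the given collections."""
        applicable = [c for c in self.custom
                      if self.deployments.get(c.name, set()) & set(memberships)]
        result = dict(self.default.values)  # default object is applied first
        # Apply from the highest priority number down so the lowest number wins.
        for obj in sorted(applicable, key=lambda c: c.priority, reverse=True):
            result.update(obj.values)
        return result


def build_sample():
    """Constructed hierarchy mirroring the text's ClientSetting1..4 example."""
    h = Hierarchy({
        "Software Metering: Enable": True,
        "Status Messages: Interval (min)": 60,
        "Compliance Settings: Schedule Compliance Evaluation": "daily",
    })
    h.create("ClientSetting1", {"Software Metering: Enable": False})
    h.create("ClientSetting2", {"Status Messages: Interval (min)": 30})
    h.create("ClientSetting3", {"Software Metering: Enable": True,
                                "Status Messages: Interval (min)": 15})
    h.create("ClientSetting4", {"User Device Affinity: Auto": False})
    h.deploy("ClientSetting1", "Kiosks")
    h.deploy("ClientSetting3", "Servers")
    h.deploy("ClientSetting4", "Servers")
    h.delete("ClientSetting2")   # triggers the renumbering described in the text
    return h


if __name__ == "__main__":
    h = build_sample()
    print(h.priorities())                    # ClientSetting1:1, 3:2, 4:3
    print(h.resultant({"Kiosks", "Servers"}))  # metering off: priority 1 wins
```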

MORE INFO CLIENT SETTINGS

You can learn more about client settings at
http://technet.microsoft.com/en-au/library/gg682109.aspx.

EXAM TIP
Remember how settings are resolved when multiple client settings apply through
collection membership.

Thought experiment
Configuration Manager client deployment
You are planning the deployment of the Configuration Manager client at Contoso.
As part of the planning process, you need to determine how to handle computers
that are not joined to the domain and computers that are running the Mac OS X
operating system. With this information in mind, answer the following questions:

1. What steps do you need to take to install the Configuration Manager client on
nondomain-joined Windows-based computers?

2. Which site system roles require web server certificates when you use
Configuration Manager to manage computers running Mac OS X?

3. Which site system roles require client authentication certificates when you use
Configuration Manager to manage computers running Mac OS X?

Objective summary
■ On computers running Windows operating systems, the UI for the Configuration
Manager client consists of two parts: the Configuration Manager control panel and
Software Center.
■ Users can set the preferences for software delivery or remote control by using
Software Center.
■ You must manually install the Configuration Manager client software on
workgroup-based computers and configure a network access account to allow access to
resources in the site server domain for clients that are not domain members.
■ To configure a client for Internet-based client management, obtain a computer
certificate from a trusted certification authority (CA). You must configure the client with
the Internet fully qualified domain name (FQDN) of the management point.
■ Extending the schema simplifies the client installation process by storing Configuration
Manager-related information in Active Directory.
■ You can assign client devices to any primary site but cannot assign client devices either
to a secondary site or to a central administration site.
■ The Default Client Settings object is applied first, and custom settings will override the
default settings when you assign them to collections.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the "Answers" section at the end of the chapter.
1. Of which domain security group must a user account be a member if it will be used to
extend the schema with information about Configuration Manager?
A. Domain Admins
B. Schema Admins
C. Enterprise Admins
D. Protected Users
2. You are working with a Configuration Manager deployment in which the Active
Directory schema has not been extended. Which of the following methods can you use
to assign a site code to clients? (Choose two. Each correct answer provides a complete
solution.)
A. Use the Client.msi property SMSSITECODE=site code.
B. Configure an answers.txt file.
C. Configure Group Policy.
D. Configure an unattend.xml file.
3. What is the priority of the Default Client Settings object?
A. 1
B. 100
C. 1,000
D. 10,000
4. Which of the following settings cannot be configured through a custom client device
policy? (Choose three. Each correct answer provides a complete solution.)
A. Software Inventory: Configure The Display Names For Manufacturer Or Product
B. Compliance Settings: Schedule Compliance Evaluation
C. Mobile Devices: Polling Interval
D. Cloud Services: Allow Access To Cloud Distribution Point



Objective 5.2: Manage collections
You can use collections to manage and organize groups of computers, mobile devices, users,
and security groups throughout your Configuration Manager environment. You also can use
collections to help accomplish many Configuration Manager management tasks. In this
section, you learn about the various types of collections, the methods to create collections, and
the process of monitoring collections.

This section covers the following topics:

■ Collections
■ Collection rules
■ Maintenance windows
■ Power management
■ Monitoring collections

Collections
Collections represent resource groups that consist of devices such as computers and mobile
devices, or users and user groups, from all of the hierarchy's sites. You can use collections to
accomplish several management and configuration tasks, including:
■ Organizing resources into manageable units to create an organized and logical
structure of resources.
■ Organizing collections of target resources to perform Configuration Manager
operations on multiple resources simultaneously. Configuration Manager operations can
include operations such as application deployments and installation of software
updates.
■ Targeting groups of computers with specific configurations, such as:
■ Client settings.
■ Power-management settings.
■ Maintenance-window settings.
■ Organizing computers based on their compliance status with a specific baseline.
■ Integrating with role-based administration to specify collections that a specific
administrative user can access.
You can view or modify collections by using the User Collections and Device Collections
nodes found in the Assets And Compliance workspace. User collections can contain Users and
User Groups. Device collections can contain devices managed by Configuration Manager.



Configuration Manager includes seven predefined user and device collections as described in Table 5-2.

TABLE 5-2 Predefined collections

Collection Location Description

Collection (Location): Description

All User Groups (User Collections): Displays all security groups that the Active Directory Group Discovery method discovers.

All Users (User Collections): Displays all users that the Active Directory User Discovery method discovers.

All Users And User Groups (User Collections): Contains all users and user groups that the Active Directory User Discovery method discovers.

All Desktop And Server Clients (Device Collections): Displays all desktop computers and servers that are Configuration Manager clients and that have communicated with the site by using Heartbeat Discovery.

All Mobile Devices (Device Collections): Displays mobile devices that Configuration Manager manages and that satisfy one of the following conditions:
■ The mobile device is assigned to a site.
■ The Exchange Server connector has discovered the mobile device.

All Systems (Device Collections): Contains all systems and all unknown computers. This collection also displays devices that have been discovered by using Active Directory System Discovery, Network Discovery, and Heartbeat Discovery.

All Unknown Computers (Device Collections): Contains x64 and x86 placeholder entries for the unknown computer support features that Operating System Deployment uses.

MORE INFO CONFIGURATION MANAGER COLLECTIONS


You can learn more about Configuration Manager collections at http://technet.microsoft.com/en-us/library/gg682177.aspx.

Objective 5.2: Manage collections CHAPTER 5 243

Collection rules
You can use rules to manage the membership of Configuration Manager collections. Table 5-3 describes the different rule types you can use to manage the membership of Configuration Manager collections.

TABLE 5-3 Collection rule types

Rule Description

Direct rule: You can use a direct rule to add a specific resource to a collection. If you add a resource to a collection by using a direct rule, the resource will remain in the collection until manually removed. You can create or manage direct membership rules for a collection by using either of the following methods:
■ Use the Create Direct Membership Rule Wizard. This wizard opens when you select Direct Rule in the Create Device Collection Wizard or in the Create User Collection Wizard.
■ Add the selected items to an existing collection. You can select existing resources and add these resources to existing collections by using the Users node and the Devices node located in the Assets And Compliance workspace. This creates a direct membership rule for the target collection that contains the selected resources.

Query rule: You can use a query rule to add members to a collection based on their attributes. For example, you can create a collection that contains devices that are within a specific Active Directory organizational unit (OU), or you can create a collection that contains devices on which a specific software version is installed. In both cases, collection membership is updated dynamically based on the query rule's results. You can configure collection membership to be reevaluated according to a schedule.

Include collections: You can use the include collections rule type to include the members of another collection in the membership evaluation for the current collection.

Exclude collections: You can use the exclude collections rule type to exclude the members of another collection from the membership evaluation for the current collection.

When you create a new collection, you specify a base collection called a limiting collection. The limiting collection becomes a foundation for resources that can be added to the new collection. You can use limiting collections along with role-based access control to ensure that delegated administrators can see only objects that are relevant for their administrative tasks.

Configuration Manager reevaluates all of a collection's rules on a specified schedule. You can also trigger on-demand reevaluation of collection membership. The default schedule to evaluate the membership of custom collections is once every seven days.

Configuration Manager supports incremental evaluation of members of a collection. This feature runs separately from the full update cycle, and it scans periodically for new resources or resources that have changed since the previous collection evaluation. If you enable incremental evaluation, incremental collection member evaluation runs every five minutes. Figure 5-5 shows enabling incremental updates during collection creation.

FIGURE 5-5 Membership Rules page of the Create Device Collection Wizard, showing options for incremental updates and scheduling full updates
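The following PowerShell is an added example and not code from the book: it builds the kind of query-based device collection described above with the cmdlets of the ConfigurationManager module that ships with the 2012 R2 console. It assumes the module is imported and the session is on the site drive; the site code ABC, the collection names, the rule name and the OU path CONTOSO.COM/WORKSTATIONS/TORONTO are placeholders.

```powershell
# Added example, not from the book. Assumes the console is installed and the
# ConfigurationManager module has been imported, for example:
#   Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
#   Set-Location ABC:          # ABC is a placeholder site code
# Collection names, the rule name and the OU path below are placeholders.

$limiting = 'All Desktop and Server Clients'   # built-in collection used as the limiting collection
$name     = 'Toronto Workstations'

# Full evaluation every 7 days (the default for custom collections) plus
# incremental evaluation, which runs every 5 minutes: RefreshType 'Both'.
$schedule = New-CMSchedule -Start (Get-Date) -RecurInterval Days -RecurCount 7

$coll = New-CMDeviceCollection -Name $name `
    -LimitingCollectionName $limiting `
    -RefreshType Both `
    -RefreshSchedule $schedule
"Created $($coll.Name) ($($coll.CollectionID)), limited to '$limiting'"

# Query rule: devices whose computer account sits in a specific OU. SystemOUName is
# populated by Active Directory System Discovery; the OU path is a placeholder.
$wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemOUName = "CONTOSO.COM/WORKSTATIONS/TORONTO"
"@
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName 'Toronto OU' -QueryExpression $wql

# Include and exclude rules reference other collections (placeholder names).
Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $name -IncludeCollectionName 'Toronto Kiosks'
Add-CMDeviceCollectionExcludeMembershipRule -CollectionName $name -ExcludeCollectionName 'Servers Under Change Freeze'

# Trigger an on-demand full evaluation instead of waiting for the 7-day schedule.
Invoke-CMCollectionUpdate -Name $name

# Review the rules that now define membership.
Get-CMDeviceCollectionQueryMembershipRule   -CollectionName $name | Select-Object RuleName, QueryExpression
Get-CMDeviceCollectionIncludeMembershipRule -CollectionName $name | Select-Object RuleName
Get-CMDeviceCollectionExcludeMembershipRule -CollectionName $name | Select-Object RuleName
```

The limiting collection is what makes this safe to delegate: a collection's members are always a subset of its limiting collection, so an administrator whose security scope is restricted to this collection cannot widen a deployment to other devices by editing the WQL. Full evaluation still runs on the seven-day schedule; the incremental evaluation enabled by RefreshType Both picks up new or changed resources every five minutes but does not re-run the full query.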

Maintenance windows
Maintenance windows enable you to configure a specific period during which required deployments, software-update installations, configuration-item remediation, and task sequences can run on a client. Assigning a specific start time for a program deployment does not ensure that the program runs at that time. However, you can configure maintenance windows to ensure that the assigned program installations and the restarts that Configuration Manager triggers do not occur at inconvenient or undesirable times.

For example, you might configure a required application deployment that installs a large application and then restarts the computer. To avoid running this during normal business hours, you might configure the deployment to run at 2:00 A.M. on a specific day. However, an executive might have taken a portable computer on a business trip before you deployed the program. When the executive returns to the office after the scheduled start time, the portable computer would start to install the application a few minutes after the computer connects to the office network. This could affect the system performance of the computer and, after installation, force a restart at the very time the executive wants to check an important email message or make a presentation. To avoid this scenario, configure an overnight maintenance window for a collection of which the executive's computer is a member. This ensures that the installation and restarts do not occur during normal business hours.

You can configure maintenance windows by opening the Properties dialog box of a specific collection and then selecting the Maintenance Windows tab as shown in Figure 5-6.

FIGURE 5-6 Maintenance Windows tab

Maintenance windows do not affect the following configuration management processes:
■ Policy download and evaluation
■ Data collection and reporting of inventory and metering data
■ Remediation for Network Access Protection (NAP)
■ Transmission of Wake On LAN wake-up packets
■ Out-of-band management
■ Application deployment content downloads
■ Deployments, software-update deployments, configuration-item remediation, or task sequences that are optional or specifically configured to ignore maintenance windows
■ User-initiated deployments
Changes to maintenance windows that occur during a maintenance window do not take
effect while the current maintenance window is in effect.
A required deployment does not run during a maintenance window that is shorter, or has less time remaining, than the deployed software's configured maximum run time. For example, a deployment that has a maximum run time of 45 minutes does not run if only 30 minutes remain in the maintenance window. In addition, if you configure the maximum run time of deployed software as unknown, the software might run past the end of a maintenance window.
A client computer can be a member of more than one collection with maintenance windows. When a client computer is a member of two or more collections with maintenance windows, that computer's maintenance windows will be a combination of the defined collections' maintenance windows.
For example, PC1 is a member of Collection A, Collection B, and Collection C. The maintenance windows for each of the collections are as follows:
■ Collection A's maintenance window is from 5 P.M. to 8 P.M.
■ Collection B's maintenance window is from 4 A.M. to 7 A.M.
■ Collection C's maintenance window is from 7 P.M. to 11 P.M.
Therefore, PC1's maintenance windows will be from 4 A.M. to 7 A.M. and from 5 P.M. to 11 P.M.

When using maintenance windows, consider the following best practices:
■ When you use maintenance windows to restrict system changes, you should create collections specifically for this purpose instead of using the default collections or other custom collections.
■ When you configure maintenance windows, include a description of the maintenance window in the collection's name for easy identification.
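As an added example that is not part of the book, the following PowerShell models the merge rule and the maximum-run-time check described above. The windows for Collections A, B and C are the constructed sample from the text; the two functions are written here for illustration and are not Configuration Manager cmdlets.

```powershell
# Added example, not from the book. Models how a client combines the maintenance
# windows of every collection it belongs to, and whether a required deployment with
# a given maximum run time fits into the time that remains. Sample windows are the
# constructed PC1 example from the text.

function Merge-MaintenanceWindow {
    param([Parameter(Mandatory)][hashtable[]]$Windows)   # each: @{ Start = 'HH:mm'; End = 'HH:mm' }
    $intervals = foreach ($w in $Windows) {
        $s = [TimeSpan]::Parse($w.Start); $e = [TimeSpan]::Parse($w.End)
        if ($e -le $s) { throw "Window $($w.Start)-$($w.End) must end after it starts" }
        [pscustomobject]@{ Start = $s; End = $e }
    }
    $merged = @()
    foreach ($i in ($intervals | Sort-Object Start)) {
        if ($merged.Count -gt 0 -and $i.Start -le $merged[-1].End) {
            # Overlapping or touching windows: extend the last merged window.
            if ($i.End -gt $merged[-1].End) { $merged[-1].End = $i.End }
        } else {
            $merged += [pscustomobject]@{ Start = $i.Start; End = $i.End }
        }
    }
    $merged
}

function Test-DeploymentFits {
    param(
        [Parameter(Mandatory)][TimeSpan]$Now,
        [Parameter(Mandatory)][int]$MaxRunTimeMinutes,
        [Parameter(Mandatory)][object[]]$MergedWindows
    )
    foreach ($w in $MergedWindows) {
        if ($Now -ge $w.Start -and $Now -lt $w.End) {
            # The rule from the text: the remaining time must cover the maximum run time.
            $remaining = ($w.End - $Now).TotalMinutes
            return ($remaining -ge $MaxRunTimeMinutes)
        }
    }
    return $false   # not inside any window at all
}

# Constructed sample: PC1 is a member of Collections A, B and C.
$windows = @(
    @{ Start = '17:00'; End = '20:00' },   # Collection A
    @{ Start = '04:00'; End = '07:00' },   # Collection B
    @{ Start = '19:00'; End = '23:00' }    # Collection C
)
$merged = Merge-MaintenanceWindow -Windows $windows
$merged | ForEach-Object { '{0}-{1}' -f $_.Start, $_.End }

# A 45-minute deployment at 22:30 has only 30 minutes of window left;
# the same deployment at 17:30 has hours left.
Test-DeploymentFits -Now ([TimeSpan]::Parse('22:30')) -MaxRunTimeMinutes 45 -MergedWindows $merged
Test-DeploymentFits -Now ([TimeSpan]::Parse('17:30')) -MaxRunTimeMinutes 45 -MergedWindows $merged
```

Merging the three sample windows reproduces the result the text derives for PC1: one window from 4 A.M. to 7 A.M. and one from 5 P.M. to 11 P.M. On the site drive, a window itself is created with New-CMMaintenanceWindow against the collection ID, passing a schedule built by New-CMSchedule with a start time, a duration (for example -DurationInterval Hours -DurationCount 3) and a daily recurrence; Get-CMMaintenanceWindow lists what a collection already defines. Because the client enforces the union, adding a device to a second collection that has a long window is the same as lengthening the window you thought was locked down.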

MORE INFO MAINTENANCE WINDOWS


You can learn more about maintenance windows at http://technet.microsoft.com/en-us/library/hh508762.aspx.

Power management
Use Configuration Manager to configure and monitor standard Windows power options throughout the managed environment. Configuration Manager power management enables you to apply a power plan to managed computers and monitor power consumption to minimize costs and provide environmental benefits for your organization.

Table 5-4 describes the external dependencies for implementing power management by using Configuration Manager.

TABLE 5-4 Power management dependencies

Dependency Description

Client computer support for the intended power state: Client computers need to be able to support the following states:
■ Sleep
■ Hibernate
■ Wake from sleep
■ Wake from hibernate
Clients with Windows 7 and later provide the best platform for power management. However, you can also use power management with Windows Vista. You can use the Power Management: Power Capabilities report to verify the hardware capabilities of computers in a specific collection.

Correct display adapter driver: Make sure that client computers are using the correct display adapter driver. If they are using the wrong display adapter driver, the sleep states might be disabled, and power-monitoring data might not be available.

Table 5-5 lists the prerequisites for implementing power management by using Configuration Manager.

TABLE 5-5 Power management prerequisites

Prerequisite: Description

Configuration Manager client software: All client computers that you intend to manage with a power management policy must be Configuration Manager clients.

Hardware Inventory: To use power management, you must enable Hardware Inventory. Power management uses information that the hardware inventory process collects.

Power Management Client Settings: To use power management, you must enable Power Management Client Settings. You can configure this option in Default Client Settings to apply to the entire hierarchy, or you can create a custom client device setting to deploy to a specific collection. By default, Power Management Client Settings is enabled. You can also allow users to exclude their devices from power management. If you enable this option, users can then use Software Center to exclude their own computers from power management plans. This option is disabled by default.

Reporting services point: The power management reports require you to configure a reporting services point within the site.

To implement an enterprise-wide power management solution, you must:
1. Monitor the current power state and usage.
Your first step to effective power management is to collect data and analyze reports that outline current power settings and consumption. Power management uses hardware inventory to collect data. You can view the hardware inventory by using reports and graphs to determine optimal power management settings for your environment. During your monitoring stage, you can use a number of reports that provide information related to current power settings on computers in a collection; power management capabilities of a computer; and current computer, monitor, and user activity over a period of time. You can also use the reports to provide information related to current power consumption for a specified collection over a period of time, current power consumption costs for a specified collection over a period of time, and computers not capable of power management.
2. Plan power management settings.
After monitoring and collecting baseline data, you can use the gathered information to decide on the types of power management settings you want to deploy. It is important to determine specific settings that you want to enable or disable to meet your organizational requirements.
3. Apply power management policies.
After carefully planning your power management settings, you can configure and apply the required plan settings to a specific collection. Depending on the settings required, you can specify default power plans, or you can create your own customized power plan.
4. Check compliance and reports.
As the power management settings take effect, you can track ongoing power consumption and settings on all managed computers and troubleshoot any problems. Various reports provide details about power usage, costs, and environmental impact.

Power management plan settings


When you are ready to apply power management settings, you can choose to implement a
default power plan or customize your own plan for both peak and nonpeak time intervals.
Default power plans include:
■ Balanced.
■ High Performance.
■ Power Saver.
Depending on the power plan that you use and the peak or nonpeak configuration, various power management settings might or might not be applied. You cannot modify default plans. However, if you choose to create a customized power plan, you can modify and apply your own settings to match specific requirements. Figure 5-7 shows the Balanced power plan.

FIGURE 5-7 Power plan settings

Table 5-6 describes the available power management settings.

TABLE 5-6 Power management settings

Setting: Description

Turn Off Display After (Minutes): Specifies the amount of time that a computer must be inactive before turning off the monitor. Setting a value of zero prevents power management from turning off the display.

Sleep After (Minutes): Specifies the amount of time that a computer must be inactive before going into a sleep state.

Hibernate After (Minutes): Specifies the amount of time that a computer must be inactive before going into a hibernation state.

Require A Password On Wakeup: Specifies whether unlocking the computer requires a password after it comes out of a sleep state. Disabling this leaves the session unlocked on an unattended device after it wakes, so keep it enabled in plans applied to portable computers.

Power Button Action: Specifies the action that occurs when you press the power button on the computer. Values include Do nothing, Sleep, Hibernate, and Shut down.

Start Menu Power Button: Specifies the action that occurs when you click the Start menu power button. Values include Sleep, Hibernate, and Shut down.

Sleep Button Action: Specifies the action that occurs when you press the Sleep button. Values include Do nothing, Sleep, Hibernate, and Shut down.

Lid Close Action: Specifies the action that occurs when you close the lid on a portable computer. Values include Do nothing, Sleep, Hibernate, and Shut down.

Turn Off Hard Disk After (Minutes): Specifies the amount of time that a computer's hard disk must be idle before it turns off.

Low Battery Action: Specifies the action that occurs when the battery reaches a low-threshold setting on a portable computer. Values include Do nothing, Sleep, Hibernate, and Shut down.

Critical Battery Action: Specifies the action that occurs when the battery reaches a critical-threshold setting on a portable computer. Values include Do nothing, Sleep, Hibernate, and Shut down.

Allow Hybrid Sleep: Specifies whether Windows should save a hibernation file when the computer enters a sleep state. You can use the hibernation file to restore the computer's state in the event of a power loss while in the sleep state.

Allow Standby State When Sleeping Action: Enables the computer to be in standby mode, which enables it to wake up faster. Note that this mode still consumes some power.

Required Idleness To Sleep (%): Specifies a percentage of idle time for the computer processor to go into a sleep state.

Enable Windows Wake-Up Timer For Desktop Computers: Enables the built-in Windows wake-up timer that power management can use to wake a desktop computer. This setting is not available for portable computers.

You can configure each of the power management settings twice: once for on-battery systems and once for plugged-in systems. To apply a power plan to a collection of computers, perform the following procedure:
1. Right-click the collection that is to have the power management policy and then click Properties.
2. Click the Power Management tab and then select Specify Power Management Settings For This Collection.
Figure 5-8 shows this for the Toronto Windows 8.1 Workstations collection.

FIGURE 5-8 Power Management tab

3. Specify a power plan for both peak and nonpeak times.


If you are creating a customized power plan, the Edit button is available for editing specific power management settings.

Power management reports


You can view and analyze various reports related to power consumption, environmental impact, and power management settings in your Configuration Manager environment. The site database retains power management data used by daily reports for 31 days. The site database retains data used by monthly reports for 13 months. You might consider saving or exporting the results from critical reports if you want to be able to perform long-term analysis.
To view power management reports, perform the following procedure:
1. In the Monitoring workspace, expand the Reporting node and then expand the
Reports node.
2. Click the Power Management folder.
3. In the results pane, shown in Figure 5-9, select the report to view and then, on the ribbon, click Run.
Depending on the report, you might need to provide additional criteria to view the data
results.

FIGURE 5-9 Power management reports

MORE INFO POWER MANAGEMENT


You can learn more about power management at http://technet.microsoft.com/en-us/library/gg699392.aspx.

Monitoring collections
Because several Configuration Manager features are based on collections, you should know how to monitor the collections. You might want to know when the collections are created, modified, or deleted. You also might want to view status messages that pertain to members of a specific collection. You can monitor collection-based tasks by using the following methods:
■ Component Status The Component Status node, under the System Status node in the Monitoring workspace, contains the SMS_COLLECTION_EVALUATOR component. This component provides status information related to collections.
■ Log files The Colleval.log file is associated with the SMS_COLLECTION_EVALUATOR component and provides detailed status information related to collection evaluation and management. This log file is located in the C:\Program Files\Microsoft Configuration Manager\Logs folder on the site server.
■ Status Message Queries The Status Message Queries node, under the System Status node in the Monitoring workspace, provides the following status-message queries to assist in collection monitoring:
  ■ All Status Messages For A Specific Collection At A Specific Site
  ■ Collection Member Resources Manually Deleted
  ■ Collections Created, Modified, And Deleted
■ Reports The Reports node includes several reports that pertain to collection-based tasks. The reports include:
  ■ All Collections
  ■ All Resources In A Specific Collection
  ■ All Package And Program Deployments To A Specified Collection
  ■ Inventory Classes Assigned To A Specific Collection
  ■ Issues By Incidence Detail For A Specified Collection

To view all reports that pertain to collections, you can perform a search on the Reports
node for Collections. Figure 5-10 shows the results of this search.

FIGURE 5-10 Collection-related reports
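An added example, not from the book: a small parser for the CMTrace log format that Colleval.log and the other Configuration Manager logs use, applied to a few SMS_COLLECTION_EVALUATOR lines. The sample lines, collection IDs and timestamps are constructed for the example, and the function names are this example's own.

```powershell
# Added example, not from the book. Parses CMTrace-format lines such as those in
# Colleval.log and surfaces collection evaluation events. The sample lines at the
# bottom are constructed; the collection IDs and times are not from a real site.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Format: <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="N" thread="N" file="...">
        $m = [regex]::Match($Line, '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"[^>]*\bthread="(?<thread>\d+)"')
        if (-not $m.Success) { return }   # skip lines that are not CMTrace entries
        # Drop the UTC offset suffix (+300 / -420) before parsing the local timestamp.
        $stamp = '{0} {1}' -f $m.Groups['date'].Value, ($m.Groups['time'].Value -replace '[+-]\d+$', '')
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($stamp, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
            Component = $m.Groups['comp'].Value
            Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-CollectionEvaluationEvent {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ConvertFrom-CMTraceLine | ForEach-Object {
        # Collection IDs are the three-character site code followed by five hex digits (ABC00012, SMS00001).
        $id  = [regex]::Match($_.Message, '\b[A-Z0-9]{3}[0-9A-F]{5}\b')
        $cid = if ($id.Success) { $id.Value } else { $null }
        [pscustomobject]@{
            Time         = $_.Time
            Severity     = $_.Severity
            CollectionId = $cid
            FullRefresh  = ($_.Message -match 'from scratch')
            Message      = $_.Message
        }
    }
}

# Constructed sample lines in CMTrace format (not copied from a real Colleval.log).
$sample = @(
    '<![LOG[Refreshing collection ABC00012 from scratch.]LOG]!><time="02:15:33.120+300" date="03-14-2014" component="SMS_COLLECTION_EVALUATOR" context="" type="1" thread="4212" file="collectionevaluator.cpp:1422">',
    '<![LOG[Results refreshed for collection ABC00012, 3 entries changed.]LOG]!><time="02:15:34.611+300" date="03-14-2014" component="SMS_COLLECTION_EVALUATOR" context="" type="1" thread="4212" file="collectionevaluator.cpp:1507">',
    '<![LOG[Failed to refresh collection ABC0001F: query rule returned an error.]LOG]!><time="02:20:01.004+300" date="03-14-2014" component="SMS_COLLECTION_EVALUATOR" context="" type="3" thread="4212" file="collectionevaluator.cpp:1530">'
)
$events = Get-CollectionEvaluationEvent -Lines $sample
$events | Format-Table Time, Severity, CollectionId, FullRefresh, Message -AutoSize

# The live log on the site server (path from the text) is read the same way:
# Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\Colleval.log' -Tail 200 |
#     ConvertFrom-CMTraceLine | Where-Object Severity -eq 'Error'
```

Because a deployment reaches exactly the members of its target collection, unexpected collection activity is worth treating as a detection signal: a collection created outside a change window, or a full refresh of a broad collection at an odd hour, deserves the same scrutiny as the deployment that follows it. The Collections Created, Modified, And Deleted status message query gives the same view from the site database rather than the log.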

EXAM TIP
Remember the default evaluation schedule period for rule-based collections.

Thought experiment
Power management at Tailspin Toys
You are the Configuration Manager administrator at Tailspin Toys. You are setting up Configuration Manager to manage the power settings for the fleet of laptop computers used at Tailspin Toys. With this information in mind, answer the following questions:

1. Which power management setting would you configure to ensure that the computer shuts down when the battery reaches the critical-threshold setting?

2. Which power management setting would you configure to ensure that a portable computer is shut down when the lid is closed?

Objective summary
■ Collections represent resource groups that consist of devices such as computers and mobile devices, or users and user groups, from all of the hierarchy's sites.
■ You can use a direct rule to add a specific resource to a collection. If you add a resource to a collection by using a direct rule, the resource will remain in the collection until manually removed.
■ You can use a query rule to add members to a collection based on their attributes.
■ The default schedule to evaluate the membership of custom collections is once every seven days; incremental collection member evaluation runs every five minutes.
■ Maintenance windows enable you to configure a specific period during which required deployments, software-update installations, configuration-item remediation, and task sequences can run on a client.
■ Configuration Manager power management enables you to apply a power plan to managed computers.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the "Answers" section at the end of the chapter.
1. Which of the following can you add to a collection by using a direct membership rule? (Choose two. Each correct answer provides a complete solution.)
A. Router
B. Switch
C. Active Directory security group
D. User account
2. You have created a collection by using a query rule. You have not enabled incremental updates. How often will the membership of the collection be updated by default?
A. Once an hour
B. Once a day
C. Once every 7 days
D. Once every 10 days
3. Which of the following activities are not affected by maintenance windows? (Choose three. Each correct answer provides a complete solution.)
A. Configuration item remediation
B. User-initiated software deployment
C. Policy download and evaluation
D. Centralized software deployments

4. Which of the following client settings must be enabled if you want to use Configuration Manager to manage power settings for computers running Windows 8.1?
A. Hardware Inventory
B. Remote Tools
C. Software Inventory
D. Compliance Settings

Objective 5.3: Configure and monitor client status


System Center 2012 R2 Configuration Manager includes the Client Status feature that you can use to monitor client health and activity. The client health evaluator works outside the normal client processes to enable an administrator to discover issues with the clients, particularly issues that clients would be unable to report. This section describes how to use the Client Status feature and how to use the Configuration Manager console to monitor and evaluate client health.

This section covers the following topics:


■ Verifying client installation
■ Client status
■ Client health evaluation and remediation
■ Client health reports
■ Client health alerts

Verifying client installation


You can verify the Configuration Manager client software's installation success in a number of ways, from both the server side and the client side. To verify that the Configuration Manager client software installed successfully, you can examine client log files, Control Panel on the client computer, and current information in collections and status reports.

Objective 5.3: Configure and monitor client status CHAPTER 5 257

Table 5-7 describes methods for verifying a successful client installation.

TABLE 5-7 Verifying client installation

Verification method: Description

Client status column within the collection: Collection status displays information about the client's status, including:
■ Client Type (Computer)
■ Client (Yes/No)
■ Site Code
■ Client Activity (Active/Inactive)

Configuration Manager reports: Configuration Manager reports provide client deployment and assignment status. All of the client deployment and assignment reports require you to deploy a fallback status point system role in the environment and configure the client to report state messages to the fallback status point during client installation. Useful Configuration Manager reports include the following:
■ Client Assignment Detailed Status Report
■ Client Assignment Failure Details
■ Client Assignment Status Details
■ Client Assignment Success Details
■ Client Deployment Status Details
■ Client Deployment Success Report
■ Client Deployment Failure Report
■ Computers Assigned But Not Installed For A Particular Site
■ Count Of Clients For Each Site
■ Count Of Configuration Manager Clients By Client Versions

Configuration Manager Properties: On each client, you can confirm the client's status from the General tab of the Configuration Manager Properties dialog box in Control Panel.

Client logs: You can use several log files to verify client installation. Examples include:
■ CCMSetup.log This log records setup tasks that CCMSetup.exe performs. You use this log to help troubleshoot client installation problems. CCMSetup.log is stored at %Windir%\CCMSetup\Logs.
■ Client.msi.log This log records setup tasks that Client.msi performs. You use this log to help troubleshoot client installation problems. Client.msi.log is stored at %Windir%\CCMSetup\Logs.
■ ClientLocation.log This log records site assignment tasks. You use this log to help troubleshoot when the client is not assigned to a Configuration Manager site. ClientLocation.log is stored at %Windir%\CCM\Logs.
■ ClientIDManagerStartup.log This log records when the client has registered in the site successfully. No other client processes will complete until after registration of the client. This log is stored at %Windir%\CCM\Logs.
■ DataTransferService.log This log records all BITS communication for policy or package access. You should check this log when troubleshooting components that cannot download. This log is stored at %Windir%\CCM\Logs.
■ PolicyAgent.log This log records policy requests made by using the Data Transfer service. You should check this log when troubleshooting policy that cannot update. This log is stored at %Windir%\CCM\Logs.

Client status
The System Center 2012 R2 Configuration Manager client agent runs a scheduled task to evaluate its client health status. The health status of a client enables you to determine the answers to the following questions:
■ How many clients are healthy in the hierarchy?
■ How many clients are inactive in the hierarchy because they have been powered off for a long time or because the Configuration Manager client agent is not installed?
■ What is the main cause of unhealthy clients in the hierarchy?
The task runs daily between midnight and 1:00 A.M. by default. Then, the client sends the evaluation results to a management point as a status message. Similar to the initial installation process, if the client fails to send its status message to a management point, it will then send the status message to a fallback status point if one exists in your hierarchy. If you have not installed a fallback status point in your hierarchy, the site server might not receive some evaluation results. The site server summarizes the evaluation results and activities of the client's health and then displays them in the Configuration Manager console in the Client Status folder located in the Monitoring workspace.

When you click the Client Status node, the results pane displays some statistics and the Recent Alerts section. The statistics have links showing the percentage of clients that are healthy, unhealthy, or unknown, and active or inactive. Recent Alerts shows the alerts the Client Health feature generates because of meeting defined thresholds for client health and activity.

If you click the different links, this creates a temporary node under the Devices node in the Assets And Compliance workspace, and the console changes automatically to the newly created temporary node. Temporary nodes remain in the Configuration Manager console until you remove them manually or close the console. For example, when you click the Active Clients That Failed Client Check link, which denotes the clients that failed the client health checks, a temporary node for these unhealthy clients is created and selected automatically.

MORE INFO CLIENT STATUS


You can learn more about client status at http://technet.microsoft.com/en-us/library/hh338432.aspx.

Client health evaluation and remediation


Client Status in the Configuration Manager console receives its information from the Client Health evaluation engine running on each client. The Client Health evaluation engine is an executable file named CCMEval.exe. This engine can perform health checks by using rules and can automatically rectify some configuration problems through a process termed remediation.

CCMEval.exe is installed with the Configuration Manager client agent and runs on computers. However, it is not part of the mobile device client. When you install the Configuration Manager client agent, the install process creates a scheduled task named Configuration Manager Health Evaluation. This task runs CCMEval.exe at a time between midnight and 1:00 A.M. The client reports the results as a state message to the client's management point or to a fallback status point if the management point is unavailable.

You can run the Configuration Manager Health Evaluation process on demand by running CCMEval.exe as required. Client health evaluation and remediation is only available to Windows-based computers. To view the client health rules that the Client Health evaluation engine is using, you can look in the <client location>\ccmeval.xml file. You can disable remediation of a client system by setting the following registry value to True: HKLM\Software\Microsoft\CCM\CCMEval\NotifyOnly.
If the computer is not running when the scheduled Coniguration Manager Health
Evaluation task is due to run, the task will run automatically as soon as it can, such as when

260 Chapter 5 Manage Coniguration Manager clients

From the Library of Ida Schander


you load the operating system or bring the computer out of sleep mode. Table 5-8 lists the
health evaluation rules and remediation actions.

TABLE 5-8 Health evaluation rules

Health check                                                                Remediation
Verify WMI Service Exists                                                   No automatic remediation
Verify/Remediate WMI Service Startup Type                                   Set service startup to automatic
Verify/Remediate WMI Service Status                                         Start service
WMI Repository Integrity Test                                               Reinstall client
WMI Repository Read/Write Test                                              Reset WMI repository and reinstall client
Verify BITS Exists                                                          No automatic remediation
Verify/Remediate BITS Startup Type                                          Set service startup to automatic
Verify/Remediate Client And Client Prerequisites Installation               Reinstall client
Verify SMS Agent Host Service Exists                                        No automatic remediation
Verify/Remediate SMS Agent Host Service Startup Type                        Set service startup to automatic
Verify/Remediate SMS Agent Host Service Status                              Start service
Verify/Remediate Lantern Service Startup Type                               Set service startup to manual
Verify/Remediate Antimalware Service Startup Type                           Set service startup to automatic
Verify/Remediate Antimalware Service Status                                 Start service
Verify/Remediate Network Inspection Service Startup Type                    Set service startup to manual
Verify/Remediate Windows Update Service Startup Type                        Set service startup to automatic
Verify/Remediate Windows Update Service Status                              Start service
Verify/Remediate Configuration Manager Remote Control Service Startup Type  Set service startup to automatic
Verify/Remediate Configuration Manager Remote Control Service Status        Start service
Verify/Remediate SQL CE Database Is Healthy                                 Set the database to ccmstore.sdf
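As an added example (not the book's or the product's code), the following PowerShell mirrors the service-based rules of Table 5-8 in a notify-only fashion: it reports which checks would fail without remediating anything, and shows how the NotifyOnly value, the scheduled task and the rules file described above look on a client. The mapping of the table's display names to short service names, the assumption that the client is installed under %WINDIR%\CCM, and the HealthCheck element name used to count rules are mine, not from the book.

```powershell
# Added example, not from the book: a read-only checker that mirrors the service rules in
# Table 5-8 and reports how CCMEval.exe is configured on a client. It changes nothing, in the
# spirit of the NotifyOnly setting the book describes.
# Assumptions: the client is installed under %WINDIR%\CCM (the book's "<client location>"),
# and the display names in Table 5-8 map to the short service names used below.

$ClientDir = Join-Path $env:windir 'CCM'

# Service name -> expected Win32_Service StartMode, taken from Table 5-8.
# The Antimalware, Network Inspection and Lantern services are omitted because their
# short names differ between Windows versions.
$ExpectedStartMode = @{
    'Winmgmt'     = 'Auto'    # Windows Management Instrumentation
    'BITS'        = 'Auto'    # Background Intelligent Transfer Service
    'CcmExec'     = 'Auto'    # SMS Agent Host
    'wuauserv'    = 'Auto'    # Windows Update
    'CmRcService' = 'Auto'    # Configuration Manager Remote Control
}
# Services that Table 5-8 also expects to be in the Running state.
$ExpectedRunning = @('Winmgmt', 'CcmExec', 'wuauserv', 'CmRcService')

function Test-ClientHealthRules {
    foreach ($name in $ExpectedStartMode.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # "Verify ... Exists" rules have no automatic remediation; just report.
            [pscustomobject]@{ Service = $name; Check = 'Exists'; Expected = 'Present'; Actual = 'Missing'; Pass = $false }
            continue
        }
        [pscustomobject]@{
            Service  = $name
            Check    = 'StartupType'
            Expected = $ExpectedStartMode[$name]
            Actual   = $svc.StartMode
            Pass     = ($svc.StartMode -eq $ExpectedStartMode[$name])
        }
        if ($ExpectedRunning -contains $name) {
            [pscustomobject]@{
                Service  = $name
                Check    = 'Status'
                Expected = 'Running'
                Actual   = $svc.State
                Pass     = ($svc.State -eq 'Running')
            }
        }
    }
}

function Get-CcmEvalConfiguration {
    # NotifyOnly = True disables remediation, so CCMEval only reports failures.
    $reg  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\CCMEval' -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskName 'Configuration Manager Health Evaluation' -ErrorAction SilentlyContinue
    $rulesFile = Join-Path $ClientDir 'ccmeval.xml'
    $ruleCount = $null
    if (Test-Path $rulesFile) {
        # Count the rules the engine evaluates. The element name is an assumption about the
        # file layout; local-name() keeps the XPath independent of any XML namespace.
        $ruleCount = @(Select-Xml -Path $rulesFile -XPath '//*[local-name()="HealthCheck"]').Count
    }
    [pscustomobject]@{
        RemediationDisabled = ($reg.NotifyOnly -eq 'True')
        TaskState           = if ($task) { $task.State } else { 'Task not found' }
        RulesFile           = $rulesFile
        RuleCount           = $ruleCount
    }
}

function Start-CcmEvalNow {
    # On-demand run of the engine, as the book describes, instead of waiting for the nightly task.
    $exe = Join-Path $ClientDir 'ccmeval.exe'
    if (-not (Test-Path $exe)) { throw "CCMEval.exe not found at $exe" }
    Start-Process -FilePath $exe -Wait -NoNewWindow
}

Test-ClientHealthRules | Format-Table -AutoSize
Get-CcmEvalConfiguration
```

Run it in an elevated session; a row with Pass = False is exactly what the corresponding Table 5-8 rule would either remediate or, for the Exists checks, only report.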

Client health reports

In addition to the Client Check and Client Activity information in the Configuration Manager console, you can use the Client Status reports. After you have installed and configured a reporting services point role, the Client Status reports are located in the Client Status folder in the Configuration Manager console or the ConfigMgr_<site code>\Client Status path in the reporting website. Table 5-9 lists the available reports.

TABLE 5-9 Client health reports

Client Remediation Details: This report provides client remediation details for a given collection.
Client Remediation Summary: This report provides remediation summary information for a given collection.
Client Status History: This report provides a historical view of the overall client status in the environment.
Client Status Summary: This report provides administrators with the current percentages of healthy and active clients for a given collection.
Client Time To Request Policy: This report shows the percentage of clients that have requested policy at least once in the past 30 days. Each day represents a percentage of total clients that have requested policy since day one in the cycle. This is useful for determining the time it would take to distribute a policy update to your client population. Client deployments or changes in client count can affect the accuracy of the report.
Clients With Failed Client Check Details: This report displays details about clients in a specific collection that have failed a client check.
Inactive Clients Details: This report provides a detailed list of inactive clients for a given collection.

Client health alerts

The Alerts feature can use data from the Client Status feature to generate alerts in the Configuration Manager console. To configure alerts for Client Status, open the Properties dialog box for any collection. On the Alerts tab, click Add. You can add the following alert conditions:
■ Client Check Pass Or No Results For Active Clients Falls Below Threshold (%)
■ Client Remediation Success Falls Below The Threshold (%)
■ Client Activity Falls Below Threshold (%)
After you have configured the alerts, the alerts that generate appear in the Alerts node of the Monitoring workspace and in the Client Status node. You also can subscribe to alerts to receive email notifications if you require email in addition to the in-console alert feature.

EXAM TIP
Remember that not all health issues can be remediated.

Thought experiment
Client monitoring at Contoso
You are the Configuration Manager administrator at Contoso. You are concerned that a number of client computers that Configuration Manager manages at your organization are either inactive or regularly failing client health checks. With this information in mind, answer the following questions:

1. How can you determine which clients have failed client health checks?
2. How can you determine which clients in a collection are inactive?

Objective summary
■ The System Center 2012 R2 Configuration Manager client agent runs a scheduled task to evaluate its client health status.
■ If the client fails to send its status message to a management point, it will then send the status message to a fallback status point if one exists in your hierarchy.
■ The Client Health evaluation engine is an executable file named CCMEval.exe. This engine can perform health checks by using rules and can automatically rectify some configuration problems through a process termed remediation.
■ You can run the Configuration Manager Health Evaluation process on demand by running CCMEval.exe as required. Client health evaluation and remediation is only available to Windows-based computers.

Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of the chapter.
1. You want to run Configuration Manager Health Evaluation immediately rather than waiting for it to occur at the scheduled time. Which of the following files would you run to accomplish this task?
A. CCMEval.exe
B. CCMSetup.exe
C. CMTrace.exe
D. CCMSetup.msi
2. Which of the following health evaluation rules supports remediation?
A. Verify BITS Exists
B. Verify/Remediate Windows Update Service Status
C. Verify SMS Agent Host Service Exists
D. Verify File Exists
3. Which of the following reports would you run to view remediation details for a given collection?
A. Client Status History
B. Client Remediation Details
C. Client Status Summary
D. Inactive Clients Details

Answers

Objective 5.1
Thought experiment
1. You must install the client manually, using an account with local administrator privileges. You also must configure a network access account to allow access to resources in the site server domain for clients that are not domain members.
2. The computers running the Management Point, Distribution Point, Enrollment Point, and Enrollment Proxy Point roles require web server certificates when you want to use Configuration Manager to manage computers running Mac OS X.
3. The computers running the Management Point and Distribution Point roles require client authentication certificates when you want to use Configuration Manager to manage computers running Mac OS X.

Objective review
1. Correct answer: B
A. Incorrect: The user account used to extend the schema must be a member of the Schema Admins domain security group.
B. Correct: The user account used to extend the schema must be a member of the Schema Admins domain security group.
C. Incorrect: The user account used to extend the schema must be a member of the Schema Admins domain security group.
D. Incorrect: The user account used to extend the schema must be a member of the Schema Admins domain security group.
2. Correct answers: A and C
A. Correct: You can assign a site code to a Configuration Manager client by using the Client.msi property SMSSITECODE=site code.
B. Incorrect: You cannot assign a site code to a Configuration Manager client by using an answers.txt file.
C. Correct: You can assign a site code to a Configuration Manager client by using Group Policy.
D. Incorrect: You cannot assign a site code to a Configuration Manager client by using an unattend.xml file.
3. Correct answer: D
A. Incorrect: The Default Client Settings object has a default priority of 10,000.
B. Incorrect: The Default Client Settings object has a default priority of 10,000.
C. Incorrect: The Default Client Settings object has a default priority of 10,000.
D. Correct: The Default Client Settings object has a default priority of 10,000.
4. Correct answers: A, B, and C
A. Correct: You cannot configure the Software Inventory: Configure The Display Names For Manufacturer Or Product setting through a custom client policy.
B. Correct: You cannot configure the Compliance Settings: Schedule Compliance Evaluation setting through a custom client policy.
C. Correct: You cannot configure the Mobile Devices: Polling Interval setting through a custom client policy.
D. Incorrect: You can configure the Cloud Services: Allow Access To Cloud Distribution Point setting through a custom client policy.

Objective 5.2
Thought experiment
1. Configure the Critical Battery Action power management setting.
2. Configure the Lid Close Action power management setting.

Objective review
1. Correct answers: C and D
A. Incorrect: You cannot add a router to a collection because a router cannot be managed by Configuration Manager.
B. Incorrect: You cannot add a switch to a collection because a switch cannot be managed by Configuration Manager.
C. Correct: You can add an Active Directory security group to a collection by using a direct membership rule.
D. Correct: You can add a user account to a collection by using a direct membership rule.
2. Correct answer: C
A. Incorrect: By default, collection membership is reevaluated once every 7 days.
B. Incorrect: By default, collection membership is reevaluated once every 7 days.
C. Correct: By default, collection membership is reevaluated once every 7 days.
D. Incorrect: By default, collection membership is reevaluated once every 7 days.
3. Correct answers: A, B, and C
A. Correct: Configuration item remediation is not affected by maintenance windows.
B. Correct: User-initiated software deployment is not affected by maintenance windows.
C. Correct: Policy download and evaluation are not affected by maintenance windows.
D. Incorrect: Although it is possible to configure a centralized software deployment specifically to ignore maintenance windows, by default, centralized software deployment only occurs during the times specified in the maintenance window.
4. Correct answer: A
A. Correct: You must enable Hardware Inventory to be able to use Configuration Manager to manage power settings for computers running Windows 8.1.
B. Incorrect: You do not need to enable Remote Tools to be able to use Configuration Manager to manage power settings for computers running Windows 8.1.
C. Incorrect: You do not need to enable Software Inventory to be able to use Configuration Manager to manage power settings for computers running Windows 8.1.
D. Incorrect: You do not need to enable Compliance Settings to be able to use Configuration Manager to manage power settings for computers running Windows 8.1.

Objective 5.3
Thought experiment
1. Run the Clients With Failed Client Check Details report.
2. Run the Inactive Clients Details report to determine which clients are no longer active in a collection.

Objective review
1. Correct answer: A
A. Correct: You run CCMEval.exe to trigger the health evaluation process.
B. Incorrect: CCMSetup.exe is used in the client deployment process.
C. Incorrect: CMTrace.exe is used to view log files.
D. Incorrect: CCMSetup.msi is used in the Configuration Manager setup process.
2. Correct answer: B
A. Incorrect: The Verify BITS Exists health check does not support automatic remediation.
B. Correct: The Verify/Remediate Windows Update Service Status health check supports automatic remediation.
C. Incorrect: The Verify SMS Agent Host Service Exists health check does not support automatic remediation.
D. Incorrect: The Verify File Exists health check does not support automatic remediation.
3. Correct answer: B
A. Incorrect: The Client Status History report provides a historical view of the overall client status in the environment.
B. Correct: You would run the Client Remediation Details report to view remediation details for a given collection.
C. Incorrect: The Client Status Summary report provides the current percentages of healthy and active clients for a given collection.
D. Incorrect: The Inactive Clients Details report provides a detailed list of inactive clients for a given collection.

CHAPTER 6

Manage inventory using Configuration Manager

As the name of the product suggests, Configuration Manager enables you to inventory and manage the configuration of managed client devices. Hardware and software inventory allow you to generate a detailed picture of the hardware and software configurations of the client devices that Configuration Manager manages. Software Metering is a feature that enables you to track how applications on managed clients are being utilized. You can then use the reporting functionality in Configuration Manager to generate detailed reports using the information that has been collected.

Objectives in this chapter:
■ Objective 6.1: Manage hardware and software inventory.
■ Objective 6.2: Manage software metering.
■ Objective 6.3: Create reports.

Objective 6.1: Manage hardware and software inventory

Configuration Manager enables you to configure the collection of hardware and software inventory and, thus, to generate detailed information about the configuration of client devices in your organization. You can use this detailed information as the basis for creating Configuration Manager collections or use it to generate reports about the configuration of managed devices.

This section covers the following topics:
■ Inventory collection
■ Hardware inventory collection
■ Extending hardware inventory
■ Software inventory collection
■ File collection
■ Managing inventory collection


Inventory collection
Inventory collection involves gathering information about a client computer’s hardware and software. You can collect inventory information through three primary methods:
■ Hardware inventory  Collects information about the hardware configuration of client computers. Configuration Manager supports hardware inventory collection for computers that are running supported Windows operating systems, Mac OS X, Linux, and UNIX operating systems.
■ Software inventory  Collects information about files on client devices. Operating systems that are not Windows-based do not support software inventory.
■ Asset Intelligence  Use in conjunction with and in addition to hardware inventory to report software installations on client computers.
If you want to configure hardware and software inventory options that apply to the entire hierarchy, do so using Default Client Settings. If you want to configure hardware and software inventory options that only apply to a small number of computers, create custom client settings and then assign them to specific collections.

EXAM TIP
Custom client settings override any settings that you configure within Default Client Settings.

Inventory collection isn’t limited to Configuration Manager. Microsoft Intune (formerly Windows Intune) can collect hardware inventory from its clients. Integrating Intune with Configuration Manager enables you to use the inventory information that Intune collects in Configuration Manager.
When you integrate Intune with Configuration Manager, there are some differences between what Intune inventories for personal devices and what it inventories for company-owned devices. Table 6-1 shows the software inventory capability of Intune when integrated with Configuration Manager.

TABLE 6-1 Intune inventory information

Platform                             Personal devices     Company devices
Windows Phone 8/Windows Phone 8.1    Only managed apps    Only managed apps
Windows RT/Windows RT 8.1            Only managed apps    Only managed apps
Windows 8/Windows 8.1                Only managed apps    Only managed apps
iOS                                  Only managed apps    All installed apps
Android                              Only managed apps    All installed apps



MORE INFO INTUNE INVENTORY
You can learn more about Microsoft Intune inventory at http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/03/24/windows-intune-mobile-device-inventory-information-faq.aspx.

You can use the results of inventory collection with other Configuration Manager features. For example, you can:
■ Build queries that include or exclude computers based on their hardware configuration or installed software. For example, you can create a query that displays all computers with less than 5 gigabytes of space left on their operating system volume.
■ Build collections by using queries that include or exclude computers based on their hardware configuration or the type of installed software—for example, that have a specific model of graphics adapter or that are running a specific application.
■ Generate reports based on hardware configuration or installed software.
■ Use queries and reports to find computers that do not meet corporate standards. For example, you can maintain information about current hardware and software installations to ensure that all computers meet the current compliance requirements.
■ Use Resource Explorer, the Configuration Manager console tool that displays the complete inventory data that Configuration Manager collects for individual computers.
■ Collect copies of files from client computers by using software inventory. Configuration Manager then stores these files on the site server. One example is if you need to collect a specific configuration file from computers within a specific site.
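As an added example that is not part of the book, the following PowerShell uses the Configuration Manager 2012 R2 cmdlets to build the kind of inventory-driven collection the first two bullets describe: a device collection whose query membership rule selects computers whose hardware inventory reports less than 5 GB free on the C: volume. The site code PS1 and the collection and rule names are constructed for the example, and treating C: as the operating system volume is a simplifying assumption of mine.

```powershell
# Added example, not from the book: create a device collection driven by hardware inventory data.
# Assumes the Configuration Manager 2012 R2 cmdlets are loaded (for example from the console's
# "Connect via Windows PowerShell" option) and that the site code is PS1 (constructed value).
# Hardware inventory stores Win32_LogicalDisk as SMS_G_System_LOGICAL_DISK with FreeSpace in MB,
# so "less than 5 gigabytes" is FreeSpace < 5120. Treating C: as the operating system volume
# is a simplifying assumption for this example.

$SiteCode       = 'PS1'
$CollectionName = 'Low free space on OS volume'
$ThresholdMB    = 5 * 1024

# Extended WQL of the form used by Configuration Manager queries and collection membership rules.
$Wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name,
       SMS_G_System_LOGICAL_DISK.DeviceID, SMS_G_System_LOGICAL_DISK.FreeSpace
from SMS_R_System
inner join SMS_G_System_LOGICAL_DISK
    on SMS_G_System_LOGICAL_DISK.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_LOGICAL_DISK.DriveType = 3
  and SMS_G_System_LOGICAL_DISK.DeviceID = 'C:'
  and SMS_G_System_LOGICAL_DISK.FreeSpace < $ThresholdMB
"@

# The CM cmdlets must run from the site drive (PS1:).
Push-Location "$($SiteCode):"
try {
    # Re-evaluate membership daily. Hardware inventory itself only refreshes on its own
    # schedule, so a more aggressive collection schedule would not surface new data sooner.
    $schedule = New-CMSchedule -RecurInterval Days -RecurCount 1

    $collection = Get-CMDeviceCollection -Name $CollectionName
    if (-not $collection) {
        $collection = New-CMDeviceCollection -Name $CollectionName `
            -LimitingCollectionName 'All Systems' `
            -RefreshType Periodic -RefreshSchedule $schedule
    }

    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
        -RuleName 'Free space on C: below 5 GB' -QueryExpression $Wql

    # Preview what the rule matches right now by running the same WQL against the SMS Provider,
    # which returns one object per joined row with the two classes as embedded properties.
    Get-WmiObject -Namespace "root\SMS\site_$SiteCode" -Query $Wql |
        Select-Object @{ n = 'Name';        e = { $_.SMS_R_System.Name } },
                      @{ n = 'FreeSpaceMB'; e = { $_.SMS_G_System_LOGICAL_DISK.FreeSpace } }
}
finally {
    Pop-Location
}
```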
By default, the hardware inventory and software inventory collection runs every seven days, though by configuring default or custom client settings, you can modify this schedule to meet your organization’s requirements. Computer hardware and software configuration changes slowly, so it is rarely necessary to schedule aggressive inventory collection. Figure 6-1 shows a schedule configured to run once every 14 days.

FIGURE 6-1 Inventory schedule



Inventory collection runs automatically based on the schedule you configure. The key phases in the inventory collection process are as follows:
1. Inventory agents create inventory data files that contain the collected data.
2. The client sends the inventory data files to the management point.
3. The management point forwards the data to the site server.
4. Configuration Manager updates the site database.
5. The data replicates to the central administration site.
The primary site servers add the inventory data to the Configuration Manager site database. The site database stores hardware inventory history for each client. Configuration Manager retains only the current software inventory data for each client and does not store historical data. Inventory data is site data, and site data will not replicate to any other primary sites in the hierarchy, only to the central site.

MORE INFO INVENTORY COLLECTION
You can learn more about inventory collection at http://msdn.microsoft.com/en-us/library/jj218177.aspx.

Hardware inventory collection

The Configuration Manager hardware inventory agent discovers information about computers by querying the Windows Management Instrumentation (WMI) database on the client computer. The hardware inventory agent is enabled by default and runs every seven days. By default, hardware inventory has a built-in random delay, which ranges from 60 to 240 minutes. This helps alleviate contention issues for specific scenarios, such as Virtual Desktop Infrastructure (VDI) environments.
WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM). WBEM allows access to data from a variety of underlying technologies, including the Win32 class, WMI, the Desktop Management Interface (DMI), and the Simple Network Management Protocol (SNMP). WBEM is based on the Common Information Model (CIM) schema. WMI uses Managed Object Format (MOF) files to determine what information to load into the CIM repository. WMI can also use providers to access the CIM repository.
Clients running OS X, Linux, or UNIX use an open source Open Management Infrastructure (OMI) implementation of the CIM and WBEM standards to gather hardware inventory information. OMI includes rules for gathering information about installed applications because it is not possible to obtain this information through a software inventory.
With Configuration Manager 2007, you used the SMS_DEF.MOF file to customize hardware inventory classes. With Configuration Manager 2012 and Configuration Manager 2012 R2, you customize the hardware inventory classes that the hardware inventory agent collects by modifying the hardware inventory client settings.



The first time the hardware inventory agent runs, it collects and returns a full hardware inventory. This full inventory establishes a baseline for future inventory collections. Subsequent inventory data contains only the information that has changed since the previous inventory collection. Another term for this changed information is delta information. Because delta information is typically a fraction of a complete inventory collection, the network traffic that client inventory generates after initial inventory collection is much smaller.
Certain events can cause a client to again collect and report a full hardware inventory:
■ The client attempts to update inventory data that does not exist in the site database.
■ The delta inventory information becomes corrupt.
■ You upgrade the Configuration Manager client software to a new version.
■ An administrator assigns the client to a new site.
You can modify the hardware inventory collection by configuring the client settings for the hardware inventory agent. You configure the hardware inventory agent in the Administration workspace, Client Settings node, in either Default Client Settings or a custom client settings object. Figure 6-2 shows enabling hardware inventory.

FIGURE 6-2 Hardware Inventory client settings

If you want the hardware inventory settings to apply to specific computers only, create a custom client setting that deploys to a collection that contains the computers you want to inventory. If a computer receives settings from both the default and custom client settings, the hardware inventory agent merges the hardware inventory classes from each of the settings when the client reports its hardware inventory.



You can configure several options for hardware inventory, as described in Table 6-2.

TABLE 6-2 Hardware inventory options

Enable Hardware Inventory On Clients: Enable or disable a hardware inventory collection. This option is enabled by default. Disabling hardware inventory in custom settings disables hardware inventory on clients.

Hardware Inventory Schedule: Specify the start time and interval for which the client’s hardware inventory agent collects hardware inventory. By default, hardware inventory collection runs every seven days.

Maximum Custom MIF File Size (KB): Specify the maximum size for custom Managed Information Format (MIF) files that you want to collect from a client. You can configure this option by using the Collect MIF Files setting. The hardware inventory agent does not collect or process any MIF files that exceed the maximum custom MIF file size. The default value is 250 kilobytes (KB).

Hardware Inventory Classes: Customize which WMI classes and attributes you use to collect hardware information from Configuration Manager clients. You can modify the default classes and attributes, or you can import custom Managed Object Format (MOF) files to allow for vendor-specific classes and attributes.

Collect MIF Files: Specify the custom MIF file types that you want to collect. You can choose to collect custom IDMIF and NOIDMIF files, or you can collect both types. The default option is no collection of any custom MIF files.

MORE INFO HARDWARE INVENTORY
You can learn more about hardware inventory at http://technet.microsoft.com/en-us/library/hh301103.aspx.

Extending hardware inventory

You can extend the hardware inventory for Windows-based clients by using the following methods for Default Client Settings or for a custom client-device setting configuration:
■ Enable or disable existing inventory classes. To display a list of default inventory classes, click the Set Classes button, which opens the Hardware Inventory Classes dialog box shown in Figure 6-3. From this dialog box, you can enable or disable the classes and class properties that you want the hardware inventory agent to collect. You can use either the Search For Inventory Classes field or the Filter buttons that are at the top of the Hardware Inventory Classes dialog box to search for and view individual classes.

FIGURE 6-3 Hardware Inventory Classes

■ Add a new hardware inventory class. You can connect to another computer to retrieve specific inventory classes and then add the new inventory class to the set of default classes. For example, you might use a client computer to test a hardware vendor–specific MOF file. After you verify that the specific MOF file collects the custom information properly, you can connect to the computer from the Configuration Manager console to import the vendor-specific classes.
If you have a custom MOF file that contains hardware inventory class settings that you used in a prior version of Configuration Manager, or an MOF file that a vendor provides, you can use the Import and Export features to import or export custom MOF files and their associated settings.
The Configuration.mof file is a text file, which you can edit with a text editor such as Notepad.exe, that defines the data classes for the hardware inventory agent. Configuration.mof also defines and registers the providers that the hardware inventory agent uses during data collection. To extend the hardware inventory that Configuration Manager collects, you edit the Configuration.mof file to use a registered inventory data provider. For example, if you want to collect additional information from specific registry keys on the client computer, you modify the registry property provider to collect the specific registry key information that you require.
When clients request computer policies as part of their normal policy-polling interval, Configuration Manager attaches the Configuration.mof content to the policy body that clients download and compile. When you add, modify, or delete data classes from the Configuration.mof file, the next time that clients receive an updated computer policy, they automatically compile changes that have occurred to inventory-related data classes.



The Configuration.mof file is located on the site server in the ConfigMgr install directory, in the \Inboxes\Clifiles.src\Hinv folder.
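As an added example, not from the book or the product, the following PowerShell writes a registry property provider extension of the kind described above, compiles it into WMI on a test client with mofcomp.exe, and queries the resulting class, which is the "test on a client, then import from the console" workflow the text outlines. The class name Contoso_BuildInfo, the registry key HKLM\SOFTWARE\Contoso\Build and its two values are constructed for the example.

```powershell
# Added example, not from the book: test a registry-backed hardware inventory extension on a client
# before importing it into Configuration Manager. Run in an elevated PowerShell session.
# Constructed for the example: class name Contoso_BuildInfo and registry key HKLM\SOFTWARE\Contoso\Build.

$RegKey  = 'HKLM:\SOFTWARE\Contoso\Build'
$MofPath = Join-Path $env:TEMP 'Contoso_BuildInfo.mof'

# 1. Seed test data the way an imaging process might (constructed values).
New-Item -Path $RegKey -Force | Out-Null
Set-ItemProperty -Path $RegKey -Name 'BuildVersion' -Value '2014.10.1'
Set-ItemProperty -Path $RegKey -Name 'ImageDate'    -Value '2014-10-01'

# 2. The MOF fragment. RegPropProv is the built-in registry property provider; each property's
#    PropertyContext points at "Local|<hive\key>|<value name>". Backslashes are doubled for MOF,
#    and the single-quoted here-string keeps them intact. This is the same text you would append to
#    <ConfigMgr install directory>\Inboxes\Clifiles.src\Hinv\Configuration.mof on the site server.
$Mof = @'
#pragma namespace ("\\\\.\\root\\cimv2")
#pragma deleteclass("Contoso_BuildInfo", NOFAIL)

[DYNPROPS]
Class Contoso_BuildInfo
{
    [key] string KeyName;
    String BuildVersion;
    String ImageDate;
};

[DYNPROPS]
Instance of Contoso_BuildInfo
{
    KeyName = "Contoso_BuildInfo";
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Build|BuildVersion"), Dynamic, Provider("RegPropProv")] BuildVersion;
    [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Contoso\\Build|ImageDate"),    Dynamic, Provider("RegPropProv")] ImageDate;
};
'@
Set-Content -Path $MofPath -Value $Mof -Encoding Ascii

# 3. Compile into the local CIM repository, as the client does when it compiles Configuration.mof.
& "$env:windir\System32\wbem\mofcomp.exe" $MofPath
if ($LASTEXITCODE -ne 0) { throw "mofcomp.exe failed with exit code $LASTEXITCODE" }

# 4. Query the class exactly as the hardware inventory agent would. If this returns the seeded
#    values, the class is ready to be added under Set Classes > Add > Connect in the console.
Get-CimInstance -Namespace 'root\cimv2' -ClassName Contoso_BuildInfo |
    Select-Object KeyName, BuildVersion, ImageDate
```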

Software inventory collection

Software inventory collection enables you to inventory specific file types, such as .exe files, located on Configuration Manager client devices. Software inventory provides some details about a file by inventorying file header information. If the file does not have a file header, or if the software inventory agent cannot read the file header, the file is inventoried as an unknown file type. Inventory results include a report on any file that matches the requested file type and might include file-system details that you configure in the software inventory agent settings. You can also use software inventory to collect copies of files that are transferred to the site server. The default inventory settings are shown in Figure 6-4.

FIGURE 6-4 Software Inventory

Similar to hardware inventory, software inventory initially reports a full inventory soon after you enable the software inventory agent. Subsequent inventory reports only contain changes to inventory information. The site server processes delta inventory information but rejects it if information is missing or corrupt. If the site server rejects the delta inventory, it instructs the client to run and report a full inventory cycle.
You can use Resource Explorer to view inventory information for client software, or you can view software-inventory information in reports. Configuration Manager clients that are running OS X, Linux, or UNIX do not support the software inventory feature.



By default, the software inventory agent is enabled and conigured to run every seven
days using the simple schedule option. However, no ile types are speciied. You can modify
this setting to conigure ile types, as shown in Figure 6-5, and a custom schedule as
necessary.

FIGURE 6-5 File Types

The information that Coniguration Manager gathers can include data related to the
operating system, installed programs, and any iles that you want to inventory. Coniguration
Manager stores this data in the site database, where you can use the information in queries to
generate and view reports or to build software-speciic collections. For example, you can cre-
ate a collection of all computers that have speciic versions of iles, or you can ind all clients
with an old version of a ile and replace it with a newer version.
Although software inventory can provide a list of installed application iles, such as .exe
iles, you should not use it for identifying installed software. Instead, you should use Asset
Intelligence, which provides details about installed applications beyond a simple list of ile
names. For example, software inventory might ind a ile named Game.exe but not be able
to ind information beyond that name. Asset Intelligence, however, will allow you to identify
which application it actually is.
By default, software inventory is enabled on clients, but no ile types are deined for inven-
tory. To inventory speciic ile types, you need to conigure software inventory rules by using
the following settings:
■ Name You can list a speciic ile, or you can specify a ile type by using wildcard
characters. For example, you could specify *.ps1 to inventory Windows PowerShell
command-line interface scripts.
■ Path You can conigure the agent to search for the speciied ile on all of the clients’
hard disks or in a speciic path. The path can be explicit or based on a variable such as
%ProgramFiles%.

Objective 6.1: Manage hardware and software inventory CHAPTER 6 277

■ Exclude Encrypted And Compressed Files This option is enabled by default and
specifies that Configuration Manager does not inventory any file that has the encryption
or compression attribute set.
■ Exclude Files In The Windows Folder This option is enabled by default and specifies
that Configuration Manager will not inventory any files that are in the %SystemRoot%
folder.
In addition, you can configure reporting detail for software inventory to specify whether
software inventory collects file system full details, details for inventoried files, or product
details from file header information. These options apply to all software inventory rules.
Inventorying encrypted and compressed files might cause the inventory process to run more
slowly. To inventory such a file, the software inventory agent must first produce a decrypted or
decompressed copy of it. Furthermore, if the client computer is running antivirus software, the
antivirus software rescans every file that the inventory process opens.
You can exclude some folders or entire volumes from a client's software inventory. To
exclude a folder, create a hidden file named Skpswi.dat in that folder. Note that excluding
a folder from software inventory also excludes all of its subfolders. To exclude an entire hard
disk, create the hidden Skpswi.dat file in the volume's root. You also might decide to use the
Skpswi.dat file to exclude specific folders that you do not want to inventory on a file server or
distribution point, where scanning a large content store would be slow and of little value.
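The following PowerShell is an added example, not code from the book, showing how to place the Skpswi.dat marker described above and check that it carries the Hidden attribute the agent looks for. The folder and volume paths are assumptions for illustration; the marker's content is irrelevant, so an empty file suffices.

```powershell
# Added example (not from the book): exclude a folder or an entire volume from
# software inventory by dropping a hidden Skpswi.dat marker file, then verify it.
# The paths used at the bottom are assumptions for illustration.

function Add-SoftwareInventoryExclusion {
    [CmdletBinding()]
    param(
        # A folder such as 'D:\Backups', or a volume root such as 'E:\' to skip the whole disk.
        [Parameter(Mandatory)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    $marker = Join-Path -Path $Path -ChildPath 'Skpswi.dat'

    # Only the presence of the file matters to the agent; an empty file is enough.
    if (-not (Test-Path -LiteralPath $marker)) {
        New-Item -ItemType File -Path $marker | Out-Null
    }

    # The agent only honours the marker when it is hidden, so set the attribute explicitly.
    $item = Get-Item -LiteralPath $marker -Force
    $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::Hidden
    return $item
}

function Test-SoftwareInventoryExclusion {
    param([Parameter(Mandatory)][string]$Path)
    $marker = Join-Path -Path $Path -ChildPath 'Skpswi.dat'
    # -Force is needed so Get-Item returns hidden files.
    $item = Get-Item -LiteralPath $marker -Force -ErrorAction SilentlyContinue
    # $true only when the marker exists and is hidden; a visible Skpswi.dat is not an exclusion.
    return ($null -ne $item) -and $item.Attributes.HasFlag([System.IO.FileAttributes]::Hidden)
}

# Usage: exclude a backup folder and the whole E: volume (assumed paths), then confirm each.
foreach ($p in @('D:\Backups', 'E:\')) {
    Add-SoftwareInventoryExclusion -Path $p | Out-Null
    '{0}: excluded={1}' -f $p, (Test-SoftwareInventoryExclusion -Path $p)
}
```

Because the exclusion is driven by a file on the client, anyone with write access to a folder can hide its contents from software inventory by creating the marker themselves; treat an unexpected Skpswi.dat as something worth investigating rather than ignoring.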
Software inventory retrieves manufacturer and product names from file header information.
If these names are entered inconsistently in the header information, multiple variations of the
manufacturer and product names appear both in Resource Explorer and in any query results
based on inventoried file display names.
For example, files created by A. Datum Corporation might carry the manufacturer name in
various forms, such as A. Datum; A. Datum, Corp; A. Datum, corp; or Adatum. Such inconsistencies
make it harder to read and query software inventory information because the data appears
under multiple manufacturer names rather than under a single name.
To resolve this problem, you can set custom display names for manufacturers or products.
For example, you can map all variations of A. Datum to A. Datum Corporation for display and
query purposes. Keep in mind that the header fields are supplied by whoever built the file;
they are a convenience for reporting, not evidence of the file's origin.

MORE INFO SOFTWARE INVENTORY


You can learn more about software inventory at http://technet.microsoft.com/en-us/library/hh509028.aspx.

File collection
File collection allows files to be collected from Configuration Manager clients. When you
specify a file for collection, the software inventory agent runs a file collection cycle on each
Configuration Manager client. If the software inventory agent finds a file to collect, it attaches
the file to the inventory report and then forwards it to the site server. On the client, the file
collection cycle is a separate action from the software inventory cycle. By default, software
inventory does not collect any files.
The site server stores up to five versions of each file that the software inventory agent
collects from each client. The site server never discards collected files on its own; only the
Delete Aged Collected Files site maintenance task removes them. Therefore, you should use
file collection only in very specific circumstances and configure the agent to collect only files
that are small and do not change often. Consider enabling deduplication on the volume that
hosts collected files.

EXAM TIP
File collection is not enabled by default. Up to five versions of each file are stored.

To configure file collection by software inventory, you must perform the following
procedure:
1. To create a new file entry, under Client Settings, in the Software Inventory section, click
Set Files and then click New (which appears as a star).
2. In the Collected File Properties dialog box, shown in Figure 6-6, specify the name of
the files that you want to collect or use wildcard characters to specify the file types that
you want to collect. An example is *.ini.

FIGURE 6-6 Collected File Properties

3. Specify the location in which you want the agent to search for files. You can configure
the agent to search for a specific file on all of the client's hard disks or in a specific path
only. The path can be explicit or based on a variable such as %windir%.

4. Specify whether to exclude encrypted and compressed files.
5. Specify the maximum total file size of files collected for this entry.
The site server stores each collected file in the <ConfigMgr installation directory>\Inboxes
\Sinv.box\Filecol folder. If a file has not changed since the last collection, the agent will not
collect it again. You can use Resource Explorer to view or save files that the agent collects
from a client. The copies in the Filecol folder are stored as plain files, so anyone who can read
that folder can read the contents of every collected file; treat the folder's permissions as part
of the inventory design.

Managing inventory collection

You may have situations in which you need hardware or software inventory to run
immediately on a single client. For example, when a client has received an upgrade, you may
want the change reported as soon as possible rather than at the next scheduled cycle.
You can initiate certain client actions (such as policy retrieval and inventory collection) on
demand, independent of scheduled intervals. You can initiate these client actions on the
Actions tab of the Configuration Manager Properties dialog box in Control Panel on the
client.
To initiate off-cycle inventory collection and reporting, complete the following procedure:
1. On the client computer, open Control Panel.
2. In Control Panel, in System And Security, start Configuration Manager.
3. In the Configuration Manager Properties dialog box, click the Actions tab.
4. Under Actions, select the inventory action that you want to initiate, such as the
Hardware Inventory Cycle shown in Figure 6-7, and then click Run Now.

FIGURE 6-7 Hardware Inventory Cycle
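The Actions tab is a per-machine, interactive step. The following PowerShell is an added example, not code from the book, that triggers the same Hardware Inventory, Software Inventory and File Collection cycles remotely through the client's SMS_Client WMI class, and shows how to force a full rather than delta inventory report. The computer name is an assumption; the schedule IDs are the client's well-known values for those three actions.

```powershell
# Added example (not from the book): trigger inventory actions on a client from an
# admin workstation instead of the Actions tab. Uses the well-known schedule IDs of
# the SMS_Client.TriggerSchedule method in root\ccm. Requires local administrator
# rights on the client and WMI/DCOM reachable through its firewall.
# The computer name used at the bottom is an assumption for illustration.

$InventorySchedules = @{
    HardwareInventory = '{00000000-0000-0000-0000-000000000001}'
    SoftwareInventory = '{00000000-0000-0000-0000-000000000002}'
    FileCollection    = '{00000000-0000-0000-0000-000000000010}'
}

function Invoke-CMClientInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)]
        [ValidateSet('HardwareInventory', 'SoftwareInventory', 'FileCollection')]
        [string]$Action,
        # A normal cycle sends only a delta since the last report. Deleting the agent's
        # stored InventoryActionStatus record for the action makes the next cycle a full
        # report, which is what you want after an upgrade or when the site's copy looks stale.
        [switch]$Full
    )

    $scheduleId = $InventorySchedules[$Action]

    if ($Full) {
        Get-WmiObject -ComputerName $ComputerName -Namespace 'root\ccm\invagt' -Class 'InventoryActionStatus' |
            Where-Object { $_.InventoryActionID -eq $scheduleId } |
            ForEach-Object { $_.Delete() }
    }

    # TriggerSchedule only queues the action; the agent runs it when it next services its
    # queue. A successful call says nothing about whether the report reached the management
    # point. Check InventoryAgent.log on the client for that.
    $accepted = $false
    try {
        Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $scheduleId | Out-Null
        $accepted = $true
    } catch {
        Write-Warning "TriggerSchedule failed on $ComputerName for ${Action}: $_"
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Action       = $Action
        Full         = [bool]$Full
        Accepted     = $accepted
    }
}

# Usage: push a full hardware inventory after a hardware upgrade on LON-CL1 (assumed name),
# then a normal software inventory and file collection on the same machine.
Invoke-CMClientInventory -ComputerName 'LON-CL1' -Action HardwareInventory -Full
Invoke-CMClientInventory -ComputerName 'LON-CL1' -Action SoftwareInventory
Invoke-CMClientInventory -ComputerName 'LON-CL1' -Action FileCollection
```

Forcing full inventory across a large collection at once generates a full report from every client at the same time, so use the -Full switch for individual machines rather than as a routine bulk operation.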

After agents collect hardware or software inventory information from Configuration
Manager client computers, you can view the results by using either Resource Explorer or
inventory reports. You also can obtain results by creating custom queries from within the
Configuration Manager console.
You can use Resource Explorer to display inventory information for one client at a time. To
start Resource Explorer, complete the following procedure:
1. From the Configuration Manager console, click the Assets And Compliance workspace.
2. Click the Devices node. Note that you also can click Device Collections, right-click a
device collection that contains the client device that you want to view, and then click
Show Members.
3. In the list view, right-click a client device, point to Start, and then click Resource
Explorer.
You also can use the reporting feature to view various types of reports pertaining to
hardware and software inventory. To access reports, complete the following procedure:
1. In the Configuration Manager console, click the Monitoring workspace.
2. Expand the Reporting node and then click and expand the Reports node. Notice that
reports are organized into category-based folders, enabling you to locate common
reports quickly.
You also can access reporting by using Internet Explorer to open the Report Manager URL.
By default, the URL for the Report Manager is http://servername/Reports.
If you configure management points to use HTTPS for client communication, all data
transmitted to the server is protected in transit by SSL/TLS. However, you can opt to use HTTP
to communicate with management points within your internal network. In this case, HTTP
sends client inventory data and collected files unencrypted and unsigned. As a result, anyone
on the network path can inject forged inventory for a client, or send invalid or excessively
large reports as a form of denial-of-service attack against the site server. In addition, because
the data is unencrypted, anyone able to capture the traffic can read the collected inventory in
transit. As a best practice, consider implementing security measures to protect the inventory
process and data communication by using the following methods:
■ Enable Signing And Encryption To provide more secure communication between
client computers and the site, you can configure several signing and encryption
options, including:
■ Require Signing This option ensures that all data that is sent from the client to
the management point is signed, so the site can detect tampering in transit.
■ Require Secure Hash Algorithm 256 (SHA-256) This option ensures that when
a client is communicating by using HTTP, the communication uses the SHA-256 hash
algorithm to sign the data. Note that only System Center 2012 Configuration
Manager clients and newer support SHA-256, so do not require it while older clients
remain in the hierarchy.

■ Use Encryption This option ensures that all inventory data and state messages
are encrypted by using the Triple Data Encryption Standard (3DES) algorithm when
sent to the management points. You can use this option for environments in which
inventory data might contain sensitive information. Note that this setting protects the
data only between client and management point; it does not encrypt what the site
database stores.
To enable signing and encryption for the site, complete the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. Expand the Site Configuration node and then click Sites.
3. In the list view, right-click the site and then click Properties.
4. In the Site Properties dialog box, click the Signing And Encryption tab.
5. Select the signing and encryption options as needed.
■ Disable Any Custom MIF File Collections Although you can extend inventory by
collecting IDMIF and NOIDMIF files, the MIF files that the hardware inventory agent
collects are not validated. As a result, a malicious user with write access to a client could
use a crafted MIF file to alter your site's database by overwriting valid data with invalid
data.
■ Do Not Collect Critical Or Sensitive Files The inventory client agent runs with the
rights of the LocalSystem account. This account can collect copies of critical system
files, such as the registry hives or the security account database. When these files are
available at the site server, anyone with permission to read the collected files could
analyze their contents and potentially discern details, such as password hashes, that
would allow them to compromise the client.
■ Use An Appropriate Deletion Interval For Aged Inventory Data And Collected
Files You can ensure the encryption of data that is sent from the client to the
management point, but the data that the site database stores is not encrypted. Therefore,
you should determine how long you want the database to retain the inventory
information and collected files and configure the Delete Aged Inventory History and Delete
Aged Collected Files site maintenance tasks as appropriate.
To configure the deletion interval for the Delete Aged Inventory History and Delete Aged
Collected Files site maintenance tasks, complete the following procedure:
1. In the Configuration Manager console, click the Administration workspace.
2. Expand the Site Configuration node and then click Sites.
3. In the list view, right-click the site and then click Site Maintenance.
4. Modify the properties for the Delete Aged Inventory History and Delete Aged
Collected Files site maintenance tasks as required. This dialog box is shown in Figure 6-8.

FIGURE 6-8 Delete Aged Inventory History Properties

Several methods are available to troubleshoot the causes of problems with inventory
collection. These methods include:
■ Reviewing the client log files A client's log files can help you identify inventory
problems that are affecting that client. The client log files that pertain directly to
inventory are as follows:
■ InventoryAgent.log Records activities of the inventory agent, including creation
of discovery data records (DDRs) and inventory reports.
■ CcmExec.log Records activities of the SMS Agent Host service (CcmExec.exe), the
main client service. For inventory, this includes high-level events such as initialization
of the inventory agent queue.
■ PolicyAgent.log Records policy updates on the client, including updates that
enable the inventory agent and configure the hardware inventory collection.
■ FileSystemFile.log Records the file system scanning that the inventory agent
performs for software inventory and file collection when you enable and configure them.
■ Mifprovider.log Records events related to MIF file reporting.
■ Reviewing the management point log files You can use log files on the
management point to help identify inventory problems that relate to inventory processing.
The management point log files that pertain to inventory are as follows:
■ MP_Hinv.log Provides details on hardware inventory that client computers report.

■ MP_Relay.log Provides details on how inventory information maps to specific
inbox folders.
■ MP_Retry.log Provides information on the retry states of inventory collection.
■ Reviewing the site-server log files You can use log files on the site server to help
identify inventory problems that affect more than one client. The following are site server
log files that relate directly to inventory:
■ Dataldr.log Records processing of MIF files and hardware inventory data into the
site database.
■ Sinvproc.log Records processing of software inventory data into the site
database.
■ Reviewing status message queries Configuration Manager status messages report
information about Configuration Manager component behavior and data flow. Status
messages can be helpful when you are troubleshooting Configuration Manager issues
because many status messages include possible cause and resolution information.
Status message queries related to inventory include the following:
■ Clients That Reported Errors Or Warnings During Inventory File Collection
■ Clients That Reported Errors Or Warnings While Creating A Hardware Inventory File
■ Clients That Reported Errors Or Warnings While Creating A Software Inventory File
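All of the client, management point and site server logs listed above share the CMTrace line format, in which each entry carries its message between <![LOG[ and ]LOG]!> followed by time, date, component and severity attributes. The following PowerShell is an added example, not code from the book, that parses that format and filters out the warnings and errors. The log lines it runs against are constructed samples in the InventoryAgent.log style, not captured output, and the log path in the usage note is the assumed default client install location.

```powershell
# Added example (not from the book): pull warnings and errors out of a CMTrace-format
# log such as InventoryAgent.log without opening CMTrace. The sample lines below are
# constructed for illustration; their message text is not real agent output.

$SampleLog = @'
<![LOG[Inventory: Opening store for action {00000000-0000-0000-0000-000000000001} ...]LOG]!><time="09:00:01.101+000" date="10-01-2014" component="InventoryAgent" context="" type="1" thread="3720" file="inventoryagent.cpp:101">
<![LOG[Inventory: Collection: Namespace = \\.\root\cimv2; Query = SELECT * FROM Win32_Processor]LOG]!><time="09:00:02.233+000" date="10-01-2014" component="InventoryAgent" context="" type="1" thread="3720" file="inventoryagent.cpp:202">
<![LOG[Inventory: WMI query failed: Namespace = \\.\root\cimv2\sms; Query = SELECT * FROM SMS_Processor; Error = 0x80041010]LOG]!><time="09:00:03.456+000" date="10-01-2014" component="InventoryAgent" context="" type="3" thread="3720" file="inventoryagent.cpp:303">
<![LOG[Inventory: Skipping file collection entry, file exceeds configured maximum size]LOG]!><time="09:00:04.789+000" date="10-01-2014" component="InventoryAgent" context="" type="2" thread="3720" file="inventoryagent.cpp:404">
'@

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        # Raw log text; pass (Get-Content -Raw <path>) to parse a real file.
        [Parameter(Mandatory, ValueFromPipeline)][string]$Text
    )
    # One entry per line: the message sits between <![LOG[ and ]LOG]!>, followed by a
    # tag of key="value" attributes. type is 1 for info, 2 for warning, 3 for error.
    $pattern   = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><(?<attrs>[^>]*)>'
    $typeNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        $attrs = @{}
        foreach ($kv in [regex]::Matches($m.Groups['attrs'].Value, '(\w+)="([^"]*)"')) {
            $attrs[$kv.Groups[1].Value] = $kv.Groups[2].Value
        }
        [pscustomobject]@{
            Date      = $attrs['date']
            Time      = $attrs['time']
            Component = $attrs['component']
            Severity  = $typeNames[$attrs['type']]
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-CMInventoryLogProblems {
    param([Parameter(Mandatory)][string]$Text)
    # Warnings and errors only; everything else is the agent's normal progress chatter.
    ConvertFrom-CMTraceLog -Text $Text | Where-Object { $_.Severity -in 'Warning', 'Error' }
}

# Usage with the constructed sample: shows the failed WMI query and the oversize-file warning.
Get-CMInventoryLogProblems -Text $SampleLog | Format-Table Time, Severity, Message -AutoSize

# Against a real client log (assumed default install path):
# Get-CMInventoryLogProblems -Text (Get-Content -Raw 'C:\Windows\CCM\Logs\InventoryAgent.log')
```

The same function works unchanged on MP_Hinv.log, Dataldr.log and Sinvproc.log, since the server-side components write the same format; comparing the timestamps of a client's report in InventoryAgent.log with its arrival in MP_Hinv.log and Dataldr.log is the quickest way to see where a missing inventory stalled.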

Thought experiment
Inventory collection at Contoso
You are the Configuration Manager administrator at Contoso. Contoso has a
heterogeneous environment, with computers that run Windows, Mac OS X, Linux, and
UNIX operating systems. You are interested in collecting hardware and software
inventory information. With this in mind, answer the following questions:

1. Which operating systems support the collection of hardware inventory?

2. Which operating systems support the collection of software inventory?

Objective summary
■ Inventory collection involves gathering information about a client computer's
hardware and software.
■ Hardware inventory collects information about the hardware configuration of client
computers.
■ Configuration Manager supports hardware inventory collection for computers that are
running supported Windows operating systems, Mac OS X, Linux, and UNIX operating
systems.

■ Software inventory collects information about files on client devices. Operating
systems not based on Windows do not support software inventory.
■ Custom client settings override any settings that you configure within Default Client
Settings.
■ The Configuration.mof file is a text file that defines the data classes for the hardware
inventory agent.
■ File collection allows files to be collected from Configuration Manager clients.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following Configuration Manager features can you use to determine
whether a specific graphics card is being used on a Configuration Manager client?
A. Hardware inventory
B. Software inventory
C. File collection
D. Software metering
2. You want to collect all .ini files stored in a specific folder on each Configuration
Manager client. Which of the following Configuration Manager features would you
use to accomplish this goal?
A. Software metering
B. Asset Intelligence
C. Hardware inventory
D. File collection
3. You have configured software inventory to inventory all files that use the .docx
extension. If you don't change any other settings, which of the following file types will
not be collected by software inventory by default? (Choose all that apply.)
A. Files with the encryption attribute set
B. Files with the compression attribute set
C. Files with the hidden attribute set
D. Files with the archive attribute set

Objective 6.2: Manage software metering
Software metering enables you to track how often a particular application is used. This is
extremely useful if you want to determine which applications are, and are not, being used in
your organization.

This section covers the following topics:

■ Software metering
■ Software-metering rules
■ Manage software-metering tasks

Software metering
You use software metering to monitor application usage on Configuration Manager client
computers. You can summarize software-metering data to produce useful reports that can
help you plan for your organization's software purchases.
Software metering can be useful when you need to know:
■ How many instances of a particular software program users are using.
■ How many licenses of a particular software program you need to purchase when you
renew your license agreement with the software vendor.
■ Whether any users are still running a particular software program. If users are no
longer using the program, you could consider retiring it.
■ What times of the day users most frequently use a software program.
Software metering can collect detailed information, such as the information listed in
Table 6-3.

TABLE 6-3 Information collected by the software-metering process

Collected information        Included values
Program usage information    ■ Start time
                             ■ End time
                             ■ Meter data ID
                             ■ Resource ID
                             ■ User name
                             ■ Users of Terminal/Remote Desktop Services sessions
                             ■ Whether Terminal/Remote Desktop Services is still running
File information             ■ File ID
                             ■ File name
                             ■ File version
                             ■ File description
                             ■ File size (in KB)
Program information          ■ Company name
                             ■ Product name
                             ■ Product version
                             ■ Product language

Software metering uses two main components to perform data collection tasks: the
Software Metering Agent and software-metering rules. When enabled, the Software
Metering Agent reports software-metering data based on the site's software-metering rules.
You must configure software-metering rules before any data about a program's usage is
collected.
Default Client Settings enables the Software Metering Agent by default and is configured
to send software-metering data to the management point every seven days. Rules are
created automatically, based on usage. However, no rules are enabled by default. If you want to
enable software metering for a specific group of computers only, you can create a custom client
setting configuration that targets a specific collection of devices, and then you can disable
the Software Metering Agent in Default Client Settings. Figure 6-9 shows the Software
Metering settings section of the Default Client Settings object.

FIGURE 6-9 Software Metering

The software-metering process includes the following steps:
1. The Software Metering Agent examines each program that runs on the client and
determines whether the program file's information matches any software-metering
rule. The agent collects usage data every time an actively monitored program runs on
the client, regardless of whether the client is connected to the network.
2. The agent uploads the data to the management point on its next software metering
usage report cycle. If the client is not connected to the network, the data remains on
the client and then uploads to the management point the next time the client connects
to the network.
3. The management point forwards the data to the site server.
4. The site server adds the data to the site database.

MORE INFO SOFTWARE METERING


You can learn more about software metering at http://technet.microsoft.com/en-us/library/gg682205.aspx.

Software-metering rules
When you create a new rule, you can specify the site to which the rule applies and whether
the rule should affect only the specified site or all clients in the hierarchy. By default, rules
apply either to the site in which you define them or to all sites if you define them in the
central administration site.
To create a software-metering rule, perform the following steps:
1. In the Configuration Manager console, click the Software Metering node of the Assets
And Compliance workspace.
2. On the ribbon, click Create Software Metering Rule.
3. On the General page of the Create Software Metering Rule Wizard, specify the details
of the application you wish to meter. Figure 6-10 shows a metering rule configured
for Notepad.exe. You can browse to the application location to have these properties
populated automatically.

FIGURE 6-10 Create Software Metering Rule Wizard

4. Complete the wizard to create the rule.
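The same rule can be created from the Configuration Manager PowerShell module, which is the practical route when you need a rule for an application that automatic rule creation will never pick up because too few clients run it. The following is an added example, not code from the book; the site code, product name and executable name are assumptions for illustration, and it must run from a session that has imported the ConfigurationManager module and changed to the site drive.

```powershell
# Added example (not from the book): create, enable and verify a software-metering rule
# with the Configuration Manager cmdlets instead of the wizard. The site code, product
# name and file name are assumptions for illustration.

# Load the module shipped with the console and switch to the site drive; the CM cmdlets
# only work from a <SiteCode>: location.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'                 # assumed site code
Set-Location "$($SiteCode):"

function New-MeteredApplication {
    param(
        [Parameter(Mandatory)][string]$ProductName,
        [Parameter(Mandatory)][string]$FileName,
        # '*' meters every version; pin a version when the question is who still runs the old one.
        [string]$FileVersion = '*',
        # 65535 is the wizard's value for "any language".
        [int]$LanguageId = 65535
    )

    # The wizard happily creates a second rule for the same product; avoid that here.
    $rule = Get-CMSoftwareMeteringRule -ProductName $ProductName
    if (-not $rule) {
        $rule = New-CMSoftwareMeteringRule -ProductName $ProductName -FileName $FileName `
            -FileVersion $FileVersion -LanguageId $LanguageId -SiteCode $SiteCode
    }

    # Make sure the rule is enabled; a disabled rule collects nothing.
    if (-not $rule.Enabled) {
        Enable-CMSoftwareMeteringRule -ProductName $ProductName
        $rule = Get-CMSoftwareMeteringRule -ProductName $ProductName
    }
    return $rule
}

# Usage: meter the graphics application (assumed name) that is about to be retired. A manual
# rule is needed because automatic rule creation only fires once the program is used on at
# least 10 percent of clients by default, and this one is expected to fall well below that.
New-MeteredApplication -ProductName 'Fabrikam Graphics Suite' -FileName 'fgsuite.exe' |
    Select-Object ProductName, FileName, FileVersion, LanguageID, Enabled
```

Usage data only starts accumulating once clients receive the new policy and a user runs the program, and the reports stay empty until the daily summarization described in the next section has run over data older than 12 hours, so allow a couple of days before drawing conclusions from the counts.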


Automatic software-metering rule creation enables you to specify the percentage of client
computers in the hierarchy that must have used the application before a rule is
automatically created. The default value is 10 percent. You can configure a maximum number of
software-metering rules that can be automatically created; the default is 100. You can
configure automatic software-metering rule creation in the Software Metering Properties dialog
box, which is accessible through the Assets And Compliance workspace of the Configuration
Manager console. Figure 6-11 shows the Software Metering Properties dialog box.

FIGURE 6-11 Software Metering Properties

MORE INFO AUTOMATIC RULE CREATION


You can learn more about automatic software-metering rule creation at http://technet.microsoft.com/en-us/library/hh427343.aspx.

EXAM TIP
Remember how to configure automatic rule creation.

Manage software-metering tasks

Software-metering data is summarized on a specified schedule and then replicates to the
central administration site, which contains usage data from all client computers within the
hierarchy. After the site server summarizes client data, you can view the information by using
queries and reports. This data, combined with data from software inventory and Asset
Intelligence, can assist your organization in determining its software usage.
Configuration Manager includes a number of site-maintenance tasks to help you manage
the usage data that software metering collects. These tasks are responsible for summarizing
software-metering data and deleting aged software-metering data. The summarization
tasks condense raw usage records to reduce the amount of data that the Configuration
Manager site database stores.
Data summarization runs daily and only runs against usage data that is older than
12 hours. Data summarization is required for all Configuration Manager software-metering
reports to display meaningful data.

You can use the RunMeterSumm.exe tool to initiate an off-cycle summarization of
software-metering data. You can obtain this tool from the Configuration Manager toolkit.
If you want to understand what data the most current set of summary data contains, you
should know when the summarization last occurred. You can refer to the software-metering
summarization progress report in Configuration Manager to determine when summarization
last occurred.
The software-metering summarization tasks are:
■ Summarize Software Metering File Usage Data This task condenses software-metering
file usage data from multiple records into one general record. This record provides
information about the program name, version, language, and number of distinct users over
intervals of 15 minutes and 1 hour. This process compresses and optimizes the amount of data
stored in the Configuration Manager site database. By default, the Summarize Software
Metering File Usage Data task runs daily. For every hour and every 15-minute interval
within the hour, the task calculates the total number of distinct user/computer
combinations that are running the matching program. Within the 15-minute intervals, this
approximates the number of concurrent users. For example:
■ If a single user is using a software program and signs in to three computers
simultaneously, this counts as three usages.
■ If three users sign in to a computer that is running Terminal Services or Remote
Desktop Services, and all three are running the software program, this counts as
three usages.
■ If a single user starts and stops the software program on the same computer three
times during the hour, this counts as one usage for that user.
■ Summarize Software Metering Monthly Usage Data This task condenses detailed
software-metering usage data from multiple records into one general record. This
record provides information about the program name, program version and language,
program running times, number of usages, last usage, user name, and computer name.
Data summarization helps compress the amount of data in the Configuration Manager
site database. Monthly software usage data replicates to the central administration site.
The summarization information includes the number of times each matching software
program runs on a particular computer and by a particular user during the month. By
default, the task runs daily, and the summarization period is one month.
The following maintenance tasks remove old software-metering data and summarized
data from the Configuration Manager site database:
■ Delete Aged Software Metering Data This task deletes all unsummarized
software-metering data that is older than the number of days specified. By default, the
task runs every day and deletes software-metering data that is older than five days.
You can configure the number of days to be anywhere from 2 to 255 days.

■ Delete Aged Software Metering Summary Data This task deletes summarized
software-metering data that is older than the number of days specified. By default,
the task runs every Sunday to delete software-metering summary data that is older
than 270 days.
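The retention tasks above, and the Delete Aged Inventory History and Delete Aged Collected Files tasks from Objective 6.1, are all site maintenance tasks and can be set together from the Configuration Manager PowerShell module rather than one at a time in the Site Maintenance dialog. The following is an added example, not code from the book, covering both sets of tasks; the site code and the retention periods are assumptions for illustration, and the properties it reads back (TaskName, Enabled, DeleteOlderThan) are those of the SMS_SCI_SQLTask class the cmdlet returns.

```powershell
# Added example (not from the book): set retention for inventory history, collected
# files and software-metering data through the site maintenance task cmdlets, then
# read the effective configuration back for review. Site code and retention periods
# are assumptions for illustration.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = 'PS1'                 # assumed site code
Set-Location "$($SiteCode):"

# Retention policy in days. Inventory data and collected files sit unencrypted in the
# site database and the Filecol inbox, so keep them only as long as reporting needs.
$Retention = @{
    'Delete Aged Inventory History'              = 30
    'Delete Aged Collected Files'                = 30
    'Delete Aged Software Metering Data'         = 28    # allowed range is 2 to 255
    'Delete Aged Software Metering Summary Data' = 365
}

function Set-InventoryRetention {
    param([Parameter(Mandatory)][hashtable]$Days)

    foreach ($task in $Days.Keys) {
        # Each task keeps its own schedule; only the enabled state and the age threshold change here.
        Set-CMSiteMaintenanceTask -SiteCode $SiteCode -MaintenanceTaskName $task `
            -Enabled $true -DeleteOlderThanDays $Days[$task]
    }

    # Return what the site actually stores so the change can be confirmed or diffed later.
    Get-CMSiteMaintenanceTask -SiteCode $SiteCode |
        Where-Object { $Days.ContainsKey($_.TaskName) } |
        Select-Object TaskName, Enabled, DeleteOlderThan
}

Set-InventoryRetention -Days $Retention | Format-Table -AutoSize
```

Note the interplay between the two metering tasks: raw usage records are deleted after the first task's threshold, so it must stay longer than the 12-hour summarization lag, while the summary data is what the reports read and is the figure to extend when, as in the review question, you need a year of history.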

Thought experiment
Software metering at Fabrikam
You are the Configuration Manager administrator at Fabrikam. You've been trialing
Configuration Manager's software-metering functionality, but you've found that
the default configuration does not suit your needs. Specifically, you want to use it to
find out how many people are running a specific graphics application that you want
to retire. You also want to reduce the number of automatically created rules so that
they are only generated if a substantial number of people are using an application.
With this in mind, answer the following questions:

1. How can you determine the number of people who are running the graphics
application, given that it's likely to be used by less than 10 percent of people in
the organization?

2. What steps can you take to reduce the number of automatically created rules
and limit rule creation to when more than 30 percent of client computers in your
organization use an application?

Objective summary
■ Software metering records how many instances of a particular software program users
are using.
■ Software metering records when the application was run, who ran it, and how long
they were running it.
■ Maintenance tasks remove software-metering data and summary data after specified
periods.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. You want to ensure that aged software-metering summary data is stored for 365 days.
Which of the following tasks would you modify to accomplish this goal?
A. Summarize Software Metering File Usage Data
B. Summarize Software Metering Monthly Usage Data

C. Delete Aged Software Metering Data
D. Delete Aged Software Metering Summary Data
2. You want to ensure that software-metering data is deleted only after 28 days. Which of
the following tasks would you modify to accomplish this goal?
A. Delete Aged Software Metering Summary Data
B. Delete Aged Software Metering Data
C. Summarize Software Metering Monthly Usage Data
D. Summarize Software Metering File Usage Data
3. You want to track which users are running a specific application and how often they
are running that application. Which of the following Configuration Manager features
would you take advantage of to accomplish this goal?
A. Software inventory
B. Software metering
C. File collection
D. Asset Intelligence
4. By default, on what percentage of Configuration Manager client computers in the
hierarchy must an application be launched before a software-metering rule is
automatically created to track its use?
A. 5 percent
B. 10 percent
C. 20 percent
D. 25 percent

Objective 6.3: Create reports

The reporting functionality in Configuration Manager enables you to view and manipulate
the information that it has collected about client devices in your organization. The Asset
Intelligence functionality of Configuration Manager enables you to identify precisely which
software is running on managed client devices.

This section covers the following topics:

■ Queries
■ Configuration Manager reporting
■ Managing reports
■ Asset Intelligence
Queries
A query is a specific set of instructions that extracts information about a defined set of objects.
You can use a query in Configuration Manager to obtain almost any information from the site
database. This includes items such as specific types of computers, user groups, sites,
collections, and applications. You also can query your database for information such as the number
of clients that have free space of less than 5 GB and the number of clients in a particular site.
One caveat is that the inventory information in the database is only as current as the last
inventory cycle. A computer that matched a query at its last inventory might have changed since
then; it still appears in the results until the next cycle reports the change, and, conversely, a
computer that now meets the criteria does not appear until its next inventory is processed.
You build queries in Configuration Manager in the WMI Query Language (WQL), which is
the query language of Windows Management Instrumentation (WMI). WQL is a subset of
Structured Query Language (SQL) with some WMI-specific extensions. You can use preconfigured
queries or create your own custom queries to search the site database. When creating custom
queries in Configuration Manager, you can use the Query Statement Properties in the Create
Query Wizard in design mode to choose the components of your query, or you can use Query
Statement Properties in the query language mode to type your own WQL queries.
Although design mode provides an easier interface to use when creating queries, you
cannot create all queries by using design mode. For instance, when using aggregation commands
in WQL, you can view and manage the query only in query language mode.
You can perform two types of queries in Configuration Manager:
■ Data queries You can use data queries for extracting information that relates to
resource discovery or inventory data. In general, the primary purpose of data queries is
to build collections.
■ Status message queries This type of query has a very specific use. The Site Status
and Component Status nodes show you status messages that relate to a specific site
system or component. Although there are some filtering options, these might not be
sufficient when troubleshooting an issue. Therefore, you can use status message
queries to create custom queries that return status messages, including from clients. The
primary purpose of status message queries is to locate stored status messages.
You can use queries in Configuration Manager to search the site database for any object.
All objects have attributes and values that you can query. However, not all objects have the
same attributes and values. For example, both user resources and system resources have a
name; however, user resources do not have installed software.
Every object type is defined by a set of attribute classes, which are further defined by
individual attributes. For example, the System Resource object type is defined by attribute
classes such as processor, disk drives, and installed software. Together, these characterize the
discovery data and inventory data of a system resource. These attribute classes have their
own unique attributes. The attributes define the values stored in the database, such as current
clock speed for processors or partitions for disk drives.

294 Chapter 6 Manage inventory using Configuration Manager

Most object types, such as the Site object type, have only one attribute class and few attributes, whereas the System Resource object type has more than 200 attribute classes and thousands of attributes. Attribute classes are directly related to SQL Server tables and Web-Based Enterprise Management (WBEM) classes. In database terms, the attribute class represents a table, the attributes represent the column headers, and the actual data collected is stored in the rows.
Queries search against only one object type at a time. By default, Configuration Manager queries the System Resource object type.
Configuration Manager has 28 object types, as shown in Table 6-4.

TABLE 6-4 Configuration Manager object types

■ Application Conflicts Data
■ Application Dependency Data
■ Application Deployment Asset Details
■ Application Deployment Error Asset Details
■ Application Deployment Error Status
■ Application Deployment Requirement Not Met Asset Details
■ Application Deployment Status
■ Application Requirement Not Met Status
■ Application Requirement Data
■ Collection Data Point
■ Deployment
■ Deployment Asset Details
■ Deployment Summary Per Collection
■ Endpoint Protection Dash Board Data Point
■ Failed VE Data
■ IP Network
■ Package
■ Program
■ Program Deployment Asset Details
■ Program Deployment Status
■ Security Roles
■ Security Scopes
■ Site
■ Software Metering Rule
■ System Resource
■ Unknown Computer
■ User Group Resource
■ User Resource

In addition, there is an Unknown Computer object for the All Unknown Computers collection that is used in operating system deployment. You can create queries by using the Unknown Computer object type; however, you must write out the query in WQL.
A valid query includes the following elements:
■ A unique query name that identifies the query
■ Object type
■ Attribute class
■ Attribute
When you create a query, the only requirement is that you specify a unique name for your query. The object type is set to the System Resource object type by default, and all attribute
classes and attributes have default values. However, by including specific object types, attribute classes, and attributes, you can ensure that you do not have an overly large number of results, which can be unwieldy.
If you use the default values and your default query returns a large number of attributes, you can limit the number of attributes that appear. To do this, perform the following steps:
1. In the Query Properties dialog box, click Edit Query Statement.
2. In the Query Statement Properties dialog box, on the General tab, configure the attributes that you want to view in the results.
If you want to restrict the results that are returned to only attributes with specific values, use the Criteria tab to specify the attribute class and attribute along with the value that you want to find. You do not need to use the same attributes on the General tab that you use on the Criteria tab. For example, on the General tab, you might include attributes such as Computer Name or IP Address to identify specific computers, whereas your criteria might restrict the results to a specific driver version.
If your query includes attributes from more than one attribute class, you can join or link the attribute classes so that the displayed data for each accurately relates to that for the other. When you select an attribute on either the General tab or the Criteria tab, Configuration Manager creates a suitable join for the attribute class automatically. For example, if you build a query to display all computers with 4 gigabytes (GB) of random access memory (RAM) and with Microsoft Office installed, the data is joined automatically because both tables have a key field that identifies the device from which the data was collected. For advanced queries, you can use the Joins tab to link attributes manually from multiple attribute classes.
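The RAM-plus-Office join described above, written out in WQL as query language mode shows it. This is an added example, not a query from the book; it assumes the default hardware inventory classes SMS_G_System_X86_PC_MEMORY (whose TotalPhysicalMemory is reported in KB) and SMS_G_System_ADD_REMOVE_PROGRAMS, and that the Office installation registers a DisplayName beginning with "Microsoft Office".

```sql
select SMS_R_System.Name,
       SMS_R_System.IPAddresses
from SMS_R_System
inner join SMS_G_System_X86_PC_MEMORY
    on SMS_G_System_X86_PC_MEMORY.ResourceID = SMS_R_System.ResourceId
inner join SMS_G_System_ADD_REMOVE_PROGRAMS
    on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_X86_PC_MEMORY.TotalPhysicalMemory > 4000000
  and SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Microsoft Office%"
```

The two selected columns are what you would pick on the General tab, and the where clause is what you would otherwise build on the Criteria tab; the two joins on ResourceID are the ones Configuration Manager adds automatically. Hardware inventory usually reports slightly less memory than the nominal size, so the threshold sits a little under 4,194,304 KB rather than exactly at 4 GB.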

Configuration Manager reporting

For reporting to function in Configuration Manager, you must install a SQL Server Reporting Services (SSRS) server that is running the same version of SQL Server as the site database server. You can use any supported version of SQL Server:
■ SQL Server 2008 Service Pack 2 (SP2) with cumulative update (CU) 9 or newer
■ SQL Server 2008 SP3 with CU 4 or newer
■ SQL Server 2008 R2 with SP1 and CU 6 or newer
■ SQL Server 2008 R2 with SP2
■ SQL Server 2012 with CU 2 or newer
■ SQL Server 2012 SP1
■ SQL Server 2014
You can install SSRS on the site server or on a remote site system. However, for optimal performance, you should install SSRS on a remote site system server.

There are prerequisites before you can install SSRS:
■ The user account that you use to run setup must be a member of the local Administrators group and have rights to create databases on the server running SQL Server that is hosting the SSRS databases.
■ The computer account for the Configuration Manager server must be in the local Administrators group on the SSRS server. Configuration Manager connects to Reporting Services to configure security rights for users. You should not configure SQL Server security rights when you integrate Configuration Manager reports with SSRS.
■ When installing SSRS, you must have a SQL Server database engine installed in the same instance.
■ Check for interoperability issues. To use the default configuration for SSRS Native Mode, setup must be able to use the following default settings:
  ■ Port 80
  ■ Virtual directory names ReportServer_instance_name and Reports_instance_name
  ■ Default databases named ReportServer and ReportServerTempDB
After you install SSRS, you can configure a reporting services point. To configure SSRS, the simplest option is to install SSRS by using the default configuration for native mode. When you use this option, the SSRS server is ready to use after installation. Default installation configures the following:
■ Service account for the Report Server service
■ Report Server Web service URL
■ Report Manager URL
■ Report Server database
■ Service account access to the report server databases
■ Data source name (DSN) connection for the report server databases
Default installation does not configure the unattended execution account, report server email settings, or scale-out deployment settings. You should back up the encryption keys after you have completed the installation.
If you choose to install in files-only mode, then before you can use the reporting services point, you first must configure SSRS manually. After installing SSRS, you configure it by using the Reporting Services Configuration Manager, shown in Figure 6-12.

FIGURE 6-12 Reporting Services Configuration Manager

When running the Reporting Services Configuration Manager, you first must specify the server name and instance that you are managing. After you connect to the server, you must configure the nodes as described in Table 6-5.

TABLE 6-5 Reporting services configuration

<Server Name>\<Instance Name>: This node displays a summary of the current configuration and the status of the service.

Service Account: This node enables you to change the service account that was set during SSRS installation.

Web Service URL: During the initial configuration, you click the Apply button to accept the default settings, or you can change the default settings before clicking Apply.

Database: In this node, you click the Change Database button to specify the database that SSRS should use.

Report Manager URL: During the initial configuration, you click the Apply button to accept the default settings, or you can change the default settings prior to clicking Apply.

Email Settings: This is an optional setting. If you will use report subscriptions through email, you must configure a sender address and a Simple Mail Transfer Protocol (SMTP) server.

Execution Account: This account enables you to use report-data sources that require credentials or to connect to remote servers that store external images such as custom icons.

Encryption Keys: This node enables you to back up or restore the encryption keys that SSRS uses.

Scale-out Deployment: This node displays the status of a scale-out deployment of SSRS in which multiple SSRS servers share a common reporting database.

MORE INFO SQL SERVER REPORTING SERVICES

You can learn more about SQL Server Reporting Services at http://technet.microsoft.com/en-us/library/bb934490(v=sql.110).aspx and http://technet.microsoft.com/en-us/library/ms156305(v=sql.110).aspx.

Managing reports
Configuration Manager includes more than 400 reports. They are displayed in the Configuration Manager console as shown in Figure 6-13 and are organized into more than 50 subfolders based on the category of the report.

FIGURE 6-13 Configuration Manager Reports node

When you run the Create Report Wizard, you select whether you want to create a
Model-Based Report or an SQL-Based Report. Figure 6-14 shows the Create Report Wizard.

FIGURE 6-14 Create Report Wizard

If you select Model-Based Report, you will be asked to select the reporting services model on
which to base the report, and the Microsoft SQL Server Report Builder will run as shown in
Figure 6-15. If you choose SQL-Based Report, the report builder is launched without selecting a
model.

FIGURE 6-15 SQL Server Report Builder

SQL Server Report Builder also runs if you choose to edit an existing report. You can edit a report by selecting it within the Configuration Manager console and clicking Edit on the console ribbon. You can create a clone of a report by editing the report and then saving it with a new name by using SQL Server Report Builder. You also can use Save As functionality to export an existing report.
To import a report, navigate to the Reporting Services webpage, which is located at http://server/reports, using an account that has permission to edit reports. Navigate to the folder into which you want to upload the report and then click Upload File. On the Upload File page, shown in Figure 6-16, browse to the report file in .rdl format and click OK. You also can use the Reporting Services webpage to add folders in which to store Configuration Manager reports.

FIGURE 6-16 Upload report

MORE INFO MANAGING REPORTS

You can learn more about managing Configuration Manager reports at http://technet.microsoft.com/en-us/library/dn581948.aspx.

EXAM TIP
Remember what steps you need to take to clone and import a report.

Asset Intelligence
Asset Intelligence enhances the inventory capabilities of Configuration Manager by extending hardware inventory and adding functionality for license reporting. By enabling additional hardware-inventory WMI reporting classes, Asset Intelligence improves the range of information that Configuration Manager gathers about software titles in use.
Asset Intelligence offers the following benefits over software inventory:
■ Enables more accurate representation of software titles that are present on managed computers
■ Provides information about the license usage for specific products rather than just information about the software itself
■ Can be used in conjunction with software metering to rationalize licensing by determining instances when software has been deployed but is not being used
■ Retrieves information about installed software through the hardware inventory client agent after the software inventory agent detects software titles by scanning client storage

Asset Intelligence reports are divided into three main areas: hardware, license, and software. Asset Intelligence presents a picture of how software is used in your environment, for example, by finding which systems cannot upgrade a software package and finding installed software that is not being used.
Table 6-6 lists some of the Asset Intelligence reports.

TABLE 6-6 Important Asset Intelligence reports

Hardware 04A – Shared (multi-user) Computers
Inputs: Collection
Description: This report lists computers that do not seem to have a primary user because no one user has a percentage of console logon time greater than 66 percent.

Hardware 08A – Hardware That Is Not Ready For A Software Upgrade
Inputs: Collection; Product
Description: This report displays hardware that does not meet the minimum hardware requirements.

Hardware 10A – Computers In A Specified Collection That Have Changed During A Specified Timeframe
Inputs: Collection; Name of the changed class (All = All classes); Objects added to the database; Objects deleted from the database; Objects updated in the database; Start date of the change window; End date of the change window
Description: This report displays a list of computers in a specified collection in which a hardware class has changed during a specified timeframe. The objects added/deleted/updated inputs are set to either yes or no to include or exclude those objects from the report.

License 01A – Microsoft Volume License Ledger For Microsoft License Statements
Inputs: Collection; Channel Code
Description: This report displays an inventory of all Microsoft software titles that are available from the Microsoft Volume Licensing program.

License 03A – Count Of Licenses By License Status
Inputs: Collection; Product Name
Description: This report lists the products whose licenses are managed by the Software Licensing Service.

License 15A – General License Reconciliation Report
Inputs: Collection
Description: This report provides reconciliation of general software licenses purchased and the actual inventory count.

Software 01A – Summary Of Installed Software In A Specific Collection
Inputs: Collection; Publisher; Maximum rows to return
Description: This report provides a summary of installed software, ordered by the number of instances found from inventory.

Software 03A – Uncategorized Software
Inputs: Collection
Description: This report lists the software that either is categorized as unknown or has no categorization.

Software 09A – Infrequently Used Software
Inputs: Collection; Days not used
Description: This report displays software titles that have not been used during a specified period of time.

Asset Intelligence components include:

■ The Asset Intelligence catalog Asset Intelligence relies on a set of database tables, which contain software identification, categorization information, and hardware requirements for software titles. Collectively, these tables are the Asset Intelligence catalog and are stored within the site database. The Asset Intelligence catalog can provide data for reports on installed software titles, organize the information within software categories and families, and provide a predefined set of hardware requirements for the software titles. You also can customize the organization of your information by creating custom software categories and families and adding new user-defined hardware requirements for specific software titles. By using an Asset Intelligence synchronization point, you can download periodic updates dynamically from Microsoft to the Asset Intelligence catalog. These updates contain information about newly released or validated software.
■ Asset Intelligence synchronization point This is a Configuration Manager site system role that you can use to connect to System Center Online, an online service that Microsoft hosts. From there, you can download Asset Intelligence catalog updates. You can either schedule or manually initiate catalog synchronization. You also can use the Asset Intelligence synchronization point to upload custom software title information to System Center Online, which Microsoft then categorizes.
■ Asset Intelligence home page The Asset Intelligence node in the Assets And Compliance workspace displays a summary dashboard of Asset Intelligence information. It includes summaries of the Asset Intelligence component status, the catalog synchronization status, and inventoried software status.
■ Asset Intelligence reports More than 50 reports present Asset Intelligence information in a simplified format. Many of these reports link to more specific reports, which enable you to query for general information and then obtain detailed information. Report categories include hardware, license management, and software.
The Asset Intelligence catalog contains information for more than 500,000 software titles and versions, representing more than 20 families and 90 specific categories. The Asset Intelligence catalog includes the following:
■ Support for manually importing software license information for software titles in use, including both Microsoft and non-Microsoft titles
■ Hardware requirements for many software titles in the catalog
■ Support for adding custom software categories, families, and software labels

■ Support for uploading software title information to the System Center Online service, which then categorizes it
You can review the contents of the Asset Intelligence catalog and customize certain elements by clicking the Asset Intelligence folder in the Assets And Compliance workspace of the Configuration Manager console. The Asset Intelligence folder includes the following nodes:
■ Catalog Includes most of the catalog segments that administrators can update:
  ■ Software Categories Asset Intelligence software categories broadly classify inventoried software titles. By default, there are a number of predefined software categories, including line-of-business (LOB), original equipment manufacturer (OEM), and Office Suites And Productivity. You can create additional user-defined categories to classify inventoried software further.
  ■ Software Families Asset Intelligence software families further define inventoried software titles. By default, the Asset Intelligence catalog includes approximately 20 predefined software families. Some examples of these predefined software families are Components And Peripherals, Equipment, Home And Entertainment, Industry Specific, Line Of Business, and Productivity And Viewers. You can create additional user-defined software families to classify inventoried software further.
  ■ Custom Labels Custom labels enable further classification of inventoried software according to attributes that administrators define. For example, you might create a custom label known as Shareware and associate that label with inventoried shareware titles. You then can run a report to display all software titles that have the custom label Shareware associated with them.
■ Inventoried Software The list of inventoried software titles includes information about software that the hardware inventory agent reports. This node displays the following information by default for each inventoried software title:
  ■ Product Name The name of the inventoried software
  ■ Publisher The name of the vendor that developed the software
  ■ Version The product version of the software title
  ■ Category The currently assigned software category
  ■ Family The currently assigned software family
  ■ Label (1, 2, and 3) The custom labels that have been assigned to the software title, to a maximum of three
  ■ Software Count The number of Configuration Manager clients that have inventoried the software title
  ■ State The validation state for the software title
■ Hardware Requirements You can use Asset Intelligence hardware requirements to help verify that computers meet hardware requirements for software titles before you target the computers for deployment. Asset Intelligence retrieves from its catalog the hardware requirements that display in the Configuration Manager console. The list is

not based on inventoried software title information from Configuration Manager clients. You can add, modify, or delete custom hardware requirements for software titles that the Asset Intelligence catalog does not predefine. However, existing noncustom hardware requirement information that the Asset Intelligence catalog stores is read-only, which means you cannot modify or delete it. The following information appears for each listed hardware requirement:
  ■ Software Title The software title name with which the hardware requirement is associated.
  ■ Minimum CPU (MHz) The minimum central processing unit (CPU) speed, in megahertz (MHz), that the software title requires.
  ■ Minimum RAM (KB) The minimum random access memory (RAM), in KB, that the software title requires.
  ■ Minimum Disk Space (KB) The minimum free disk space, in KB, that the software title requires.
  ■ Minimum Disk Size (KB) The minimum hard-disk size, in KB, that the software title requires.
  ■ Validation State The validation state for the hardware requirement. Valid states include Validated and User defined.
In System Center 2012 R2 Configuration Manager, Asset Intelligence supports the mandatory software identification tags specified in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19770-2 standard. These tags include authoritative data that Configuration Manager can use to identify software installed on client computers. Because the tags are standardized, an increasing number of software vendors include them in their applications. If you want Configuration Manager to use mandatory software identification tags, you must enable the SMS_SoftwareTag Asset Intelligence Hardware Inventory reporting class.
In System Center 2012 R2 Configuration Manager, Asset Intelligence collects information about Microsoft Application Virtualization 5.0 and Application Virtualization 4.0 applications even though these applications run through the Microsoft Application Virtualization (App-V) client and are not installed on the client computer in a traditional manner.
You must configure several settings and tasks so that Asset Intelligence performs optimally. These settings include:
■ Enable Hardware Inventory Asset Intelligence reports depend on information that the hardware inventory agent collects. Ensure that you enable the hardware inventory agent on clients.
■ Enable Software Metering The following Asset Intelligence reports depend on data that the Software Metering Client Agent provides:
  ■ Software 07A - Recently used executables by number of computers
  ■ Software 07B - Computers that recently used a specified executable

  ■ Software 07C - Recently used executables on a specific computer
  ■ Software 08A - Recently used executables by number of users
  ■ Software 08B - Users who recently used a specified executable
  ■ Software 08C - Recently used executables by a specified user
■ Enable Asset Intelligence Inventory Reporting Classes To enable the Asset Intelligence Inventory reporting classes, right-click the Asset Intelligence node and then click Edit Inventory Classes. You can enable the Asset Intelligence reporting classes that you need for the type of reporting that you require. Note that from within the Edit Inventory Classes dialog box, as you point to each reporting class, a tooltip displays information about the reports that depend on that reporting class.
■ Enable Windows Event Log Settings Several Asset Intelligence reports rely on information that Windows security event logs gather on client computers. To support these reports, you must modify the event-log settings for Windows security on clients so that it logs all Success logon events. These reports include:
  ■ Hardware 03A - Primary computer users
  ■ Hardware 03B - Computers for a specific primary console user
  ■ Hardware 04A - Computers with multiple users (shared)
  ■ Hardware 05A - Console users on a specific computer
■ Import Software License Information Use the Import Software Licenses Wizard to import Microsoft Volume License Statements and General License Statements from non-Microsoft vendors into the Asset Intelligence catalog.
■ Install An Asset Intelligence Synchronization Point The site system role for the Asset Intelligence synchronization point connects to System Center Online to download and synchronize Asset Intelligence catalog information. In a hierarchy, you must install this role on a site system in the central administration site. This requires Internet access using Transmission Control Protocol (TCP) port 443. You can configure a synchronization schedule, which by default is set to run every seven days.
■ Configure Asset Intelligence Maintenance Tasks By default, the Asset Intelligence feature uses two maintenance tasks:
  ■ Check Application Title With Inventory Information This task reconciles the software title in the software inventory reports with the software title in the Asset Intelligence catalog.
  ■ Summarize Installed Software Data This task provides information that displays in the Inventoried Software node. This task is available only on primary sites.
■ Configure Asset Intelligence Security You can use the Asset Manager security role to provide the required permissions to manage the Asset Intelligence synchronization point and to modify the Asset Intelligence reporting classes and permissions related to software inventory, hardware inventory, and software metering.

Maintaining and managing Asset Intelligence involves a number of tasks, including:
■ Viewing Asset Intelligence information that Asset Intelligence reports collect from clients You can run Asset Intelligence reports to view the most detailed information that the Asset Intelligence feature collects. Asset Intelligence reports are as follows:
  ■ Hardware reports Provide information about hardware assets within your organization, including age and upgrade readiness
  ■ License management reports Provide information about licensing, including number of licenses in use, sales channels, and time until expiration
  ■ Software reports Provide information about software families, categories, and specific software titles installed on your organization's computers
■ Updating the Asset Intelligence catalog To request synchronization manually, in the Configuration Manager console, click the Assets And Compliance workspace and then click Asset Intelligence. Right-click Asset Intelligence, point to Synchronize, and then click Synchronize Asset Intelligence Catalog. You may request manual synchronization only once every 12 hours.
■ Requesting software categorization You can submit uncategorized software title information for research and categorization. After you submit an uncategorized software title, Microsoft researchers identify, categorize, and then make the software title categorization information available to all customers who are using the System Center Online service. The following information applies to software title information that is submitted for categorization:
  ■ System Center Online receives only basic software title information. You can review the software title information before you submit it and before Microsoft researchers categorize it.
  ■ Submitting software titles for categorization does not transmit any license information.
  ■ Software title information that you upload becomes available publicly as part of the Microsoft System Center Online Services catalog. Other customers then can download it.
  ■ Microsoft System Center Online Services does not record the source of the submitted software. However, you should not submit application titles for categorization that contain confidential or proprietary information.
■ Resolving software details conflicts If an Asset Intelligence catalog categorization value conflicts with information downloaded from System Center Online, a software details conflict occurs. You can use the Asset Intelligence Software Details Conflict Resolution dialog box to select a conflict resolution action.

MORE INFO ASSET INTELLIGENCE

You can learn more about Asset Intelligence at http://technet.microsoft.com/en-us/library/gg699382.aspx.

Thought experiment
Asset Intelligence at Adatum
You are piloting the Coniguration Manager Asset Intelligence feature at Adatum.
You are interested in going beyond the reports that are included in the product by
default. You also have some concerns about some data from System Center Online,
which you want to correct for your local deployment. With this information in mind,
answer the following questions:

1. Which tool can you use to create a brand new report based on Asset Intelligence
data?

2. An Asset Intelligence catalog categorization value conlicts with information


downloaded from System Center Online. What can you do to resolve this issue?

Objective summary
■ Software metering enables you to track how often a particular application is used.
■ Automatic software metering rule creation enables you to specify the percentage of
client computers in the hierarchy that must have the application installed before a rule
is automatically created.
■ Software-metering data is summarized on a speciied schedule and then replicates to
the central administration site, which contains usage data from all client computers
within the hierarchy.
■ Data summarization runs daily and only against usage data that is older than 12 hours.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following tools could you use to import a report in RDL format so that it
can be used in Configuration Manager?
A. Configuration Manager console
B. Internet Explorer
C. SQL Server Report Builder
D. Reporting Server Configuration Manager
2. Which of the following tools could you use to clone an existing Configuration Manager
report?
A. Reporting Server Configuration Manager
B. SQL Server Report Builder

C. Internet Explorer
D. Configuration Manager console
3. You want to edit the properties of an existing Configuration Manager report. Which of
the following tools could you use to accomplish this goal?
A. Configuration Manager console
B. Internet Explorer
C. SQL Server Report Builder
D. Reporting Server Configuration Manager
4. Which of the following Configuration Manager features would you use to determine
software license usage information?
A. Hardware inventory
B. Software inventory
C. File collection
D. Asset Intelligence

Answers

Objective 6.1
Thought experiment
1. Windows, Mac OS X, Linux, and supported UNIX operating systems support the collec-
tion of hardware inventory.
2. Only Configuration Manager clients running Windows operating systems support the
collection of software inventory.

Objective review
1. Correct answer: A
A. Correct: You can use hardware inventory to determine whether a specific graphics
card is being used on a Configuration Manager client.
B. Incorrect: Software inventory enables you to inventory software, not hardware.
C. Incorrect: You can’t use file collection to determine which hardware is installed on
a computer.
D. Incorrect: Software metering tracks how often an application is run.
2. Correct answer: D
A. Incorrect: Software metering tracks how often an application is run.
B. Incorrect: Asset Intelligence enables you to identify software on a computer.
C. Incorrect: Hardware inventory enables you to collect hardware information, not
files.
D. Correct: You would use file collection to collect all .ini files stored in a specific
folder on a Configuration Manager client.
3. Correct answers: A and B
A. Correct: Software inventory does not collect files with the encryption attribute set
by default.
B. Correct: Software inventory does not collect files with the compression attribute
set by default.
C. Incorrect: Software inventory will inventory files with the hidden attribute set by
default.
D. Incorrect: Software inventory will inventory files with the archive attribute set by
default.

Objective 6.2
Thought experiment
1. Because the graphics application is likely to be used by less than 10 percent of people
in the organization, you’ll need to create a software-metering rule rather than letting
one be created automatically.
2. You can modify Software Metering Properties to change the threshold for rule creation
and the maximum number of automatically created rules.

Objective review
1. Correct answer: D
A. Incorrect: The Summarize Software Metering File Usage Data task condenses
software-metering file usage data from multiple records into one general record.
B. Incorrect: The Summarize Software Metering Monthly Usage Data task condenses
detailed software-metering usage data from multiple records into one general
record.
C. Incorrect: The Delete Aged Software Metering Data task deletes all unsummarized
software-metering data that is older than the number of days specified.
D. Correct: The Delete Aged Software Metering Summary Data task deletes summarized
software-metering summary data that is older than the number of days
specified. By default, the task runs every Sunday to delete software-metering summary
data that is older than 270 days.
2. Correct answer: B
A. Incorrect: The Delete Aged Software Metering Summary Data task deletes summarized
software-metering summary data that is older than the number of days
specified. By default, the task runs every Sunday to delete software-metering summary
data that is older than 270 days.
B. Correct: The Delete Aged Software Metering Data task deletes all unsummarized
software-metering data that is older than the number of days specified. By default,
the task runs every day and deletes software-metering data that is older than five
days.
C. Incorrect: The Summarize Software Metering Monthly Usage Data task condenses
detailed software-metering usage data from multiple records into one general
record.
D. Incorrect: The Summarize Software Metering File Usage Data task condenses
software-metering file usage data from multiple records into one general record.

3. Correct answer: B
A. Incorrect: You cannot use software inventory to determine which user has been
running an application and how often the user does so.
B. Correct: You can use software metering to determine which user has been running
an application and how often the user does so.
C. Incorrect: You cannot use file collection to determine which user has been running
an application and how often the user does so.
D. Incorrect: You cannot use Asset Intelligence to determine which user has been
running an application and how often the user does so.
4. Correct answer: B
A. Incorrect: By default, a software-metering rule is created when an application is
launched on 10 percent of Configuration Manager client computers in a hierarchy.
B. Correct: By default, a software-metering rule is created when an application is
launched on 10 percent of Configuration Manager client computers in a hierarchy.
C. Incorrect: By default, a software-metering rule is created when an application is
launched on 10 percent of Configuration Manager client computers in a hierarchy.
D. Incorrect: By default, a software-metering rule is created when an application is
launched on 10 percent of Configuration Manager client computers in a hierarchy.

Objective 6.3
Thought experiment
1. You can use SQL Server Report Builder to create a report based on information in the
Configuration Manager database.
2. You can use the Asset Intelligence Software Details Conflict Resolution dialog box to
resolve conflicts between categorization and information in System Center Online.

Objective review
1. Correct answer: B
A. Incorrect: You cannot use the Configuration Manager console to import reports in
RDL format.
B. Correct: You use Internet Explorer, or another browser, to connect to
http://server/reports to upload reports in RDL format.
C. Incorrect: You can use SQL Server Report Builder to clone and edit reports, but
you need to use Internet Explorer, or another browser, to upload a report to a
Report Server instance.
D. Incorrect: You use Reporting Server Configuration Manager to configure the
Reporting Server instance.

2. Correct answer: B
A. Incorrect: You use Reporting Server Configuration Manager to configure the
Reporting Server instance.
B. Correct: You can use SQL Server Report Builder to clone and edit reports.
C. Incorrect: You use Internet Explorer, or another browser, to connect to
http://server/reports to upload reports in RDL format. You can’t use Internet
Explorer to clone a report.
D. Incorrect: You cannot use the Configuration Manager console to clone a report.
3. Correct answer: C
A. Incorrect: You cannot use the Configuration Manager console to edit the properties
of an existing Configuration Manager report.
B. Incorrect: You cannot use Internet Explorer to edit the properties of an existing
Configuration Manager report.
C. Correct: You can use SQL Server Report Builder to clone and edit reports.
D. Incorrect: You use Reporting Server Configuration Manager to configure the
Reporting Server instance.
4. Correct answer: D
A. Incorrect: You can’t use hardware inventory to determine software license usage
information.
B. Incorrect: Although software inventory can identify some files, it is not as reliable
as Asset Intelligence for determining software licensing information.
C. Incorrect: You can’t use file collection to determine software license usage information.
D. Correct: Because Asset Intelligence provides a more accurate report about which
software is present on Configuration Manager clients, it is the best tool for determining
software license usage information.

CHAPTER 7

Provision and manage mobile devices
Mobile devices, whether laptops, tablets, or smartphones, make up an increasing percentage
of the devices used to perform work-related activities in organizations. Mobile device
management (MDM) enables the organization to manage those devices. You can perform
MDM through Microsoft Exchange Server by using Configuration Manager, through
Microsoft Intune, or through a combination of Exchange and Microsoft Intune.

Objectives in this chapter:

■ Objective 7.1: Integrate Configuration Manager with the Microsoft Exchange
ActiveSync Connector.
■ Objective 7.2: Manage devices with Microsoft Intune.
■ Objective 7.3: Manage connection profiles by using Configuration Manager.

Objective 7.1: Integrate Configuration Manager with the Microsoft Exchange ActiveSync Connector
In many organizations, mobile devices already connect to a Microsoft Exchange deployment
by using ActiveSync. Although it’s possible to apply mobile device policies directly
through Exchange to apply configuration settings to these devices, this requires Exchange
administrators to perform MDM tasks. Configuration Manager provides the option of
configuring a connector between a Configuration Manager deployment and Microsoft
Exchange so that MDM policies set in Configuration Manager are applied through the
mobile device’s ActiveSync connection to Exchange Server.

This section covers the following topics:

■ Exchange Server connector
■ Connector settings
■ Connector configuration

Exchange Server connector
In many organizations, mobile devices connect to an organization’s infrastructure through
Microsoft Exchange. Users of mobile devices that are running the iOS, Android, Windows
Phone, and Windows Mobile operating systems already synchronize their email messages.
The Exchange Server connector for System Center 2012 R2 Configuration Manager enables
you to manage mobile devices remotely that connect to an Exchange Server deployment,
without requiring Configuration Manager to enroll these devices directly.
The Exchange Server connector enables you to manage mobile devices by using the
Configuration Manager console instead of Exchange ActiveSync mailbox policies. You can use
the Exchange Server connector with an on-premises deployment of Exchange and a cloud-based
Exchange deployment.
The Exchange Server connector enables you to perform the following mobile device–management
tasks:
■ Discovery Enables Configuration Manager to discover any mobile device that has
registered with the Exchange Server environment.
■ Hardware inventory Enables Configuration Manager to perform hardware
inventory only based on the information that it receives from Exchange. This is not as
comprehensive as a hardware inventory that is available to mobile devices that you
manage through the Intune connector for Configuration Manager.
■ Settings management Enables you to override default Exchange ActiveSync mailbox
policy settings with settings that you configure through the Exchange Server connector
for Configuration Manager.
■ Quarantine and block from Exchange Server Enables you to block a mobile device
from the Exchange Server organization and from Configuration Manager.
■ Remote wipe Enables Exchange Server administrators, the device user, and
Configuration Manager administrators to wipe devices remotely.
■ Reporting Enables basic mobile device–management reports but does not provide
all the reports that are available when you manage the device by using the Intune connector
for Configuration Manager.
When you configure the Exchange Server connector, you determine whether
Configuration Manager or Exchange ActiveSync mailbox policies are responsible for managing
specific settings, including the following groups:
■ General
■ Password
■ Email Management
■ Security
■ Applications

The important thing to remember is that after you configure any setting in a group,
Configuration Manager is responsible for managing all of that group’s settings. If you do
not configure any settings in a group, the applicable Exchange ActiveSync policy remains in
effect. When planning to use the Exchange Server connector, remember that responsibility
for managing mobile devices will shift from the Exchange administrators to the Configuration
Manager administrators.

General settings
The General Settings group of policies, shown in Figure 7-1, enables you to configure the following
settings:
■ Internet Sharing From Mobile Devices Whether the device allows tethering
■ Computer Synchronization Whether the device can be synchronized with a
computer
■ Allow Mobile Devices That Cannot Be Provisioned Whether mobile devices that
cannot be managed completely by Exchange can connect
■ Refresh Interval (Hours) How often the mobile device policy is refreshed

FIGURE 7-1 General Settings

Password settings
The Password Settings group, shown in Figure 7-2, enables you to configure the following
settings:
■ Require Password Settings On Mobile Devices Whether to require a password to
unlock the mobile device
■ Minimum Password Length (Characters) Minimum required password length
■ Password Expiration In Days Maximum password age

■ Number Of Passwords Remembered How many unique passwords are stored
before one can be reused
■ Number Of Failed Logon Attempts Before Device Is Wiped Number of incorrect
password entries that can be made before the device wipes
■ Idle Time In Minutes Before Mobile Device Is Locked Number of minutes of inac-
tivity before the device locks
■ Password Complexity Whether complex passwords are required
■ Minimum Number Of Complex Characters Number of character types required in
a complex password (uppercase/lowercase/symbol/number)
■ Allow Simple Password Whether to allow a simple password
■ Allow Password Recovery Whether to allow passwords to be recovered by
administrators

FIGURE 7-2 Password Settings

Email management
The Email Management Settings group, shown in Figure 7-3, enables you to configure the
following settings:
■ POP And IMAP Email Whether to allow POP and IMAP protocol email
■ Maximum Time To Keep Email How long email will be stored
■ Maximum Time To Keep Calendar Entries How long calendar entries can be stored
■ Direct Push When Roaming Whether to allow Direct Push when the mobile device
is on a roaming network
■ Allowed Message Formats Whether to allow HTML and/or plaintext messaging
formats

■ Size Limit In Kilobytes (KB) For Plain Text Email (Automatically
Downloaded) Maximum size of plaintext messages that will be automatically
downloaded
■ Size Limit In KB For HTML Email (Automatically Downloaded) Maximum size for
HTML format messages that will be downloaded
■ Email Attachments Whether to allow email attachments to be downloaded
■ Size Limit In KB For Email Attachments (Automatically Downloaded) Maximum
size for automatically downloaded email attachments

FIGURE 7-3 Email Management Settings

Security
The Security Settings group, shown in Figure 7-4, enables you to configure the following
settings:
■ Remote Desktop Whether the device supports Remote Desktop
■ Removable Storage Whether the device supports removable storage
■ Camera Whether the device’s camera can be used
■ Bluetooth Whether Bluetooth functionality can be used
■ Wireless Network Connections Whether to allow connections to a wireless
network
■ Infrared Whether to allow infrared connections
■ Browser Whether to allow use of the mobile device’s browser
■ Storage Card Encryption Whether to enforce encryption on any storage card

■ File Encryption On Mobile Device Whether to require encryption on the mobile
device itself
■ Short Message Service (SMS) And Multimedia Messaging Service (MMS)
Messaging Whether to allow SMS/MMS functionality on the device

FIGURE 7-4 Security Settings

Applications
The Applications Settings group, shown in Figure 7-5, enables you to configure the following
settings:
■ Unsigned File Installation Whether to allow the installation of unsigned files
■ Unsigned Applications Whether to allow the installation of unsigned applications
■ Block The Following Applications In ROM A list of specifically blocked applications

FIGURE 7-5 Applications Settings

Connector configuration
You should configure the account that you want to use when you set up an Exchange Server
connector to be a member of the following Exchange management roles:
■ Recipient Management
■ View Only Organization Management
■ Server Management
The Exchange Server connector enables you to manage any device that supports Exchange
ActiveSync, although not all devices that use Exchange ActiveSync support all Exchange
ActiveSync management functionality. The Exchange Server connector does not install a client
on the mobile device that you are managing. This means that using the Exchange Server
connector provides only a subset of the functionality available for mobile device management
when compared to managing the same devices through the Configuration Manager
Intune connector.
When you configure the Exchange Server connector, you specify the address of a Client
Access server as shown in Figure 7-6. When configuring the address of the client access server,
specify one that is in the same Active Directory Domain Services (AD DS) site as the
Configuration Manager site system server.

FIGURE 7-6 Add Exchange Server Wizard

The Exchange Server connector connects through the client access server to configure the
default Exchange ActiveSync mailbox policy on the mailbox server. Even though the mailbox
server is used to interact with the policy, the policy itself is stored within Active Directory
Domain Services.
The first time a mobile device connects to the client access server, it retrieves the policy.
Every subsequent time that the device connects to the client access server, it checks to see
whether there are updates to the policy. If the policy has been updated, the mobile device
downloads and applies the new policy.
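Because the connector's work ends up in the default Exchange ActiveSync mailbox policy, the result can be verified on the Exchange side. The following is an added example, not from the book and not how the connector itself operates: it reads that policy with the Exchange Management Shell and compares the Password, Security, and Email Management group values against a baseline such as "camera off, no Direct Push when roaming, wipe after repeated failed logons". The property names are those of Get-ActiveSyncMailboxPolicy in Exchange 2010; the baseline values and the sample policy object are constructed for illustration.

```powershell
# Added example (not from the book): audit an Exchange ActiveSync mailbox policy
# against the settings the Configuration Manager Exchange Server connector is
# expected to enforce. Property names match Get-ActiveSyncMailboxPolicy
# (Exchange 2010); the baseline values below are assumptions for illustration.

# Baseline: property name -> expected value, grouped the way the connector groups them.
$Baseline = @{
    # Password settings group
    DevicePasswordEnabled           = $true
    MinDevicePasswordLength         = 6
    MaxDevicePasswordFailedAttempts = 10
    MaxInactivityTimeDeviceLock     = [TimeSpan]::FromMinutes(5)
    DevicePasswordHistory           = 20
    # Security settings group
    AllowCamera                     = $false
    RequireDeviceEncryption         = $true
    RequireStorageCardEncryption    = $true
    # Email management group: $true means no Direct Push while roaming
    RequireManualSyncWhenRoaming    = $true
}

function Test-EasPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,               # object from Get-ActiveSyncMailboxPolicy
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        # Exchange returns Unlimited<T> for some counters; comparing as strings
        # makes 'Unlimited' (no wipe threshold, no expiry) show up as a deviation.
        $actual = $Policy.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = "$expected"
            Actual    = "$actual"
            Compliant = ("$actual" -eq "$expected")
        }
    }
}

# Constructed sample policy standing in for the live call: the camera is still
# allowed and the wipe threshold is Unlimited, so two deviations are reported.
$SamplePolicy = [pscustomobject]@{
    Name                            = 'Default'
    DevicePasswordEnabled           = $true
    MinDevicePasswordLength         = 6
    MaxDevicePasswordFailedAttempts = 'Unlimited'
    MaxInactivityTimeDeviceLock     = [TimeSpan]::FromMinutes(5)
    DevicePasswordHistory           = 20
    AllowCamera                     = $true
    RequireDeviceEncryption         = $true
    RequireStorageCardEncryption    = $true
    RequireManualSyncWhenRoaming    = $true
}

# Against a live Exchange organization, replace the sample with:
#   $SamplePolicy = Get-ActiveSyncMailboxPolicy -Identity Default
Test-EasPolicyBaseline -Policy $SamplePolicy -Baseline $Baseline |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

Run it again after the policy refresh interval has elapsed on a test device to confirm that what Exchange holds is what the connector was told to apply.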

MORE INFO CONFIGURATION MANAGER AND ACTIVESYNC

You can learn more about Configuration Manager and ActiveSync at http://technet.microsoft.com/en-us/library/gg682001.aspx.

MORE INFO MOBILE DEVICE MANAGEMENT

You can learn more about the Microsoft mobile device management strategy by watching
the session from TechEd New Zealand in 2014 at http://channel9.msdn.com/events/TechEd/NewZealand/2014/PCIT305.

EXAM TIP
Remember which type of Exchange Server you specify when creating the connection
between Configuration Manager and Exchange.

Thought experiment
ActiveSync MDM at Fabrikam
You are responsible for MDM at Fabrikam, a manufacturer of surveillance drones.
You have configured the Configuration Manager ActiveSync connector for
Exchange and will be managing MDM policies from Configuration Manager. You will
be implementing policies as required. Because of the secure nature of Fabrikam’s
facilities, you need to ensure that the cameras on any mobile phones brought into
the facilities are disabled. In addition, because several Fabrikam executives travel
extensively overseas, you want to ensure that Direct Push functionality is disabled
when their mobile phones are connected to roaming networks. With this in mind,
answer the following questions:

1. Which settings group would you configure to ensure that mobile device cameras
cannot be used on mobile devices managed at Fabrikam?

2. Which settings group would you configure to block Direct Push notifications
when a mobile device is connected to a roaming network?

Objective summary
■ The Exchange Server connector enables you to configure mobile device policies
applied through ActiveSync to devices that connect to an Exchange deployment.
■ After you configure one setting in a settings group, all settings in that group will be
managed through Configuration Manager rather than through Exchange.
■ When configuring the Exchange Server connector on the Configuration Manager
server, specify the address of the client access server.
■ The Exchange Server connector enables you to perform Discovery, Hardware
Inventory, Settings Management, Remote Wipe, Reporting, and Quarantine And Block
from Exchange Server.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. You are configuring the Configuration Manager Exchange Server connector. Your
organization has an Exchange Server 2010 deployment. Each Exchange Server role
is located on a separate server. Which of the following server addresses should you
specify when creating the connector?
A. The address of the Hub Transport server
B. The address of the mailbox server
C. The address of the client access server
D. The address of the Edge Transport server
2. Which of the following Exchange Server ActiveSync connector settings would you
configure to ensure that a person must change her mobile device password every five
weeks?
A. Minimum Password Length
B. Password Expiration In Days
C. Number Of Passwords Remembered
D. Number Of Failed Logon Attempts Before The Device Is Wiped
3. Which of the following Exchange Server ActiveSync connector settings would you
configure to ensure that a person cannot use one of his 20 previously used passwords the
next time he has to change his mobile device password?
A. Number Of Failed Logon Attempts Before The Device Is Wiped
B. Number Of Passwords Remembered
C. Password Expiration In Days
D. Minimum Password Length
4. You work at a secure facility. You want to ensure that people cannot unlock a stolen
mobile device by randomly attempting to guess the password. Which of the following
Exchange Server ActiveSync connector settings would you configure to ensure that the
device is wiped if such an attempt is made?
A. Password Expiration In Days
B. Minimum Password Length
C. Number Of Failed Logon Attempts Before The Device Is Wiped
D. Number Of Passwords Remembered

Objective 7.2: Manage devices with Microsoft Intune
Microsoft Intune (formerly Windows Intune) is a cloud-based management service. You can
use it to manage enrolled mobile devices through a web portal. You can also configure a
connector between Intune and an on-premises Configuration Manager deployment. When
you do this, Intune functions as a conduit through which Configuration Manager policies are
applied.

This section covers the following topics:


■ Microsoft Intune
■ Integrating Microsoft Intune with Configuration Manager
■ Device enrollment

Microsoft Intune
Microsoft Intune is a cloud-based management service that enables you to manage client
computers and mobile devices. You can use Intune to perform the following tasks:
■ Deploy and manage software updates
■ Deploy and manage applications
■ Inventory hardware and software
■ Manage endpoint protection
■ Perform remote assistance
■ Manage mobile devices
■ Manage software licensing
■ Configure Windows Firewall policy
You can use Intune to perform management tasks on computers that rarely connect to an
organizational network. You can also use Intune to perform management tasks on a device
that is not joined to an Active Directory domain. Intune also enables you to manage software
deployment for computers that are running Windows, Android, and Apple iOS operating
systems.
You do not need a Configuration Manager deployment to use Intune, but you can integrate
Intune into a Configuration Manager deployment. Using Configuration Manager with
Intune enables you to manage all of your organization’s devices, both mobile devices and
traditional computers, using a single console.
Intune supports management of clients on the following operating systems:
■ Windows 8.1 (x86, x64), Windows 8 (x86, x64), Windows 7, and Windows Vista
■ Windows RT 8.1 and Windows RT
■ Windows Phone 8 and Windows Phone 8.1

■ Apple iOS 6, iOS 7, and iOS 8
■ Android 4

MORE INFO SET UP INTUNE

You can learn more about setting up Intune at http://technet.microsoft.com/en-us/library/dn646960.aspx.

Application deployment with Microsoft Intune
Each operating system Intune manages has different requirements according to what is
needed to perform application deployment.
To deploy applications directly to mobile devices that are running Windows RT, you must
obtain sideloading keys, and you must have a code-signing certificate to sign the applications.
The Windows RT or Windows Phone 8 device must trust this code-signing certificate. In
addition, you can use deep linking to deploy an application from the appropriate Windows
App store directly to mobile devices that are running the Windows RT, Windows RT 8.1,
Windows Phone 8, or Windows Phone 8.1 operating systems.
You can use Intune to deploy applications to iOS devices by deep linking to the Apple
Store or by sideloading apps, which means you are installing them by using direct access
to the source files. To deploy applications to iOS devices, you must obtain the appropriate
mobile device management certificates from Apple. You can use a similar process for devices
running the Android operating system.

MORE INFO INTUNE APPLICATION DEPLOYMENT

You can learn more about Intune application deployment at http://technet.microsoft.com/en-us/library/dn646955.aspx.

Integrating Microsoft Intune with Configuration Manager
To configure the connector between Intune and System Center 2012 R2 Configuration
Manager or System Center 2012 Configuration Manager with SP1, you must create the connector
and deploy the Intune connector site system role.
Prior to configuring the Intune connector, you should ensure that you perform the following
tasks:
■ Sign up for an Intune organizational account. Before you can configure the connector,
you must have Intune administrator credentials for the organizationname.onmicrosoft.com
domain. Do not use the account that you used to sign up for Intune (the Outlook.com,
Hotmail.com, or live.com Microsoft account) to configure the connector.

■ Add a public company domain to Intune. You should have a public company domain
for which you can create Domain Name System (DNS) resource records, and you
must configure this domain within Intune. This isn’t a requirement, but it is highly
recommended.
■ If you have a public domain name that you will be using with Intune, configure user
account, or user principal name (UPN), suffixes. You must configure user accounts with
UPNs for the public company domain.
■ Configure directory synchronization. You must configure Active Directory synchronization
between your on-premises Active Directory and the Microsoft Azure Active
Directory that you are using with the Intune organizationname.onmicrosoft.com
domain.
■ Create a DNS alias. Create a canonical name (CNAME) record in DNS that maps
enterpriseenrollment.organizationname.com (where organizationname.com is your
organization’s DNS suffix) to manage.microsoft.com.
■ Obtain relevant certificates or keys. Depending on the mobile devices that you will be
managing through Intune, you need the certificates or keys that are listed in the following
table.
Depending on the mobile device operating system, you will need certificates or keys to
enroll mobile devices through the Intune with Configuration Manager connector. Table 7-1
details those specifications.

TABLE 7-1 Mobile device operating system requirements

Windows Phone 8 and Windows Phone 8.1
  Certificates or keys: Code-signing certificate. All sideloaded apps must be code-signed.
  Notes: Purchase a code-signing certificate from Symantec.

Windows RT 8.1 and Windows RT
  Certificates or keys: Sideloading keys to allow installation of sideloaded apps. All apps that you sideload must be code-signed.
  Notes: Obtain sideloading keys from Microsoft. Sign apps by using a code-signing certificate that an internal or third-party trusted certification authority (CA) issues.

iOS 6, iOS 7, iOS 8
  Certificates or keys: Apple Push Notification service certificate.
  Notes: Obtain from Apple.

Android
  Certificates or keys: Not required.
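Two of the prerequisites above can be checked before the connector is created: the enterpriseenrollment CNAME and the UPN suffixes of the users who will enroll. The following is an added example, not from the book: the CNAME check resolves the record the book specifies (target manage.microsoft.com) and the UPN check lists accounts whose suffix is not the public domain. Resolve-DnsName and Get-ADUser are the real cmdlets; the domain name, the stand-in resolver, and the sample UPN list are constructed for illustration so the script runs without a live environment.

```powershell
# Added example (not from the book): verify the DNS and UPN prerequisites for
# Intune enrollment. The domain, fake resolver and sample UPNs are constructed.

function Test-IntuneEnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # The resolver is injectable so the check can be exercised offline; the
        # default queries real DNS through Resolve-DnsName (DnsClient module).
        [scriptblock] $Resolver = {
            param($Name)
            (Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop).NameHost
        }
    )
    $record = "enterpriseenrollment.$Domain"
    try   { $target = & $Resolver $record }
    catch { $target = $null }              # NXDOMAIN or no CNAME at that name
    [pscustomobject]@{
        Record  = $record
        Target  = $target
        # A trailing dot or different case is harmless in DNS; normalise both.
        Correct = ("$target".TrimEnd('.').ToLower() -eq 'manage.microsoft.com')
    }
}

function Test-UpnSuffix {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $UserPrincipalName
    )
    # Returns the UPNs that do not carry the public-domain suffix; those users
    # cannot enroll with "UPN and password" as the book describes.
    $pattern = '@' + [regex]::Escape($Domain) + '$'
    $UserPrincipalName | Where-Object { $_ -notmatch $pattern }
}

# Constructed inputs standing in for Resolve-DnsName and Get-ADUser output.
$Domain = 'organizationname.com'
$FakeResolver = {
    param($Name)
    if ($Name -eq 'enterpriseenrollment.organizationname.com') { 'manage.microsoft.com.' }
}
$SampleUpns = @('alice@organizationname.com', 'bob@corp.local', 'carol@organizationname.com')

Test-IntuneEnrollmentCname -Domain $Domain -Resolver $FakeResolver   # Correct = True
Test-UpnSuffix -Domain $Domain -UserPrincipalName $SampleUpns         # bob@corp.local

# Live use (requires the DnsClient and ActiveDirectory modules):
#   Test-IntuneEnrollmentCname -Domain $Domain
#   Test-UpnSuffix -Domain $Domain -UserPrincipalName (
#       Get-ADUser -Filter * -Properties UserPrincipalName).UserPrincipalName
```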

To create the Intune connector, you must perform the following procedure:
1. In the Administration workspace, expand the Hierarchy Configuration folder and then
click Microsoft Intune Subscriptions.
2. On the ribbon, click Add Microsoft Intune Subscription.
3. On the Introduction page, click Next.

4. On the Subscription page, sign in by using an account conigured as an administrator
for your Intune organization. Select the Allow The Coniguration Manager Console To
Manage This Subscription check box.
5. Review the privacy links.
6. On the General page, specify the following settings:
■ Collection: Specify which user collection contains users who will enroll their mobile
devices.
■ Company name: Specify your organization name.
■ URL to company privacy information: Provide privacy information (optional).
■ Color scheme for company portal: Change the color of the company portal if
desired.
■ Coniguration Manager site code: Specify the primary site for mobile devices.
7. On the Platforms page, choose the device types you want to manage and then review
the platform requirements. For each device type that you select, you need to conigure
additional settings. You can conigure these settings on a per-device basis when
necessary.
When you enable Allow The Coniguration Manager Console To Manage This Subscription,
Coniguration Manager takes control of the Intune subscription for mobile device manage-
ment. You cannot undo this step. If you later decide that you do not want to manage Intune
by using Coniguration Manager, you must create a new Intune subscription.
To deploy the site system role for the Intune connector, perform the following procedure
on a site system server that communicates with the Intune servers that manage.microsoft.com
hosts:
1. In the Administration workspace, expand the Site Coniguration folder and then click
Servers And Site System Roles.
2. Select the site system server and then click Add Site System Roles on the ribbon.
3. On the System Role Selection page, select Microsoft Intune Connector and then click
Next.
4. Complete the wizard.
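The two external dependencies of the connector role are that the site system server can reach manage.microsoft.com and that the public DNS zone carries the enterpriseenrollment CNAME described in this objective's review. The following PowerShell is an added example, not code from the book or from Configuration Manager itself: it checks both prerequisites on the prospective connector host and, for whoever administers the DNS zone, creates the record. It assumes Windows Server 2012 R2 or later (DnsClient and NetTCPIP modules), the DnsServer module on an authoritative DNS server for the second function, and uses adatum.com as a placeholder suffix.

```powershell
# Added example, not from the book: pre-flight checks for the server that will host
# the Microsoft Intune Connector role, plus the DNS change this objective's review
# covers (a CNAME from enterpriseenrollment.<suffix> to manage.microsoft.com).
# Assumptions: Windows Server 2012 R2 or later with the DnsClient and NetTCPIP
# modules; Add-EnrollmentCname additionally needs the DnsServer module on a DNS
# server authoritative for the zone. 'adatum.com' is a placeholder suffix.

function Test-IntuneConnectorPrereqs {
    param(
        [string]$OrgSuffix  = 'adatum.com',            # placeholder public DNS suffix
        [string]$IntuneHost = 'manage.microsoft.com'   # host the site server must reach
    )
    $results = [ordered]@{}

    # 1. enterpriseenrollment.<suffix> must resolve as a CNAME that points at the Intune host.
    $enrollName = "enterpriseenrollment.$OrgSuffix"
    try {
        $cname = Resolve-DnsName -Name $enrollName -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $results['EnrollmentCnameOk']     = [bool]($cname -and $cname.NameHost -ieq $IntuneHost)
        $results['EnrollmentCnameTarget'] = if ($cname) { $cname.NameHost } else { $null }
    } catch {
        $results['EnrollmentCnameOk']     = $false
        $results['EnrollmentCnameTarget'] = $null
    }

    # 2. The site system server must reach manage.microsoft.com over HTTPS (TCP 443).
    $tcp = Test-NetConnection -ComputerName $IntuneHost -Port 443 -WarningAction SilentlyContinue
    $results['IntuneHttpsReachable']  = [bool]$tcp.TcpTestSucceeded
    $results['IntuneResolvedAddress'] = $tcp.RemoteAddress

    [pscustomobject]$results
}

function Add-EnrollmentCname {
    # Run on a DNS server that hosts the public zone; creates the record the review answer describes.
    param(
        [Parameter(Mandatory)][string]$ZoneName,       # e.g. the placeholder 'adatum.com'
        [string]$IntuneHost = 'manage.microsoft.com'
    )
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name 'enterpriseenrollment' -HostNameAlias $IntuneHost
}

# Usage on the prospective connector host:
Test-IntuneConnectorPrereqs -OrgSuffix 'adatum.com' | Format-List
```

Run the check before adding the site system role: a failed HTTPS test usually means an outbound proxy or firewall rule still needs to allow the site server to reach manage.microsoft.com, and a missing or wrong CNAME target shows up as EnrollmentCnameTarget rather than being silently ignored.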

MORE INFO INTEGRATING INTUNE WITH CONFIGURATION MANAGER
You can learn more about integrating Intune with Configuration Manager at http://technet.microsoft.com/en-us/library/jj884158.aspx.

Device enrollment
Each mobile device operating system uses a different method to enable users to self-enroll
their mobile devices, and the method sometimes differs depending on whether you are
using Intune as a standalone product or have configured integration with Configuration
Manager. You can use the following methods:
■ Windows Phone 8 and Windows Phone 8.1 To enroll a Windows Phone 8 device,
users select Company Apps or Workplace from their phones’ Settings screen. They
then provide their domain credentials in the form of their UPN and password. The user
is then prompted to install the company app or hub, which installs the company portal.
The device collects inventory and applies management settings. Users then can access
any available apps.
■ Windows RT 8.1 and Windows RT To enroll a Windows RT 8 device, go to the
Workplace section of settings and provide the organizational credentials as shown
in Figure 7-7. This enrolls the Windows RT device in Configuration Manager. If your
organization has System Center 2012 R2 Configuration Manager, you also can download
the Company Portal App from the Windows Store and then provide your user
credentials.

FIGURE 7-7 Workplace join

■ iOS To enroll an iOS device, use the device’s browser to navigate to
manage.microsoft.com and then provide credentials. If your organization has integrated
System Center 2012 R2 Configuration Manager, you can obtain the Company Portal
app through the Apple App Store.
■ Android Users can enroll mobile devices that are running the Android operating
system by acquiring the Company Portal App, without charge, from the Google
Play store. They then can provide their credentials in the app to enroll in the
Configuration Manager infrastructure. Only System Center 2012 R2 Configuration
Manager supports this method.
■ Windows To enroll a computer running Windows 8.1, go to the Workplace settings
control panel shown in Figure 7-8 and click Join. You’ll need to be signed on with an
appropriate set of credentials. You also can download the Company Portal App from
the Windows Store and then provide your user credentials.

FIGURE 7-8 Workplace join

MORE INFO INTUNE ENROLLMENT
You can learn more about Intune enrollment at http://technet.microsoft.com/en-au/library/dn646957.aspx.

MORE INFO INTEGRATING INTUNE WITH CONFIGURATION MANAGER
You can learn more about integrating Intune with Configuration Manager by watching the
MMS 2013 session at http://channel9.msdn.com/events/MMS/2013/UD-B309.

EXAM TIP
Remember that an Apple Push Notification Service certificate is required to manage
devices running iOS. No such certificate is required to manage devices running Android.

Thought experiment
Intune connector configuration at Tailspin Toys
You are preparing to deploy an Intune connector between the Tailspin Toys
Configuration Manager deployment and a recently activated Intune subscription.

1. With which hostname on the Internet must the site server on which you will
deploy the Intune connector be able to communicate?

2. Which account should you specify when configuring the Intune connector on the
Configuration Manager site server?

Objective summary
■ You can use Intune to manage hardware inventory, software inventory, endpoint
protection, remote assistance settings, software licensing, and firewall policy.
■ You can use Intune to deploy and manage software updates and applications.
■ You can use Intune separately from Configuration Manager, or you can integrate it
with Configuration Manager.
■ You can deploy apps to mobile devices by deep linking to the app in the appropriate
vendor’s store.
■ You need to have an Apple Push Notification Service certificate from Apple if you want
to manage and deploy applications to devices running the iOS operating system.
■ Devices running the Android operating system do not require special certificates to be
managed through Intune.
■ You need to configure directory synchronization between Microsoft Azure Active
Directory and on-premises Active Directory if you intend to integrate Intune with
Configuration Manager.
■ The site server that hosts the Intune connector must be able to communicate with
manage.microsoft.com on the Internet.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. Which of the following device management tasks can you perform using Intune on a
computer running Windows 8.1? (Choose all that apply.)
A. Operating system upgrade
B. BitLocker unlock
C. Application deployment
D. Hardware inventory

2. You work for adatum.com. You are preparing to integrate your on-premises
Configuration Manager 2012 R2 deployment with a newly configured Intune
subscription. Which of the following DNS configuration changes must you make?
A. Create a CNAME record named enterpriseenrollment.adatum.com that maps to
manage.microsoft.com.
B. Create an MX record named enterpriseenrollment.adatum.com that maps to
manage.microsoft.com.
C. Create an NS record named enterpriseenrollment.adatum.com that maps to
manage.microsoft.com.
D. Create an SRV record named enterpriseenrollment.adatum.com that maps to
manage.microsoft.com.
3. Which of the following are necessary if you want to deploy an in-house application by
using Intune to 150 tablets running the Windows RT 8.1 operating system? (Choose
two. Each correct answer forms part of a complete solution.)
A. Code-signing certificate trusted by the Windows RT 8.1 devices
B. Encryption certificate trusted by the Windows RT 8.1 devices
C. Sideloading keys
D. Activation keys

Objective 7.3: Manage connection profiles by using Configuration Manager
Connection profiles enable you to provision managed devices automatically with settings,
including Wi-Fi access point authentication information, virtual private network (VPN)
configuration, email account setup, and digital certificate provisioning.

This section covers the following topics:
■ Remote connection profiles
■ VPN profiles
■ Certificate profiles
■ Email profiles
■ Wi-Fi profiles

Remote connection profiles
You use remote connection profiles to configure Configuration Manager clients so that they
can establish remote connections across the Internet to their work computers. This saves
you from needing to provide instructions to end users on how they can perform these steps
manually. For example, you can use remote connection profiles to configure a collection of
desktop computers in the office so that it is possible for appropriately authenticated users on
the Internet to establish remote desktop connection sessions. Through these sessions, these
users would be able to interact with their office desktop computers directly, allowing access
to files, shared folders, and resources such as printers.
You can configure remote connection profiles to:
■ Force the use of a known Remote Desktop Gateway (RD Gateway) server. Incoming
connections will only be allowed if they are initiated from this address. You can
configure RD Gateway servers with secure authentication policies so that connections from
external clients are appropriately vetted before being forwarded to computers that
can host remote desktop connection sessions on protected networks.
■ Configure a collection of computers to allow inbound Remote Desktop connection
sessions.
■ Limit inbound Remote Desktop connection sessions to users who are listed as primary
users of a computer.
■ Configure Windows Firewall with advanced security rules so that inbound connections
are possible if the computer connects to a domain or private network.
Figure 7-9 shows the creation of a remote connection profile in which an RD Gateway
server has been specified and settings allowing connections from primary users are enabled.

FIGURE 7-9 Create Remote Connection Profile Wizard
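Once a remote connection profile has been deployed, the settings above are ordinary Windows settings on each client and can be audited there. The following PowerShell is an added example, not code from the book or from Configuration Manager: it reports whether Remote Desktop is enabled, whether the inbound Remote Desktop firewall rules are restricted to the Domain and Private profiles, and who is in the local Remote Desktop Users group, flagging anyone not on the list of expected (primary) users. The Network Level Authentication check is an extra hardening check, not a setting the profile itself configures. It assumes an elevated PowerShell session on a Windows 8.1 client with the NetSecurity module; ADATUM\jsmith is a placeholder user.

```powershell
# Added example, not from the book: audit a Windows 8.1 client for the settings a
# remote connection profile is meant to enforce (Remote Desktop enabled, inbound rules
# limited to the Domain and Private firewall profiles, and only the intended users in
# the local Remote Desktop Users group). The NLA check is an extra hardening check.
# Assumptions: elevated PowerShell session on the client; NetSecurity module present.

function Get-RemoteConnectionAudit {
    param([string[]]$ExpectedUsers = @())   # the device's primary users, as DOMAIN\user

    # Remote Desktop is enabled when fDenyTSConnections is 0.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rdpEnabled = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)

    # Network Level Authentication: authenticate before a session is created (UserAuthentication = 1).
    $nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                            -Name UserAuthentication -ErrorAction SilentlyContinue
    $nlaRequired = ($nla -ne $null -and $nla.UserAuthentication -eq 1)

    # Inbound Remote Desktop rules: are they enabled, and do any apply to the Public profile?
    $rules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue)
    $enabled = @($rules | Where-Object { "$($_.Enabled)" -eq 'True' })
    $public  = @($enabled | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    # Local Remote Desktop Users membership via ADSI; ADsPath looks like WinNT://ADATUM/jsmith.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
    $unexpected = @($members | Where-Object { $ExpectedUsers -notcontains $_ })

    [pscustomobject]@{
        RemoteDesktopEnabled   = $rdpEnabled
        NlaRequired            = $nlaRequired
        InboundRdpRulesEnabled = ($enabled.Count -gt 0)
        ExposedOnPublicProfile = ($public.Count -gt 0)
        RemoteDesktopUsers     = $members
        UnexpectedMembers      = $unexpected
    }
}

# Usage (placeholder primary user):
Get-RemoteConnectionAudit -ExpectedUsers 'ADATUM\jsmith' | Format-List
```

ExposedOnPublicProfile should be False on a correctly provisioned client, because the profile only opens the rules for domain and private networks; the RD Gateway requirement is enforced at the gateway and in the connection settings users receive, so it is not something this client-side audit can confirm.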

MORE INFO REMOTE CONNECTION PROFILES
You can learn more about remote connection profiles at http://technet.microsoft.com/en-us/library/dn261199.aspx.

VPN profiles
You can use VPN profiles to deploy VPN connection configuration information to
Configuration Manager clients that are running Windows 8.1 and Windows RT 8.1 or to
iPhone and iPad devices that are running iOS 5, iOS 6, and iOS 7. You can use VPN profiles
to deploy VPN connections that use the following connection types:
■ Cisco AnyConnect
■ Juniper Pulse
■ F5 Edge Client
■ Dell SonicWALL Mobile Connect
■ Check Point Mobile VPN
■ Microsoft SSL (SSTP)
■ Microsoft Automatic
■ IKEv2
■ PPTP
■ L2TP
The advantage of doing this is that by deploying the profiles to devices, end users will be
able to make VPN connections without having to configure them themselves. Figure 7-10
shows the configuration of an IKEv2-based VPN profile.

FIGURE 7-10 Create VPN Profile Wizard
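On a Windows 8.1 client the result of an IKEv2 VPN profile is a machine-wide VPN connection, which you can also create or inspect with the VpnClient cmdlets. The following PowerShell is an added example, not code from the book or from Configuration Manager: it creates the kind of IKEv2 connection shown in Figure 7-10, using machine certificate authentication and mandatory encryption, and then lists any existing connection that still uses PPTP or does not require encryption, which is the check worth running before retiring an older connection type from the list above. It assumes Windows 8.1 or later with the VpnClient module, an elevated session, and vpn.contoso.com as a placeholder server name.

```powershell
# Added example, not from the book: the client-side equivalent of an IKEv2 VPN profile
# (the connection type shown in Figure 7-10), plus a check that reports connections
# still using PPTP or optional encryption.
# Assumptions: Windows 8.1 or later with the VpnClient module, elevated session for the
# machine-wide (-AllUserConnection) connection; 'vpn.contoso.com' is a placeholder.

function New-CorporateIkev2Vpn {
    param(
        [string]$Name          = 'Contoso IKEv2',
        [string]$ServerAddress = 'vpn.contoso.com'   # placeholder VPN server FQDN
    )
    # Machine certificate authentication and mandatory encryption; split tunneling stays
    # at its default (off), so all traffic traverses the tunnel while connected.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -AllUserConnection -PassThru -Force
}

function Get-WeakVpnConnections {
    # Collect both per-user and machine-wide connections; either list may be empty.
    $all = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
           @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    $all | Where-Object {
        $_.TunnelType -eq 'Pptp' -or $_.EncryptionLevel -in @('NoEncryption', 'Optional')
    } | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel
}

# Usage:
New-CorporateIkev2Vpn | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
Get-WeakVpnConnections
```

Get-WeakVpnConnections returns nothing on a client that carries only the IKEv2 connection; anything it does list is a candidate for replacement by a deployed profile, since PPTP relies on MS-CHAPv2 and MPPE and provides the weakest protection of the tunnel types in the list.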

MORE INFO VPN PROFILES
You can learn more about VPN profiles at http://technet.microsoft.com/en-us/library/dn261217.aspx.

Certificate profiles
You can use certificate profiles to deploy certificates to Configuration Manager clients.
Certificate profiles enable you to configure automatic certificate deployment to clients that
cannot participate in the Active Directory Certificate Services (AD CS) autoenrollment process
because they are not members of the organization’s AD DS. The Windows RT 8.1,
Windows 8.1, iOS, and Android operating systems support certificate profiles, which in turn
support the following functionality:
■ Certificate enrollment and renewal from enterprise or standalone certification
authorities (CAs)
■ Deployment of trusted CA certificates to compatible Configuration Manager clients
■ Monitoring of and reporting on installed certificates
To use certificate profiles, you must deploy the certificate registration point on a site
system server either in the central administration site or in a primary site. You cannot deploy this
role in a secondary site.

Figure 7-11 shows the configuration of a certificate profile.

FIGURE 7-11 Create Certificate Profile Wizard
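The simplest certificate profile, a trusted CA certificate profile, places a CA certificate into the machine's trusted root (or intermediate) store on a Windows client. The following PowerShell is an added example, not code from the book or from Configuration Manager: it performs that placement by hand, refusing anything that is not a CA certificate and choosing the Root or CA store depending on whether the certificate is self-signed, and then builds the chain for a certificate issued by that CA so you can confirm the trust actually took effect, which is what the thought experiment below asks for. It assumes Windows 8.1 or later with the PKI module, an elevated session, and C:\certs\PerimeterRootCA.cer and C:\certs\device.cer as placeholder paths.

```powershell
# Added example, not from the book: what a certificate profile that deploys a trusted CA
# certificate does on a Windows client, done by hand, followed by a chain check so you
# can confirm that certificates issued by that CA are now trusted.
# Assumptions: Windows 8.1 or later with the PKI module, elevated session (machine store);
# C:\certs\PerimeterRootCA.cer and C:\certs\device.cer are placeholder paths.

function Install-CaCertificate {
    param([Parameter(Mandatory)][string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Only certificates that carry a CA basic constraint belong in a trust store.
    $bc = $ca.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        throw "Refusing to install '$($ca.Subject)': it is not a CA certificate."
    }

    # Self-signed CA certificates go to Root; subordinate CA certificates go to the CA (intermediate) store.
    $store = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null

    [pscustomobject]@{
        Subject    = $ca.Subject
        Thumbprint = $ca.Thumbprint
        Store      = $store
        NotAfter   = $ca.NotAfter
    }
}

function Test-IssuedCertificateTrust {
    param([Parameter(Mandatory)][string]$Path)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Default policy: chain to the machine/user trust stores, check revocation online.
    # An unreachable CRL for a perimeter CA surfaces in Issues rather than being hidden.
    $trusted = $chain.Build($leaf)
    [pscustomobject]@{
        Subject = $leaf.Subject
        Trusted = $trusted
        Issues  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root    = if ($chain.ChainElements.Count -gt 0) {
                      $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
                  } else { $null }
    }
}

# Usage (placeholder paths):
Install-CaCertificate -Path 'C:\certs\PerimeterRootCA.cer'
Test-IssuedCertificateTrust -Path 'C:\certs\device.cer'
```

Trusted is only true when the chain ends at a certificate in the machine's Root store and no status flag such as UntrustedRoot or RevocationStatusUnknown remains, so the second function is also a useful post-deployment check on a client that received the CA certificate through a profile rather than by hand.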

MORE INFO CERTIFICATE PROFILES
You can learn more about certificate profiles at http://technet.microsoft.com/en-us/library/dn261202.aspx.

Email profiles
Email profiles are an optional feature in Configuration Manager 2012 R2. They enable you to
provision managed devices running Windows Phone 8 and Windows Phone 8.1 or devices
running iOS 5, iOS 6, iOS 7, and iOS 8 with profile information for organizational email
accounts through Exchange ActiveSync. This minimizes the amount of effort required for a
user to provision a connection to his organizational email account. In addition to email
settings, an email profile configures synchronization settings for contacts, calendars, and tasks.
Before it is possible to configure an email profile, it is necessary to install the Email Profiles
Extension for Intune in the Configuration Manager site.

MORE INFO EMAIL PROFILES
You can learn more about email profiles at http://technet.microsoft.com/en-au/library/dn554226.aspx.

Wi-Fi profiles
You can use Wi-Fi profiles to deploy wireless network settings so that devices will connect
automatically to preconfigured wireless networks without requiring the user to perform the
operation manually. When you deploy Wi-Fi profiles, computers and mobile devices will
connect to networks automatically without requiring direct user intervention.
You can use Wi-Fi profiles with devices running the following operating systems:
■ Windows 8.1 (x86 and x64)
■ Windows RT 8.1
■ iOS 5
■ iOS 6
■ iOS 7
■ iOS 8
■ Android
Figure 7-12 shows a Wi-Fi profile for a wireless network with the SSID Contoso.

FIGURE 7-12 Create Wi-Fi Profile Wizard

MORE INFO WI-FI PROFILES
You can learn more about Wi-Fi profiles at http://technet.microsoft.com/en-us/library/dn261221.aspx.

EXAM TIP
Remember which items can be provisioned using profiles.

Thought experiment
Managed iOS devices at Contoso
You are using the MDM functionality of Configuration Manager and Intune to manage
a large collection of iOS devices at Contoso. You want to ensure that the managed
devices trust certificates issued by a standalone CA deployed on the Contoso
perimeter network. You also want to ensure that users of managed iOS devices do
not have to configure connections manually to the internal Contoso Wi-Fi network.
With this information in mind, answer the following questions:

1. What steps can you take to ensure that managed iOS devices trust certificates
issued by the standalone CA on the perimeter network?

2. What steps can you take to ensure that managed iOS devices can automatically
connect to wireless networks?

Objective summary
■ Remote connection profiles enable you to deploy Remote Desktop connection
configuration information to managed computers, allowing remote access to those
computers using a Remote Desktop Protocol (RDP) client.
■ VPN profiles enable you to deploy VPN connection configuration information to
managed devices.
■ Certificate profiles enable you to deploy certificates to managed devices.
■ Email profiles enable you to deploy email, calendar, contacts, and tasks configuration
information to managed devices.
■ Wi-Fi profiles enable you to deploy wireless network configuration information to
managed devices.

Objective review
Answer the following questions to test your knowledge of the information in this objective.
You can find the answers to these questions and explanations of why each answer choice is
correct or incorrect in the “Answers” section at the end of the chapter.
1. You want to allow people to connect using Remote Desktop connection from their
home computers, through an RD Gateway server deployed on your organization’s
perimeter network, to their work desktop computers on your organization’s internal
network. Which of the following profiles should you deploy to accomplish this goal?
A. Email profile
B. Certificate profile
C. VPN profile
D. Remote connection profile
2. You are testing a new device that uses a self-signed certificate to encrypt
communication. You want to configure 30 Configuration Manager clients so that they trust this
self-signed certificate. Which of the following profiles would you deploy to accomplish
this goal?
A. Email profile
B. Certificate profile
C. VPN profile
D. Remote connection profile
3. You are switching your remote access service from an SSTP VPN to an IKEv2 VPN
because this allows automatic reconnection without requiring user reauthentication.
Which of the following profiles would you deploy to mobile computers so that they are
updated with this new VPN connection information?
A. Remote connection profile
B. Certificate profile
C. VPN profile
D. Email profile
4. Which of the following can you use to configure nondomain-joined computers running
the Windows 8.1 operating system with the appropriate settings that allow them to
connect to your organization’s Exchange deployment?
A. Email profile
B. Certificate profile
C. VPN profile
D. Remote connection profile

Answers

Objective 7.1
Thought experiment
1. You would configure the Security Settings group to ensure that mobile device cameras
cannot be used at Fabrikam.
2. You would configure the Email Management Settings group to block Direct Push
notifications when a mobile device is connected to a roaming network.

Objective review
1. Correct Answer: C
A. Incorrect: When configuring the connector, you have to provide the address of
the client access server.
B. Incorrect: When configuring the connector, you have to provide the address of
the client access server.
C. Correct: When configuring the connector, you have to provide the address of the
client access server.
D. Incorrect: When configuring the connector, you have to provide the address of
the client access server.
2. Correct Answer: B
A. Incorrect: The Minimum Password Length setting configures minimum password
length.
B. Correct: You would configure the Password Expiration In Days setting and set the
value to 35 days if you wanted people to change their mobile device’s password
every five weeks.
C. Incorrect: Use the Number Of Passwords Remembered setting to ensure that
passwords cannot be reused.
D. Incorrect: Use the Number Of Failed Logon Attempts Before The Device Is Wiped
setting to ensure that a device is wiped if a password is incorrectly entered a
number of times in succession.
3. Correct Answer: B
A. Incorrect: Use the Number Of Failed Logon Attempts Before The Device Is Wiped
setting to ensure that a device is wiped if a password is incorrectly entered a
number of times in succession.
B. Correct: Use the Number Of Passwords Remembered setting to ensure that
passwords cannot be reused.

C. Incorrect: The Password Expiration In Days setting determines how often a person
must change her mobile device password.
D. Incorrect: The Minimum Password Length setting configures minimum password
length.
4. Correct Answer: C
A. Incorrect: The Password Expiration In Days setting determines how often a person
must change his mobile device password.
B. Incorrect: The Minimum Password Length setting configures minimum password
length.
C. Correct: Use the Number Of Failed Logon Attempts Before The Device Is Wiped
setting to ensure that a device is wiped if a password is incorrectly entered a
number of times in succession.
D. Incorrect: Use the Number Of Passwords Remembered setting to ensure that
passwords cannot be reused.

Objective 7.2
Thought experiment
1. The site server on which you deploy the Intune connector must be able to
communicate with the manage.microsoft.com hostname.
2. You must configure an Intune administrator account. You should not use the account
that you used to sign up for Intune (the Outlook.com, Hotmail.com, or live.com
Microsoft account) to configure the connector.

Objective review
1. Correct Answers: C and D
A. Incorrect: You cannot perform an operating system upgrade by using Intune.
B. Incorrect: You cannot perform BitLocker unlock by using Intune.
C. Correct: You can perform application deployment by using Intune.
D. Correct: You can perform hardware inventory by using Intune.
2. Correct Answer: A
A. Correct: Prior to configuring a connection between an on-premises Configuration
Manager deployment and Intune, you must create a canonical name (CNAME)
record in DNS that maps enterpriseenrollment.organizationname.com (where
organizationname.com is your organization’s DNS suffix) to manage.microsoft.com.
B. Incorrect: You must create a CNAME record. MX records are used to locate mail
servers.

C. Incorrect: You must create a CNAME record. NS records are used to locate name
servers.
D. Incorrect: You must create a CNAME record. SRV records are used to locate
services.
3. Correct Answers: A and C
A. Correct: To deploy an application to computers running Windows RT 8.1 through
Intune, you must obtain sideloading keys, and you must have a code-signing
certificate to sign the applications.
B. Incorrect: You need a code-signing certificate.
C. Correct: To deploy an application to computers running Windows RT 8.1 through
Intune, you must obtain sideloading keys, and you must have a code-signing
certificate to sign the applications.
D. Incorrect: You need sideloading keys.

Objective 7.3
Thought experiment
1. You can configure a certificate profile to deploy the CA certificate of the standalone CA
on the perimeter network to managed devices. This will ensure that the managed iOS
devices trust certificates issued by the standalone CA.
2. You can configure a Wi-Fi profile with the authentication details of Wi-Fi networks at
Contoso. This will ensure that managed iOS devices can automatically connect to
wireless networks.

Objective review
1. Correct Answer: D
A. Incorrect: You use an email profile to provision a device with email, calendar, task,
and contacts settings.
B. Incorrect: You can use a certificate profile to deploy a certificate, including a root
certificate or a self-signed certificate, to a managed device. This certificate will be
trusted.
C. Incorrect: You can use a VPN profile to deploy VPN connection information
automatically to managed devices.
D. Correct: You can use a remote connection profile to configure computers so that
they will accept inbound Remote Desktop connection requests if specific
conditions are met.

2. Correct Answer: B
A. Incorrect: You use an email profile to provision a device with email, calendar, task,
and contacts settings.
B. Correct: You can use a certificate profile to deploy a certificate, including a root
certificate or a self-signed certificate, to a managed device. This certificate will be
trusted.
C. Incorrect: You can use a VPN profile to deploy VPN connection information
automatically to managed devices.
D. Incorrect: You can use a remote connection profile to configure computers so that
they will accept inbound Remote Desktop connection requests if specific
conditions are met.
3. Correct Answer: C
A. Incorrect: You can use a remote connection profile to configure computers so that
they will accept inbound Remote Desktop connection requests if specific
conditions are met.
B. Incorrect: You can use a certificate profile to deploy a certificate, including a root
certificate or a self-signed certificate, to a managed device. This certificate will be
trusted.
C. Correct: You can use a VPN profile to deploy VPN connection information
automatically to managed devices.
D. Incorrect: You use an email profile to provision a device with email, calendar, task,
and contacts settings.
4. Correct Answer: A
A. Correct: You use an email profile to provision a device with email, calendar, task,
and contacts settings.
B. Incorrect: You can use a certificate profile to deploy a certificate, including a root
certificate or a self-signed certificate, to a managed device. This certificate will be
trusted.
C. Incorrect: You can use a VPN profile to deploy VPN connection information
automatically to managed devices.
D. Incorrect: You can use a remote connection profile to configure computers so that
they will accept inbound remote desktop connection requests if specific conditions
are met.

Index

Numbers and Symbols All Systems collection, 243


All Unknown Computers collection, 243
3DES (Triple Data Encryption Standard) encryption All User Groups collection, 243
algorithm, 282 All Users And User Groups collection, 243
All Users collection, 243
antimalware
about, 175
A automatic deployment rules, 153
access accounts, 41 coniguration item settings, 184
Access RemoteApp And Desktops dialog box, 29 Endpoint Protection, 198–212
Active Directory Certiicate Services (AD CS), 335 Sequencer and, 7
Active Directory Domain Services (AD DS) APK ile format, 57
authenticating users, 226 App Package for Android deployment type, 57
Coniguration Manager clients, 230–231 App Package for iOS deployment type, 57
Exchange Server connector, 321 App-V (Application Visualization)
extending schema, 234–236 about, 1
ActiveSync beneits, 2–3
Coniguration Manager and, 315–324 Connection Groups, 7–10
Intune and, 76 deployment models, 13–16
AD CS (Active Directory Certiicate Services), 335 Group Policy, 20–22
AD DS (Active Directory Domain Services) infrastructure elements, 12–13
authenticating users, 226 objective summary and review, 11–12, 22–23, 34–35
Coniguration Manager clients, 230–231 preparing Sequencer environment, 6–7
Exchange Server connector, 321 sequenced applications, 3–6, 16–20
extending schema, 234–236 App-V client
Add Applications dialog box, 8–9 Coniguration Manager integrated model, 15
Add Dependency dialog box, 19–20 coniguring dependencies, 18–20
Add Exchange Server Wizard, 322 App-V Sequencer
Add New Collection Alerts dialog box, 211 about, 3–5
add-ons, 5 additional information, 7
Advanced antimalware policy setting, 206 advanced settings, 5–6
alerts Coniguration Manager integrated model, 15
client health, 262 preparing environment, 6–7
Endpoint Protection, 211–212 application cache, streaming and, 18
software update, 148–149, 155 Application Catalog
All Desktop And Server Clients collection, 243 about, 45–46, 48–49
All Mobile Devices collection, 243 user device afinity, 66

345

From the Library of Ida Schander


Application Conlicts Data object type

Application Conlicts Data object type, 295 software metering, 306


Application Dependency Data object type, 295 Asset Intelligence catalog, 89–92
Application Deployment Asset Details object type, 295 Asset Intelligence Software Details Conlict Resolution
Application Deployment Error Asset Details object type, dialog box, 308, 313
295 Asset Manager security role, 93
Application Deployment Error Status object type, 295 authentication
Application Deployment Requirement Not Met Asset App-V, 13–14
Details object type, 295 Group Policy settings, 31
Application Deployment Status object type, 295 Internet-based, 100
application distribution strategy Kerberos, 226
about, 49 Mac OS X computers, 232
Application Catalog, 48–49 mobile clients, 100, 106
application management, 40–41 RD Gateway, 333
application management features, 43–45 RDC, 28
application management server roles, 45–48 Wi-Fi access point, 332
applications and packages, 42–43 Windows, 226
objective summary and review, 49–51, 115–116 automatic approval rules, 164–167
application metering, 13–14 automatic deployment rules, 153–156
Application Requirement Data object type, 295 Available deployment purpose, 44
Application Requirement Not Met Status object type,
295
application upgrades
about, 82
B
application revision history, 84–85 Background Intelligent Transfer Service (BITS), 15
application supersedence, 83–84 bandwidth management, 103–104
objective summary and review, 86–87, 118–119 baselines, coniguration
retiring applications, 85–86 about, 189–190
uninstalling applications, 86 coniguration packs, 193
Application Virtualization Sequencing Wizard, 4 copying existing, 192
Application Visualization (App-V) creating, 191–192
about, 1 deploying, 192–193
beneits, 2–3 objective summary and review, 197–198, 216–217
Connection Groups, 7–10 viewing compliance information, 194–196
deployment models, 13–16 BITS (Background Intelligent Transfer Service), 15
Group Policy, 20–22 boundary groups, 100
infrastructure elements, 12–13 BranchCache, 15, 101–102
objective summary and review, 11–12, 22–23, 34–35
preparing Sequencer environment, 6–7
sequenced applications, 3–6, 16–20
APPV ile format, 56
C
APPX ile format, 56 CA (certiication authority)
Asset Intelligence certiicate proiles, 335
about, 89, 293, 302 distribution points, 100, 106
beneits, 302 Internet-based clients, 226
components, 89–92, 304–306 SCUP requirements, 125
data collection, 92–93 CAB ile format, 56, 181
inventory management and, 89–93, 270, 305–306 canonical name (CNAME) record, 327
reporting, 303–304, 307–308 capacity requirements (RemoteApp), 26–27

346

From the Library of Ida Schander


Coniguration Manager

catalogs Coniguration Manager clients, 227


about, 132 creating and monitoring baselines, 189–198
Asset Intelligence, 89–92, 304–305, 308 rules for, 185
SCUP supported, 132 scanning for, 143–144
Catalogs workspace (SCUP), 132 compressed iles
CcmExec.log ile, 283 inventory collection, 278, 280
CCMSetup.exe, 230–231, 235 troubleshooting, 109
CCMSetup.log ile, 259 ConigmgrMacClient.msi ile, 233
CCMSetup.msi ile, 231 Coniguration Baseline Name dialog box, 192
certiicate proiles, 335–336 coniguration baselines
certiication authority (CA) about, 189–190
certiicate proiles, 335 coniguration packs, 193
distribution points, 100, 106 copying existing, 192
Internet-based clients, 226 creating, 191–192
SCUP requirements, 125 deploying, 192–193
child coniguration items, 180 objective summary and review, 197–198, 216–217
CIM (Common Information Model), 272 viewing compliance information, 194–196
Client Coexistence node (Group Policy), 20 Coniguration Item Name dialog box, 181
Client Health evaluation engine, 260–261 coniguration items
Client Push Installation Properties dialog box, 231, 237 about, 176–178
Client Status reports, 261–262 compliance settings, 176
ClientIDManagerStartup.log ile, 259 copying existing, 181
ClientLocation.log ile, 259 creating, 178–180, 182
Client.msi ile, 231, 235, 238 creating child, 180–182
Client.msi.log ile, 259 importing data, 181, 191
cloud-based distribution points, 102–103 monitoring settings, 182–185
CMMAC ile format, 57 objective summary and review, 187–188, 215–216
CNAME (canonical name) record, 327 remediation, 185–186
Collection Data Point object type, 295 revision history, 181–182
collections Coniguration Manager
about, 221, 242 about, 15
Asset Intelligence, 92–93 application distribution strategy, 39–51
limiting, 244 application upgrades, 82–87
maintenance windows, 245–247 automatic deployment rules, 153–156
monitoring, 254–255 building coniguration items, 175–188
power management, 247–253 coniguring dependencies, 18–20
predeined, 243 coniguring Endpoint Protection, 198–214
rules for, 244–245 creating and monitoring baselines, 189–198
command-line interface creating reports, 293–310
Coniguration Manager clients, 222 deploying applications, 52–75
RemoteApp, 27 integrated model, 15–16
Common Information Model (CIM), 272 integrating with Intune, 326–328
company portals, 78 integrating with SCUP, 127
compatibility managing connection proiles, 332–339
local installation and, 16 managing content distribution, 98–114
remote applications and, 25–26 managing hardware and software inventory,
compliance 269–285
building coniguration items, 175–188 managing software metering, 286–293

347

From the Library of Ida Schander


Coniguration Manager clients

  managing updates, 145–148
  monitoring deployment, 87–98
  monitoring software updates, 148–153
  sequenced applications, 17
  software update client settings, 141–144
  software update points, 137–140
  software updates in, 136
  troubleshooting software updates, 148–153
Configuration Manager clients
  about, 222–229
  assigning to sites, 237–238
  configuring settings, 238–240
  evaluating status, 259–260
  extending schemas, 234–235
  file collection, 279–280
  health alerts, 262–263
  health evaluation and remediation, 260–261
  health reports, 261–262
  installing, 230–234
  Internet-based, 226–227
  managing collections, 242–257
  monitoring client status, 257–264
  objective summary and review, 240–241, 263–268
  site systems used in deployment, 235–237
  verifying installation, 257–259
  workgroup-based, 225
Configuration Manager Properties dialog box
  Actions tab, 224, 280
  Cache tab, 224
  Components tab, 223
  Configurations tab, 194, 224
  General tab, 222–223, 258
  Network tab, 224
  Site tab, 224
configuration packs, 193
Configuration.mof file, 275–276
Configure Client Setting dialog box, 277
Connection Groups (App-V), 7–10
connection profiles, 332–339
content distribution
  about, 98, 109–111
  content library, 105
  content management, 99–100
  distribution points, 100–103
  monitoring, 108–109
  network bandwidth considerations, 103–104
  objective summary and review, 113–114, 120–122
  prerequisites, 105–108
  prestaging, 111–113
content library, 99, 105
content management
  distribution points, 99–103
  prerequisites for, 105–108
Control Panel
  Configuration Manager clients, 194
  RD Web Access, 27
Create A New Policy dialog box, 158–160
Create Antimalware Policy dialog box, 206
Create Application Wizard
  Application Catalog tab, 53
  Content Locations tab, 54
  Deployment Types tab, 54
  Distribution Settings tab, 54
  General Information tab, 52–53
  Reference tab, 53
  Security tab, 54
  Supersedence tab, 54
Create Automatic Approval Rule Wizard
  Deployment page, 166–167
  General page, 164
  Product Categories page, 165
  Summary page, 167
  Update Classifications page, 165–166
Create Automatic Deployment Rule Wizard
  Alerts page, 155
  Deployment Package page, 155
  Deployment Schedule page, 155
  Deployment Settings page, 154
  Distribution Points page, 156
  Download Location page, 156
  Download Settings page, 155
  Evaluation Schedule page, 154
  General page, 154, 164
  Language Selection page, 156
  Software Updates page, 154
  Summary page, 156
  User Experience page, 155
Create Certificate Profile Wizard, 336
Create Child Configuration Item Wizard, 180
Create Configuration Baseline dialog box, 191
Create Configuration Item Wizard
  Compliance Rules page, 179–180
  Detection Methods page, 179
  General page, 178–179
  Mobile Device Settings page, 180
  Platform Applicability page, 180




  Settings page, 179–180
  Supported Platforms page, 179–180
Create Deployment Type Wizard
  about, 56
  Content section, 59
  Dependencies section, 59
  Detection Method section, 59
  General section, 59
  Programs section, 59
  Requirements section, 59
  Return Codes section, 59
  User Experience section, 59
Create Device Collection Wizard, 244–245
Create Direct Membership Rule Wizard, 244
Create Prestaged Content File Wizard, 112
Create Query Wizard, 294
Create Remote Connection Profile Wizard, 333
Create Report Wizard, 300
Create Requirement dialog box, 63
Create Site System Server Wizard
  Boundary Groups page, 108
  Content Validation page, 108
  Distribution Point page, 107
  Drive Settings page, 107
  Multicast page, 108
  Pull Distribution Point page, 108
  PXE Settings page, 108
  Select A Server To Use As A Site System page, 106–107
  Specify Internet Proxy Server page, 107
  Specify Roles For This Server page, 107
Create Software Metering Rule Wizard, 94, 288–289
Create Software Update Group dialog box, 145
Create User Collection Wizard, 244
Create Virtual Environment dialog box, 8–9
Create VPN Profile Wizard, 335
Create Wi-Fi Profile Wizard, 337
Create Windows Firewall Policy dialog box, 208
critical updates, 161–162, 164–165
CSV file format, 67

D
data queries, 294
data source name (DSN), 297
Dataldr.log file, 284
DataTransferService.log file, 259
DDRs (discovery data records), 283
Default Actions antimalware policy setting, 206
Default Antimalware Policy dialog box, 205–206
Default Settings dialog box
  Compliance Settings section, 190
  Computer Agent section, 140
  Endpoint Protection section, 203
  Hardware Inventory section, 273
  Software Inventory section, 276
  Software Metering section, 287
  Software Updates section, 141
definition updates, 161–162
Definition Updates antimalware policy setting, 207
Delete Aged Collected Files site maintenance task, 282
Delete Aged Inventory History Properties dialog box, 283
Delete Aged Inventory History site maintenance task, 282
denial-of-service attacks, 281
dependencies (deploying applications)
  configuring, 18–20
  deployment types and, 60
  RemoteApp deployment, 26
Deploy Configuration Baselines dialog box, 192–193
Deploy Software Updates Wizard, 147
Deploy Software Wizard
  about, 55, 67
  Alerts page, 72
  Content page, 68
  Deployment Settings page, 69–70
  General page, 68
  Scheduling page, 70–71
  User Experience page, 71
Deploy Windows Firewall Policy dialog box, 208
deploying applications (Configuration Manager)
  about, 55–59
  creating applications, 52–54
  dependencies, 60
  deployment software wizard, 67–72
  detection methods, 59–60
  global conditions, 61–62
  objective summary and review, 73–75, 116–117
  requirements, 62–65
  simulated deployment, 73
  user device affinity, 65–67
deployment actions, 44–45, 78
Deployment Asset Details object type, 295
deployment models (App-V), 13–16




Deployment object type, 295
deployment packages, 145–147, 155–157
deployment purposes, 44–45, 78
Deployment Summary Per Collection object type, 295
deployment types
  creating, 56–59
  differences among, 55
  requirements, 62–65
deployments, defined, 41
desktop and mobile applications
  deploying using Configuration Manager, 51–75
  deploying using Microsoft Intune, 75–82
  differences between packages and, 42–43
  managing content distribution, 98–114
  monitoring, 87–98
  objective summary and review, 115–122
  planning distribution strategy, 39–51
  planning for upgrades, 82–87
Desktop Management Interface (DMI), 272
Despooler.log file, 109
detection methods (deploying applications), 44, 59–60
Detection Rule dialog box, 60
direct rule, 244
discovery data records (DDRs), 283
DistMgr.log file, 109
Distribute Content Wizard, 110
Distribution Point Site System role, 106
distribution points
  about, 41, 99–102
  assigning priority, 104
  certificates and, 105–106
  cloud-based, 102–103
  Configuration Manager clients, 237
  configuring, 146
  distributing content to, 109–111
  monitoring, 108–109
  network bandwidth considerations, 103–104
  prerequisites, 105–108
  pull, 102
Distribution Points Or Distribution Point Groups dialog box, 54
DMI (Desktop Management Interface), 272
DNS (Domain Name System), 236, 327
Domain Name System (DNS), 236, 327
Download Center, 233
Download Definition dialog box, 209
download location, 146–147, 156
Download Software Updates Wizard, 145–146
downloading configuration packs, 193
DSN (data source name), 297

E
Edit Inventory Classes dialog box, 92, 307
email management
  client health alerts, 262
  email profiles, 336–337
  Endpoint Protection, 200
  Exchange Server connector, 318–319, 322
  maintenance windows, 245
  mobile devices, 177, 182
  reporting services configuration, 298
email profiles, 336–337
encryption
  Exchange Server connector, 319
  inventory collection, 278, 281–282
  Microsoft Azure, 103
  mobile devices, 183, 320
  SSRS, 297, 299
Endpoint Protection
  about, 199–200
  antimalware policies, 204–207
  automatic deployment rules, 153
  client settings, 202–204
  configuring alerts, 211–212
  implementing, 200–204
  monitoring status, 210–211
  objective summary and review, 213–214, 217–219
  policy management, 209–210
  prerequisites, 200–201
  Windows Firewall policies, 207–208
Endpoint Protection Dash Board Data Point object type, 295
Endpoint Protection Point Site System role, 200–202
enrollment (mobile devices), 328–330
enrollment points, 237
enrollment proxy points, 237
Enrollment Wizard, 233
Enterprise (full infrastructure) model, 13–14
Error compliance state, 88
Exchange Server connector
  about, 316
  Applications Settings group, 320–321
  configuring, 316–317, 321–322
  Email Management Settings group, 318–319, 322




  encrypted files, 319
  General Settings group, 317
  management tasks, 316
  objective summary and review, 323–324, 340–341
  Password Settings group, 317–318
  Security Settings group, 319–320
exclude collections rule, 244
Exclusion Settings antimalware policy setting, 206
EXE file format, 56
Existential condition type, 63
Existential rules, 184
ExtADSch.exe tool, 235
ExtractContent command, 113

F
Failed VE Data object type, 295
fallback status points, 236
file collection
  about, 279–280
  disabling, 282
  status messages regarding, 284
File System detection rule, 60
FileSystemFile.log file, 283
firewalls
  bandwidth management settings, 104
  Configuration Manager clients, 230
  distribution points, 100
  Endpoint Protection, 198–200, 207–208
  mobile device settings, 184
FQDN (fully qualified domain name), 100, 226
Full Administrator role, 140
full infrastructure (Enterprise) model, 13–14
fully qualified domain name (FQDN), 100, 226

G
global conditions (deploying applications), 44, 61–62
Group Policy
  about, 20–22, 29
  computer settings, 30
  Configuration Manager clients, 230
  sequenced applications, 17
  user settings, 30–31

H
hardware inventory
  Asset Intelligence, 89–90, 92–93, 306
  Configuration Manager clients, 239
  Exchange Server connector, 316
  extending, 274–276
  inventory collection, 270, 272–274
  Linux computers, 229
  Mac OS X computers, 227
  power management and, 248–249
  UNIX computers, 229
Hardware Inventory Classes dialog box, 274–275
health evaluation rules, 260–261

I
IDMIF file format, 282
IIS (Internet Information Services), 105
Import Configuration Data Wizard, 181, 191
Import Software Licenses Wizard, 93, 307
In Progress compliance state, 88
include collections rule, 244
Install deployment action, 44
Installable Rules dialog box, 131
Installable rules rule type, 134
installation
  Configuration Manager clients, 230–234, 257–259
  Intune, 78–79
  sequenced applications, 16–18
  streaming applications, 17–18
Installed compliance state, 144
Installed rules rule type, 134
instance limitation, deployment models, 13–14
Integration node (Group Policy), 20
Internet-based clients, 226–227
Internet Information Services (IIS), 105
Intune (Microsoft)
  about, 18, 49, 75–76, 158
  approving updates, 162–164
  automatic approval rules, 164–167
  categories and classifications, 161–162
  deploying software for automatic installation, 78–79
  deploying software to company portal, 78
  inventory collection, 270
  managing mobile devices, 76, 325–332




  objective summary and review, 81–82, 117–118, 168–170, 172–173
  operating system support, 76–78
  third-party updates, 167–168
  update policies, 79–80, 158–161
inventory management
  about, 280–284
  Asset Intelligence, 89–93, 270, 305–306
  Configuration Manager clients, 224, 229, 239
  creating reports, 293–310
  deletion interval, 282
  file collection, 279–280
  gathering information, 270–272
  hardware inventory collection, 272–274
  Intune, 77
  Linux computers, 229
  Mac OS X computers, 227
  objective summary and review, 311–314
  power management, 248–249
  software inventory collection, 276–278
  software metering, 94, 286–293
  troubleshooting, 283
  UNIX computers, 229
  WMI, 89
InventoryAgent.log file, 283
IP Network object type, 295
IPA file format, 57

K
Kerberos authentication, 226

L
language selection, 146–147, 156
LDIFDE tool, 235
limiting collections, 244
Linux operating systems
  Configuration Manager clients, 222, 228–229, 233–234
  Endpoint Protection, 201
  hardware inventory collection, 272
  software inventory and, 276
LocalSystem account, 282
log files
  Asset Intelligence, 93, 307
  collections, 254
  Configuration Manager client status, 259
  content status monitoring, 111
  distribution point monitoring, 109
  inventory collection, 283–284
  update-related, 151–153

M
Mac OS X operating system
  configuration items, 177, 180, 184–185
  Configuration Manager clients, 222, 227–228, 232–233
  deployment considerations, 57–58
  Endpoint Protection, 201
  hardware inventory collection, 272
  software inventory and, 276
Macclient.dmg file, 233
maintenance windows, 142–143, 245–247
Manage Deployment dialog box, 160–161
Managed Object Format (MOF) file, 272, 275
management points
  about, 235–236
  Mac OS X computers, 228
  reviewing log files, 283–284
Management Server, 12
Management Server database, 13
metadata synchronization, 138–140
Microsoft Action Protection Service antimalware policy setting, 207
Microsoft Application Virtualization deployment type, 56
Microsoft Azure, 103
Microsoft Download Center, 233
Microsoft Intune
  about, 18, 49, 75–76, 158
  approving updates, 162–164
  automatic approval rules, 164–167
  categories and classifications, 161–162
  deploying software for automatic installation, 78–79
  deploying software to company portal, 78
  inventory collection, 270
  managing mobile devices, 76, 325–332
  objective summary and review, 81–82, 117–118, 168–170, 172–173
  operating system support, 76–78
  third-party updates, 167–168




  update policies, 79–80, 158–161
Microsoft SQL Server Report Builder, 300–301
Microsoft SQL Server Reporting Services, 46
Microsoft Update
  Configuration Manager software update integration, 136–139, 143, 147, 155–156
  Endpoint Protection, 199, 207
  Sequencer options, 5
  WSUS software update integration, 136–139, 143, 147, 155–156
MIF file format, 282
Mifprovider.log file, 283
mobile applications
  differences between packages and, 42–43
  managing content distribution, 98–114
  managing with Configuration Manager, 51–75
  managing with Intune, 75–82
  monitoring, 87–98
  objective summary and review, 115–122
  planning distribution strategy, 39–51
  planning for upgrades, 82–87
mobile devices
  configuration items, 177, 180, 183–184
  enrollment, 328–330
  inventory collection, 270
  managing with Configuration Manager, 332–339
  managing with Exchange Server connector, 315–324
  managing with Intune, 76, 325–332
  objective summary and review, 340–343
MOF (Managed Object Format) file, 272, 275
monitoring
  about, 45, 87–88
  Asset Intelligence, 89–93
  collections, 254–255
  compliance, 194–195
  Configuration Manager, 136, 148–153
  Configuration Manager client status, 257–264
  content status, 111
  distribution points, 108–109
  Endpoint Protection status, 210–211
  objective summary and review, 97–98, 119–120
  software metering, 93–96
  WSUS, 148–153
MP_Hinv.log file, 283
MP_Relay.log file, 284
MP_Retry.log file, 284
MSI file format, 16, 56
MSIExec file, 231
multiuser environments
  application virtualization, 2
  RemoteApp deployment, 26

N
NAP (Network Access Protection), 136
Network Access Protection (NAP), 136
network bandwidth, 103–104
New-RDRemoteApp cmdlet, 28
NOIDMIF file format, 282
Nokia SIS File deployment type, 57
Not Required compliance state, 144

O
object types, 295
OMI (Open Management Infrastructure), 272
OOBE state, 7
Open Management Infrastructure (OMI), 272
Operations Manager, 72, 193
Options dialog box, 5–6, 222

P
package accelerators, 5
package definition files, 41
Package Installation Root policy, 21
Package object type, 295
Package Transfer Manager, 111, 149
packages
  about, 40, 109
  differences between applications and, 42–43
  scripts and, 43
password management
  content management, 109
  Exchange Server connector, 316–318
  mobile devices, 177, 182–183, 328
  power management, 250
  RD Web Access, 25
  Remote Desktop Connection Client, 30–31
PatchDownloader.log file, 152
PKGX file format, 112
PkgXferMgr.log file, 109, 111
PKI (public key infrastructure), 100




planning application distribution strategy
  about, 49
  Application Catalog, 48–49
  application management, 40–41
  application management features, 43–45
  application management server roles, 45–48
  applications and packages, 42–43
  objective summary and review, 49–51, 115–116
plug-ins, 5
policy management
  App-V, 18, 21–22
  Endpoint Protection, 204–210
  Exchange Server connector, 317–321
  Intune, 79–80, 158–161
  Windows Firewall, 207–208
PolicyAgent.log file, 259, 283
power management
  about, 48, 247, 253
  external dependencies, 248
  plan settings, 249–252
  prerequisites, 248–249
  reports, 252–253
PowerShell (Windows), 277
Prerequisite dialog box, 131
prestaging content, 111–113
Program Deployment Asset Details object type, 295
Program Deployment Status object type, 295
Program object type, 295
programs, defined, 40–41
Properties dialog box
  applications, 19–20, 58, 83
  collections, 211, 246, 262, 279
  Configuration Manager, 194, 222–223, 258, 280
  content, 110, 112
  distribution points, 112, 228–229
  management points, 228
  queries, 296
  query statements, 296
  sites, 282
  software metering, 95, 289–290
  software update components, 149
  website point, 48
PS1 file format, 277
public key infrastructure (PKI), 100
Publications workspace (SCUP), 133
Publish RemoteApp Programs Wizard, 27–28
Publishing node (Group Policy), 21
Publishing Server 1 Settings policy, 21
Publishing Servers
  about, 12
  full infrastructure model, 14
  sequenced applications, 17
pull-distribution points, 102

Q
queries
  about, 294–296
  rules for, 244
  status message, 284

R
RD Gateway, 28, 31, 333
RD Licensing, 30
RD Web Access (Remote Desktop Web Access), 25–28
RDC (Remote Desktop Connection) client
  about, 24–25
  Advanced tab, 28
  computer settings, 30
  connecting with, 28–29
  Display tab, 28
  Experience tab, 28
  General tab, 28
  Local Resources tab, 28
  Programs tab, 28
  user settings, 31
RDL file format, 301
RDMS (Remote Desktop Management Service), 27
RDP (Remote Desktop Protocol) client, 25
RDP file format, 30
RDS (Remote Desktop Services), 2, 25
Real-time Protection antimalware policy setting, 206
redistributing content, 110–111
Registry detection rule, 60
remediation
  client health, 260–261
  configuration items, 185–186
remote connection profiles, 332–334
Remote Desktop Connection (RDC) client
  about, 24–25
  Advanced tab, 28
  computer settings, 30
  connecting with, 28–29




  Display tab, 28
  Experience tab, 28
  General tab, 28
  Local Resources tab, 28
  Programs tab, 28
  user settings, 31
Remote Desktop Management Service (RDMS), 27
Remote Desktop Protocol (RDP) client, 25
Remote Desktop Services (RDS), 2, 25
Remote Desktop Session Host servers, 24–28, 30–31
Remote Desktop Users group, 24, 28
Remote Desktop Web Access (RD Web Access), 25–28
remote desktops, 24–25
RemoteApp
  about, 24–25
  application presentation strategies, 24–26
  Group Policy settings, 29–31
  managing application connections, 28–29
  objective summary and review, 32–33, 36–37
  preparing applications, 26–27
  publishing and configuring, 27–28
  user settings, 31
removing content, 110–111
Reporting node (Group Policy), 21
Reporting Server, 13
Reporting Server database, 13
reporting services
  Asset Intelligence, 303–304, 307–308
  client health, 262
  collections, 254–255
  compliance management, 195–196
  Configuration Manager, 46, 111, 136, 296–299
  Configuration Manager clients, 258
  Exchange Server connector, 316
  managing reports, 299–302
  objective summary and review, 309–310, 313–314
  queries, 244, 284, 294–296
  software update groups, 145
  software updates, 150–151
Reporting Services Configuration Manager, 297–299
reporting services points, 237, 297
Required compliance state, 144
Required deployment purpose, 44
requirements (deploying applications)
  Asset Intelligence, 91–92, 305–306
  Configuration Manager, 44, 62–65, 101
  Intune, 76–77
  RemoteApp, 26–27
  SCUP, 124–125
Requirements Not Met compliance state, 88
Resource Explorer
  about, 271
  accessing, 281
  viewing file collections, 280
  viewing hardware inventory, 227, 229, 281
  viewing software inventory, 276, 278, 281
retiring applications, 85–86
revision history
  applications, 84–85
  configuration items, 181–182
rules
  automatic approval, 164–167
  automatic deployment, 153–156
  collection, 244–245
  compliance, 185
  detection, 60
  health evaluation, 261
  for queries, 244
  SCUP options, 133–134
  software metering, 94–95, 287–290
Rules workspace (SCUP), 133–134

S
Scan Settings antimalware policy setting, 206
ScanAgent.log file, 152
Scheduled Scans antimalware policy setting, 206
Scheduler.log file, 109
schedules
  inventory collection, 272
  reevaluating collection rules, 244
Schema Admins group, 234
schemas
  CIM, 272
  extending, 234–235
Script Installer deployment type, 56
Scripting node (Group Policy), 21
scripts, packages and, 43
SCUP (System Center Updates Publisher)
  about, 174
  additional information, 129
  certificate requirements, 125
  integrating with Configuration Manager, 127
  managing updates, 129–134
  OS and software requirements, 124




  setting options, 125–129
Secure Hash Algorithm 256 (SHA-256), 281
Secure Sockets Layer (SSL), 281
security management
  App-V, 22
  application virtualization, 3
  Asset Intelligence, 93
  compliance settings, 176
  connection profiles, 333
  creating applications, 54
  Endpoint Protection, 200–201, 206, 209
  event logs, 93
  Exchange Server connector, 319–320
  Full Administrator role, 140
  managing collections, 242–243
  managing inventory collections, 280–282
  mobile devices, 177, 182–184
  Remote Desktop Connection Client, 30
  Remote Desktop Session Host, 30–31
  reports and, 295, 297, 307
  SCUP, 131
  security updates, 161–162, 164–165
  Software Update Manager security role, 140, 145
  software updates, 145
Security Roles object type, 295
Security Scopes object type, 295
security updates, 161–162, 164–165
Select Collection dialog box, 206, 208
self-signed certificates
  distribution points, 105, 107
  Linux computers, 229
  Mac OS X computers, 228
  SCUP, 125
  UNIX computers, 229
Sender.log file, 109
sequenced applications
  about, 3–5
  additional information, 6
  deploying, 16–20
  local installation, 16–18
  streaming applications, 16–18
Sequencer
  about, 3–5
  additional information, 7
  advanced settings, 5–6
  Configuration Manager integrated model, 15
  preparing environment, 6–7
service packs, 161–162
service (SRV) record, 236
session virtualization
  about, 24
  application presentation strategies, 24–26
  Group Policy settings, 29–32
  managing connections to applications, 28–29
  objective summary and review, 32–33, 36–37
  preparing applications, 26–27
  publishing and configuring programs, 27–28
severity levels (noncompliance), 185
SHA-256 (Secure Hash Algorithm 256), 281
Shared Content Store (SCS) mode policy, 18, 21–22
Simple Network Management Protocol (SNMP), 272
simulated deployments, 73
Sinvproc.log file, 284
Site object type, 295
Site Server log files, 152
site system roles, 235–237
SMS_COLLECTION_EVALUATOR, 254
SMS_DEF.MOF file, 272
SMSDPProv.log file, 109
SMS_ENDPOINT_PROTECTION_MANAGER, 202
SMS_PACKAGE_TRANSFER_MANAGER, 111, 149
SMSProv.log file, 109
SMSPXE.log file, 109
SMS_SoftwareTag Asset Intelligence Hardware Inventory Reporting class, 89
SMSTSAssignUsersMode task sequence variable, 67
SMSTSUdaUsers task sequence variable, 67
SMS_WSUS_CONFIGURATION_MANAGER, 138
SMS_WSUS_CONTROL_MANAGER, 138
SMS_WSUS_SYNC_MANAGER, 139, 149
SNMP (Simple Network Management Protocol), 272
Software Center
  about, 47–49, 222
  application deployment, 55, 71
  customizing settings, 47–48, 222, 225
  maintenance windows and, 143
  power management settings, 248
  software delivery preferences, 225
  user experience setting, 155
Software Center Options dialog box, 222
software inventory
  Asset Intelligence, 89, 91–93, 305
  Configuration Manager clients, 224, 239
  configuring file collection, 279
  Intune, 77
  inventory collection, 270, 276–278




  software metering, 94
software metering
  about, 93–94, 286–288
  Asset Intelligence, 306
  configuring rules, 94–95
  objective summary and review, 292–293, 312–313
  rules for, 287–290
  summarization tasks, 95–96, 290–292
Software Metering Agent, 94, 287–288
Software Metering Rule object type, 295
software update groups, 145
Software Update Manager security role, 140, 145
Software Update Point Synchronization Status, 148
software update points
  about, 137–138
  Configuration Manager clients, 230, 237
  log files, 152
  synchronizing, 138–140
software updates
  approving, 162–164
  categories and classifications, 161–162
  using Configuration Manager and WSUS, 135–157
  using Microsoft Intune, 78–79, 158–169
  objective summary and review, 170–173
  third-party, 124–134, 167–168
Software Updates agent, 140–144
Software workspace (Intune), 77
SoftwareDistribution.log file, 152
Specify Application dialog box, 8
Specify Required Application dialog box, 19–20
Specify what to load in background (that is, Autoload) policy, 22
SQL (Structured Query Language), 294
SQL Server Report Builder, 300–301
SQL Server Reporting Services (SSRS), 46, 296–299
SRV (service) record, 236
SSL (Secure Sockets Layer), 281
SSRS (SQL Server Reporting Services), 46, 296–299
standalone deployment model, 14
state, application, 45
status message queries, 284, 294
streaming applications
  about, 16
  App-V application cache and, 18
  combining local installation and, 17–18
Streaming node (Group Policy), 21
Structured Query Language (SQL), 294
Success compliance state, 88
summarization tasks, software metering, 95–96, 290–292
Superseded Updates dialog box, 131
supersedence, 42, 44, 83–84
synchronizing update points, 138–140
System Center Endpoint Protection
  about, 199–200
  antimalware policies, 204–207
  automatic deployment rules, 153
  client settings, 202–204
  configuring alerts, 211–212
  implementing, 200–204
  monitoring status, 210–211
  objective summary and review, 213–214, 217–219
  policy management, 209–210
  prerequisites, 200–201
  Windows Firewall policies, 207–208
System Center Marketplace, 193
System Center Updates Publisher (SCUP)
  about, 174
  additional information, 129
  certificate requirements, 125
  integrating with Configuration Manager, 127
  managing updates, 129–134
  OS and software requirements, 124
  setting options, 125–129
System Resource object type, 295

T
task sequence action variables, 67
third-party updates
  Intune support, 167–168
  managing, 129–134
  objective summary and review, 134–135, 170–171
  System Center Updates Publisher, 124–129, 174–175
Threat Overrides antimalware policy setting, 207
Triple Data Encryption Standard (3DES) encryption algorithm, 282
troubleshooting
  client installation, 259
  compressed files, 109
  Configuration Manager issues, 284
  content distribution, 108
  content management, 109
  inventory collection, 283
  power consumption, 249




  query issues, 294
  software updates, 148–153
Trusted Root Certification Authorities certificate store, 125

U
Uninstall deployment action, 44
uninstalling applications, 86
UNIX operating systems
  Configuration Manager clients, 222, 228–229, 233–234
  hardware inventory collection, 272
  software inventory and, 276
Unknown compliance state, 88, 144
Unknown Computer object type, 295
update policies (Intune), 79–80, 158–161
update rollups, 161–162
updates (software)
  approving, 162–164
  categories and classifications, 161–162
  using Configuration Manager and WSUS, 135–157
  using Microsoft Intune, 78–79, 158–169
  objective summary and review, 170–173
  third-party, 124–134, 167–168
Updates workspace (SCUP)
  about, 132
  Optional Information section, 131
  Package Information section, 130–131
  Required Information section, 131
UpdatesDeployment.log file, 153
UpdatesHandler.log file, 152
UpdatesStore.log file, 152
upgrades (application)
  about, 82
  application revision history, 84–85
  application supersedence, 83–84
  objective summary and review, 86–87, 118–119
  retiring applications, 85–86
  uninstalling applications, 86
User And Device Affinity group, 65
user device affinity (deploying applications), 45, 65–67
User Group Resource object type, 295
User Resource object type, 295

V
validating content, 99–100, 110–111
Value condition type, 63
Value rule, 184–185
VDI (Virtual Desktop Infrastructure), 272
virtual applications, managing environment
  about, 12
  App-V deployment models, 13–16
  App-V Group Policy, 20–22
  App-V infrastructure, 12–13
  deploying sequenced applications, 16–20
  objective summary and review, 22–23, 35–36
virtual applications, preparing
  about, 1
  App-V Connection Groups, 7–10
  basic concepts, 2–3
  objective summary and review, 11–12, 34–35
  Sequencer environment, 3–7
Virtual Desktop Infrastructure (VDI), 272
VPN profiles, 334–335

W
Wake On LAN (WOL), 70, 136, 147
WBEM (Web-Based Enterprise Management), 272, 295
WCM.log file, 152
Web Application deployment type, 57
Web-Based Enterprise Management (WBEM), 272, 295
Wi-Fi profiles, 337–338
Windows App Package, 56
Windows authentication, 226
Windows Firewall
  Configuration Manager clients, 230
  Endpoint Protection, 199–200, 207–208
Windows Installer
  deployment type, 56
  detection rule, 60
Windows Internet Naming Service (WINS), 236
Windows Management Instrumentation (WMI), 144, 272, 294
Windows Mobile Cabinet, 56
Windows operating systems
  configuration items, 177, 179–180, 182–183
  Configuration Manager clients, 222
  Endpoint Protection, 200
  inventory collection, 270, 278




Windows Phone App Package, 56
Windows PowerShell, 277
Windows Server Update Services (WSUS)
  about, 123
  automatic deployment rules, 153–156
  Configuration Manager clients, 230
  managing updates, 145–148
  monitoring software updates, 148–153
  objective summary and review, 156–157, 171–172
  software update client settings, 141–144
  software update points, 137–140
  software updates in Configuration Manager, 136
  troubleshooting software updates, 148–153
Windows Update agent, 143
WindowsUpdate.log file, 152
WINS (Windows Internet Naming Service), 236
WMI (Windows Management Instrumentation), 144, 272, 294
WMI Query Language (WQL), 294–295
WOL (Wake On LAN), 70, 136, 147
workgroup-based clients, 225
WQL (WMI Query Language), 294–295
WSUS (Windows Server Update Services)
  about, 123
  automatic deployment rules, 153–156
  Configuration Manager clients, 230
  managing updates, 145–148
  monitoring software updates, 148–153
  objective summary and review, 156–157, 171–172
  software update client settings, 141–144
  software update points, 137–140
  software updates in Configuration Manager, 136
  troubleshooting software updates, 148–153
WSUS Synchronization Manager, 138–139
WSUSCtrl.log file, 152
WSUSUtil tool, 139–140
wsyncmgr.log file, 152
WUAHandler.log file, 152

X
XAP file format, 56
XML file format, 56





About the author

ORIN THOMAS is an MVP, an MCT, and has a string of Microsoft MCSE and MCITP certifications. He has written more than 30 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine. He has been working in IT since the early 1990s. He regularly speaks at events such as TechEd in Australia and around the world on Windows Server, Windows Client, System Center, and security topics. Orin founded and runs the Melbourne System Center, Security, and Infrastructure Group. You can follow him on Twitter at http://twitter.com/orinthomas.



Free ebooks

From technical overviews to drilldowns on special topics, get free ebooks from Microsoft Press at:

www.microsoftvirtualacademy.com/ebooks

Download your free ebooks in PDF, EPUB, and/or Mobi for Kindle formats.

Look for other great resources at Microsoft Virtual Academy, where you can learn new skills and help advance your career with free Microsoft training delivered by experts.

Microsoft Press



Now that you've read the book...

Tell us what you think!
Was it useful?
Did it teach you what you wanted to learn?
Was there room for improvement?

Let us know at http://aka.ms/tellpress

Your feedback goes directly to the staff at Microsoft Press, and we read every one of your responses. Thanks in advance!
